[Editor’s Note: This article is part of a Just Security series, COVID and International Law. All articles in the series can be found here.]
This week cybersecurity researchers reported a suspected state-sponsored attempt to gain access to the accounts of executives and officials at companies and international organizations managing the logistics of COVID-19 vaccine distribution. According to IBM, the hackers were apparently seeking information about how the vaccines, some of which have to be kept at extremely low temperatures, will be stored and moved. The motive – whether to simply steal technology or to interfere with the distribution of the vaccine – is still unclear.
This is just the latest in a slew of cyber incidents related to COVID-19, which has proved a boon for hackers. Professional life has rapidly gone digital during the pandemic, making it more vulnerable to cyber criminals. Interpol has reported an “alarming” rise in cyber incidents since the pandemic started. Much of the crime wave has come from individuals and gangs looking to turn a quick profit, but States have gotten in on the act, too. British, U.S., and Canadian intelligence agencies have accused Russia of attempting to steal research from universities and companies working to create a vaccine for COVID-19. China has apparently attempted to steal vaccine data from the University of North Carolina and other cutting edge research labs. Iran tried to break into the personal email accounts of staff at the World Health Organization early in the pandemic. “Nearly all of the United States’ adversaries,” according to the New York Times, are attempting to pilfer cutting-edge research.
Data theft is not the only COVID-19-related cyber risk. Russian trolls have for years promoted anti-vaccine content online. Kremlin-linked groups have peddled conspiracy theories about COVID-19, including the idea that it is a U.S.-made biological weapon and half-satirical claims that the Oxford-AstraZeneca vaccine turns patients into monkeys because it is based on a deactivated chimpanzee virus. Western intelligence agencies fear a widespread Russian disinformation campaign aimed at damaging public trust in any vaccine approved in Europe or the United States in the coming months. To protect the health of their own citizens and the integrity of international scientific collaboration, States need to respond to State and non-State efforts to spread disinformation.
This article considers what role international law might play in regulating these cyber incidents. It examines the law governing use of force, the principle of non-intervention, and the proposed “rule” of sovereignty. It finds that international law, at least as currently constituted, does not apply to the known incidents thus far (though if it turns out the latest attack interferes with vaccine distribution, that might change). No international legal rule clearly prohibits vaccine espionage or misinformation campaigns. The gaps in the law pose a problem for any response to COVID-19 cyber incidents, but they could also provide States with an opportunity—and an incentive—to finally clarify the rules that govern cyberspace.
Law Governing the Use of Force
One of the bedrock rules of international law is the prohibition on the use of force, contained in Article 2(4) of the UN Charter. Although States have had trouble defining exactly when a cyber operation would constitute a use of force, they have mostly agreed that cyber operations could, in principle, violate the prohibition. The bar is high, however.
As one of us put it in a 2012 article: “the best test of when a cyber-attack is properly considered cyber-warfare is whether the attack results in physical destruction—sometimes called a ‘kinetic effect’—comparable to a conventional attack.” That same year, the U.S. State Department put forward a similar view, concluding that a cyber operation would qualify as a use of force if it caused “direct physical injury and property damage” of the kind produced by traditional weapons.
No COVID-19 vaccine hacking or disinformation campaign has met that standard, and it is hard to see how efforts to steal data or spread false information could. It is possible that a cyber operation that destroyed stocks of an approved vaccine, or prevented a country from distributing it, could have a sufficiently close causal link to resulting deaths that it would resemble a traditional attack that violates the prohibition on the use of force. But anything short of that is unlikely to count. Even if a hacking effort significantly delayed the production of a vaccine, rather than merely copying researchers’ data, the link between the operation and subsequent deaths from the lengthened pandemic would probably be too attenuated for the hack to constitute a use of force under current interpretations of international law.
Setting aside the use of force, commentators have made two main arguments for why vaccine hacking and disinformation might break international law. First, they argue that such operations could breach the principle of non-intervention. Second, such attacks might violate a putative rule of State sovereignty. We consider each possibility in turn.
The Principle of Non-Intervention
The principle of non-intervention bars a State from coercing another State into acting against its will in an area within its inherent sovereign functions. The definitions of both “coerce” and “sovereign functions” have proven tricky to pin down. Coercion requires more than a mere attempt to influence State policy, such as through diplomacy or propaganda, but exactly how much more has been a point of contention. As for the definition of sovereign functions, the International Court of Justice has concluded that an unlawful intervention must bear “on matters in which each State is permitted … to decide freely,” such as “the choice of a political, economic, social and cultural system.” That definition suggests that the principle protects a broad swathe of government policy. As the legal scholars Marko Milanovic and Michael Schmitt have argued, a government’s response to a pandemic likely qualifies, since protecting public health is widely regarded as a core function of the State.
State practice backs up these definitions. States have accused the perpetrators of cyber incidents of violating international law, in the words of a recent Chatham House report by Harriet Moynihan, only when the attack has “practical effects” on a State’s ability to exercise its “inherently sovereign powers,” and not when the attack targets individuals and private companies without a broader effect on State policy. Thus in 2018, the United Kingdom accused Russia of a “flagrant violation” of international law for carrying out a campaign of cyberattacks that disrupted transport systems in Ukraine. Likewise, in 2020, the United Kingdom accused Russia of violating international law in a 2019 cyberattack on Georgia, which knocked out the national TV station and numerous government websites.
In contrast, countries have responded in other ways—notably without alleging violations of State sovereignty—to cyber incidents that do not impinge on core State functions. After the 2014 North Korean hack of Sony, U.S. President Barack Obama characterized the incident not as an act of war but as “an act of cyber vandalism.” In 2018, the United States and the United Kingdom declined to accuse Iran of breaking international law by conducting a spear phishing campaign against private universities and companies, instead treating the incursion as a violation of domestic law. The same reticence showed up after the 2017 WannaCry ransomware operation, despite the potentially dangerous effects of the incident. The malware hit the British National Health Service particularly hard, locking patient records and making thousands of medical devices temporarily unusable, leading to the cancellation of doctor’s appointments and surgical procedures. Yet its main aim appeared to be financial gain, not changes to State policy, and the United Kingdom characterized it as “a criminal use of cyber space” rather than a violation of international law.
Thus, attempts to merely steal vaccine research likely do not violate the international law rule against intervention, as simply copying research does not involve coercing the target State or affecting core State policy. It is instead an act of cyber espionage, which is generally not regulated by international law (though it is prohibited almost everywhere by domestic law). Things might be different if the attackers began to destroy data, put vaccine research or production facilities out of operation, or disrupt the logistics of vaccine distribution. That would risk depriving States of the ability to execute their responses to the pandemic, arguably a prohibited coercive intervention.
As for disinformation, Milanovic and Schmitt persuasively argue that merely seeking to influence the population, even in harmful ways, is not sufficiently coercive to constitute an intervention. Yet some acts of misinformation could qualify as prohibited intervention, if sufficiently coercive. The scholar Jens Olin also suggests there could be some instances where propaganda and disinformation could become so corrosive to the State’s capacity to effectively respond to the pandemic that they would cross the line into intervention. Yet as of this writing, it does not appear that the current vaccine-related operations have crossed, or even come close to, that line.
The (Non-)Rule of Sovereignty
Underlying international law is the principle of State sovereignty. Some legal scholars, including Schmitt, the editor of the Tallinn Manual 2.0, have argued that the sovereignty principle creates a stand-alone rule of international law that applies to cyberspace. This rule would sweep in many intrusions that fall below the non-intervention threshold. A State violates another State’s sovereignty, the Manual holds, when it exercises State power within the target State’s territory without its consent. Violations can be executed remotely.
A few States, including Finland and the Netherlands, as well as members of the Shanghai Cooperation Organization, have endorsed this view. Milanovic and Schmitt, who endorse the principle in a jointly authored article on cyberattacks and cyber misinformation operations during a pandemic, argue that misinformation campaigns can violate the rule “by causing effects on the territory of” another State “or by interfering with its inherently governmental functions even in the absence of territorial effects.” In their view “any negative health outcome would qualify as an ‘effect’” and therefore any cyber-operation that has a negative health outcome violates the sovereignty rule. For example, a denial of service attack against a website providing information on virus testing or a ransomware attack that impedes dissemination of information about the pandemic would qualify as a violation as long as there is “some concrete harm.”
The stand-alone sovereignty argument isn’t widely accepted, however. The United Kingdom has rejected it outright, and the United States has repeatedly expressed skepticism that sovereignty creates a binding stand-alone rule of international law. In 2018, British Attorney General Jeremy Wright set out his government’s position: “there is no such rule as a matter of current international law.” In this view, operations that fall short of the non-intervention rule may be unwelcome—and, depending on the specific facts, illegal under domestic law—but they are not barred by international law.
The U.S. government has expressed sympathy for the British view. In May, Department of Defense General Counsel Paul Ney argued that there was not sufficiently “widespread and consistent State practice … to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory,” a position he characterized as sharing “similarities” with the British view.
Those who reject a rule of cyber sovereignty as an independent rule have, we think, the better of the argument. For one thing, the principle of sovereignty is precisely what underlies the principle of non-intervention. Going beyond non-intervention to bar all cyber operations that infringe on “sovereignty” broadly defined would almost certainly sweep in too much activity. Traditional espionage operations, for example, are widely held to be unregulated by international law. The proposed stand-alone rule of sovereignty would risk making most electronic snooping illegal; according to the Chatham House report, “a [S]tate simply sitting on another [S]tate’s server” could violate the victim [S]tate’s sovereignty. That would upend intelligence work and, in any case, be rejected out of hand by the world’s practitioners of cyber espionage (or at least those who are mindful of their international law obligations).
It is not just States that would find their activities curtailed by a free-standing sovereignty rule prohibiting cross-border cyber operations. Human rights organizations, for example, often seek to influence the politics and law of the countries within which they operate, and these influence campaigns sometimes involve cross-border operations that are resisted by the sovereign State in which they occur. Russia, for instance, has banned foreign non-governmental organizations. A broad rule of sovereignty might help legitimate Russia’s actions by giving rise to a claim that these organizations and their sponsors are violating Russia’s “sovereignty.” Or consider Voice of America, which aims to provide television and radio programming to populations whose governments do not always welcome it. Does Voice of America’s projection of electronic signals into these countries violate their “sovereignty”?
Some commentators have attempted to save the idea of sovereignty-as-rule by exempting de minimis territorial intrusions, but no one seems to agree where to draw the line, and State practice thus far provides no guidance. In the end, as Ney pointed out, the very fact of wide disagreement among States about a potential rule of cyber sovereignty itself forecloses the existence of such a norm—at least at present.
Without a violable rule of sovereignty, efforts to steal vaccine research likely do not break international law—as long as they do not impede that research. Economic espionage appears to fall within the zone of intelligence activity. Data theft alone does not appear to violate the non-intervention principle, as there is nothing inherently governmental about protecting commercial or scientific information and such theft has not apparently significantly impeded efforts to respond to the virus. (That said, the actions are far from legal: they almost certainly violate U.S. domestic law, including the Economic Espionage Act and the Cyber Fraud and Abuse Act.)
It is no surprise, then, that the United States has largely avoided referring to international law when condemning cyber espionage, instead treating it as a violation of domestic law or aspirational codes of State behavior. In 2015, when China and the United States agreed that neither country would support intellectual property cybertheft—an agreement that proved short-lived—the deal made no mention of international law. And in July, when the Department of Justice indicted two Chinese government hackers for attempting to steal vaccine research, it did not accuse China of violating international law, instead simply denouncing it for working to steal the “hard-earned intellectual property” of American companies.
Even before COVID-19, the international community struggled to define rules of the road for cyberspace and to deter unwelcome State cyber operations. Indicting foreign State hackers can shame wrongdoers and impose unwelcome travel restrictions, but perpetrators of State-backed cyber incidents are unlikely to face criminal prosecution. Diplomatic measures are also frequently insufficient. This July, according to the New York Times, the Trump administration shuttered the Chinese consulate in Houston in part because China was using it for medical research espionage, but it is unclear what effect the move had. Bilateral agreements, such the 2015 U.S.-Chinese deal, can help, but only temporarily. The digital world remains a Wild West.
Perhaps the greatest impact of the cyber incidents during the COVID-19 pandemic has been to reveal how few rules there really are. There are already two UN-sponsored efforts underway to provide greater clarity about the rules for “responsible behavior in cyberspace.” Maybe the inability of international law to regulate hacking incidents during the pandemic will finally encourage the international community to take more serious steps to agree on the international rules that govern cyber activities.