This article evaluates acceptance of the Tallinn Rules by states on the basis of eleven case studies involving cyberoperations, all occurring after the first Tallinn Manual was published in 2013. Our principal findings are that (1) it is unclear whether states are ready to accept the Tallinn Rules; (2) states show uneven interest in promoting legal certainty in cyberspace; and (3) a growing need for coordinated response to cyberattacks may induce states to consider more favorably the Tallinn Rules.
The authors thank participants in the international workshop on the Tallinn Manuals and Customary International Law held in Jerusalem on December 10, 2017, and in particular Professor Michael N. Schmitt and Nimrod Karin, for their useful comments provided in relation to an earlier draft. Thanks are also due to our research assistants Sima Granovsky, Ya'ara Mordecai, and Yael Oppenheim for their assistance, and to the four anonymous reviewers of the Journal. Responsibility for any errors remains with us.
1 Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual 1.0]; Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt ed., 2017) [hereinafter Tallinn Manual 2.0]. A “cyber operation” is defined in Tallinn Manual 2.0 as “the employment of cyber capabilities to achieve objectives in or through cyberspace.” Tallinn Manual 2.0, at 564. The term “cyber operation” is narrower than the term “cyber activity,” which the Manual defines as “any activity that involves the use of cyber infrastructure or employs cyber means to affect the operation of such infrastructure.” Id.
2 A “cyber-attack” is defined in Tallinn Manual 2.0 as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” Tallinn Manual 2.0, supra note 1, at 415 (Rule 92). The U.S. Director of National Intelligence (DNI) defines “cyber-attack” more broadly as “a non-kinetic offensive operation intended to create physical effects or to manipulate, disrupt, or delete data.” See Statement for the Record Worldwide Threat Assessment of the U.S. Intelligence Community Senate Select Committee on Intelligence, at 1, Mar. 12, 2013, available at https://www.dni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf.
3 Schmitt, Michael N., International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harv. Int'l L.J. 13, 36 (2012).
4 See, e.g., The White House International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (May 2011), available at https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf; The DoD Cyber Strategy (Apr. 2015), available at https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf; China's International Strategy of Cooperation on Cyberspace (Mar. 2017), available at http://www.xinhuanet.com/english/china/2017-03/01/c_136094371.htm; Secrétariat Général de la Défense et de la Sécurité Nationale, Strategic Review of Cyber Defense (Feb. 2018), available at http://www.sgdsn.gouv.fr/uploads/2018/03/revue-cyber-resume-in-english.pdf; The National Cyber Security Strategy 2016 to 2021 (Nov. 1, 2016), available at https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021.
5 See, e.g., Jeremy Wright, the UK Attorney General, Speech Delivered at Chatham House, London: Cyber and International Law in the 21st Century (May 23, 2018), available at https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century. See also Harold H. Koh, Legal Adviser, U.S. Dep't of State, Speech delivered at USCYBERCOM Inter-Agency Legal Conference at Fort Meade, Maryland: International Law in Cyberspace (Sept. 18, 2012), available at http://www.harvardilj.org/wp-content/uploads/2012/12/Koh-Speech-to-Publish1.pdf.
6 Ann Väljataga, Back to Square One? The Fifth UN GGE Fails to Submit a Conclusive Report at the UN General Assembly, Incyder News (Sept. 1, 2017), at https://ccdcoe.org/back-square-one-fifth-un-gge-fails-submit-conclusive-report-un-general-assembly.html.
7 Fleck, Dieter, Searching for International Rules Applicable to Cyber Warfare—A Critical First Assessment of the New Tallinn Manual, 18 J. Conflict & Security L. 331, 335 (2013); Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, Lawfare (May 31, 2015), at https://www.lawfareblog.com/tallinn-20-and-chinese-view-tallinn-process; Kilovaty, Ido, Cyber Warfare and the Jus ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on International Law Applicable to Cyber Warfare, 5 Nat'l Security L. Brief 91, 108 (2014).
8 Kirsten E. Eichensehr, Book Review: Tallinn Manual on the International Law Applicable to Cyber Warfare, 108 AJIL 585, 588 (2014).
9 Tallinn Manual 2.0, supra note 1, at 330 (Rule 69) (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”).
10 Id. at 375 (Rule 80) (“Cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.”).
11 Id. at 20.
12 Id. at 21.
13 See, e.g., Adam Segal, Axiom and the Deepening Divide in US – China Cyber Relations, Net Pol. - Council For. Rel. Blog (Oct. 29, 2014), at https://www.cfr.org/blog/axiom-and-deepening-divide-us-china-cyber-relations.
14 Michael Schmitt, Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn't, Just Security (Feb. 9, 2017), at https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations.
15 See infra Part IV.
16 Check, Terence, Book Review: Analyzing the Effectiveness of the Tallinn Manual's Jus ad Bellum Doctrine on Cyber-conflict: A NATO-centric Approach, 63 Clev. St. L. Rev. 495, 511 (2015); Gary Corn, Tallinn Manual 2.0 – Advancing the Conversation, Just Security (Feb. 15, 2017), at https://www.justsecurity.org/37812/tallinn-manual-2-0-advancing-conversation; Boer, Lianne JM, Restating the Law “As It Is”: On the Tallinn Manual and the Use of Force in Cyberspace, 5 Amsterdam L. Forum 4, 6 (2013).
17 See Nominations of Gen. Paul J. Selva, USAF, for reappointment to the Grade of General and to be Commander, U.S. Transportation Command; and VADM Michael S. Rogers, USN, to be Admiral and Director, National Security Agency/Chief, Central Security Services/Commander, U.S. Cyber Command: Hearing Before the Armed Services Committee of the United States Senate, 113th Cong. 506 (2014), available at https://www.congress.gov/113/chrg/shrg93919/CHRG-113shrg93919.pdf (Rogers asserts that criteria used for assessing cyberspace events are classified).
18 Id. at 507 (Rogers: “It is likely that other nations will assert and apply different definitions and thresholds for what constitutes a use a force in cyberspace, and will continue to do so for the foreseeable future.”).
19 Corn, supra note 16; see also Schmitt, Michael N. & Watts, Sean, The Decline of International Humanitarian Law Opinio Juris and the Law of Cyber Warfare, 50 Tex. Int'l L.J. 189, 223, 230 (2014).
20 Kessler, Oliver & Werner, Wouter, Expertise, Uncertainty and International Law: A Study of the Tallinn Manual on Cyberwarfare, 26 Leiden J. Int'l L. 793, 809 (2013).
21 Ingber, Rebecca, Interpretation Catalysts in Cyberspace, 95 Tex. L. Rev. 1531, 1534–35 (2017); PoKempner, Dinah, Squinting Through the Pinhole: A Dim View of Human Rights from Tallinn 2.0, 95 Tex. L. Rev. 1599, 1602 (2017).
22 Corn, supra note 16.
23 Tallinn Manual 2.0, supra note 1, at 330 (Rule 69).
24 Kilovaty, Ido, Virtual Violence – Disruptive Cyberspace Operations as “Attacks” Under International Humanitarian Law, 23 Mich. Telecomm. & Tech. L. Rev. 113, 146 (2016); Dinniss, Heather A. Harrison, The Nature of Objects: Targeting Networks and the Challenge of Defining Military Objectives, 48 Isr. L. Rev. 39, 54 (2015); Adm. James Stavridis, Incoming: What is Cyber Attack, SIGNAL (Jan. 1, 2015), available at https://www.afcea.org/content/?q=node/13832. But see Deeks, supra note 7 (reporting on a speech by Prof. Huang ZhiXiong from Wuhan University, China, who criticized the Rules for introducing too low of a threshold).
25 Ido Kilovaty, Violence in Cyberspace: Are Disruptive Cyberspace Operations Legal Under International Humanitarian Law?, Just Security (Mar. 3, 2017), at https://www.justsecurity.org/38291/violence-cyberspace-disruptive-cyberspace-operations-legal-international-humanitarian-law.
26 See Fleck, supra note 7, at 336; Kilovaty, supra note 7, at 116.
27 Tallinn Manual 2.0, supra note 1, at 21; Schmitt, supra note 3, at 20.
28 Kubo, Mačák, Military Objectives 2.0: The Case for Interpreting Computer Data as Objects Under International Humanitarian Law, 48 Isr. L. Rev. 55, 78 (2015); Dinniss, supra note 24, at 54.
29 Kilovaty, supra note 25. For further information on psychological cyber warfare, see Marco Roscini, Cyber Operations and the Use of Force in International Law 240–42 (2014).
30 A parallel concern arising under IHL involved the imprecise definition under the rules of what constitutes collateral harm to cyberattacks. Kilovaty, supra note 24, at 146 (criticizing Rule 113).
31 Note, however, that some commentators and governments dispute the distinction offered by the International Court of Justice (ICJ) in the Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 ICJ Rep. 14 (June 27) [hereinafter Military and Paramilitary Activities], between “use of force” and “armed attack” (pursuant to which, according to the Court, only the latter, aggravated forms of the use of force, would justify self-defense action). See Collin Allan, Was the Cyber Attack on a Dam in New York an Armed Attack?, Just Security (Jan. 8, 2016), at https://www.justsecurity.org/28720/cyber-attack-dam-armed-attack.
32 Kilovaty, supra note 7, at 115. But see Peter Pascucci & Kurt Sanger, Why a Broad Definition of “Violence” in Cyber Conflict Is Unwise and Legally Unsound, Just Security (Mar. 8, 2017), at https://www.justsecurity.org/38536/broad-definition-violence-cyber-conflict-unwise-legally-unsound.
33 Afek, Sharon, Cyber-attacks – Legal Contours: Application of International Law Rules to Cyber Wars, 5 Eshtonont – Nat'l Security C. Res. Ctr. 17 (2013) (Hebrew), available at http://maarachot.idf.il/PDF/FILES/4/113504.pdf.
34 Kilovaty, supra note 7, at 111.
35 See, e.g., Anderson, Troy, Fitting a Virtual Peg into a Round Hole: Why Existing International Law Fails to Govern Cyber Reprisals, 34 Ariz. J. Int'l & Comp. L. 135 (2017).
36 Tallinn Manual 2.0, supra note 1, at 339 (Rule 71) (“A State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defense. Whether a cyber operation constitutes an armed attack depends on its scale and effects.”).
37 The experts were, for example, divided on whether the 2010 Stuxnet operation met the required scale and effect to warrant self-defense. Id. at 342.
38 Tallinn Manual 2.0, supra note 1, at 111 (Rule 20).
39 Id. at 120, 127.
40 Corn, supra note 16.
41 Eichensehr, supra note 8, at 587 (noting that the very notion of anticipatory self-defense in international law remains controversial).
42 Tallinn Manual 2.0, supra note 1, at 17 (Rule 4).
43 Id. at 20. The experts were divided as to whether harmful operations falling short of permanent non-functionality, such as introduction of malware, destruction of data, creation of open doors, and temporary loss of functionality (e.g., distributed denial of service attacks), violate sovereignty per se. Id. at 21. Most, though not all, experts were also willing to extend the sovereignty rule to operations calculated to disrupt essential government service, which occurred or manifested themselves outside the victim state's territory. Id. at 23.
44 See Memorandum from Jennifer M. O'Connor, Gen. Counsel of the Dep't of Def., International Law Framework for Employing Cyber Capabilities in Military Operations (Jan. 19, 2017), discussed in Watts, Sean & Richard, Theodore, Baseline Territorial Sovereignty and Cyberspace, 22 Lewis & Clark L. Rev. 803, 859–63 (2018). The approach taken in the 2017 Memorandum stands in tension with the traditional approach of the United States to cyberattacks as potentially constituting a violation of sovereignty. U.S. Dep't of Def., Office of Gen. Counsel, An Assessment of International Legal Issues in Information Operations 19 (2d ed. 1999), available at http://www.au.af.mil/au/awc/awcgate/dod-io-legal/dod-io-legal.pdf. The document presented the pillars of the Department of Defense (DoD) legal policy regarding what it then called a computer network attack (CNA) or information operations and nowadays, “cyberwarfare” and “cyber-attacks.” For instance, it provided that “any unauthorized intrusion into a nation's computer systems would justify that nation at least in taking self-help actions to expel the intruder and to secure the system against reentry. An unauthorized electronic intrusion into another nation's computer systems may very well end up being regarded as a violation of the victim's sovereignty. It may even be regarded as equivalent to a physical trespass into a nation's territory … .”
45 Wright, supra note 5. For a discussion of the implications of the speech, see Gary Corn & Eric Jensen, The Technicolor Zone of Cyberspace – Part I, Just Security (May 30, 2018), at https://www.justsecurity.org/57217/technicolor-zone-cyberspace-part; Gary Corn & Eric Jensen, The Technicolor Zone of Cyberspace – Part II, Just Security (June 8, 2018), at https://www.justsecurity.org/57545/technicolor-zone-cyberspace-part-2.
46 Corn, supra note 16. See also Corn, Gary P. & Taylor, Robert, Sovereignty in the Age of Cyber, 111 AJIL Unbound 207 (2017) (presenting the sovereignty as a principle approach). See the responding article by Schmitt, Michael N. & Vihul, Liis, Respect for Sovereignty in Cyberspace, 95 Tex. L. Rev. 1639 (2017) (describing the evolution in the legal position of the DoD, and presenting support in state practice and opinio juris for sovereignty as a rule). See also Spector, Phil, In Defense of Sovereignty, in the Wake of Tallinn 2.0, 111 AJIL Unbound 219 (2017).
47 Tallinn Manual 2.0, supra note 1, at 43 (Rule 7) (“The principle of due diligence requires a State to take all measures that are feasible in the circumstances to put an end to cyber operations that affect a right of, and produce serious adverse consequences for, other States.”).
48 Fleck, supra note 7, at 338.
49 Tallinn Manual 2.0, supra note 1, at 44–45; Eichensehr, supra note 8, at 586.
50 Tallinn Manual 2.0, supra note 1, at 111 (Rule 20) (“A State may be entitled to take countermeasures, whether cyber in nature or not, in response to a breach of an international legal obligation that it is owed by another State.”); see also id. at 113.
51 Corn, supra note 16; Kilovaty, supra note 7, at 119–20. For a defense of the position of the Manuals in this regard, see Schmitt, Michael N., In Defense of Due Diligence in Cyberspace, 125 Yale L.J. Forum 68 (2015).
52 Andrew Keane Woods, The Tallinn Manual 2.0, Sovereignty 1.0, Lawfare (Feb. 8, 2017), at https://www.lawfareblog.com/tallinn-manual-20-sovereignty-10.
53 Schmitt, Michael N., The Notion of “Objects” During Cyber Operations: A Riposte in Defiance of Interpretive and Applicative Precision, 48 Isr. L. Rev. 81, 82 (2015).
54 Id. at 108. See also Schmitt, Michael N., The Law of Cyber Warfare: Quo Vadis?, 25 Stan. L. & Pol'y Rev. 269–99 (2014); Kilovaty, supra note 7, at 115 (calling in this regard for reexamination of the exclusion of political and economic coercion from the scope of use of force prohibited by Article 2(4) of the UN Charter).
55 Cf. Mark T. Peters, Cashing in on Cyberpower: How Interdependent Actors Seek Economic Outcomes in a Digital World 87 (2008) (claiming that millions of potential cyberattacks occur on a daily basis).
56 See, e.g., Ghappour, Ahmed, Tallinn, Hacking, and Customary International Law, 111 AJIL Unbound 224 (2017).
57 The CSIS and the CFR are among the world's leading think tanks in the field of defense and national security studies. James G. McGann, 2017 Global Go To Think Tank Index Report, at 96 (University of Pennsylvania Scholarly Commons, 2018). See Significant Cyber Incidents Since 2006, CSIS, at https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity (The full list includes incidents since 2006, focusing on cyberattacks on government agencies, defense and high-tech companies or economic crimes, entailing losses of more than a million dollars.). See also Cyber Operations Tracker, CFR, at https://www.cfr.org/interactive/cyber-operations.
58 Tallinn Manual 2.0, supra note 1, at 330–38 (Rules 69–70).
59 Tallinn Manual 2.0, supra note 1, at 168–74 (Rule 32). See also Pun, Darien, Rethinking Espionage in the Modern Era, 18 Chi. J. Int'l L. 353, 359–68 (2017) (presenting the conflicting approaches regarding the legality of espionage activity under international law); Ohlin, Jens David, Did Russian Cyber Interference in the 2016 Election Violate International Law?, 95 Tex. L. Rev. 1579 (2017).
60 Evron, Gadi, Battling Botnets and Online Mobs: Estonia's Defense Efforts During the Internet War, 9 Geo. J. Int'l Aff. 121 (2008); Herzog, Stephen, Revisiting the Estonian Cyberattacks: Digital Threats and Multinational Responses, 4 J. Strategic Security 49 (2011); Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, Guardian (May 17, 2007), at https://www.theguardian.com/world/2007/may/17/topstories3.russia; Peter Finn, Cyber Assaults on Estonia Typify a New Battle Tactic, Wash. Post (May 19, 2007), at http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html.
61 John Markoff, Before the Gunfire, Cyberattacks, N.Y. Times (Aug. 12, 2008), at http://www.nytimes.com/2008/08/13/technology/13cyber.html; Noah Shachtman, Top Georgian Official: Moscow Cyberattacked Us – We Just Can't Prove It, Wired (Nov. 3, 2009), at https://www.wired.com/2009/03/georgia-blames; Korns, Stephen W. & Kastenberg, Joshua E., Georgia's Cyber Left Hook, 38 Parameters 60 (2009); Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm & Liis Vihul, Cyber-attacks Against Georgia: Legal Lessons Identified (NATO Cooperative Cyber Defense Centre of Excellence, 2008).
62 Farwell, James P. & Rohozinski, Rafal, Stuxnet and the Future of Cyber War, 53 Survival 23 (2011); Collins, Sean & McCombie, Stephen, Stuxnet: The Emergence of a New Cyber Weapon and its Implications, 7 J. Policing, Intelligence & Counter Terrorism 80 (2012); Kim Zetter, An Unprecedented Look at Stuxnet, the World's First Digital Weapon, Wired (Mar. 11, 2014), at https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet.
63 International Law Commission, Identification of Customary International Law, Conclusion 6(2), UN Doc. A/CN.4/L.908 (2018) (text of the draft conclusions as adopted by the Drafting Committee on second reading).
64 Id., Conclusion 10(2).
65 Id., Conclusion 10(3).
66 See, e.g., Michael Byers, Custom, Power and the Power of Rules: International Relations and Customary International Law 156 (1999); Tullio Treves, Customary International Law, in Max Planck Encyclopedia of Public International Law, para. 79 (2006).
67 See Vienna Convention on the Law of Treaties, Art. 31(3)(b), May 23, 1969, 1155 UNTS 331.
68 Adam Samson & Matt Egan, Chase, NYSE Websites Targeted in Cyber Attacks, Fox Business (Sept. 19, 2012), at https://www.foxbusiness.com/features/chase-nyse-websites-targeted-in-cyber-attacks; Nicole Perlroth & Quentin Hardy, Bank Hacking Was the Work of Iranians, Officials Say, N.Y. Times (Jan. 8, 2013), at http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html.
69 Sealed Indictment, United States v. Fathi, 16 Cr. 48 (S.D.N.Y. Jan. 21, 2016), available at https://www.justice.gov/usao-sdny/file/835061/download.
70 U.S. Dep't of Justice Press Release, Manhattan U.S. Attorney Announces Charges Against Seven Iranians For Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector on Behalf of Islamic Revolutionary Guard Corps-Sponsored Entities (Mar. 24, 2016), at https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-against-seven-iranians-conducting-coordinated.
71 Id.; see also Indictment (U.S. v. Fathi), supra note 69.
72 Mark Thompson, Iranian Cyber Attack on New York Dam Shows Future of War, Time (Mar. 24, 2016), at http://time.com/4270728/iran-cyber-attack-dam-fbi. See also Perlroth & Hardy, supra note 68.
73 Iran Cyber Police Uncovers Hacking of US Bank, Mehr News Agency (Jan. 20, 2013), available at http://www.payvand.com/news/13/jan/1182.html.
75 U.S. Dep't of Justice Press Release, supra note 70.
76 See Indictment (U.S. v. Fathi), supra note 69.
77 U.S. Dep't of Justice Press Release, supra note 70. The U.S. attorney general stated: “[W]e will not allow any individual, group, or nation to sabotage American financial institutions… .” The assistant U.S. attorney for Manhattan added: “These were no ordinary crimes, but calculated attacks by groups with ties to Iran's Islamic Revolutionary Guard and designed specifically to harm America and its people.” The head of the FBI promised that: “By calling out the individuals and nations who use cyber-attacks to threaten American enterprise, as we have done in this indictment, we will change behavior.”
78 Ellen Nakashima, US Rallied Multinational Response to 2012 Cyberattack on American Banks, Wash. Post (Apr. 11, 2014), at https://www.washingtonpost.com/world/national-security/us-rallied-multi-nation-response-to-2012-cyberattack-on-american-banks/2014/04/11/7c1fbb12-b45c-11e3-8cb6-284052554d74_story.html?utm_term=.ba23ea798108.
82 Michael Riley & Jordan Robertson, FBI Probes if Banks Hacked Back as Firms Mull Offensives, Bloomberg News (Dec. 30, 2014), at https://www.bloomberg.com/news/articles/2014-12-30/fbi-probes-if-banks-hacked-back-as-firms-mull-offensives (reporting on ongoing FBI investigation to find out if someone from the targeted banks hacked back Iranian servers). See also the follow-up report of Eric Chabrow, The Case Against “Hack-Back,” Bank Info Security (Jan. 6, 2015), at https://www.bankinfosecurity.com/case-against-hack-back-a-7759 (presenting the main arguments against hacking back by private victims); Nicholas Schmidle, The Digital Vigilantes Who Hack Back, New Yorker (May 7, 2018), at https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back (reporting that at least one of the targeted banks resorted to hacking back).
83 Nakashima, supra note 78.
84 Thompson, supra note 72.
85 Mike Masnick, DOJ's Tone Deaf Criminal Charges Against Chinese Hackers Helps No One, Opens US Officials Up To Similar Charges, Techdirt (May 20, 2014), at https://www.techdirt.com/articles/20140520/05303727288/dojs-tone-deaf-cri (criticizing the DOJ's decision to file charges against Chinese hackers, and predicting that the United States would never put its hands on the defendants).
86 Committee on Oversight and Government Reform, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation? (2016), available at https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf.
87 The stolen data included personal files of 4.2 million former and current employees, security clearance investigation information on 22.1 million individuals, and biometric data of 5.6 million individuals.
88 Ian Tuttle, Cyber Disaster: How the Government Compromised Our Security, Nat'l Rev. (Sept. 9, 2016), at http://www.nationalreview.com/article/439869/opm-hack-house-oversight-committee-report.
89 Ellen Nakashima, Chinese Government Has Arrested Hackers it Says Breached OPM Database, Wash. Post (Dec. 2, 2015), at https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-breaching-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html?utm_term=.65fd5ee72a90.
90 Ellen Nakashima, Hacks of OPM Databases Compromised 22.1 Million People, Wash. Post (July 9, 2015), at https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/?utm_term=.655600c9d982.
91 David Boyer, Obama Says US Must Boost Cyber Defenses, Stops Short of Blaming China for Hacking, Wash. Times (June 8, 2015), at http://www.washingtontimes.com/news/2015/jun/8/obama-says-us-must-boost-cyber-defenses.
92 Hearing Before the Subcommittee on East Asia, the Pacific, and International Cyber Security Policy of the Committee on Foreign Relations – United States Senate, International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms, at 15, 114th Congress, 2d Sess., May 25, 2016, available at https://www.govinfo.gov/content/pkg/CHRG-114shrg28853/pdf/CHRG-114shrg28853.pdf.
93 David Welna, In Data Breach, Reluctance to Point the Finger at China, NPR (July 2, 2015), at http://www.npr.org/sections/parallels/2015/07/02/419458637/in-data-breach-reluctance-to-point-the-finger-at-china.
94 Boyer, supra note 91. President Obama, when asked about the OPM hack in a press conference, refrained from leveling specific accusations against any specific actor, and presented his general view on current cyberoperations: “[B]oth State and non-state actors are sending everything they've got at trying to breach these [U.S.] systems. In some cases, it's non-state (actors) engaging in criminal activity and potential theft. In the case of state actors, they're probing for intelligence or, in some cases, trying to bring down systems in pursuit of their various foreign-policy objectives.”
95 Brendan I. Koerner, Inside the Cyber-Attack that Shocked the US Government, Wired (Oct. 23, 2016), at https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government (referring to a wealth of evidence, ranging from IP addresses to telltale email accounts and a remote-access tool commonly deployed by Chinese-speaking hacking units on computers used by foes of China's government. Those footprints indicate that the hackers were tied to China, and that, in addition, the operation does not have any financial or commercial motive, but rather appears to serve the needs of intelligence services. Finally, the hack required professional human resources at a scale only governmental authorities are likely to have.).
96 Michael D. Shear & Scott Shane, White House Weighs Sanctions After Second Breach of a Computer System, N.Y. Times (June 12, 2015), at https://www.nytimes.com/2015/06/13/us/white-house-weighs-sanctions-after-second-breach-of-a-computer-system.html. See also Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power 56 (2018).
97 Ellen Nakashima, Chinese Hack of Federal Personnel Files Included Security-Clearance Database, Wash. Post (June 12, 2015), at https://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html?utm_term=.9ea58a001b11.
98 Nakashima, supra note 89. Interestingly, President Trump informally attributed the OPM hack to China during a phone interview to the New York Times in January 2017, in which he said: “China, relatively recently, hacked 20 million government names. How come nobody even talks about that?” This statement might relate to Trump's efforts to minimize the significance of Russian cyber operations, which allegedly influenced the presidential election. See Michael D. Shear & David E. Sanger, Putin Led a Complex Cyberattack Scheme to Aid Trump, Report Finds, N.Y. Times (Jan. 6, 2017), at https://www.nytimes.com/2017/01/06/us/politics/donald-trump-wall-hack-russia.html?_r=0.
99 Chris Strohm, Hacked OPM Data Hasn't Been Shared or Sold, Top Spy-Catcher Says, Bloomberg Pol. (Sept. 28, 2017), at https://www.bloomberg.com/news/articles/2017-09-28/hacked-opm-data-hasn-t-been-shared-or-sold-top-spy-catcher-says.
101 David E. Sanger, US Decides to Retaliate Against China's Hacking, N.Y. Times (July 31, 2015), at https://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html?mcubz=0.
102 Nakashima, supra note 90 (citing, inter alia, Rep. Adam Schiff stating that if the United States blurs the line between economic spying and foreign intelligence spying, “we risk undermining the fight against economic theft”).
103 Strohm, supra note 99.
104 Tallinn Manual 2.0, supra note 1, Rules 32, 89. See also Pun, supra note 59.
105 Dianna Cahn, Effects of OPM Data Breach Are Far-Reaching, Gov't Tech. (July 13, 2015), at http://www.govtech.com/security/Effects-of-OPM-Data-Breach-Are-Far-Reaching.html; Joseph Marks, Greatest Damage from OPM Breach Was to Government's Reputation, NextGov (Apr. 10, 2017), at https://www.nextgov.com/cybersecurity/2017/04/greatest-damage-opm-breach-was-governments-reputation/136902; Michael Adams, Why the OPM Hack Is Far Worse Than You Imagine, Lawfare (Mar. 11, 2016), at https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine; Kristin Finklea, Michelle D. Christensen, Eric A. Fischer, Susan V. Lawrence & Catherine A. Theohary, Cyber Intrusion into U.S. Office of Personnel Management: In Brief, Cong. Res. Serv. Rep. (2015), available at https://digitalcommons.ilr.cornell.edu/key_workplace/1440; Ian Brown, Imagining a Cyber Surprise: How Might China Use Stolen OPM Records to Target Trust?, War on the Rocks (May 22, 2018), at https://warontherocks.com/2018/05/imagining-a-cyber-surprise-how-might-china-use-stolen-opm-records-to-target-trust.
106 See, e.g., Stavridis, supra note 24.
107 FBI and Secret Service Investigating Las Vegas Casino, Hacker5 Magazine (Feb. 28, 2014); Las Vegas Sands Sites Hacked as Posts Criticize CEO Sheldon Adelson's Politics, Postmedia (Feb. 12, 2014).
108 Tony Capaccio, David Lerman & Chris Strohm, Iran Behind Cyber-attack on Adelson's Sands Corp., Clapper Says, Bloomberg (Feb. 26, 2015), at https://www.bloomberg.com/news/articles/2015-02-26/iran-behind-cyber-attack-on-adelson-s-sands-corp-clapper-says.
109 Jose Pagliery, Iran Hacked an American Casino, US Says, CNN Tech (Feb. 27, 2015), at http://money.cnn.com/2015/02/27/technology/security/iran-hack-casino/index.html.
110 Gary Leupp, A Chronology of the Sony Hacking Incident, Counterpunch (Dec. 29, 2014), at http://www.counterpunch.org/2014/12/29/a-chronology-of-the-Sony-hacking-incident.
112 Choe Sang-Hun, North Korea Warns US Over Film Mocking Its Leader, N.Y. Times (June 25, 2014), at https://www.nytimes.com/2014/06/26/world/asia/north-korea-warns-us-over-film-parody.html?mtrref=www.google.co.il&gwh=B3B3453BC13185E0E57B63F83177166B&gwt=pay&assetType=nyt_now.
113 It turned out that, early in June 2014, SPE's CEO consulted with Bruce Bennett, a senior defense analyst in Washington DC, asking his advice on whether or not to preserve the movie's final scene, in which the head of the North Korean leader is blown up by U.S. CIA agents. Although cutting or changing the final scene might have eased the North Koreans’ fury, Bennett's recommendation was to keep the film as it was, hoping that a movie “about the removal of the Kim family regime and the creation of a new government by the North Korean people” would “start a real thinking” among South and North Koreans who would watch it. That recommendation was supported by “very senior” U.S. government officials. See id.; Leupp, supra note 110; William Boot, Exclusive: Sony Emails Say State Department Blessed Kim Jong-un Assassination in “The Interview,” Daily Beast (Dec. 17, 2014), at http://www.thedailybeast.com/exclusive-sony-emails-say-state-department-blessed-kim-jong-un-assassination-in-the-interview.
114 Boot, supra note 113.
115 A Breakdown and Analysis of the December, 2014 Sony Hack, RBS (Dec. 5, 2014), at https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack. See also Alex Altman & Zeke J. Miller, State Department Insists North Korea Behind Sony Hack, Time (Dec. 31, 2014), at http://time.com/3651171/sony-hack-north-korea-fbi/?xid=time_readnext.
116 David E. Sanger & Michael S. Schmidt, More Sanctions on North Korea After Sony Case, N.Y. Times (Jan. 2, 2015), at https://www.nytimes.com/2015/01/03/us/in-response-to-sony-attack-us-levies-sanctions-on-10-north-koreans.html (questioning the speediness of the FBI conclusions). See also A Breakdown and Analysis, supra note 115 (questioning attribution of the breach by the FBI to North Korea).
117 Leupp, supra note 110 (arguing that North Korea does not have the advanced technological capability required to conduct such a destructive hack). See also Paul, New Clues in Sony Hack Point to Insiders, Away from DPRK, Security Ledger (Dec. 28, 2014), at https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk.
118 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack, Novetta (Feb. 2016), available at https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf.
119 White House Press Release, Statement by the Press Secretary on the Executive Order Entitled “Imposing Additional Sanctions with Respect to North Korea” (Jan. 2, 2015), available at https://obamawhitehouse.archives.gov/the-press-office/2015/01/02/statement-press-secretary-executive-order-entitled-imposing-additional-s.
120 Sanger & Schmidt, supra note 116.
121 Kim Zetter, Evidence Suggests the Sony Hackers Are Alive and Well and Still Hacking, Wired (Dec. 2, 2016), at https://www.wired.com/2016/02/evidence-suggests-the-sony-hackers-are-alive-and-well-and-still-hacking.
122 Operation Blockbuster, supra note 118.
123 Oliver Laughland & Dominic Rushe, Sony Pulling The Interview Was “a Mistake” Says Obama, Guardian (Dec. 20, 2014), available at https://www.theguardian.com/us-news/2014/dec/19/obama-sony-the-interview-mistake-north-korea.
124 See U.S. Dep't of State Press Release, Condemning Cyber-Attacks by North Korea (Dec. 19, 2014), at https://2009-2017.state.gov/secretary/remarks/2014/12/235444.htm.
125 White House Press Release, Remarks by the President in Year-End Press Conference (Dec. 19, 2014), available at https://obamawhitehouse.archives.gov/the-press-office/2014/12/19/remarks-president-year-end-press-conference. See also Sean Sullivan, Obama: North Korea Hack “Cyber-vandalism,” Not “Act of War,” Wash. Post (Dec. 21, 2014), at https://www.washingtonpost.com/news/post-politics/wp/2014/12/21/obama-north-korea-hack-cyber-vandalism-not-act-of-war/?utm_term=.a295316b9b98.
126 Id. See also Michael B. Kelley & Armin Rosen, The US Needs to Stop Pretending the Sony Hack Is Anything Less Than an Act of War, Business Insider (Dec. 15, 2014), at http://www.businessinsider.com/sony-hack-should-be-considered-an-act-of-war-2014-12. The Business Insider story cited David Aitel, a former NSA research scientist, who opined that cyberattacks should be considered an act of war even when they do not meet the required threshold that might justify a military response, and that once it has become known which nation should be held accountable, the United States must respond, at least with a firm diplomatic reaction, while considering additional measures in cyberspace, such as attacking targets of the adversary or shutting down the Internet for a while.
127 White House Press Release, supra note 119.
128 Sanger & Schmidt, supra note 116; Sony Cyber-attack: North Korea Faces New US Sanctions, BBC News (Jan. 3, 2015), at http://www.bbc.com/news/world-us-canada-30661973. On September 6, 2018, the Department of Justice unsealed an indictment against Park Jin-Hyok, a North Korean citizen, charged with conspiracy to conduct multiple cyber operations, including the Sony hack. U.S. Dep't of Justice, Office of Public Affairs Press Release, North Korean Regime-Backed Programmer Charged with Conspiracy to Conduct Multiple Cyber Attacks and Intrusions (Sept. 6, 2018), at https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and.
129 Chris Strohm, North Korea Web Outage Response to Sony Hack, Lawmaker Says, Bloomberg Pol. (Mar. 17, 2015), at https://www.bloomberg.com/politics/articles/2015-03-17/north-korea-web-outage-was-response-to-sony-hack-lawmaker-says. See also Francesca Chambers, Lucy Crossley & Alexandra Klausner, North Korea's Internet Is Shut Down AGAIN After Losing Connectivity for Nine Hours Yesterday, Daily Mail (Dec. 23, 2014), at http://www.dailymail.co.uk/news/article-2885359/North-Korea-s-internet-shut-losing-connectivity-nine-hours-yesterday.html.
130 Sanger, supra note 101.
131 The facts described below are partial and subject to ongoing investigations by the Senate Select Committee on Intelligence (SSCI) and by Robert Mueller, a special counsel appointed by the deputy attorney general to investigate the Russian interference in the presidential election and related matters. The information presented here about the DNC hack is based mainly on Dmitri Alperovitch's blog. Alperovitch is the CTO of CrowdStrike. See Dmitri Alperovitch, Bears in the Midst: Intrusion into the Democratic National Committee, CrowdStrike (June 15, 2016), at https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee. It should be noted that there are other narratives of the incident, such as the theory reported by Patrick Lawrence, A New Report Raises Big Questions About Last Year's DNC Hack, Nation (Aug. 9, 2017), at https://www.thenation.com/article/a-new-report-raises-big-questions-about-last-years-dnc-hack.
132 See Alperovitch, supra note 131.
133 See Pascal Brangetto & Matthijs A. Veenendaal, Influence Cyber Operations: The Use of Cyberattacks in Support of Influence Operations, in Cyber Power 113, 114 (N. Pissanidis, H. Rõigas & M. Veenendaal eds., 2016), available at https://ccdcoe.org/cycon/2016/proceedings/08_brangetto_veenendaal.pdf.
134 Matthew Cole, Richard Esposito, Sam Biddle & Ryan Grim, Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election, Intercept (June 5, 2017), at https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election.
135 Intelligence Community Assessment (ICA), Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytical Process and Cyber Incident Attribution (Jan. 6, 2017), available at https://www.intelligence.senate.gov/sites/default/files/documents/ICA_2017_01.pdf.
136 Cole, Esposito, Biddle & Grim, supra note 134; see the authentic document dated May 5, 2017, available at https://www.documentcloud.org/documents/3766950-NSA-Report-on-Russia-Spearphishing.html#document/p1.
137 Cynthia McFadden, William Arkin & Kevin Monahan, Russians Penetrated US Voter Systems, Top US Official Says, NBC News Pol. (Feb. 8, 2018), at https://www.nbcnews.com/politics/elections/russians-penetrated-u-s-voter-systems-says-top-u-s-n845721.
138 Michael Isikoff, Obama Cyber Chief Confirms “Stand Down” Order Against Russian Cyberattacks in Summer 2016, Yahoo News (June 20, 2018), at https://www.yahoo.com/news/obama-cyber-chief-confirms-stand-order-russian-cyberattacks-summer-2016-204935758.html. See also Russia Election Interference, C-Span (Senate Intelligence Committee Hearing, June 20, 2018), at https://www.c-span.org/video/?447328-1/obama-administration-officials-testify-russia-election-interference.
139 Andrew Blake, Russian Hackers Likely Scanned Election Systems in all 50 States During 2016 Race: Obama Cyber Czar, Wash. Times (June 21, 2018), at https://www.washingtontimes.com/news/2018/jun/21/russian-hackers-likely-scanned-election-systems-al.
140 ICA, supra note 135.
141 Senate Select Committee on Intelligence (SSCI), Initial Findings (July 3, 2018), available at https://www.burr.senate.gov/imo/media/doc/SSCI%20ICA%20ASSESSMENT_FINALJULY3.pdf.
142 Id. Following the DNC Hack, the then DHS Secretary Jeh Johnson decided in January 2017 to designate the nation's electoral systems as federally protected critical infrastructure.
143 See Alperovitch, supra note 131.
144 The claim of “typical disorder” appears to us as somewhat implausible. It is more likely that intentional disorder was created in order to obfuscate the situation and divert suspicions from Russian Intelligence.
145 Alperovitch, supra note 131.
146 Ellen Nakashima, Cyber Researchers Confirm Russian Government Hack of Democratic National Committee, Wash. Post (June 20, 2016), at https://www.washingtonpost.com/world/national-security/cyber-researchers-confirm-russian-government-hack-of-democratic-national-committee/2016/06/20/e7375bc0-3719-11e6-9ccd-d6005beac8b3_story.html?utm_term=.4d8ae7360f6c. See also Sam Thielman, DNC Email Leak: Russian Hackers Cozy Bear and Fancy Bear Behind Breach, Guardian (July 26, 2016), at https://www.theguardian.com/technology/2016/jul/26/dnc-email-leak-russian-hack-guccifer-2.
147 Kevin Poulsen & Spencer Ackerman, EXCLUSIVE: “Lone DNC Hacker” Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer, Daily Beast (Mar. 22, 2018), at https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer.
148 U.S. Dep't of Homeland Security Press Release, Joint Statement, the Department of Homeland Security & Office of the Director of National Intelligence on Election Security (Oct. 7, 2016), at https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national.
149 See ICA, supra note 135.
150 Id. at 1.
151 Nick Gass, Putin on DNC Leak: “Does it Even Matter Who Hacked this Data?,” Politico (Sept. 2, 2016), at http://www.politico.com/story/2016/09/putin-interview-dnc-hack-227668.
152 See Joint Statement, supra note 148.
153 Louis Nelson, Obama Says He Told Putin to “Cut It Out” on Russia Hacking, Politico (Dec. 16, 2016), at http://www.politico.com/story/2016/12/obama-putin-232754 (What Obama was concerned about was the potential of “hamper[ing] the vote counting [an]d affect[ing] the actual election process itself.”).
154 William M. Arkin, Ken Dilanian & Cynthia McFadden, What Obama Said to Putin on the Red Phone About the Election Hack, NBC News (Dec. 20, 2016), available at https://perma.cc/5CKG-G5XC.
155 Nelson, supra note 153.
157 See ICA, supra note 135, at 3.
158 Russia Election Interference, supra note 138, at 36:17–37:00 (testimony by Ambassador Victoria Nuland, former assistant secretary of state for European and Eurasian affairs).
159 William M. Arkin, Ken Dilanian & Cynthia McFadden, CIA Prepping for Possible Cyber Strike Against Russia, NBC News (Oct. 14, 2016), at www.nbcnews.com/news/us-news/cia-prepping-possible-cyber-strike-against-russia-n666636.
160 President Obama himself adopted similar language, saying: “I think there is no doubt that when any foreign government tries to impact the integrity of our elections … we need to take action. And we will—at a time and place of our own choosing. Some of it may be explicit and publicized; some of it may not be.” Scott Detrow, Obama on Russian Hacking: “We Need to Take Action. And We Will,” NPR (Dec. 15, 2016), at http://www.npr.org/2016/12/15/505775550/obama-on-russian-hacking-we-needto-take-action-and-we-will.
161 See Arkin, Dilanian & McFadden, supra note 159.
164 The “red phone” is a confidence-building measure for communication, upgraded by Obama and Putin in 2013. It is to be activated in urgent and very sensitive situations.
165 See Arkin, Dilanian & McFadden, supra note 154.
166 See Nelson, supra note 153.
167 Eric Lipton, The Perfect Weapon: How Russian Cyberpower Invaded the U.S., N.Y. Times (Dec. 13, 2016), at https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html.
168 Exec. Order No. 13757, Dec. 28, 2016, “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities,” 82 CFR 1 (2016), available at https://obamawhitehouse.archives.gov/the-press-office/2016/12/29/executive-order-taking-additional-steps-address-national-emergency.
169 White House Press Release, Presidential Statement on Actions in Response to Russian Malicious Cyber Activity and Harassment (Dec. 29, 2016), available at https://obamawhitehouse.archives.gov/the-press-office/2016/12/29/statement-president-actions-response-russian-malicious-cyber-activity.
170 Id. See also Rebecca Crootof, The DNC Hack Demonstrates the Need for Cyber-Specific Deterrents, Lawfare (Jan. 9, 2017), at https://www.lawfareblog.com/dnc-hack-demonstrates-need-cyber-specific-deterrents (“Despite this being the strongest public action the United States has ever taken in response to a cyberoperation, many are bemoaning its inadequacy. The U.S. actions have been derided as ‘too little, too late,’ ‘confusing and weak,’ and ‘insufficient.’ However, this seemingly insufficient reaction may have been informed by international law; the United States might have responded to the DNC hack as it did because international law did not permit it to do more.”).
171 U.S. Dep't of Justice Press Release, Grand Jury Indicts Thirteen Russian Individuals and Three Russian Companies for Scheme to Interfere in the United States Political System (Feb. 16, 2018), at https://www.justice.gov/opa/pr/grand-jury-indicts-thirteen-russian-individuals-and-three-russian-companies-scheme-interfere.
173 Indictment, United States v. Internet Research Agency LLC, Case No. 1:18-cr-00032-DLF (D.C. Cir., Feb. 18, 2018), available at https://www.justice.gov/opa/press-release/file/1035562/download.
174 Id., para.2.
175 Jon Swaine & Marc Bennetts, Robert Mueller Charges 13 Russians with Interfering in US Election to Help Trump, Guardian (Feb. 17, 2018), at https://www.theguardian.com/us-news/2018/feb/16/robert-mueller-russians-charged-election.
176 See U.S. Dep't of Justice Press Release, supra note 171; Matt Apuzzo & Sharon LaFraniere, 13 Russians Indicted as Mueller Reveals Effort to Aid Trump Campaign, N.Y. Times (Feb. 16, 2018), at https://www.nytimes.com/2018/02/16/us/politics/russians-indicted-mueller-election-interference.html.
177 Indictment, United States v. Netyksho, Case No. 1:18-cr-00215-ABJ (D.C. Cir., July 13, 2018), available at https://int.nyt.com/data/documenthelper/80-netyksho-et-al-indictment/ba0521c1eef869deecbe/optimized/full.pdf?action=click&module=Intentional&pgtype=Article.
178 U.S. Dep't of the Treasury Press Release, Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks (Mar. 15, 2018), at https://home.treasury.gov/news/press-releases/sm0312. See also Ellen Nakashima, Trump Administration Hits Russian Spies, Trolls with Sanctions Over US Election Interference, Cyberattacks, Wash. Post (Mar. 15, 2018), at https://www.washingtonpost.com/world/national-security/trump-administration-sanctions-russian-spies-trolls-over-us-election-interference-cyber-attacks/2018/03/15/3eaae186-284c-11e8-b79d-f3d931db7f68_story.html?noredirect=on&utm_term=.f8cf97eb19d5; Donna Borak, US Imposes Sanctions Against Russian Oligarchs and Government Officials, CNN (Apr. 6, 2018), at https://edition.cnn.com/2018/04/06/politics/russia-sanctions-oligarchs/index.html.
179 Raimund, Germany Blames Russia for Cyberattacks, Hacked Press (May 5, 2017), at https://hacked.press/2017/05/05/germany-blames-russia-cyberattacks; Andrea Shalal, Germany Challenges Russia Over Alleged Cyberattacks, Reuters (May 4, 2017), at http://www.reuters.com/article/us-germany-security-cyber-russia-idUSKBN1801CA.
180 Kate Connolly, German Spy Chief Says Russian Hackers Could Disrupt Elections, Guardian (Nov. 29, 2016), at https://www.theguardian.com/world/2016/nov/29/german-spy-chief-russian-hackers-could-disrupt-elections-bruno-kahl-cyber-attacks.
183 Russia “Was Behind German Parliament Hack,” BBC News (May 13, 2016), at http://www.bbc.com/news/technology-36284447.
184 Samburaj Das, Germany Blames Russia for Parliament Hack, Hacked (May 14, 2016), at https://hacked.com/germany-blames-russia-parliament-hack.
185 Connolly, supra note 180.
186 Rowena Mason, Theresa May Accuses Russia of Interfering in Elections and Fake News, Guardian (Nov. 14, 2017), at https://www.theguardian.com/politics/2017/nov/13/theresa-may-accuses-russia-of-interfering-in-elections-and-fake-news.
187 The UK Prime Minister's statement was issued in the wake of a significant increase in cyberoperations against UK media and telecommunications, and reports about hundreds of fake Twitter accounts and tens of thousands of other accounts tied to Russia, presumably used to influence the outcome of the Brexit referendum. Brexit: Russian Twitter Accounts Tweeted 3,468 Times About EU Independence Referendum, Independent (Nov. 15, 2017), at http://www.independent.co.uk/news/uk/politics/brexit-latest-russian-twitter-accounts-eu-independence-referendum-tweets-influence-result-a8055746.html. Investigations into possible Russian interference in the British democratic process have been launched recently by the UK government and Parliament. Zach Marzouk, The Intelligence and Security Committee Has Finally Reformed After the General Election, ITPRO (Nov. 24, 2017), at http://www.itpro.co.uk/security/29963/parliaments-intelligence-committee-considering-russia-investigation.
188 Melissa Eddy, After a Cyberattack, Germany Fears Election Disruption, N.Y. Times (Dec. 8, 2016), at https://www.nytimes.com/2016/12/08/world/europe/germany-russia-hacking.html.
189 Andrea Shalal, German Military Can Use “Offensive Measures” Against Cyber-attacks: Minister, Reuters (Apr. 5, 2017), at http://www.reuters.com/article/us-germany-cyber-idUSKBN1771MW.
190 See Shalal, supra note 179.
191 Kate Brady, Reports: German Government Plans Cyberattack “Hackback” Ahead of Election, Deutsche Welle (Apr. 20, 2017), at http://www.dw.com/en/reports-german-government-plans-cyberattack-hackback-ahead-of-election/a-38506101.
192 Mason, supra note 186. Prime Minister May echoed in her remarks the words of President Obama, who delivered a similar response in his 2016 Presidential Statement. White House Press Release, supra note 169.
193 Mason, supra note 186.
194 Kay Armin Serjoie, Iran Investigates if Series of Oil Industry Accidents Were Caused by Cyber Attack, Time (Aug. 12, 2016), at http://time.com/4450433/iran-investigates-if-series-of-oil-industry-accidents-were-caused-by-cyber-attack.
195 Iran Oil Industry Fires, Blasts Raise Suspicions of Hacking, Fox News (Sept. 22, 2016), at http://www.foxnews.com/world/2016/09/22/iran-oil-industry-fires-blasts-raise-suspicions-hacking.html.
198 John Leyden, Hack on Saudi Aramco Hit 30,000 Workstations, Oil Firm Admits, Register (Aug. 29, 2012), at www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis.
199 Jon Gambrell, Saudi Arabia Warns Destructive Computer Virus Has Returned, US News (Jan. 24, 2017), at https://www.usnews.com/news/business/articles/2017-01-24/saudi-arabia-warns-destructive-computer-virus-has-returned.
200 Nicole Perlroth, In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back, N.Y. Times (Oct. 23, 2012), at http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?mcubz=0.
201 Gambrell, supra note 199.
202 Michael Riley, Glen Carey & John Fraher, Destructive Hacks Strike Saudi Arabia, Posing Challenge to Trump, Bloomberg Tech. (Dec. 1, 2016), at https://www.bloomberg.com/news/articles/2016-12-01/destructive-hacks-strike-saudi-arabia-posing-challenge-to-trump.
203 Sewell Chan, Cyberattacks Strike Saudi Arabia, Harming Aviation Agency, N.Y. Times (Dec. 1, 2016), at http://www.nytimes.com/2016/12/01/world/middleeast/saudi-arabia-shamoon-attack.html?ref=technology.
204 Mahmoud Habboush, Gwen Ackerman & Michael Riley, Hack of Saudi Arabia Exposes Middle East Cybersecurity Flaws, Bloomberg Tech. (Dec. 12, 2016), at https://www.bloomberg.com/news/articles/2016-12-12/hack-of-saudi-arabia-exposes-middle-east-cyber-security-flaws.
205 Nicole Perlroth & Clifford Krauss, A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try, N.Y. Times (Mar. 15, 2018), at https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html. See also Rebecca Cheetham & Sébastien Heon, Triton Cyber-attack: Hackers Target the Safety Systems of Industrial Plants Score, Scor Live Blog (Mar. 6, 2018), at https://www.scor.com/en/media/news-press-releases/triton-cyber-attack-hackers-target-safety-systems-industrial-plants. See also Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker & Christopher Glyer, Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure, FireEye (Dec. 14, 2017), at https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html.
206 Ed Clowes, Destructive Computer Virus “Shamoon” Hits Saudi Arabia for Third Time, Gulf News Tech. (Jan. 30, 2017), at http://gulfnews.com/business/sectors/technology/destructive-computer-virus-shamoon-hits-saudi-arabia-for-third-time-1.1970590.
207 Threat Analysis – Industrial Control System Technical Report (Accenture Security, 2018), available at https://www.accenture.com/t20180123T095554Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Triton-Trisis-Threat-Analysis.pdf.
208 Perlroth & Krauss, supra note 205.
209 The theory that Iran has been behind the Shamoon attacks developed incrementally. See Rob Rachwald, The Significance of the Aramco Hack, IMPERVA (Aug. 23, 2012), at https://www.imperva.com/blog/2012/08/the-significance-of-the-aramco-hack; Christopher Bronk & Eneken Tikk-Ringas, The Cyber Attack on Saudi Aramco, 55 Survival – Glob. Pol. & Strategy 81, 96 (2013), at https://doi.org/10.1080/00396338.2013.784468; David E. Sanger & Nicole Perlroth, Iran Is Raising Sophistication and Frequency of Cyberattacks, Study Says, N.Y. Times (Apr. 15, 2015), at http://www.nytimes.com/2015/04/16/world/middleeast/iran-is-raising-sophistication-and-frequency-of-cyberattacks-study-says.html; Daniel R. Coats, Worldwide Threat Assessment of the US Intelligence Community (Feb. 13, 2018), available at https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf.
210 U.S. Dep't of Defense Press Release, Transcript Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security (Oct. 11, 2012), available at http://archive.defense.gov/transcripts/transcript.aspx?transcriptid=5136.
211 Perlroth, supra note 200.
212 Gary D. Solis, Cyber Warfare, 219 Mil. L. Rev. 1, 44–49 (2014) (describing the operation and analyzing its legal aspects); David Weissbrodt, Cyber-Conflict, Cyber-Crime, and Cyber-Espionage, 22 Minn. J. Int'l L. 347, 378–79 (2013). See also Michelle Nichols, Iran Says Terrorism Includes any Attack on Nuclear Facility, Reuters (Sept. 28, 2012), at https://www.reuters.com/article/us-un-assembly-nuclear-iran/iran-says-terrorism-includes-any-attack-on-nuclear-facility-idUSBRE88R13O20120928 (reporting on the Iranian Foreign Minister's speech during the UN summit stating that Iran places “special importance” on preventing nuclear terrorism targeted at its nationals and its nuclear facilities, adding that “any such act committed by a state, as certain countries continue to commit such crimes in my country, is a manifestation of nuclear terrorism and consequently a grave violation of the principles of U.N. Charter and international law”).
213 Saudi Arabia Warns on Cyber Defense as Shamoon Resurfaces, Reuters (Jan. 23, 2017), at https://www.reuters.com/article/us-saudi-cyber/saudi-arabia-warns-on-cyber-defense-as-shamoon-resurfaces-idUSKBN1571ZR. See also Bill Gertz, Iran Renews Destructive Cyber-attacks on Saudi Arabia, Wash. Free Beacon (Feb. 22, 2017), at http://freebeacon.com/national-security/iran-renews-destructive-cyber-attacks-saudi-arabia.
214 Coats, supra note 209.
215 Perlroth & Krauss, supra note 205.
216 Natasha Turak & Hadley Gamble, Saudi Foreign Minister Calls Iran Most Dangerous Nation for Cyberattacks, CNBC (Feb. 18, 2018), at https://www.cnbc.com/2018/02/18/iran-most-dangerous-nation-for-cyber-attacks-says-saudi-foreign-minister.html.
217 For a discussion of the Iranian links to the war in Yemen, see Shaul Shay, Saudi Arabia and the Houthi Missile Threat, Israel Defense (Nov. 15, 2016), at http://www.israeldefense.co.il/en/node/27571.
218 D. U. Case, Analysis of the Cyber Attack on the Ukrainian Power Grid, E-ISAC (Mar. 18, 2016), available at https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf. See also Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid, Wired (Mar. 3, 2016), at https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid.
219 Elias Groll, Did Russia Knock Out Ukraine's Power Grid?, For. Pol'y (Jan. 8, 2016), at http://foreignpolicy.com/2016/01/08/did-russia-knock-out-ukraines-power-grid.
220 Andy Greenberg, “Crash Override”: The Malware that Took Down a Power Grid, Wired (June 12, 2017), at https://www.wired.com/story/crash-override-malware.
221 Andy Greenberg, Your Guide to Russia's Infrastructure Hacking Teams, Wired (July 12, 2017), at https://www.wired.com/story/russian-hacking-teams-infrastructure. See also John Hultquist, Sandworm Team and the Ukrainian Power Authority Attacks, FireEye (Jan. 7, 2016), at https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html.
222 Hultquist, supra note 221.
224 Andy Greenberg, How an Entire Nation Became Russia's Test Lab for Cyberwar?, Wired (June 20, 2017), at https://www.wired.com/story/russian-hackers-attack-ukraine (citing the Ukrainian President's accusation). See also Pavel Polityuk, Ukraine Points Finger at Russian Security Services in Recent Cyber-attack, Reuters (July 1, 2017), at https://www.reuters.com/article/us-cyber-attack-ukraine/ukraine-points-finger-at-russian-security-services-in-recent-cyber-attack-idUSKBN19M39P; Pavel Polityuk, Ukraine Investigates Suspected Cyber-attack on Kiev Power Grid, Reuters (Dec. 20, 2016), at https://www.reuters.com/article/us-ukraine-crisis-cyber-attacks/ukraine-investigates-suspected-cyber-attack-on-kiev-power-grid-idUSKBN1491ZF.
225 Jim Finkle, Cyber Firms Warn of Malware that Could Cause Power Outages, Reuters (June 12, 2017), at https://www.reuters.com/article/us-cyber-attack-utilities-idUSKBN1931EG.
226 See Michael B. Kelley, “Very High Level of Confidence” Russia Used Kaspersky Software for Devastating NSA Leaks, Yahoo Finance (Jan. 13, 2018), at https://finance.yahoo.com/news/experts-link-nsa-leaks-shadow-brokers-russia-kaspersky-144840962.html. See also Rohit Langde, WannaCry Ransomware: A Detailed Analysis of the Attack, Techspective (Sept. 26, 2017), at https://techspective.net/2017/09/26/wannacry-ransomware-detailed-analysis-attack (describing NSA tools such as EternalBlue and DoublePulsar, which exploit vulnerabilities in the Microsoft Windows operating system. Those tools were used in this operation, enabling the attacker to use the IP address of the computer to directly communicate with the Server Message Block (SMB) protocol and plant a backdoor to enable remote access and to facilitate control of systems by hackers, who could easily install viruses or malware on them).
227 Langde, supra note 226.
228 Ryan Browne, Hackers Have Cashed Out on $143,000 of Bitcoin from the Massive WannaCry Ransomware Attack, CNBC (Aug. 3, 2017), at https://www.cnbc.com/2017/08/03/hackers-have-cashed-out-on-143000-of-bitcoin-from-the-massive-wannacry-ransomware-attack.html.
229 Nicole Perlroth & David E. Sanger, Hackers Hit Dozens of Countries Exploiting Stolen NSA's Tool, N.Y. Times (May 12, 2017), at https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?_r=0.
230 U.S. Homeland Security Advisor, Thomas Bossert, Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea (Dec. 19, 2017), available at https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917.
231 Olivia Solon, WannaCry Ransomware Has Links to North Korea, Cybersecurity Experts Say, Guardian (May 15, 2017), at https://www.theguardian.com/technology/2017/may/15/wannacry-ransomware-north-korea-lazarus-group.
232 Ellen Nakashima, The NSA Has Linked the WannaCry Computer Worm to North Korea, Wash. Post (June 14, 2017), at https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html?utm_term=.9f6ef39a5856.
233 Ryan Browne, UK Government: North Korea Was Behind the WannaCry Cyber-attack that Crippled Health Service, CNBC (Oct. 27, 2017), at https://www.cnbc.com/2017/10/27/uk-north-korea-behind-wannacry-cyber-attack-that-crippled-nhs.html.
234 Symantec Security Response, WannaCry: Ransomware Attacks Show Strong Links to Lazarus Group, Symantec (May 22, 2017), at https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group (describing technical findings connecting WannaCry to the Lazarus group, which was also a key player in the Sony hack and in the theft of US$81 million from the Bangladesh Central Bank, emphasizing, however, that available technical information does not yet make it possible to attribute the attack to a specific state or non-state actor).
235 Joel Hills, North Korean Government Behind NHS Cyber-attack, Says Microsoft Boss, ITV (Oct. 13, 2017), at http://www.itv.com/news/2017-10-13/hacking-threat-is-as-serious-as-terrorism-says-microsoft-boss. See also Brad Smith, The Need for Urgent Collective Action to Keep People Safe Online: Lessons from Last Week's Cyberattack, Microsoft Blog (May 14, 2017), at https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack.
236 U.S. Homeland Security Advisor Press Briefing, supra note 230.
237 Foreign and Commonwealth Office and Lord Ahmad of Wimbledon Press Release, Foreign Office Minister Condemns North Korean Actor for WannaCry Attacks (Dec. 19, 2017), available at https://www.gov.uk/government/news/foreign-office-minister-condemns-north-korean-actor-for-wannacry-attacks.
238 U.S. Homeland Security Advisor Press Briefing, supra note 230.
239 Browne, supra note 233.
240 Hills, supra note 235. See also Brad Smith, The Need for a Digital Geneva Convention, Microsoft Blog (Feb. 14, 2017), at https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention.
241 U.S. Homeland Security Advisor Press Briefing, supra note 230.
242 Foreign and Commonwealth Office and Lord Ahmad of Wimbledon Press Release, supra note 237.
243 U.S. Homeland Security Advisor Press Briefing, supra note 230.
244 EY – Technical Intelligence Analysis, Petya Wiper Malware Disguised as a Ransomware Attack (June 2017), available at http://www.ey.com/Publication/vwLUAssets/ey-technical-intelligence-analysis-petya-wiper-disguised-as-ransomware-attack/$FILE/ey-technical-intelligence-analysis-petya-wiper-disguised-as-ransomware-attack.pdf.
245 Lucian Constantin, Petya Ransomware Is Now Double the Trouble, NetworkWorld (May 13, 2016), at https://www.networkworld.com/article/3069990/petya-ransomware-is-now-double-the-trouble.html.
246 EY– Technical Intelligence Analysis, supra note 244, at 3.
247 Patrick Howell O'Neill, NotPetya Ransomware Cost Merck More than $310 Million, Cyber Scoop (Oct. 27, 2017), at https://www.cyberscoop.com/notpetya-ransomware-cost-merck-310-million.
248 Sam Jones, Finger Points at Russian State Over Petya Hack Attack, Fin. Times (June 30, 2017), at https://www.ft.com/content/f300ad84-5d9d-11e7-b553-e2df1b0c3220.
249 Nolan Peterson, Whose Cyberattack Brought Ukraine to a Shuddering Halt?, Newsweek (July 1, 2017), at http://www.newsweek.com/nolan-peterson-whose-cyberattack-brought-ukraine-shuddering-halt-630500; Ben Dixon, The Strange Failures of the Petya Ransomware Attack, Daily Dot (July 1, 2017), at https://www.dailydot.com/layer8/petya-ransomware-attack-hackers-motives-failures.
250 SBU Establishes Involvement of the RF Special Services into Petya.A Virus-Extorter Attack, SBU Press-Center (July 1, 2017), at https://ssu.gov.ua/en/news/1/category/2/view/3660#.eXBAf7Sa.dpbs.
251 Ukraine State Security Service Blames Russia for the NotPetya Cyber-attack, Firstpost (July 1, 2017), at http://www.firstpost.com/tech/news-analysis/ukraine-state-security-service-blames-russia-for-the-notpetya-cyber-attack-3835341.html.
252 Anton Cherepanov, TeleBots Are Back: Supply-Chain Attacks Against Ukraine, Welivesecurity (June 30, 2017), at https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine (concluding that the attack was directed against businesses in Ukraine, but the malware went out of control because its authors apparently underestimated the malware's spreading capabilities).
253 Kimberly Zenz, Is Russia or North Korea Behind Petya, the Latest Cyberattack?, Newsweek (July 7, 2017), at http://www.newsweek.com/russia-or-north-korea-behind-petya-latest-cyberattack-633410.
254 White House Press Release, Statement from the Press Secretary (Feb. 15, 2018), available at https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25.
256 Sarah Marsh, US Joins UK in Blaming Russia for NotPetya Cyber-attack, Guardian (Feb. 15, 2018), at https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine.
257 Sarah Young & Denis Pinchuk, Australia Joins UK, US to Blame Russia for NotPetya, ITnews (Feb. 16, 2018), at https://www.itnews.com.au/news/australia-joins-uk-us-to-blame-russia-for-notpetya-485306.
258 Global Ransomware Attack Causes Turmoil, BBC (June 18, 2017), at http://www.bbc.com/news/technology-40416611.
259 Roland Oliphant & Cara McGoogan, NATO Warns Cyber-attacks “Could Trigger Article 5” as World Reels from Ukraine Hack, Telegraph (June 28, 2017), at http://www.telegraph.co.uk/news/2017/06/28/nato-assisting-ukrainian-cyber-defences-ransom-ware-attack-cripples.
261 Nakashima, supra note 178.
262 Articles on Responsibility of States for Internationally Wrongful Acts, in Int'l Law Comm'n Rep. on the Work of Its Fifty-Third Session, UN GAOR, 56th Sess., April 23–June 1 and July 2–August 10, 2001, UN Doc. A/56/10 [hereinafter ASR]. The ability to attribute wrongful acts or omissions to a state or to one of its agents—organs, entities, person, or group of persons—who in fact acted “on the instruction of, or under the direction, or control of, that State in carrying out the conduct” (ASR, Art. 8), is essential for establishing state responsibility. According to the ICJ, a high threshold of “effective control” is required and mere acts of encouraging, financing, planning, and organizing do not meet that threshold. Military and Paramilitary Activities, supra note 31, at 64–65. At the same time, adopting the attack as one's own is sufficient to attribute the responsibility to the state. ASR, Art. 11.
263 See, e.g., Corfu Channel (UK v. Alb.), Judgment, 1949 ICJ 4, 22 (Apr. 9).
264 Margulies, Peter, Sovereignty and Cyber Attacks: Technology's Challenge to the Law of State Responsibility, 14 Melbourne J. Int'l L. 496, 500 (2013).
265 Banks, William, State Responsibility and Attribution of Cyber Intrusions After Tallinn 2.0, 95 Tex. L. Rev. 1486, 1493 (2017) (asserting that cyber attribution is challenging and often time-consuming when state responsibility is suspected and that “international law places States in an untenable posture in responding to cyber intrusions below the use of force level”).
266 Roscini, Marco, Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations, 50 Tex. Int'l L.J. 233 (2015) (describing and discussing the evidentiary aspects of attribution regarding state responsibility in cyber context).
267 Egan, Brian, International Law and Stability in Cyberspace, 35 Berk. J. Int'l L. 169, 177 (2017).
269 Roscini, supra note 266, at 272 (arguing that the standard of proof is not uniform for all rules applicable to cyberoperations. Whereas claims of self-defense against cyberoperations, like against kinetic attacks, must be proved with clear and convincing evidence, fully conclusive evidence is needed to prove that a litigant conducted cyberoperations amounting to international crimes, and a slightly less demanding standard seems to apply when what needs to be proved is that the state did not exercise due diligence to stop its cyber infrastructure from being used by others to commit international crimes). By contrast, see Egan, supra note 267, stating there is no legal obligation to present the evidence and the standard of proof used in a specific incident, although political reasons might lead to greater transparency.
270 Egan, supra note 267, at 177; Wright, supra note 5.
271 Maurer, supra note 96, at 151–52 (suggesting three types of proxy relationships—delegation, under the state's effective control; orchestration, a looser relationship with the state, receiving funding but no specific instructions; and sanctioning, involving passive support from a state that is aware and turns a blind eye).
272 Note that criminal investigations provided sufficient evidence to file charges against seven Iranian hackers linked with the Iranian government in connection with the attacks, see Indictment and U.S. Dep't of Justice Press Release, supra notes 69-70.
273 Regarding the standard of proof, see Roscini, supra note 266, at 248–54, and Egan, supra note 267, at 177. Regarding the countermeasures discussed by the administration against Iran, including destroying the attackers’ server, see Nakashima, supra note 78. Such a discussion arguably suggests a high level of confidence in the possibility to attribute the operation, directly or indirectly, to Iran.
274 The final results of the criminal investigation into this incident have not been published yet, but Clapper, the then director of national intelligence, had pointed the finger at Iran. See Capaccio, supra note 108.
275 Nakashima, supra note 78.
276 Id. See also Dev, Priyanka R., “Use of Force” and “Armed Attack” Thresholds in Cyber Conflict: The Looming Definitional Gaps and the Growing Need for Formal U.N. Response, 50 Tex. Int'l L.J. 379, 392 (2015) (arguing that the highly defensive strategy the United States adopted will do little to deter its adversaries and expose it to repeated attacks).
277 The first known imitation of Stuxnet was the Shamoon malware deployed in August 2012, but there have been other copycat operations. Some are included in our case studies, for example, the Sony and Sands Casino hacks, Black-Energy 1+2, Shamoon 3+4, and NotPetya.
278 In the DNC hack case, it seems that the president and directors of the U.S. intelligence community did not share the same approach. Whereas the USIC joint report of October 7, 2016 attributes responsibility to Russia and calls to back up American warnings with action, the president seemed to adopt a more cautious approach, focusing solely on preventing Russia from disrupting the election process. See Nelson, supra note 153.
279 In the DNC hack case, the NSA released information about Russian cyber vulnerabilities to increase the risk of Russia being attacked by independent hacktivists and non-state actors, whereas in the Sony hack case the shutdown of the internet in North Korea for several hours was presumably a U.S. covert act of retaliation.
280 See Evanina's remarks regarding the OPM hack, cited in Strohm's report, supra note 99. See also the head of the BfV's remarks regarding the Bundestag hack, supra notes 183–84.
281 Browne, supra note 233; Hills, supra note 235; U.S. Homeland Security Advisor Press Briefing, supra note 230. See also Pyongyang Denies Responsibility for WannaCry, Glob. Times (Dec. 21, 2017), at http://www.globaltimes.cn/content/1081511.shtml.
282 William Banks, Who Did It? Attribution of Cyber Intrusions and the Jus in Bello, in The Impact of Emerging Technologies on the Law of Armed Conflict (forthcoming 2019), available at SSRN: https://ssrn.com/abstract=3191972.
283 Egan, supra note 267, at 177 (“Absolute certainty is not—and cannot be—required[;] …there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action.”); Wright, supra note 5 (claiming, inter alia, that there is no legal obligation on states to disclose the information on which the decision to attribute is based).
284 Banks, supra note 282, at 16–21; Clement Guitton, Inside the Enemy's Computer: Identifying Cyber Attackers 5 (2017).
285 Rid, Thomas & Buchanan, Ben, Attributing Cyber Attacks, 38 J. Strategic Stud. 4, 7 (2015).
286 Id. at 6.
287 See, e.g., Samuel Osborne, Salisbury Nerve Agent Attack: Sergei Skripal and Daughter were Poisoned with Novichok on Their Front Door, Independent (Mar. 28, 2018), at https://www.independent.co.uk/news/uk/crime/sergei-skripal-salisbury-poison-nerve-agent-russia-daughter-attack-novichok-front-door-home-a8278631.html.
288 U.S. Dep't of the Treasury Press Release, Treasury Sanctions Russian Federal Security Service Enablers (June 11, 2018), available at https://home.treasury.gov/news/press-releases/sm0410; Jim Finkle & Doina Chiacu, U.S., Britain Blame Russia for Global Cyber Attack, Reuters (Apr. 16, 2018), at https://www.reuters.com/article/us-usa-britain-cyber/u-s-britain-blame-russia-for-global-cyber-attack-idUSKBN1HN2CK.
289 Tallinn Manual 2.0, supra note 1, at 329 (Rule 68) (“A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful.”); id. at 330 (Rule 69) (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”).
290 See Tsagourias, Nicolas, The Tallinn Manual on the International Law Applicable to Cyber Warfare: A Commentary on Chapter II – The Use of Force, 15 Y.B. Int'l Humanitarian L. 22 (2013); Kilovaty, supra note 7, at 115–16; Kilovaty, Ido, Rethinking the Prohibition on the Use of Force in the Light of Economic Cyber Warfare: Towards a Broader Scope of Article 2(4) of the UN Charter, 4 J. L. & Cyber Warfare 210 (2015) (emphasizing the need to apply the prohibition on the threat or use of force to economic cyberattacks like kinetic cyberattacks). See also Kilovaty, supra notes 24–25; Fleck, supra note 7; Deeks, supra note 7.
291 Schmitt, supra note 3, at 20; see also Tallinn Manual 2.0, supra note 1, at 331, paras. 2–3.
292 Liu, Ian Yuying, State Responsibility and Cyberattacks: Defining Due Diligence Obligations, 4 Indon. J. Int'l & Comp. L. 191, 195 (2017); Corn & Jensen, Part 1, supra note 45 (“the prevailing view is that most, if not all, documented cyber actions taken by states to date have fallen below the ‘use of force’ threshold”).
293 Tallinn Manual 2.0, supra note 1, Art. 71, at 342, para. 10 (“A case illustrating the unsettled nature of the armed attack threshold is that of the 2010 Stuxnet operation. In light of the damage they caused to Iranian centrifuges, some members of the International Group of Experts were of the view that the operations had reached the armed attack threshold (unless justifiable on the basis of anticipatory self-defense (Rule 73)).”). See also Kilovaty, supra note 7, at 92.
294 Margulies, supra note 264, at 514–18.
295 For a debate over questions relating to the adaptability of law to cyberspace, see, e.g., Johnson, David R. & Post, David G., Law and Borders: The Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367 (1996); Goldsmith, Jack L., Against Cyberanarchy, 65 U. Chi. L. Rev. 1199 (1998); Roger Brownsword, So What Does the World Need Now? Reflections on Regulating Technologies, in Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes 23 (Roger Brownsword & Karen Yeung eds., 2008); Mireille Hildebrandt, Technology and the End of Law, in Facing the Limits of the Law 443 (Erik Claus, Wouter Devroe & Bert Keirsbilck eds., 2009); Jack Goldsmith & Tim Wu, Who Controls the Internet? Illusions of a Borderless World (2006); Lessig, Lawrence, The Law of the Horse: What Cyberlaw Might Teach, 113 Harv. L. Rev. 501 (1999).
296 See Tallinn Manual 2.0, supra note 1, Rule 69, as opposed to the flexible approach advocated by some authors. Supra note 290.
297 Tallinn Manual 2.0, supra note 1, at 330, para. 5; Tsagourias, supra note 290, at 21 (opining that “non-state actors, or at least those showing some form of organization, should be viewed as direct addressees of the customary rule prohibiting the threat or use of force”); Kilovaty, supra note 7, at 119–20. For the state of general international law on the matter, see Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 2004 ICJ 136, 194 (July 9); Sean Murphy, Self-Defense and the Israeli Wall Advisory Opinion: An Ipse Dixit from the ICJ?, 99 AJIL 62 (2005). Cf. Statement by the President George W. Bush in his Address to the American Nation (Sept. 11, 2001), available at https://georgewbush-whitehouse.archives.gov/news/releases/2001/09/20010911-16.html (declaring that the United States came under terrorist attack before attributing the attack to any particular entity).
298 Tallinn Manual 2.0, supra note 1, at 331, 334. The Rules cite the Nicaragua “scale and effects” standard for categorizing a prohibited use of force as an armed attack. See Military and Paramilitary Activities, supra note 31, at 103–04.
299 Allan, supra note 31. While it was unlikely that the attack on the dam could have resulted in much harm at the time of the attack (as it was closed for maintenance), obtaining through a cyberoperation the capacity to interfere with it in the future, might be regarded as the first step in an act of aggression.
300 Tallinn Manual 2.0, supra note 1, at 333 (defining “use of force” as “acts that injure or kill persons or physically damage or destroy objects”).
301 For a rule reflecting the “pin-prick” theory, see Tallinn Manual 2.0, supra note 1, at 342, para. 11. See also Roscini, supra note 29, at 108–10.
302 Tallinn Manual 2.0, supra note 1, at 17 (Rule 4).
303 Id. at 20. The experts were divided as to whether infringements falling short of non-functionality and which do not constitute interference in internal affairs violate sovereignty. Id. at 21.
304 See Corn, supra note 16; Corn & Taylor, supra note 46, at 201–11. See also Schmitt & Vihul, supra note 46, at 1649 et seq.
305 Jensen, Eric Talbot, The Tallinn Manual 2.0: Highlights and Insights, 48 George. J. Int'l L. 735, 743 (2017) (discussing whether sovereignty is a binding norm and arguing that neither of the disputed approaches—sovereignty as a rule or a principle—is universally accepted, citing former Department of State Legal Advisor Brian Egan, opining that the international community is currently “faced with a relative vacuum of public State practice”).
306 Tallinn Manual 2.0, supra note 1, at 21.
307 Id. at 18.
308 This is consistent with the approach regarding sovereignty as a principle, see Corn & Taylor, supra note 46 (non-intervention and due diligence might be considered rules which derived from the principle of sovereignty).
309 See, e.g., Declaration on Principles of International Law Concerning Friendly Relations and Co-operation Among States in Accordance with the Charter of the United Nations, Principle 3, UN Doc. A/RES/25/2625 (Oct. 24, 1970).
310 Tallinn Manual 2.0, supra note 1, at 312 (Rule 66).
311 Military and Paramilitary Activities, supra note 31, at 108.
312 Tallinn Manual 2.0, supra note 1, at 317, paras. 17–18. Declaration on Principles of International Law, supra note 302, clarifies that: “No State or group of States has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State… . No State may use or encourage the use of economic political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from it advantages of any kind… .”
313 Restricting freedom of choice in political affairs could further constitute a breach of the human rights of individuals within a state. International Covenant on Civil and Political Rights, Art. 25, Dec. 16, 1966, 999 UNTS 171: “Every citizen shall have the right and the opportunity, … (b) To vote and to be elected at genuine periodic elections which shall be by universal and equal suffrage and shall be held by secret ballot, guaranteeing the free expression of the will of the electors.”
314 See supra note 187; Eric Auchard, Macron Campaign Was Target of Cyber Attacks by Spy-Linked Group, Reuters (Apr. 24, 2017), at https://www.reuters.com/article/us-france-election-macron-cyber/macron-campaign-was-target-of-cyber-attacks-by-spy-linked-group-idUSKBN17Q200; Sumi Somaskanda, The Cyber Threat To Germany's Elections Is Very Real, Atlantic (Sept. 20, 2017), at https://www.theatlantic.com/international/archive/2017/09/germany-merkel-putin-elections-cyber-hacking/540162; Nick Allen, Dutch Spies “Caught Russian Election Hackers on Camera,” Telegraph (Jan. 26, 2018), at https://www.telegraph.co.uk/news/2018/01/26/dutch-spies-caught-russian-election-hackers-camera.
315 Tallinn Manual 2.0, supra note 1, at 312.
316 See White House Press Release, supra note 169.
317 Koh, Harold Hongju, The Trump Administration and International Law, 56 Washburn L.J. 413, 450 (2017) (“even if the Russians did not actually manipulate polling results, illegal coercive interference in another country's electoral politics—including the deliberate spreading of false news—constitutes a blatant intervention in violation of international law”); Ohlin, supra note 59, 1595–98 (suggesting that influence operations could be considered as a violation of the self-determination rule); Egan, supra note 267, at 172.
318 Ohlin, supra note 59, at 1592 (noting “there are substantial impediments to concluding that Russian hacking … constituted illegal coercion,” but that it depends on factual elements). It may be noted that it took more than a year after the 2016 U.S. elections to uncover the relevant evidence needed to file criminal charges against Russian nationals and to attribute direct responsibility to Russia for their activities.
319 Id. at 1594 n. 60 (citing Egan remarking that: “[A] cyber operation by a State that interferes with another country's ability to hold an election or that manipulates another country's election results would be a clear violation of the rule of non-intervention.”).
320 ICA, supra note 135.
321 Cole, Esposito, Biddle & Grim, supra note 134.
322 Mcfadden, Arkin & Monahan, supra note 137; Indictment (U.S. v. Internet Research Agency), supra note 173. See also Russia Election Interference, supra note 138.
323 Wright, supra note 5.
324 Kilovaty, Ido, Doxfare – Politically Motivated Leaks and the Future of the Norm on Non-intervention in the Era of Weaponized Information, 9 Harv. Nat'l Security J. 149, 157–59, 174–77 (2018) (describing a disruption process of “doxfare,” an operation undertaken by state-sponsored groups with a view to intruding networks and computers, gathering non-public data and leaking it at a chosen timing to influence the victim state's internal or external affairs).
325 Tallinn Manual 2.0, supra note 1, at 313, para. 3.
326 Id. at 30 (Rule 6) (“A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States.”).
327 Id. at 36.
328 Report of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, at para. 28(e), UN Doc. A/70/174 (2015) (emphasis added).
329 Jensen, supra note 305, at 745 n.45.
330 Maurer, Tim, “Proxies” and Cyberspace, 21 J. Conflict & Security L. 383 (2016).
331 Jensen, Eric Talbot, Cyber Sovereignty: The Way Ahead, 50(2) Tex. Int'l L.J. 275, 299 (2015) (asserting that the duty to monitor is controversial as it compromises potential human rights obligations). See also Jensen, Eric Talbot, Cyber Deterrence, 26 Emory Int'l L. Rev. 773, 810, 824 (2012) (citing President Obama stating: “Our pursuit of cybersecurity will not—I repeat, will not include—monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties … .”).
332 Tallinn Manual 2.0, supra note 1, at 43.
333 The OPM hack and the Sony hack were launched from Chinese territory and the Bundestag hack was launched from a Russian region. None of the three attacks was attributed to the host state, which might suggest some hesitation in relying on constructive knowledge as a basis for claiming attribution.
334 It is noteworthy in that regard that most of the Tallinn experts were of the view that states may respond to an armed attack with an act of self-defense even if the attacker is a non-state actor. Tallinn Manual 2.0, supra note 1, at 345, paras. 18–19 (the majority of the IGE concluded it is state practice relying on the international community resolutions regarding the 9/11 attack). See also Jupillat, Nicolas, Armed Attacks in Cyberspace: The Unseen Threat to Peace and Security that Redefines the Laws of State Responsibility, 92 U. Det. Mercy L. Rev. 115, 122 (2015) (claiming that self-defense must remain an answer to armed attacks carried out by states only, but open to lowering the threshold of state responsibility to deter states hiding behind proxies).
335 Colonel Gary Corn, a legal advisor of the U.S. Cyber Command, and Professor Eric Talbot Jensen have claimed that, so far, all U.S. reactions to cyberoperations directed against it were in the form of retorsions. Corn & Jensen Part 1, supra note 45.
336 According to the ASR, resort to countermeasures depends on several factors, including intent to induce compliance, prior notification, limits on application to fundamental international law norms, and proportionality. ASR, supra note 262, Arts. 49–54. Note that the UK attorney general has doubted whether there is a need to present a notification before engaging in cybernetic countermeasures. Wright, supra note 5 (“The one area where the UK departs from the excellent work of the International Law Commission on this issue is where the UK is responding to covert cyber intrusion with countermeasures. In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it.”).
337 Nakashima, supra note 78.
338 Pascucci, Peter P., Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution, 26 Minn. J. Int'l L. 419 (2017) (discussing difficulties in implementing proportionality and distinction rules in cyberspace).
339 See White House Press Release, supra note 254.
340 Pascucci, supra note 338, at 461 (“In cyberwar, the application of the principles of distinction and proportionality fail to adequately provide protection of the civilian population because the definitions and current application are based upon the historical application to kinetic warfare.”). See also Duncan Hollis, Re-thinking the Boundaries of Law in Cyberspace: A Duty to Hack?, in Cyber War: Law and Ethics for Virtual Conflicts 129 (J. Ohlin, Kevin Govern & Claire Finkelstein eds., 2015) (criticizing the insistence of relying on analogy while rejecting more appropriate non-analogous solutions); Crootof, Rebecca, Autonomous Weapon Systems and the Limits of Analogy, 9 Harv. Nat'l. Security J. 51 (2018) (emerging technologies create more and more situations where no analogy to other existing areas of law application will be appropriate).
341 Egan, supra note 267, at 179–80.
342 Report of the UN Group of Governmental Experts, supra note 328.
343 See, e.g., G7 Declaration on Responsible States Behavior in Cyberspace, Apr. 11, 2017, available at https://www.mofa.go.jp/files/000246367.pdf. See also Taddeo, Mariarosaria, Deterrence by Norms to Stop Interstate Cyber Attacks, 27 Minds & Machines 387 (2017).
344 See, e.g., White House, Fact Sheet: President Xi Jinping's State Visit to the United States (Sept. 25, 2015), available at https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states (containing agreement on IP theft and cybersecurity).
345 See, e.g., Posner, Eric A. & Goldsmith, Jack, Further Thoughts on Customary International Law, 23 Mich. J. Int'l L. 191, 193 (2001).
346 Koh, supra note 317, at 418.
347 One may note in this regard that Brian Egan, the U.S. State Department's previous legal adviser, criticized the relative silence of states regarding cyberoperations, arguing that it increases uncertainty which “could give rise to misperceptions and miscalculations by States, potentially leading to escalation and, in the worst case, conflict.” Egan, supra note 267, at 172.
348 Cf. Waxman, Matthew C., Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int'l L. 421, 424 (2011).
349 Sullivan, supra note 125.
350 White House Press Release, supra note 169; Egan, supra note 267, at 172.
351 For a discussion of the legal implications of lack of a legal explanation for recent uses of forces in Syria, see Marko Milanović, The Syria Strikes: Still Clearly Illegal, EJIL: Talk! (Apr. 15, 2018), at https://www.ejiltalk.org/the-syria-strikes-still-clearly-illegal. The exception to the trend of not providing a legal explanation for recent interventions in Syria is the UK Prime Minister's Office, Syria Action – UK Government Legal Position (Apr. 14, 2018), available at https://www.gov.uk/government/publications/syria-action-uk-government-legal-position/syria-action-uk-government-legal-position.
352 Sullivan, supra note 125.
353 See, e.g., Hersch Lauterpacht, The Development of International Law by the International Court 387 (1958, 1982 reprint).
354 See generally Stone, Randall W., Informal Governance in International Organizations, 8 Rev. Int'l Org. 121 (2013).
355 The Final Act of the Conference on Security and Cooperation in Europe, Aug. 1, 1975, Part X, 14 ILM 1292 (1975).
356 Joint Comprehensive Plan of Action, at pmbl., July 14, 2015, available at https://www.state.gov/documents/organization/245317.pdf.
357 Thomas Giegerich, Retorsion, in Max Planck Encyclopedia of Public International Law 983 (2011).
358 Corn & Jensen Part 1, supra note 45.
359 For a discussion of international law governing espionage, see Pun, supra note 57; Asaf Lubin, Espionage as a Sovereign Right Under International Law and Its Limits, 24 ILSA Q. 22 (2015–2016).
360 See supra notes 101 and 102.
361 For an exposition of the idea of establishing an international attribution agency, see Smith, supra note 240.
362 For a discussion, see Hurd, Ian, Is Humanitarian Intervention Legal? The Rule of Law in an Incoherent World, 25 Ethics & Int'l Aff. 293 (2011).
363 UN Charter Art. 2(3).
364 Väljataga, supra note 6.
365 See, e.g., Tim Jordan, Cyberpower: The Culture and Politics of Cyberspace and the Internet 1 (1999); Kücklich, Julian Raul, Virtual Worlds and their Discontents Precarious Sovereignty, Governmentality, and the Ideology of Play, 4 Games & Culture 340 (2009).
366 Adams, Jackson & Albakajai, Mohamad, Cyberspace: A New Threat to the Sovereignty of the State, 4 Mgmt. Stud. 256, 256–57 (2016) (depicting “the virtual nature of the cyberspace implies dematerialization (everything is paperless), detemporalization (instant communication), and deterritorialization (breaking the geographical boundaries and distances) of online activities and interactions”).
367 Charles Arthur, Internet Regulation: Is It Time to Rein in the Tech Giants?, Guardian (July 2, 2017), at https://www.theguardian.com/technology/2017/jul/02/is-it-time-to-rein-in-the-power-of-the-internet-regulation.