It’s a scenario that’s been on the very top of every cybersecurity official’s list of nightmares for a good while now: a cyberattack targeting critical IT infrastructures of a hospital, bringing all lifesaving operations to a halt with potentially deadly consequences. Unsurprisingly, these persistent anxieties have only increased in the midst of a global pandemic that is overstraining healthcare capacities even without any intervention from nefarious outside actors. And we are not talking about merely hypothetical cases. On March 13, Brno University Hospital, home to one of the largest COVID-19 testing facilities in the Czech Republic, had to cancel all operations and relocate patients to other hospitals after coming under attack – luckily, just before the new Coronavirus had really started to take hold of the country. Further reports of apparently unsuccessful cyberattacks against hospitals have been coming from Madrid and Paris.
Contrary to frequently imagined scenarios of adversarial agents remotely hacking into critical medical equipment (which is, or so one would hope, probably not directly connected to the internet and thus less vulnerable, though certainly not invincible, to malicious activity from outside actors), such attacks don’t need to be very sophisticated in order to be effective from the attacker’s perspective. In a health crisis, it might be enough to cripple a hospital’s administrative IT network by way of a relatively simple distributed denial-of-service (DDoS) attack to throw the entire institution in potentially fatal disarray. In this type of operation, the attackers hack into unsuspecting systems (these days frequently insufficiently secured IoT devices like networked fridges or light switches) to create a so-called botnet. Operated by means of a command-and-control (C2) infrastructure located on one or more interconnected servers, the compromised systems can then be used to launch a coordinated attack against a target network, overwhelming its connected computers by flooding it with meaningless requests. As a result, the affected network is unable to fulfil its supposed functions.
In such a situation, called in state cybersecurity authorities might attempt to track down the C2 infrastructure to act against it – but what if, as will usually be the case, these servers are located on foreign soil? The default avenue is to alert the other state’s authorities and to coordinate with the relevant internet service provider (ISP) to bring the malicious traffic to a halt. However, the state might be unwilling to cooperate quickly, or at all – possibly, as it is itself behind the attack or at least happy to tolerate the hackers’ malevolent conduct. This is where ‘hacking back’ or ‘active cyber defence’ policies enter the picture, as devised by an increasing number of states as part of their official cybersecurity strategies. In the case of an ongoing malicious cyber operation and uncooperative foreign authorities, so the theory goes, it might be feasible for state agents (hacking back by private entities raises different legal issues and is not the subject of this post) to stop the attack by counter-hacking into the botnet’s C2 infrastructure in order to take it down. Such an approach, however, doesn’t come without serious ramifications: Hacking back into the IT infrastructure used for the original attack risks to cause significant collateral damage, as the servers may be needed for other, completely uninvolved and essential functions. In other words, a counterattack for defensive purposes might end up jeopardising people’s lives as well.
To be sure, this does not mean that the active defence measure would necessarily be unlawful (if it was politically expedient is a different question). But the defending state will have to be able to justify its conduct under applicable international law, presumably either as self-defence in accordance with Article 51 UN Charter (if the cyberattack against the hospital amounted to an ‘armed attack’) or as a countermeasure, a legal remedy established in customary international law. Yet this is where the trouble starts: both rules require the defender to act against the state that is legally responsible for the original cyberattack; in other words, for the defensive hack back to be lawful, the DDoS attack must first be attributed to the state affected by the remedy. And for this, it is not sufficient to merely prove that the C2 servers are located on that state’s territory. The defending state must furthermore, with clear and convincing evidence, establish a link between the individuals that launched the cyberattack and the state, showing that they acted on its behalf.
Given the technical layout of global networks and the nature of software code, which both allow malicious actors to hide their tracks fairly effectively, attribution of cyberattacks has proven to be one of the most persistent problems for the application of international law – or any law, for that matter – to state conduct in cyberspace. It’s not that attribution is always impossible, as was occasionally argued in the early days of state-authored cyberattacks. Yet while official public attributions by state actors have gradually become more common in the past few years, the process remains incredibly time-consuming. Gathering forensic and other evidence that allows for conclusions with high confidence takes months, sometimes years; time hardly available in an emergency situation, when the lives of patients are at stake caused an ongoing DDoS attack against hospital infrastructures amid a pandemic.
In light of this dilemma, states might be inclined to resort to one of the more esoteric and rarely discussed ways to preclude the wrongfulness of protective conduct: the plea of necessity. A legal defence generally accepted as part of customary international law, the rule condones measures that violate another state’s rights if they are the only way to ‘protect the essential interests of a state against a grave and imminent peril’, in the words of Article 25 of the International Law Commission’s Articles on State Responsibility. Contrary to self-defence or countermeasures, the plea does not require attribution prior to acting defensively, as the measure is directed against the ‘grave and imminent peril’ itself – the DDoS attack – and not against the responsible party, even if the factual outcome will naturally be identical.
While this may sound tempting, however, necessity is a rather blunt legal instrument; like all norms derived from the legal-theoretical concept of the state of exception, it addresses the emergency situation by suspending the normal operation of the legal regime concerned, creating frictions with the rule of law. Invoking necessity legitimates a state to act outside of its normatively expected performance. Resorting to the exception too frequently will lead to its normalisation, eroding and eventually superseding the rule itself. Even if the cyberattacks against hospitals we are witnessing at the moment might be owed to the dire global situation with COVID-19, prompting malicious actors to exploit the crisis for their strategic gain, hacking critical infrastructures will surely stay with us after the virus has subsided. In light of this, the customary plea of necessity is hardly a sustainable basis for state measures against cyberattacks. One way to move forward and to alleviate the inherent tensions between necessity and the rule of law, therefore, would be for the community of states to develop a specific emergency regime for cyberspace, a treaty that prescribes the preconditions and legal consequences of engaging in active cyber defence measures against cyberattacks. Given the current state of multilateralism, the intensifying great power competition between the United States and China, and fundamental differences concerning the clarification and development of international norms for cyberspace, it may be difficult to imagine the community of states coming together to agree on such a treaty. Still, special international regimes for specific emergency situations are not unheard of, and the urgent question of the safety of hospitals facing COVID-19 might prove to be an actual opportunity to reconsider the legal architecture of transnational cyber infrastructures.
Israel Public Policy Institute (IPPI) serves as a platform for exchange of ideas, knowledge and research among policy experts, researchers, and scholars. The opinions expressed in this text are solely that of the author/s and do not necessarily reflect the views of IPPI.
Why Germany should practice the cyber norms it preaches: “The Case of a Vulnerabilities Equities Process”
The year 2021 has seen new momentum in the global debate about cyber norms, that is, rules for…
How does the DSA contribute to platform governance and tackle disinformation?
Introduction The adoption of the Digital Services Act (DSA) has been a welcome landmark step in European digital…
"The pandemic has put a magnifying glass on misinformation”
Disinfo Talks is an interview series with experts from around the world, who tackle the challenge of disinformation through…