Your network has been locked! You need to pay $2,000,000 now, or $4,000,000 after doubled.
What sounds like a typical internet scam pop-up advertisement, are actually the words of a group posing a serious threat to the United States of America and its economy. A cyberattack on the "Colonial Pipeline" by a group called "DarkSide" has caused a pipeline responsible for 45% of the U.S. east coast's supply for diesel, petrol, and jet fuel to stop operation. The outcome of this shortage will be noticeable in the economy as a whole, down to the smallest business operations thinkable.
With digitalization shaping every part of our lives, cyber-attacks become more and more likely to cause problems for states and the private sector. Especially problematic will be the legal evaluation of attacks on pipelines, which, unlike the American example, operate cross-border and have multiple different states rely on it.
Cyber-attacks have been an issue of Public International Law for a long time. Especially, its utilization in military contexts and how it fits into the framework of law concerned with armed conflicts is a question of concern for international legal scientists.
A cyber attack on a pipeline could first be evaluated under Peacekeeping Law or Ius ad Bellum. It could be of concern as both an infringement of the UN Charter's ban on the use of force as well as a response to such infringement justified on the grounds of self-defense or a UN Security Council resolution. Cyber-attacks may constitute the use of force when they are directed towards an outcome that in their severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy is comparable to physical attacks. The destruction of an economically important pipeline would fit these criteria. It may also be justifiable as a proportional measure of self-defense, since the destruction of a pipeline is a relatively effective measure that does not endanger a great number of civilians, severely targeting a state's war prowess without putting harm on its civil population.
This is moreover a factor in Humanitarian International Law, where the destruction of economic structures is preferred over the forbidden attack on civilians. However, these legal concerns only connect to cyber-attacks executed by states. In the case of the US Oil and Gas Pipeline, the Cyber Attack was done by a non-state organization, therefore, excluding the applicability of the law of armed state-state conflicts.
Cyber attacks from non-state actors might however still be relevant under Public International Law in cases where the harm done by them falls under the law of state responsibility, through the American "Unwilling or Unable" doctrine when states fail to prevent the danger these groups pose to other states, through cyber attacks carried out by non-state actors that were nevertheless acting as an instrument of a state, or even through responsibility to protect the civil population from such attacks. All these might cause grounds for intervention on behalf of the UN Security Council or enactment of the right to self-defense. However, the law of peacekeeping is not a "right to war" anymore and demands a restrictive interpretation. The damage done by cyber-attacks must therefore be extremely high to seriously trigger such mechanisms.
Cyber attacks can constitute many different criminal offenses depending on their specific nature. German criminal law introduced its § 303b StGB, which likens destructive cyberattacks to property damage offenses. In the case of the US Oil and Gas pipeline, while there was no permanent damage done, the locking of important systems to force the owners to pay millions of dollars is more akin to blackmail.
But more important than which specific criminal laws are violated is the question of which is the law that determines this. Which persons and deeds are subject to a state's criminal judiciary is determined by different principles. International criminal law functions as a coordination process to balance the rule of law in all states with procedural rights and the obligation not to violate state sovereignty by interfering with their system of fighting crime.
The two central principles of international criminal law are the principle of territorial and personal jurisdiction. According to the principle of territorial jurisdiction, a state can prosecute crimes committed on the territory of its sovereignty. The meaning of the personal jurisdiction principle is two-fold: Active personal jurisdiction refers to jurisdiction over acts committed by persons having the nationality of the forum state, while passive personal jurisdiction concerns crimes to which nationals of the forum state are the victim.
Moreover, the principle of universal jurisdiction singles out crimes so severely that they can be prosecuted by any state. A recent example of this is Germany prosecuting Syrian regime supporters participating in the crimes against humanity committed by the Assad regime in the Al Katib case. Another principle, the protective principle, regards states' right to prosecute crimes that endanger the security of their population.
In cases where a non-governmental organization performs a cyber attack on a cross-border pipeline, the following criminal law systems are therefore empowered to enact their jurisdiction in different states. Firstly, the state of which the attackers are nationals can prosecute them based on active personal jurisdiction. More difficult however is the question, which state has territorial jurisdiction. Due to the internet, cyber attacks can be conducted while accessing the internet all around the world. The main damage will be done in either all states of the cross-border pipeline or in part of them while affecting all. Generally, all states in which a crime is conducted are empowered by territorial jurisdiction.
This however might not include each state that, while not directly suffering damage, is indirectly affected by the cyber attack. States that experience only second-order effects of the attack could still invoke the protective principle. This however presumes a cyber-attack with consequences so severe that they endanger a state's safety. Possible examples of this are already hard to construct in the first place: If the pipeline supplied a state with energy that is highly dependent on it and would struggle to keep the public order and not turn into a failed state without the energy from said pipeline might invoke this principle to enact its jurisdiction over such cyber attacks. This is however only thinkable in a minority of cases.
Lastly, the principle of universal jurisdiction is quite far-fetched in this context. Cyber attacks to pipelines are unlikely to constitute human rights violations so terrible that this principle would come to fruition. But with a large cross-border pipeline
Lastly, it stands to reason how such a cyber attack would affect the private law sector. In this scenario, the pipelines would be owned and operated by private or public companies from the different states that have a stake in the pipeline. As a cyber attack would affect the whole pipeline all stakeholders would likely suffer financial or property damage from it. Moreover, there might be contractors who could invoke hardship clauses or liability regulations to approach the operators with damage claims. Lastly, the owners of the pipeline would have damage claims against the attackers based on tort laws. Again, all these conflicts would be connected by the overarching question of which law would govern such claims, which courts would have jurisdiction, and which procedural order the proceedings would follow.
Pursuant to the principle of party autonomy, in civil law conflict parties generally can agree on governing law and responsible courts or tribunals. This is especially common in international commercial contract disputes. Where such a "Dispute Resolution Agreement" does not exist, the framework of private international law provides the guidelines on what is applicable. Private international law has been discussed by the state community since the late 19th century, but a directly applicable worldwide PIL convention has never been passed. While certain principles have prevailed through law and thought, states generally decide in their national law how international cases apply to them. The European Union has in the last decades approached a more uniform framework in its Rome I-IV regulations. Generally speaking, however, it can be difficult and costly to determine which jurisdiction applies, wherefore the choice of international contractors for an agreement on dispute resolution seems reasonable.
As can be seen, international law provides frameworks for dealing with the fallout of such cyber attacks. The more pressing issue is however based not on law but in reality: Digitalisation and globalization have made it very easy for hackers to shroud their identity and location in darkness, or hide in states that would not extradite them. Finding and captivating these criminals while still protecting the privacy of the rest of the population is thereby a far greater challenge than figuring out the applicable law.
July 17, 2021