No CrossRef data available.
Article contents
Legal challenges of attributing malicious cyber activities against space activities
Published online by Cambridge University Press: 02 October 2024
Abstract
Malicious cyber activities against space activities (MCASAs) add to the complexities of the legal attribution of malicious cyber activities violating international law. The ‘space’ implies the possibility of applying international space law considering the lex specialis derogat legi generali (more specific rules will prevail over more general rules) principle. However, neither the attribution rules of international space law nor of general international law could completely tackle this dilemma. This study categorizes MCASAs into three categories based on the role of the involved space activities and analyses the crux of legal attribution in each scenario. It proposes different coping approaches, including a four-pronged way, introducing a peculiarity test, and specifying substantive international obligations of the states responsible for space activities.
Keywords
- Type
- ORIGINAL ARTICLE
- Information
- Copyright
- © The Author(s), 2024. Published by Cambridge University Press on behalf of The Foundation of the Leiden Journal of International Law in association with the Grotius Centre for International Law, Leiden University
Footnotes
*
The author sincerely appreciates the insightful and constructive comments and recommendations from the anonymous reviewers. This work was financially supported by the Education Department of Hainan Province [grant number Hnky2023ZD-1] and Hainan University [grant number kyqd(sk)2101].
References
1 ILC Articles on Responsibility of States for Internationally Wrongful Acts, 2001 YILC, Vol. II (Part Two).
2 W. Akoto, ‘Hackers Could Shut Down Satellites – or Turn Them into Weapons’, The Conversation, 12 February 2020, available at theconversation.com/maliciousactors-could-shut-down-satellites-or-turn-them-into-weapons-130932.
3 J. Muylaert and L. Del Monte, ‘Cybersecurity of Space Missions’, Presentation at the Workshop of the European Interparliamentary Space Conference of 14 May 2018.
4 Intelsat, ‘Intelsat Works with Sri Lankan Authorities to Halt Unauthorized Use of Its Satellite’, 11 April 2007, available at investors.intelsat.com/news-releases/news-release-details/intelsat-works-sri-lankan-authorities-halt-unauthorized-use-its.
5 P. Tullis, ‘GPS Is Easy to Hack, and the U.S Has No Backup’, Scientific American, 1 December 2019, available at www.scientificamerican.com/article/gps-is-easy-to-hack-and-the-u-s-has-no-backup/.
6 R. von Solms and J. van Niekerk, ‘From Information Security to Cyber Security’, (2013) 38 Computers and Security 97.
7 D. Li, ‘Cyber-Attacks on Space Activities: Revisiting the Responsibility Regime of Article VI of the Outer Space Treaty’, (2023) 63 Space Policy 101522, at 1.
8 UNGA, The ‘Space2030’ Agenda and the Global Governance of Outer Space Activities, UN Doc. A/AC.105/1166 (13 December 2017).
9 Committee on the Peaceful Uses of Outer Space, The Proposal of the Ukrainian Delegation on the Establishment of a New Item on the Agenda of the Legal Subcommittee on the Cybersecurity of Space Activities, UN Doc. A/AC.105/C.2/2021/CRP.27 (8 June 2021).
10 See, for instance, White House, National Security & Defense: Memorandum on Cybersecurity Principles for Space Systems, 4 September 2020, Space Policy Directive-5, available at trumpwhitehouse.archives.gov/presidential-actions/memorandum-space-policy-directive-5-cybersecurity-principles-space-systems/.
11 UNOOSA, Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies, UN Doc. A/RES/2222 (XXI) (1967).
12 B. Cheng, Studies in International Space Law (1997), 230; S. Hobe, B. Schmidt-Tedd and K. U. Schrogl (eds.), Cologne Commentary on Space Law-vol. I (2009), 48.
13 H. Thirlway, The Sources of International Law (2019), 147.
14 S. Aoki, ‘Identifying the Scope of the Applicable International Law Rules towards Malicious Cyber Activities against Space Assets’, (2018) 61 Proceedings of the International Institute of Space Law 687, at 699.
15 R. Popova, ‘Cyber Law and Outer Space (Activities): Legal and Regulatory Challenges’, (2018) 61 Proceedings of the International Institute of Space Law 659, at 660.
16 M. Maybaum, ‘Technical Methods, Techniques, Tools and Effects of Cyber Operations’, in K. Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace. International Law, International Relations and Diplomacy (2013), 103.
17 S. A. Kaiser, ‘When Cyber Activities Are Space Activities: Definitions Are Key’, (2020) 63 Proceedings of the International Institute of Space Law 297, at 303.
18 M. Mejía-Kaiser, ‘Space Law and Unauthorised Cyber Activities’, in Ziolkowski, supra note 16, at 349.
19 See Kaiser, supra note 17, at 297.
20 F. G. von der Dunk, ‘International Space Law’, in F. G. von der Dunk and F. Tronchetti (eds.), Handbook of Space Law (2015), 29.
21 T. Neger and E. Walter, ‘Space Law-An Independent Branch of the Legal System’, in C. Brünner and A. Soucek (eds.), Outer Space in Society, Politics and Law (2011), 234, at 238.
22 Z. Huang, ‘Attribution Rules in ILC’s Articles on State Responsibility: A Preliminary Assessment on Their Application to Cyber Operations’, (2014) 14 Baltic Yearbook of International Law 41, at 43.
23 R. Geiss and H. C. Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’, in Ziolkowski, supra note 16, at 623.
24 H-G. Dederer and T. Singer, ‘Adverse Cyber Operations: Causality, Attribution, Evidence, and Due Diligence’, (2019) 95 International Law Studies 430, at 438.
25 S. J. Shackelford and R. B. Andres, ‘State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem’, (2011) 42 Georgetown Journal of International Law 971, at 982.
26 N. Tsagourias and M. Farrell, ‘Cyber Attribution: Technical and Legal Approaches and Challenges’, (2020) 31 EJIL 941, at 946.
27 Ibid., at 950.
28 See Y. Dinstein, ‘Computer Network Attacks and Self-Defence’, (2002) 76 Computer Network Attack and International Law 99, at 112; M. Roscini, ‘World Wide Warfare - Jus ad Bellum and the Use of Cyber Force’, (2010) 14 Max Planck Yearbook of United Nations Law 85, at 97; D. Tran, ‘The Law of Attribution: Rules for Attribution the Source of a Cyber-Attack’, (2018) 20 Yale Journal of Law & Technology 376, at 381.
29 See D. E. Graham, ‘Cyber Threats and the Law of War’, (2010) 4 Journal of National Security Law & Policy 87, at 92; M. C. Waxman, ‘Cyber Attacks as “Force” Under UN Charter Article 2(4)’, (2011) 87 International Law Studies 43, at 50.
30 See Huang, supra note 22, at 50.
31 M. N. Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare (2013), at 32.
32 K. Macak, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’, (2016) 21 Journal of Conflict and Security Law 405, at 411.
33 Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, Judgment of 27 June 1986, [1986] ICJ Rep. 14, at 54, para. 115.
34 J. Crawford, State Responsibility: The General Part (2013), at 149.
35 Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Merits, Judgment of 26 February 2007, [2007] ICJ Rep. 43, at 214, para. 413.
36 See Shackelford and Andres, supra note 25, at 988; C. Payne and L. Finlay, ‘Addressing Obstacles to Cyber-Attribution: A Model Based on State Response to Cyber-Attack’, (2017) 49 George Washington International Law Review 535, at 557; see Macak, supra note 32, at 421.
37 ICTY, Prosecutor v. Tadić, Judgement, Case No. IT-94-1-A, Appeals Chamber, 15 July 1999.
38 Ibid.
39 See P. Margulies, ‘Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility’, (2013) 14 Melbourne Journal of International Law 496, at 507; L. Finlay and C. Payne, ‘The Attribution Problem and Cyber Armed Attacks’, (2019) 113 American Journal of International Law Unbound 202, at 205.
40 See Tsagourias and Farrell, supra note 26, at 964.
41 See Macak, supra note 32, at 422.
42 See Shackelford and Andres, supra note 25; Huang, supra note 22; Finlay and Payne, supra note 39.
43 See Graham, supra note 29, at 93; M. J. Sklerov, ‘Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent’, (2009) 201 Military Law Review 1, at 48.
44 See Payne and Finlay, supra note 36, at 565; Huang, supra note 22, at 51–3.
45 L. Grosswald, ‘Cyberattack Attribution Matters Under Article 51 of the U.N. Charter’, (2011) 36 Brooklyn Journal of International Law 1151, at 1155.
46 See Tsagourias and Farrell, supra note 26, at 17–23; Tran, supra note 28, at 426–35; Y. Shany and M. N. Schmitt, ‘An International Attribution Mechanism for Hostile Cyber Operations’, (2020) 96 International Law Studies 196, at 215–18; W. Banks, ‘Cyber Attribution and State Responsibility’, (2021) 97 International Law Studies 1039, at 1070.
47 See Margulies, supra note 39, at 500–1.
48 Ibid., at 514.
49 Ibid.
50 See, for example, Dederer and Singer, supra note 24, at 446–8; Payne and Finlay, supra note 36, at 566; N. Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’, (2012) 17 Journal of Conflict and Security Law 229, at 243–4.
51 See Shany and Schmitt, supra note 46, at 215.
52 ‘KA-SAT Network Cyber Attack Overview’, Viasat, 30 March 2022, available at news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview.
53 CyberPeace Institute, ‘Viasat Case Study’, June 2022, available at cyberconflicts.cyberpeaceinstitute.org/law-and-policy/cases/viasat.
54 See Crawford, supra note 34, at 333.
55 Ibid., at 335.
56 See Hobe, Schmidt-Tedd and Schrogl, supra note 12, at 107.
57 See Kaiser, supra note 17, at 303.
58 Commentaries to the Draft Articles on Responsibility of States for Internationally Wrongful Acts (2001), Report of the ILC, Supplement No. 10 (A/56/10), Ch. IV.E.2.
59 See Hobe, Schmidt-Tedd and Schrogl, supra note 12, at 112.
60 See 1986 Outer Space Act of the United Kingdom, c. 38 § 1–2.
61 B. Cheng, ‘Article VI of the 1967 Space Treaty Revisited: “International Responsibility”, “National Activities”, and “The Appropriate State”’, (1998) 26 Journal of Space Law 7, at 23–6.
62 C. J. Robinson, ‘Changing Responsibility for a Changing Environment: Evaluating the Traditional Interpretation of Article VI of the Outer Space Treaty in Light of Private Industry’, (2020) 5 University of Bologna Law Review 1, at 14.
63 See Cheng, supra note 61, at 22.
64 Ibid., at 24.
65 Ibid., at 25.
66 See Robinson, supra note 62, at 14; see also ibid.
67 See Hobe, Schmidt-Tedd and Schrogl, supra note 12, at 114.
68 See Commentaries, supra note 58.
69 Ibid.
70 B. Simma and D. Pulkowski, ‘Leges speciales and self-contained regimes’, in J. Crawford et al. (eds.), The Law of International Responsibility (2010), 139, at 146.
71 See Bosnia and Herzegovina v. Serbia and Montenegro case, supra note 35, at 217, para. 420.
72 V. Lanovoy, ‘Complicity in an Internationally Wrongful Act’, in A. Nollkaemper and I. Plakokefalos (eds.), Principles of Shared Responsibility in International Law: An Appraisal of the State of the Art (2014), 134, at 141.
73 H. P. Aust, Complicity and the Law of State Responsibility (2011), at 198.
74 Ibid., at 200–10.
75 See Commentaries, supra note 58, at 156.
76 See Lanovoy, supra note 72, at 150.
77 Ibid., at 153–5.
78 Ibid., at 155.
79 Ibid.; see Commentaries, supra note 58, at 156.
80 See Aust, supra note 73, at 197.
81 See Commentaries, supra note 58.
82 See Aust, supra note 73, at 213.
83 See Crawford, supra note 34, at 338.
84 Ibid.
85 See Bosnia and Herzegovina v. Serbia and Montenegro, supra note 35, at 222, para. 432.
86 See Aust, supra note 73, at 225–7.
87 See Crawford, supra note 34, at 334.
88 Corfu Channel case (United Kingdom of Great Britain and Northern Ireland v. Albania.), Judgment of 9 April 1949, [1949] ICJ. 4, at 22.
89 A. Berkes, ‘The Standard of “Due Diligence” as a Result of Interchange between the Law of Armed Conflict and General International Law’, (2018) 23 Journal of Conflict and Security Law 433, at 433.
90 A. Coco and T. de Souza Dias, ‘“Cyber Due Diligence”: A Patchwork of Protective Obligations in International Law’, (2021) 32 EJIL 771, at 776; ILC, Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, with commentaries, UN Doc. A/56/10 (2001), 144, at 154.
91 See E. T. Jensen and S. Watts, ‘Cyber Due Diligence’, (2021) 73 Oklahoma Law Review 645, at 679–80.
92 See Coco and de Souza Dias, supra note 90.
93 T. Dias and A. Coco, Cyber Due Diligence in International Law, Project Report, Oxford Institute for Ethics, Law and Armed conflict, at 163, available at www.elac.ox.ac.uk/wp-content/uploads/2022/03/finalreport-bsg-elac-cyberduediligenceininternationallawpdf.pdf.
94 United Nations Office for Disarmament Affairs, Factsheet: Developments in the Field of Information and Telecommunications in the Context of International Security, July 2019, available at front.un-arm.org/wp-content/uploads/2019/07/Information-Security-Fact-Sheet-July-2019.pdf.
95 Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/RES/53/70 (1999).
96 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/68/98 (2013).
97 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/70/174 (2015).
98 Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, UN Doc. A/76/135 (2021).
99 I. Y. Liu, ‘The Due Diligence Doctrine under Tallinn Manual 2.0’, (2017) 33 Computer Law & Security Review 390, at 395.
100 F. G. von der Dunk, ‘The Origins of Authorisation: Article VI of the Outer Space Treaty and International Space Law’, in F. G. von der Dunk (ed.), National Space Legislation in Europe: Issues of Authorisation of Private Space Activities in the Light of Developments in European Space Cooperation (2011), 3, at 16.
101 See Aust, supra note 73, at 198.
102 Ibid.
103 Ibid., at 200.
104 Ibid., at 200–10.
105 See Commentaries, supra note 58.
106 See Lanovoy, supra note 72, at 144; I. Brownlie, System of the Law of Nations: State Responsibility Part 1 (1983), at 191.
107 See Cheng, supra note 61, at 23.
108 UNOOSA, ‘National Space Law’, available at www.unoosa.org/oosa/en/ourwork/spacelaw/nationalspacelaw/index.html; see R. S. Jakhu (ed.), National Regulation of Space Activities (2010); K. Abhijeet, ‘State Practices Regarding International Responsibility for National Activities in Outer Space’, (2020) 44 Journal of Space Law 352, at 366–70.
109 See Abhijeet, ibid., at 366.
110 Antarctic Act 1994, available at ∼°www.legislation.gov.uk/ukpga/1994/15#:∼:text=An%20Act%20to%20make%20new%20provision%20in%20connection,and%2090°%20West%20longitude%3B%20and%20for%20connected%20purposes; C. J. Bastmeijer, ‘Implementing the Antarctic Environmental Protocol: Supervision of Antarctic Activities’, (2003) 11 Tilburg Law Review 407, at 417–18.
111 D. Livingstone and P. Lewis, ‘Space, the Final Frontier for Cybersecurity?’, International Security Department, September 2016, available at www.chathamhouse.org/sites/default/files/publications/research/2016-09-22-space-final-frontier-cybersecurity-livingstone-lewis.pdf.
112 Report of the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security. UN Doc. A/75/816 (2021).
113 H. Moynihan, ‘The Application of International Law to State Cyberattacks: Sovereignty and Non-intervention’, International Law Programme, December 2019, available at www.chathamhouse.org/sites/default/files/publications/research/2019-11-29-Intl-Law-Cyberattacks.pdf.
114 J. P. Jurich, ‘Cyberwar and Customary International Law: The Potential of a Bottom-up Approach to an International Law of Information Operations’, (2008) 9 Chicago Journal of International Law 275, at 295; P. Martinez, ‘The Role of Soft Law in Promoting the Sustainability and Security of Space Activities’, (2020) 44 Journal of Space Law 522, at 545.