As technology advances, so do the scale and sophistication of cyber operations, and with them the need for robust regulatory frameworks, particularly where international law meets cyber activity. Recent episodes of state-sponsored cyber espionage, most notably those attributed to China, have thrown this need into sharp relief. These activities range from quiet data collection to orchestrated attacks capable of destabilising states, a breadth that presents a daunting challenge to states, non-state actors and international institutions alike as they try to modernise international law for the digital age.
Case Study: Chinese State-Sponsored Cyber Espionage
In one recent instance, the security firm Mandiant reported that a China-backed hacking group had exploited a zero-day vulnerability in Barracuda Networks’ email security appliances, compromising hundreds of organisations, many of them government agencies. The activity is assessed to be part of a broader espionage campaign in support of the Chinese government.
The flaw, in Barracuda’s Email Security Gateway (ESG) appliances, lay in how the gateway processed attachments: sending a target an email carrying a specially crafted TAR archive as an attachment was enough to compromise the appliance that scanned it. Once in, the attackers installed custom backdoor malware on the devices.
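The kind of attachment-side check a gateway operator could have run in front of the appliance, added here as an example and not code from Barracuda or Mandiant: the flaw was later tracked as CVE-2023-2868, a command injection in the way the ESG handled TAR archive member names, so a pre-filter that quarantines any archive whose entry names carry shell metacharacters, control characters, absolute paths or traversal sequences catches the crafted-archive pattern before a vulnerable parser ever sees the name. The sample archives, their member names and the metacharacter set are constructed for the example and are assumptions, not Barracuda's own detection logic.

```python
import io
import re
import tarfile

# Member-name patterns that have no business in a legitimate attachment but
# become dangerous the moment a name is spliced into a shell or Perl qx{} call.
# The set below is an assumption for this example, not Barracuda's own rule.
SHELL_META = re.compile(r"[`$|;&<>'\"\\]")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def suspicious_members(archive: bytes):
    """Inspect every entry of a TAR archive held in memory.

    Returns a list of (member_name, reasons). An empty list means no entry
    tripped a check. The archive is only parsed with the standard library;
    nothing is extracted, so a hostile archive cannot write to disk here.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf:
            reasons = []
            # Both the entry name and any symlink target are checked.
            for name in (member.name, member.linkname):
                if not name:
                    continue
                if SHELL_META.search(name):
                    reasons.append("shell metacharacters")
                if CONTROL_CHARS.search(name):
                    reasons.append("control characters")
                if name.startswith("/"):
                    reasons.append("absolute path")
                if ".." in name.split("/"):
                    reasons.append("path traversal")
            if reasons:
                findings.append((member.name, sorted(set(reasons))))
    return findings


def build_tar(names):
    """Build a small TAR archive in memory with the given member names.

    Constructed test data for the example: the content is throwaway, only
    the names matter to the checks above.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"constructed sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def gateway_verdict(archive: bytes) -> str:
    """Decide what a gateway pre-filter should do with the attachment."""
    return "quarantine" if suspicious_members(archive) else "pass"


if __name__ == "__main__":
    # A benign archive and one whose member name would break out of a
    # single-quoted shell argument if it were ever interpolated unescaped.
    benign = build_tar(["report.pdf", "2023/minutes.txt"])
    crafted = build_tar(["report.pdf", "x.txt'; id > /tmp/out; echo '"])
    for label, data in (("benign", benign), ("crafted", crafted)):
        print(label, gateway_verdict(data), suspicious_members(data))
```

The filter deliberately never extracts anything and never passes a name to a shell; it decides on the name alone, which is the property a vulnerable parser lacked. It is a coarse pre-filter, not a substitute for patching: a clean-looking archive can still carry a malicious payload, and a quarantine verdict should feed the mail gateway's normal quarantine and alerting path.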
Mandiant identified the threat group behind these attacks as UNC4841 and assessed that it has links to other Chinese state-sponsored hacking groups. The group used the ESG vulnerability to deploy custom malware, including SeaSpy, SaltWater and SeaSide, which between them provided command-and-control communications, file download and execution, command execution and proxying. It also deployed a kernel-module rootkit named SandBar to hide the SeaSpy process.
Barracuda identified the attacks on May 18, 2023 and brought in Mandiant, along with multiple intelligence and government partners, to investigate. Because the attackers retained access to some appliances even after patches had been applied, Barracuda urged customers to replace compromised appliances rather than attempt to clean them.
UNC4841 responded swiftly to Barracuda’s remediation efforts, modifying its malware and deploying additional persistence mechanisms. The group was observed exfiltrating email-related data from victims, including European and Asian government officials in Southeast Asia and high-profile academics in Hong Kong and Taiwan.
Translating International Law for Cyberspace
These episodes underline the need for a robust legal framework governing cyber activities. International law as it stands, drawn from treaties, customary international law, general principles of law recognised by states, and judicial decisions, contains no rules written for cyber operations; states broadly agree that it applies in cyberspace, but how its general rules translate remains contested.
Challenges of Sovereignty and Jurisdiction in Cyberspace
Transposing conventional concepts such as sovereignty and jurisdiction into the cyberspace context is fraught with difficulty. It remains unclear whether a cyber operation that originates in one state’s territory but has effects in another state constitutes an infringement of the latter’s sovereignty.
Establishing jurisdiction in cyberspace is a separate challenge. While the principle of territorial jurisdiction still applies, pinning down where a cybercrime actually took place, and hence which state’s jurisdiction should govern it, often proves elusive.
International Humanitarian Law and Cyber Warfare
The guidelines set out by International Humanitarian Law (IHL) for conduct during warfare become complex when applied to the context of cyber warfare. Particularly problematic is differentiating between combatants and civilians in cyberspace, given that civilian infrastructure is often intertwined with military purposes.
The Need for Cyber Rules of Engagement
Just as the rules of engagement (ROE) establish circumstances for engagement in traditional warfare, a similar set of rules is needed for cyber warfare. However, the anonymity of the internet and the widespread use of proxies often make the identification of cyber attackers challenging, thus complicating the process of establishing such rules.
The recent UNC4841 attacks illustrate the problem: they exploited a previously unknown vulnerability and deployed custom malware, and although Mandiant eventually attributed them to a Chinese state-sponsored group with high confidence, that attribution was published weeks after the initial disclosure. Reaching the same confidence in real time, while an attack is still under way, is exceedingly challenging.
The U.S. Department of Defense’s Law of War Manual and Cyber Activities
The U.S. Department of Defense has made significant strides towards clarifying the applicability of international law to cyber operations. Its Law of War Manual offers interpretations of existing laws in the context of cyber activities, focusing on three key areas:
- sovereignty,
- state responsibility, and
- the law of armed conflict.
However, the Law of War Manual only represents one state’s interpretation, and thus far, no international consensus on these interpretations has been reached.
source: Raytheon Intelligence & Space
Given the rapidly evolving landscape of cyber activities and their ever-growing influence on international relations and conflicts, an urgent need exists for international law to evolve accordingly. As state-sponsored cyber espionage activities continue to pose significant threats, establishing a comprehensive legal framework that ensures stability and upholds rights in cyberspace is of paramount importance. It’s clear that a state of lawlessness in cyberspace is untenable, and efforts to implement legal regulations that reflect this reality must be prioritised.