About the Author: The author is a 2021 graduate of National Law University, Delhi.
Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author’s contribution serves as an adapted reflection to the following proposition:
“From the standpoint of international law, does the Government of India bear any international legal responsibility for the actions of BellTrox InfoTech Services (or any other similar ‘hackers-for-hire’ operations run from Indian territory)? If yes, what are the legal prerequisites that need to be satisfied to affix such responsibility on the Government? If not, explain with reasons.”
In 2020, The Citizen Lab released a report naming an obscure Delhi-based company, Belltrox Infotech Services, as a major player in commercial espionage operations against high-profile organizations as a hacker-for-hire entity. The targets included nonprofits and advocacy groups working on issues like climate change and net neutrality in the US, such as the Rockefeller Family Fund, Free Press, and Greenpeace.
Such cyber-espionage activities, inter alia, highlight the uncertainty in the application of international law in cyberspace. An analysis of BellTrox’s alleged operations raises questions as to whether there is an internationally wrongful act for which responsibility needs to be affixed, who bears such responsibility, and to what extent.
As per Article 2 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (‘ARSIWA’), a State is responsible for an internationally wrongful act when it commits an act or omission fulfilling two basic criteria. First, the act or omission is attributable to that State; and second, it constitutes a breach of that State’s international obligation.
Accordingly, this piece analyses the nature of attribution in the cyber context, the problems therein, and whether current frameworks take account of the unique nature of cyber-attacks vis-à-vis hacker-for-hire situations. Further, the article evaluates whether low-level cyber-attacks such as BellTrox’s constitute a breach of an international obligation, with particular reference to the principles of sovereignty and non-intervention. Finally, the piece attempts to distill shortcomings under the international law regime governing cyberspace and considers avenues to bridge the gaps.
Attribution is a normative operation used to demonstrate a nexus between the perpetrators of an act and a State. Although conduct under ARSIWA is limited to acts of State organs, Article 8 states that the wrongful conduct of a non-State entity directed or controlled by that State may be attributable to the State.
Traditionally, such attributability was restricted to activities carried out under a State’s ‘effective control’. As applied by the International Court of Justice (‘ICJ’) in Nicaragua, the effective control test requires a State to have, directed, commanded, or otherwise directly controlled the actor in question. The Tallinn Manual also follows this threshold for attribution in cyberspace. However, BellTrox’s conduct cannot be attributed to India under this test as the company is neither a State organ nor is there any evidence reflecting that it acted under the control of the Indian state. Further, BellTrox’s conduct cannot be attributed to India under the much lower threshold of the ‘overall control’ test of the International Criminal Tribunal for the Former Yugoslavia’s in Tadic (which the ICJ later rejected in the Bosnian Genocide Case) either. Under the overall control test, even supporting, equipping, or financing a non-state actor could suffice for attribution.
In evaluating responsibility for non-state actors’ conduct, we must consider other standards seen in international law. The US response to the 9/11 attacks marked a shift from the traditional responsibility thresholds towards an ‘indirect responsibility’ criterion. This threshold can be inferred from the communication of the US to the UN Security Council, in establishing a right of self-defense. The US focused on an ‘unwillingness’ standard, highlighting the Taliban regime’s refusal to change its policy towards Al Qaeda despite having control over large areas where it operated. However, in invoking this standard, the US emphasized that the Taliban gave some degree of support to Al Qaeda over and above mere sanctuary.
Although this theory of indirect or vicarious responsibility does not have enough support to constitute customary international law, it does find some backing in the Corfu Channel judgment. The ICJ held that States ought not to allow their territory to be used in a way that endangers other States. This idea has developed in relation to terrorist activities, whereby the Friendly Relations Declaration as well as UN Security Council Resolution 1373 demand that States deny safe haven to terrorist activities.
Jason Healey expands on such a standard of passive responsibility, focussing on a State’s accountability for fostering an environment where attacks could occur instead of “shrinking the sanctuaries from where criminals act with impunity.” ICJ’s Tehran judgment also supports the proposition that a State’s failure to take appropriate steps to prevent violations could render it responsible for the wrongful conduct.
If we were to apply this broad threshold, it is conceivable that BellTrox’s conduct could be attributed to India. However, a State cannot be held responsible for all acts perpetrated within its territory. Thus, a more ideal starting point of assigning State responsibility for non-State actors’ conduct in cyberspace should involve combining the aforementioned standard with the ‘due diligence’ principle. Accordingly, attribution would entail a two-step determination. First, ascertaining a State’s unwillingness to prevent a non-state actor’s illegal conduct despite being in a position to do so. Second, whether the State exercised reasonable due diligence in attempting to prevent the conduct. A failure in either could render the State internationally responsible.
Scholars have suggested specific guidelines for due diligence, including enacting criminal law against the commission of cyber-attacks, instituting good-faith investigations and prosecution, and cooperation with victim States. The 2015 Report of the Group of Government Experts (GGE) calls upon States to respond to requests for mitigating malicious ICT activity arising out of their territory. The GGE report highlights that knowledge plays a role in determining attributability and States have a due diligence obligation towards post-facto mitigation of identified unlawful cyber activity emanating from their territory.
As Healey emphasizes– unfortunately, in cyberspace, States do not expect other States to exercise the same degree of control over their subjects; and the international community considers States helpless in mitigating cyber attacks originating from their territory. However, moving away from a narrow attribution requirement, victim States could push origin States towards taking well-established steps for mitigating attacks and ensuring prosecution to avoid responsibility for wrongful conduct.
- SOVEREIGNTY AND NON-INTERVENTION
The second prong of State responsibility is the requirement of the breach of a State’s international obligation. As per the UN GGE’s 2013 and 2015 reports, States are, in principle, at a consensus as to the application of the principles of sovereignty and non-intervention in cyberspace. In essence, the principle of State sovereignty relates to a State’s authority over its territorial integrity, sovereign functions, and political independence to the exclusion of others. The prohibition on unlawful intervention derives from the principle of sovereignty, and as outlined by the ICJ in Nicaragua, points to the coercion of one State by another in matters within the former’s sovereignty.
The first element of intervention, i.e., ‘coercion’, refers to an attempt to influence an outcome in the target state, depriving the target state of control over the ‘functions inherent in sovereignty’. An example of coercive behavior could be the use of cyberspace to compel another state to adopt a particular legislation. This understanding under the Tallinn Manual is broadened to include all kinds of coercive acts designed to force a state to act, or not act, in a particular manner.
It is unlikely that international law, as it stands, would find cyber-operations like BellTrox’s to be coercive. Although targeting of eminent private groups and advocacy organizations may point towards an attempt to influence US policy, it cannot be concluded that the operations or the information gathered could have pressurized the US government to legislate in a particular manner.
The second element of intervention is that the coercive behaviour must be directed towards the ‘matters in which a State is permitted to decide freely’. The Friendly Relations Declaration defines an intervention as interference in the State’s personality or against its political, economic, and cultural elements. The Tallinn Manual 2.0 bases violation of sovereignty on the usurpation of an inherently governmental function through interference in matters within the domaine reserve of the State.
However, to engage the non-intervention principle, the operations must be directed at the State’s practical ability to exercise its sovereign function. Thus, the NotPetya attacks attributed to Russia, which targeted Ukraine’s financial system, transport and energy facilities have been considered violations of international law by the UK and its allies. However, a spear-phishing campaign attacking private Universities and NGOs or the WannaCry ransomware attack attempting to extort hard currency from users were not considered as such. The US called the alleged Russian hacking of the Democratic National Congress an ‘attempt to interfere with its election process’, with Department of State’s Legal Adviser Brian Egan categorizing it “a clear violation of the rule of non-intervention.”
In contrast, Belltrox’s alleged hacker-for-hire scheme appears to target private persons, institutions, and advocacy firms without directly interfering in sovereign functions. Even if BellTrox’s actions are considered as attempts to influence US policy, public interest advocacy and policy research are not exclusively governmental functions. Moreover, espionage against private organizations does not preclude a State from deciding freely on sovereign matters. Resultantly, it is unlikely that BellTrox’s operations would ipso facto constitute an internationally wrongful act of intervention.
The BellTrox problem highlights the need to move away from the traditional attribution fixation to hold States accountable for mitigating cyber-attacks. The conventional understanding of internationally wrongful acts only takes into account the nature of kinetic warfare and interventions in other States, thus failing to account for the ability of non-State actors to cause similar damage when shielded and given a safe haven by States. Therefore, instead of the ‘effective control’ and ‘overall control’ tests, a shift towards the theory of ‘indirect responsibility’, in combination with a due diligence standard for states, would be more effective in the cyber world.
Applying such a test, if India did provide a safe haven to BellTrox, in that it ignored the threat or was unwilling to mitigate it despite knowledge of malicious cyber-activities, these activities could be attributed to India. Further, on account of the due diligence requirement, a State’s failure to take appropriate action on intimation by a victim State would strengthen the latter’s claim for affixing responsibility.
In regard to intervention in sovereign matters, the expanded understanding in Nicaragua and the Tallinn Manual reflects that a direct attempt to cause a change in another State’s law or policy would constitute an unlawful intervention. However, the problem in the current scenario lies in showing that BellTrox could use the information gathered to coerce the US to act towards a particular objective. Indirectly influencing the actions of private individuals and advocacy organizations might not restrict the State in its sovereign functions and hence, is unlikely to constitute intervention.
The BellTrox case outlines multiple gaps in international law with respect to cyberspace. Although existing law might not hold States internationally responsible for non-state actors’ private cyber operations originating from within their territory, victim States must invoke the accountability of origin States for mitigating cyber threats and ensuring prosecution. Further, pressure by the international community on States to conform to their due diligence obligations would be a substantive move in the right direction.
*Views expressed in the blog are personal and should not be attributed to the institution.