HomepageCommercial LawPrivate LawPublic Law & Human RightsCriminal LawEU & International LawCareers

Accessibility

Have Irlen Syndrome, or need different contrast? Click the button below for options.

Background Colours

Subscribe

Enter you email address below to subscribe to free customisable article notifications.

Alternatively, click the button below for our various RSS Feeds (available journal wide, or per section).

The Sony Hack: Cyber Attacks and International Law

Article Cover Image

About The Author

Helen Morse (Writer)

Helen is studying Law (European & International) LLB at the University of Sheffield, now entering her final year having spent an Erasmus year at the University of Vienna, Austria. Helen is interested in international and commercial law. Outside of law, Helene is a keen sports woman, playing at county level.

In November 2014 Sony Pictures Entertainment was hacked leaving employees unable to use IT services, whilst also exposing sensitive information and leaking clips of unreleased films onto the Internet. A group called #GOP, later identified as the ‘Guardians of Peace’, claimed to be behind the cyber-attack. However, quickly after the incident, there was mounting speculation that North Korea was actually responsible, as a reaction to Sony’s soon-to-be-released film ‘The Interview’. The film depicts an assassination attempt on the North Korean leader, Kim Jong-un.

An investigation by the Federal Bureau of Investigation (FBI) followed and by 19th December 2014 it was confirmed that North Korea was behind the attack on Sony Pictures. In response, President Barack Obama did not think the actions of North Korea constituted an act of war, but instead called it ‘an act of cyber vandalism’ and went on to say that the USA ‘will respond proportionately.’ On December 22nd North Korea experienced Internet interferences and connectivity issues, causing speculation that the USA were behind the outages, however this has not been confirmed. On 2nd January 2015 President Obama signed an executive order imposing increased economic sanctions on North Korea in response to the Sony Hack, based on the principles of international law.

Against the back-drop of the Sony Hack, this article will examine the options States have available to them in response to cyber-attacks and whether the specific measures taken by the USA against North Korea were strictly lawful under international law. In this technological age we live in, it is not unreasonable to say cyber-attacks and cyber warfare will become the norm, even overtaking the traditional concepts of armed and military conflict. Therefore, it is necessary to understand and evaluate how cyber warfare fits within the current international law framework.

Does the cyber-attack on Sony Pictures fall under Article 2(4) UN Charter?

Article 2(4) United Nations Charter reads:

All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.

Firstly, it has long been established that the provisions of the UN Charter are regarded as rules of general customary international law, as confirmed by the International Court of Justice (ICJ) in Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) [1986]. This means that a country which is not a member of the UN is still bound by the provisions of the UN Charter and what is discussed below with regard to Article 2(4) is relevant to all nations.

To begin our analysis it is necessary to establish the exact meaning of ‘force’ as used in Article 2(4) under international law. If it has a broad meaning and includes cyber-force such as that exercised by North Korea against Sony, then North Korea would be in violation of the international law. However, if the word ‘force’ in Article 2(4) has a narrow meaning and only refers to armed force, then this will restrict the USA’s options to respond lawfully to a cyber-attack.

This issue is far from a settled area of law interpretation and similar debates have been had over the years as to whether the ‘threat or use of force’ also includes other types of force such as economic or political coercion. The USA and other Western States typically advocated a narrow reading of Article 2(4) to only include the prohibition of armed, military force whilst developing nations pushed for the opposite. Having said that, there is mounting commentary that the USA’s attitude towards the meaning of ‘force’ has shifted amongst the increase of cyber-warfare - see the article entitled ‘Cyber Attacks as “Force” under UN Charter Article 2(4)’ for further insight.

Despite this, it is generally understood that Article 2(4) only prohibits armed force as other types of “force” are dealt with in other areas of international law. For instance, economic coercion is expressly prohibited in the UN General Assembly Resolution ‘Declaration on Friendly Relations’. Equally, Article 2(4) has been the subject of many extensive and learned analyses in cases such as the Advisory Opinion on Legality of Nuclear Weapons rendered upon request of UNGA [1996]; Yugoslavia v. NATO countries [1999]; and Congo v Uganda [2000], but notably they have all concerned the use of armed force. Therefore, as it currently stands, the use of cyber-force against Sony by North Korea does not violate Article 2(4) of the UN Charter.  

Does the USA have the right to ‘self-defence’?

Under Article 51 UN Charter, Member States have the right to ‘self-defence’ if an ‘armed attack occurs’ against them. This line of analysis can be dealt with quickly because, as established above, a cyber-attack is not an ‘armed attack’. The only way a cyber-attack could rise to the level of an ‘armed attack’, justifying a response under Article 51, is if it causes a loss of life or economic collapse, but the Sony Hack only resulted in an embarrassing breach of security and data loss.

Therefore, the USA’s economic sanctions (and potentially its cyber retaliation measures) against North Korea in response to the Sony Hack are not justified or lawful under Article 51’s right to self-defence.

Does the cyber-attack by North Korea constitute an ‘internationally wrongful act’?

Encompassed in the International Law Commission’s (ILC’s) Articles on State Responsibility, States are entitled to take countermeasures against another State if that State commits an ‘internationally wrongful act’ against it. As set out in Article 2 of the ILC’s Articles, there is an internationally wrongful act when there is conduct by a State consisting of an action or omission which is:

(a) attributable to the State under international law; and

(b) constitutes a breach of an international obligation of the State.

First looking at part (a) of this provision, attribution is covered by Chapter 2 of the ILC’s Articles on State Responsibility. If the FBI’s investigations are correct and the Sony Hack was conducted by North Korea’s Bureau 121, then there would be no doubt as to the attribution of the cyber-attack. Employees of Bureau 121 work for North Korea’s General Bureau of Reconnaissance, i.e. a ‘state organ’, whose actions are attributable to North Korea as recognised by Article 4, even if they were acting ultra vires. Even if the Sony Hack was conducted by a non-state organ, the cyber-attack may still be attributable to North Korea if the hackers were ‘acting on the instructions of, or under the direction or control of’ North Korea (Article 8) or North Korea later ‘acknowledges and adopts the conduct in question as its own’ (Article 11).

Now moving on to part (b), one potential characterisation of the cyber-attack on Sony could be that it was an unlawful intervention against the USA. The principle of non-intervention by States is well established in customary international law, as re-affirmed by the ICJ on numerous occasions, particularly in the Nicaragua case mentioned earlier, and reflected in a number of international treaties. The ICJ stated in the Nicaragua case that ‘the principle forbids all States or groups of States to intervene directly or indirectly in the internal or external affairs of other States…bearing on matters in which each State is permitted…to decide freely.’ Disrupting a private company’s activities is not the type of coercive action that intrudes into the domaine reserve of a sovereign State. This means that the cyber-attack on Sony cannot be characterised as an unlawful intervention by North Korea under international law.

Alternatively, the cyber-attack by North Korea could be said to be a breach of the USA’s sovereignty. The principle of State sovereignty is one of the oldest doctrines of international law and is synonymous with independence. In the Island of Palmers Case [1932], it was stated that ‘sovereignty in relations between states signifies independence. Independence in regard to a portion of the globe is the right to exercise therein to the exclusion of any other state the functions of a State.’ After the Nicaragua case, it was confirmed that any interference with a State’s sovereignty constitutes a breach of international law. Specifically, the recently published Tallinn Manual expressly confirms the applicability of this principle to the area of cyber warfare too.

The Tallinn Manual states that State sovereignty of cyber infrastructure in a State’s territory incorporates the right to protect that infrastructure, whether it is owned by the government or not. This means a cyber-operation by one State against the cyber infrastructure of another will certainly violate that State’s sovereignty if physical damage is caused. However, it is still uncertain whether a cyber-attack can be characterised as a breach of State sovereignty if it only causes harm to data, as distinct from physical damage or loss. It cannot be said with certainty that a cyber-attack like that of the Sony Hack is a breach of the USA’s State sovereignty, even though the USA would argue very strongly that it is, as there was no physical damage. The area of cyber-warfare is a relatively new phenomenon and, as is often the case, the law is playing catch-up.

Were the ‘countermeasures’ taken by the USA lawful?

For argument’s sake, let us assume for the rest of the article that the cyber-attack against Sony is attributable to North Korea and is characterised as a breach of USA’s sovereignty, thus making it an ‘internationally wrongful act’. In that case, how can the USA respond lawfully within the limits of international law?

As mentioned earlier, Article 22 and Articles 49-54 of the ILC’s Articles of State Responsibility allow States to take ‘countermeasures’ when they have had an ‘internationally wrongful act’ committed against them. Countermeasures are actions taken by States, not involving the use of armed force, in order to induce a return to a state of lawfulness.

Countermeasures are subject to a number of strict limitations. One of the leading cases on countermeasures is Gabčíkovo-Nagymaros Project (Hungary/Slovakia) [1997] in which the ICJ set out that for a countermeasure to be lawful it must meet the conditions below:

  1. the countermeasure must be taken in response to a previous intentional wrongful act of another state and must be directed against that state;
  2. the injured state must first call upon the state committing the wrongful act to stop its conduct or make a reparation;
  3. the countermeasure must be proportionate to the injury suffered; and
  4. the measure must be reversible.

Focusing initially on the ‘hack-back’ possibly conducted by the USA against North Korea, it could be argued that the entirety of North Korea experiencing an Internet outage is a far larger intrusion than a single US company being hacked, and thus was not a proportionate response. However, Internet usage in North Korea is primarily reserved for government purposes, so it is unclear how many North Korean citizens would have actually been affected by the outages. Equally, there is no evidence to suggest any information was destroyed or leaked, as happened with Sony’s data, thus strengthening the argument that this was in fact an appropriate countermeasure to the cyber-attack on Sony. If the USA was responsible for the Internet outages in North Korea and assuming the other countermeasure conditions were satisfied, then this is likely to be a lawful response to the Sony Hack under international law.

With regard to the economic sanctions President Obama authorised on 2nd January, they were targeted towards the arms of the North Korean government, limiting government officials’ access to capital and their ability to enter the United States. The conditions on countermeasures do not say that the countermeasure has to be of the same form as the ‘internationally wrongful act’, merely that it is proportionate. Therefore, it can be strongly argued here that the economic sanctions restricted to North Korean government officials is a proportionate response to the Sony Hack as they do not affect the entirety of the North Korean population. Accordingly, the economic sanctions, again assuming the other conditions were met, would be a lawful response to the Sony Hack under international law.

Conclusion  

I hope this examination of the Sony Hack demonstrates that this is a curious and unsettled branch of international law that will have to continue to evolve as technology and new types cyber threats advance. There are strong arguments that trying to shoe-horn laws on cyber warfare into the existing provisions of international law does not work, as my discussions around Article 2(4) and Article 51 UN Charter suggest. Initiatives such as the Tallinn Manual, specifically on the issue of cyber-warfare, seem a sensible way forward. However, as it is still in its infancy, it is non-binding and contains a number of uncertainties, such as the exact scope of intrusion into a State’s cyber infrastructure needed to constitute a breach of State sovereignty. Overall, this is an area of international law which is still under-going development, and confirmation on certain principles is needed, but it is likely to become an increasing problem as States turn to cyber-warfare more and more.

For the latest articles straight to your inbox, you can subscribe for free. Alternatively, follow @KeepCalmTalkLaw on Twitter or Like us on Facebook.

Tagged: Anti-Terror, Armed Conflict, International Law, Technology

Comment / Show Comments (0)

You May Also Be Interested In...

Robot Wars? Autonomous Weapons and International Humanitarian Law

15th Sep 2017 by Joseph Mahon

Drones, Donald and Distinction: Civilian Protection in Contemporary Warfare

4th Aug 2017 by Joseph Mahon

Up In the Air: The International Law of Satellites

24th Feb 2016 by Keir Baker

The Syria Airstrikes: Creative Ambiguity and Transient Definitions

23rd Dec 2015 by Rebecca Von Blumenthal

Drone Strikes under International Law

3rd Mar 2015 by Alex Hitchcock

The Legality of Armed Intervention

7th Oct 2014 by Francesca Norris

Section Pick May

The Caspian Sea Convention: International Law Meets International Relations

Editors' Pick Image

View More

KCTL News

Keep Calm Talk Law: Moving Forward

3rd Sep 2019

Changing of the Guard: Moving Keep Calm Talk Law Forward

12th Aug 2018

An Anniversary or Two: Four Years of Keep Calm Talk Law

11th Nov 2017

Rising from the Ashes: The Return of Keep Calm Talk Law

18th Nov 2016

Two Years On, Keep Calm Talk Law’s Legacy is Expanding

11th Nov 2015

Twitter

Javascript must be enabled for the Twitter plugin to function. Click below to visit us on Twitter.

Free Email Subscription

Subscribe to Keep Calm Talk Law for email updates, and/or weekly roundups. You can tailor your subscription on activation. Both fields are required.

Your occupation / Career stage is used to tailor your subscription and for readership monitoring.

Uncheck this box if you do not want to receive our monthly newsletter.

By clicking the Subscribe button, you agree to our privacy policy and terms of service. Please ensure you read these in full.

Free Subscription