In May 2021, a major American energy pipeline faced a massive cyber-attack that caused the US to lose 1.2 million barrels of fuel a day. Shortly after the attack, US intelligence found that the party responsible for the attack was from Russia. However, in terms of the Russian government’s involvement in the hack, US President Joe Biden stated “[s]o far there is no evidence based on, from our intelligence people, that Russia is involved, though there is evidence that the actors, ransomware, is in Russia. They have some responsibility to deal with this.” This quote raises important issues in terms of international law. Biden presumably made this statement based on intelligence that the Russian government did not formally implement this attack. However, the part that says “[t]hey have some responsibility to deal with this” touches on an important element that will be discussed in this article. Even when a government does not directly implement an attack, it can have some responsibility under the Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA). This article looks at how the recent attack against the US potentially could be attributed to Russia under international law.
Cyber-attacks prove particularly difficult to tie to a state’s government; even if the attack clearly came out of a certain state, it is hard to know who in the state specifically launched the attack. Often the attack is directly tied to some rogue group. In this case, a hacker group known as DarkSide is responsible for the hack. However, DarkSide’s presence has since disappeared from the internet, making it more difficult to prove who is involved with the group. As stated above, ARSIWA provides a framework for attributing “wrongful acts” under international law. Article Two of ARSIWA lists the criteria for committing a “wrongful act” as when the act “(a) is attributable to the State under international law; and (b) constitutes a breach of an international obligation of the State.” Article Four says that “[t]he conduct of any State organ shall be considered an act of that State under international law, whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State.” Given that President Biden and US intelligence currently believe that the Russian government is not directly involved, the Russian government could escape attribution under Article Four because the intelligence likely fails to show that the Russian government implemented the attack, so the hacking could not be attributed to any “organ” of the Russian government.
However, even if the attack was not directly implemented by the Russian government, ARSIWA could still find the act attributable to Russia through another article. Article Eight of ARSIWA states that “[t]he conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.” If evidence eventually shows that someone in the Russian government coordinated with DarkSide to carry out the attack, then it would be an instance where DarkSide would be “under the direction or control of” Russia in carrying out the cyber-attack. Some members of US Congress have already raised this prospect to a certain degree, with Maine Senator Angus King arguing that DarkSide “is supposedly a criminal gang. But I’m not sure how you distinguish that from whether or not they have some connection to the Russian government.” Some experts have noted that since this hack occurred a month after the Biden administration enacted sanctions to punish Russia over hacks on the federal government, the Russia government could have motivation to have assisted in the hack of the US pipeline as retaliation.
If the act of a cyber-attack is attributed to Russia, in order for the attack to be considered a “wrongful” act under ARSIWA, Russia must have violated its international obligations. If Russia coordinated with a terrorist group to carry out an attack on US soil or launched a missile at the US, these attacks would violate Russia’s international obligations under the UN Charter, specifically Article 2(4), which states “[a]ll Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”
Many scholars have debated whether a cyber-attack rises to the level of a use of force, and Columbia Law Professor Matthew C. Waxman provides a particularly interesting analysis of this debate. Waxman notes that the US and its allies have historically believed that “use of force” is exclusive to “military attacks or armed violence.” However, he also acknowledges Article 51 provides that “[n]othing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.” Waxman raises the possibility that since the UN took the step to refer to an “armed attack” instead of “use of force” in Article 51, this means that the UN intended for “use of force” to consist of a broader category.
Waxman also raises two other possibilities relating to the meaning of Article 2(4), looking at the purpose of the article. He argues that it is likely that Article 2(4) sought to prevent “coercion” through any means, and that could include economic pressure, which is typically the effect of cyber-attacks. While the US generally recovered the economic damage from the pipeline hacking, it is conceivable that either a larger hack on the US or a similar hack against a smaller state could result in coercion of the state.
Finally, Waxman discusses how Article 2(4)’s purpose could also be to protect a state’s right “to freedom from interference.” Based on this logic, any element of a cyber-attack that interferes in a State’s affairs could impact the State’s “freedom from interference.” The hack clearly “interfered” with the US’s energy market.
It is also important to note that with the sanctions that the Biden administration instituted in April were in response to Russia’s cyber-attacks on the US, and the Biden administration specifically said that the hacks from Russia violated “well-established principles of international law, including respect for the territorial integrity of states.” While the US is not always compliant with international law, the fact that the sanctions used this language and that the international community did not create a controversy over them suggests at least some acceptance from the international community that cyber-attacks warrant punitive responses under international law. The Biden administration chose to use the phrase “territorial integrity,” which repeats language found in Article 2(4).
If it is proven that Russia violated its international obligation and committed a “wrongful act” under ARSIWA, there is still the question of what remedy Russia would owe the US. Article 30 of ARSIWA specifies that Russia must “offer appropriate assurances and guarantees of non-repetition, if circumstances so require.” The language of Article 30 could “require” Russia to provide funds to the US to help recover the damage from the cyber-attack, commit to never enable a cyber-attack again, or provide concrete steps on what Russia will do to ensure that its government never coordinates with groups like DarkSide again. Given that Russia has emphatically denied that it was involved in the hack, if Russia is found to have contributed to the attack in any manner then its government would not likely, at least initially, be able to put forward any type of remedy.
The US could go to the UN Security Council to try to have sanctions enforced to make Russia provide this remedy, but Russia would of course veto any proposed sanctions. Fortunately for the US, the European Union has decried past hacks from Russia, so the US could likely get Western allies to enact a series of coordinated sanctions. However, Russia has repeatedly defied sanctions, so it is unlikely these sanctions would prompt real action from Russia.
The uncertainty between the US and Russia on this latest hack, illustrates how cyber-attacks continue to provide new territory that international law has not conclusively covered. The US government has increased its use of cyber-attacks in the last few years, so the further development of international law on cyber-warfare will have implications for major players in the the international community. This reality demonstrates the need for international community to provide full context of how traditional international laws applies to cyber-attacks.
Todd Carney earned his JD from Harvard University in 2021. Originally from Chicago, IL, he earned his Bachelor of Arts in Public Communications in 2013, and worked in New York and DC in digital advertising prior to attending law school.
Suggested citation: Todd Carney, Russia’s Responsibility for the Hack on the US Pipeline Under International Law, JURIST – Professional Commentary, June 18, 2021, https://www.jurist.org/commentary/2021/06/todd-carney-russia-us-pipeline-hack/.
This article was prepared for publication by Heidi J. T. Exner, JURIST’s Community Engagement Director and Staff Editor. Please direct any questions or comments to her at commentary@jurist.org