Illegal: The SolarWinds Hack under International Law

EJIL (2022) Legal/Illegal

In late 2020, news surfaced about one of the most extensive attacks on an information technology (IT) supply chain to date. Hackers exploited a vulnerability in the update system of Orion, a network-monitoring and management software developed by the company SolarWinds. Malicious code embedded in Orion updates created a backdoor into the systems used by numerous private and public entities. This backdoor was then used to insert additional malware into affected systems – in particular, spyware to exfiltrate confidential or sensitive data. Considering both the importance of preserving the integrity of IT supply chains and the diverse risks of harm that attacks such as the SolarWinds hack give rise to, this article examines this cyber operation according to the relevant rules of international law – notably those on sovereignty, non-intervention, general due diligence duties and international human rights law. It concludes that the operation may have been illegal on multiple fronts.


Introduction
The so-called 'SolarWinds hack' made the headlines in late 2020 as 'the largest and most sophisticated sort of operation [ever] seen'. 1 The cyber operation exploited a vulnerability in the update system of Orion, a network-monitoring and management software developed by Texas-based company SolarWinds. While, on its face, unremarkable, this programme plays a significant part in the so-called 'information technology' (IT) supply chain of the USA and at least seven other countries: a widespread network of private and public actors using different IT products for the provision of key services, ranging from energy to health and education. Malicious code embedded in Orion updates created a backdoor into the systems used, among others, by cybersecurity firm FireEye, 2 Microsoft, 3 Cisco, at least a hospital and a university 4 and a number of US governmental agencies. 5 This backdoor was then used to insert additional malware into affected systems – in particular, spyware to exfiltrate confidential or sensitive data.
While the purpose of the operation may have been primarily espionage, it is now clear that the harm it caused was multi-layered, pervasive and reaching far beyond its targets of interest. In particular, by compromising a software update system used by thousands of users worldwide, the hack has undermined public trust in a fundamental cyber-security mechanism. 6 Even more worrying is what could have happened and what might still happen in similar future operations. For instance, the official announcement that 'Black Start' – the detailed US plans to restore power in the event of a cataclysmic blackout – was compromised during the operation prompted some to speculate that the hackers were hoping to gain backdoor access into the US electric grid and laboratories developing and transporting new generations of nuclear weapons. It cannot be excluded, at this stage, that this and other pieces of malware inserted through this hack or other vulnerabilities 7 may eventually have detrimental effects on operational technology 8 – that is, 'programmable systems or devices that interact with the physical environment'. 9 These considerations highlight the dangers of tampering with IT supply chains. 10 Whilst cyber-security policies and measures are often focused on the protection of the end user's own systems and infrastructure, weak links in the IT supply chain may be more vulnerable and, thus, seen as particularly enticing targets. 11 Compromised products or services supplied through such chains may be used by a wide variety of users – public and private – greatly facilitating the spread of malicious code and widening the pool of possible targets, as was the case for SolarWinds. For this reason, multiple norms of responsible state behaviour in the use of information and communications technologies (ICTs), recommended by the United Nations (UN) Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE), concern the integrity of the IT supply chain. 12

2 FireEye, 'Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor', Mandiant (13 December 2020), available at www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html.

Considering both the importance of preserving the integrity of IT supply chains and the diverse risks of harm that operations such as the SolarWinds hack may give rise to, in what follows, we assess its legality under international law. The hack was met with a flurry of political statements and academic commentary. With the benefit of temporal distance, now is a good time for a sober legal analysis, starting with five preliminary points.

First, as some of us have argued elsewhere, 13 we accept that international law applies in full and by default to ICTs. Second, international law does not protect IT supply chains per se. Rather, it regulates specific types of conduct – actions and omissions – that impact the legally protected interests of states, private entities and individuals. Thus, protection under international law depends not on the IT products themselves but, rather, on who uses them and for what purpose. Third, operations such as the SolarWinds hack, which unfold primarily as breaches of confidentiality of infiltrated systems, bring us directly into a topic that is almost 'taboo' in international legal discourse: espionage. Early legal 14 and policy 15 commentary on SolarWinds focused on its cyber-espionage dimension, overwhelmingly concluding that the operation was politically legitimate and/or lawful under international law. However, it is worth stressing that there is no espionage exception to the application of other rules of international law. 16 This means that, even if there is no prohibition of espionage per se, it may very well be that certain espionage operations, through their means, methods or effects, violate applicable international law. Fourth, even if international law is not displaced by the intelligence-gathering purpose of the operation, uncertainty remains in its application in this and similar scenarios involving harmful cyber operations. The relevant rules – sovereignty, non-intervention, human rights, among others – all contain their own interpretative controversies. But even if these questions emerge recurrently, 17 the discussion has evolved and grown in sophistication, reigniting and shedding new light on foundational debates in international law. 18 Fifth, any discussion of the legality under international law of the SolarWinds and similar hacks necessarily begins with the question of attribution of conduct to a state. 19 Attribution of cyber operations is a notoriously difficult question in its own right, but it falls beyond the scope of this article. 20 For the sake of analysis, we assume that the SolarWinds hack is attributable to a state, a conclusion that was drawn by the USA when formally attributing the operation to Russia. 21

In what follows, we analyse two main 'families' of international obligations. On the one hand, we query whether carrying out or supporting the SolarWinds hack constituted a breach of certain international obligations to refrain from causing harm to other states and individuals. Such 'negative' duties may derive from (i) international law protecting state sovereignty; (ii) the principle of non-intervention; and (iii) international human rights law. On the other hand, we inquire whether SolarWinds and similar IT supply chain attacks engage states' positive duties to prevent and redress harm by third parties. These obligations include the Corfu Channel and no-harm principles as well as positive human rights obligations, all of which require states to exercise due diligence in their use of ICTs. 22 We conclude that the operation was likely illegal under most of these rules.

The SolarWinds Hack as Unlawful Conduct

A States' Sovereign Rights over Cyber Infrastructure
If the SolarWinds hack was indeed carried out by a state actor against IT systems used in or by other states, it may qualify as a violation of state sovereignty. 23 Two difficulties ought to be cleared before finding such a violation. First, the very existence of a specific rule protecting state sovereignty is questioned. Second, the scope of such a rule is contested – that is, it is not yet settled which types of unauthorized intrusions into a state's digital infrastructure would constitute a violation.
Assuming that a specific rule protecting state sovereignty exists, a breach may arise by an infringement upon a state's territorial integrity or interference with inherently sovereign functions. Beyond the infliction of physical damage or injury in another state's territory or areas under its effective control, there is controversy as to how a state's territorial integrity may be violated. Specifically, it is unclear whether causing a 'loss of functionality' of cyber infrastructure located in another state suffices for a violation of sovereignty. 25 There is no evidence that the SolarWinds hack produced such results. Nevertheless, as noted earlier, the risk of remote damage or disruption to operational technology controlling physical devices remains latent. Additionally, some Tallinn Manual experts suggested that loss of functionality entailing a violation of sovereignty would occur if 'the operating system or other data[base] upon which the targeted cyber infrastructure relies in order to perform its intended purpose' needs to be reinstalled (not merely rebooted). 26 Reinstallation of affected programmes is exactly what the US Cybersecurity and Infrastructure Security Agency (CISA) directed all affected users to do following the SolarWinds hack. 27 To be sure, Orion, the targeted software, did not stop functioning altogether because of the hack, even if, to remove the infection, affected companies and institutions had to replace programmes and/or rebuild their networks, incurring significant costs. One could nonetheless argue that Orion did stop working as it should – that is, with the necessary safety functions. After all, who would use a network-monitoring software involving sensitive data if there was no safety mechanism to protect it against data breaches? This seems to be a paradigmatic example of the loss of a core software function, meeting the required threshold.
In any event, violations of sovereignty may also arise from remote interference with a state's inherently governmental functions, whether with physical or non-physical manifestations. 28 There is no question that the functions exercised by the US Treasury, State and Energy departments, along with the Pentagon – all significantly affected by the SolarWinds hack – are inherently sovereign. Thus, at the very least, insofar as remote control was obtained over these key governmental IT systems, a violation of US sovereignty occurred.

B Rule of Non-Intervention
Whether or not a specific rule protecting sovereignty exists in international law, the SolarWinds hack may have constituted an unlawful act of intervention in the USA's internal affairs. The hack posed a significant threat to US national security. As noted above, it targeted, among many others, the US Treasury and Commerce departments as well as the Energy Department, which is responsible for the management of US nuclear weapons. Ensuring cyber defences appropriate to remediate this breach has been a complex and costly endeavour. 29  that the hack led to a quick rearrangement of priorities at the time of a raging global pandemic.
According to the International Court of Justice (ICJ) in Nicaragua, a prohibited intervention bears 'on matters in which each state is permitted, by the principle of state sovereignty, to decide freely'. 30 Examples include 'the choice of a political, economic, social and cultural system, and the formulation of foreign policy' (so-called domaine réservé), whether these are carried out by private or public entities. 31 Moreover, a wrongful intervention is one that 'uses methods of coercion in regard to such choices, which must remain free ones'. 32 Following the SolarWinds hack, the breadth of the mitigation measures put forward by CISA, 33 together with the drastic increase in government funds dedicated to cyber-security and modernization projects, signal that policy choices falling within the USA's domaine réservé were significantly impacted. When the threatened or actual harm of a cyber operation results in a policy choice that the state would not have made without that operation, there may be a strong indication of an intervention into a state's zone of free choice.
Coercion is precisely about that: depriving a state of its freedom of choice, making it do things it would not otherwise do by means such as force, threats, deception and other non-consensual acts. 34 But it remains unclear whether 'coercion' implies some form of intentionality vis-à-vis the result of the operation. Experts disagree on this point. 35 Especially in operations where the primary purpose is espionage, this question becomes critical. In Nicaragua, the ICJ did not speak of intention in the paragraphs specifying the content of the non-intervention rule. 36 Thus, if it is not intention but, rather, foreseeability of effects that counts, the SolarWinds hack was illegal under the rule.

The Failure to Protect against the SolarWinds Hack as Unlawful Conduct
Irrespective of attribution, the state from whose territory the operation originated may also have violated positive international obligations. As some of us have argued elsewhere, 37 states are bound by several protective international obligations requiring them to exercise 'due diligence' with a view to preventing, stopping or redressing certain harmful cyber operations. Two of these rules are of general application in international law: the so-called Corfu Channel and no-harm principles.

A The Corfu Channel Principle
In the 1949 Corfu Channel case, the ICJ famously held that it is 'every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States'. 38 This duty to protect the rights of other states applies regardless of attribution – that is, who or what was responsible for the harmful conduct. Like other due diligence obligations, compliance with the Corfu Channel principle depends on the duty-bearer's actual or constructive knowledge of the act in question and its reasonable capacity to prevent or halt it in the circumstances. 39 As affirmed by the Tallinn Manual 2.0 experts, 40 the signatories of the Oxford Statements on International Law Protections in Cyberspace 41 and several states, 42 this duty applies by default to states' use of ICTs.
It appears that SolarWinds originated from Russia and has had significant adverse consequences for other states, including the USA and the United Kingdom. We have argued that some of these consequences may have amounted to violations of sovereignty and non-intervention, at the very least with respect to the USA. Irrespective of whether sovereignty is protected by a self-standing rule, and whether interventions are only prohibited if intentionally coercive, the hack was contrary to the victim state's right to carry out its sovereign functions freely.
It is also likely that the hack was contrary to the duty to protect foreign nationals from unfair competition. 43 This obligation is found in Article 10bis of the 1967 Paris Convention for the Protection of Industrial Property, 44 incorporated in Article 2.1 of the World Trade Organization's 1994 Agreement on Trade-Related Aspects of Intellectual Property Rights. 45 Notably, both Russia and the USA are parties thereto. Whether or not industrial espionage is covered by these provisions, 46 the SolarWinds hack did constitute an act of unfair competition, given its insidiousness, scale and consequences for public and private entities. No fewer than 18,000 institutions were affected, among which were several leading IT companies whose sensitive files on developing technologies may have been accessed and whose reputation may have been permanently tainted. 47 The origin state, insofar as it should have known about the hack and failed to exercise due diligence with a view to preventing or halting it, breached the Corfu Channel principle.

B The No-Harm Principle
Even if the SolarWinds hack did not result in acts contrary to the rights of other states, the origin state may have violated the so-called no-harm principle. This principle requires states to exercise due diligence in preventing, stopping or redressing foreseeable and significant transboundary harm, including where it results from lawful activity carried out by non-state actors. 48 According to the International Law Commission (ILC), the principle covers 'harm caused to persons, property or the environment', including 'detrimental effects on matters such as, for example, human health, industry, property, environment or agriculture'. 49 Thus, it appears broad enough to cover ICT-related harms.
As the then ILC special rapporteur clarified, the commission's work on the topic concerned 'all physical uses of territory giving rise to adverse physical transboundary effects' and was not limited to 'questions of an ecological nature'. 50 But while the ILC's work was limited to physical consequences for pragmatic reasons of scope, 51 the no-harm principle also applies to non-physical harms. State practice and opinio juris in support of this assertion can be found in the ILC's very first survey on the topic, 52 which points to a number of treaties requiring parties to seek to prevent interference with other states' radio broadcasts 53 as well as to other treaties extending the duty to any other telecommunications services. 54 The harm caused by the SolarWinds hack as described above is certainly significant. Assuming that the hack and related harm were foreseeable, and that the origin state failed to exercise due diligence in preventing or mitigating it, such a state is liable to provide reparation for the harm caused. Failing to redress the harm constitutes a violation of the no-harm principle. 55

The SolarWinds Hack as a Violation of Human Rights
International human rights law provides a wide catalogue of duties – both negative and positive – that states are bound to observe online as they do offline. Operations such as the SolarWinds hack can trigger such positive and negative duties under a range of rights, from privacy to life, health and education. Even if the operation was limited to a breach of data confidentiality, the attackers likely accessed not only state secrets but also private information. 56 If personal data, such as employees' credentials, student records or patient information, were accessed, a violation of states' negative and positive obligations to respect and protect the right to privacy under international human rights law may have occurred. While the right to privacy is not absolute, arbitrary interference therewith is prohibited. Such an interference would be arbitrary if it is not prescribed by law, legitimate, necessary or proportionate. 57 Notably, 'any capture of communications data is potentially an interference with privacy and, … the collection and retention of communications data amounts to an interference with privacy whether or not those data are subsequently consulted or used'. 58 Even mere intrusions into hospital systems and databases can be damaging or at least disruptive to the provision of health care. 59 Whilst the information available on the SolarWinds hack does not allow conclusions to be drawn on this point, concerns arise about the risks that IT supply chain attacks might pose to the rights to life and health. The right to life may be breached when a state does not act to address foreseeable life-threatening harms, regardless of actual loss of life. 60 That the hack also targeted a university 61 is furthermore cause for concern about a possible interference with the right to education, especially considering that Orion has been used as a school network management software by several higher education institutions in the USA. 62

Identifying the state(s) responsible for a breach of negative human rights obligations presupposes tracing the factual origin of the attacks and legally attributing them to one or more states. 63 Conversely, positive human rights duties to protect those rights are owed, and may have been violated, not only by the state(s) harbouring the hackers but also by other states with jurisdiction over individual victims. For both negative and positive human rights obligations, at least under the International Covenant on Civil and Political Rights, 64 jurisdiction may be established extraterritorially to the extent that a state exercises: (i) physical control over the IT communications infrastructure used for the hack; (ii) regulatory control over third parties that control the relevant infrastructure or data; 65 or (iii) functional control over the victims' enjoyment of human rights, even if remote. 66 The functional approach to extraterritorial jurisdiction has not only been endorsed by the UN Human Rights Committee 67 but has also long been advanced by several academics 68 and embraced by at least one state. 69 Any state with jurisdiction over the individuals affected, including the targeted states, has breached the positive human rights obligations described above insofar as they (i) knew or should have known of the risk of harm arising from the hack; (ii) had the capacity to prevent, mitigate or redress such harm (especially the necessary IT infrastructure and resources); and, yet, (iii) failed to exercise due diligence – that is, their best efforts to protect the rights in question. 70

Conclusion
At a time when the debate about how international law applies to ICTs is fast progressing, the SolarWinds hack has brought to the fore some of the most unsettled aspects of the relevant rules. As we have shown, a strong case can be made that the state to which the hack can be attributed violated its negative duties to respect the sovereignty and not to intervene in the internal affairs of, at least, the USA. It may also be held liable for violating human rights, notably the right to privacy. Irrespective of the legal attribution of the hack to any particular entity, the hack's origin state appears to have breached the Corfu Channel and no-harm principles by failing to exercise due diligence in preventing, halting or redressing the harm resulting from the hack. Any state with jurisdiction over the individuals affected, including the targeted states, may have also breached their positive obligations to protect human rights from the risk of harm. Categorical answers are difficult in this environment where 'operating in the grey' is almost elevated to a virtue. However, what academic commentary and state reactions around the SolarWinds hack have demonstrated is that, when certain types of operations raise the risk of harm beyond tolerable levels, zones of legal certainty ought to be highlighted.