Responsibility of international organizations for cyber attacks in international law

Озинковская-Бюрабекова Е. В., магистрант

Университет КазГЮУ

Казахстан, Астана ОТВЕТСТВЕННОСТЬ МЕЖДУНАРОДНЫХ ОРГАНИЗАЦИЙ ЗА

КИБЕР АТАКИ В МЕЖДУНАРОДНОМ ПРАВЕ

It is very difficult to analyse the question of responsibility of States for cyber attacks. Even more limited practice exists about the responsibility of international organisations for cyber operations. Nevertheless, understanding and commending the importance of the topic, the International Law Commission suggested to governments to pay attention to this issue and issued Articles on the Responsibility of International Organisations. Thus, the elements of the Articles are appropriate for evaluation of the problem of discussion.

According to the Articles on the Responsibility of International Organisations, international organisation is an entity established by a treaty regulated by international law and exercising its legal personality on international arena.1 As well as different entities the States may be the members of international organisations. That point that organisation should be established by specific document or other relevant instrument and be the responsible part of international law community means that it creates particular obligations of organisation. Clearly, international organisation would be tied in its activities by that principles which contained in its constitutive documents, treaties to which organisation is Party and particularly international law. If to apply this statement to the cyber context, it is evident that international organisation is bound by all mentioned above in the cyberspace and in its cyber activities. It is possible to conclude so because to the extent international law applies to the ordinary operations of international organisation, it does the same regarding the cyber activities of the entity.

States, acting as the members of international organisation, may establish different specific legal rules regarding cyber operations. It may differ from the customary international law which, however, would be still applicable to such rules. Nevertheless, such situation appears advantageous for one part of Member States and unfavourable for others. While one owns and operates its own strong cyber infrastructure, others heavily depend on the cyber infrastructure of more developed partners. Even some international organisations rely on someone else’s cyber capacity. Thus, establishing new rules about cyber activities inside the specific community or particular international organisation may be dangerous due to the differences in the capacity to perform specific obligations. Namely, what could be observed by one Member, could not achieved by another.

Cyber attack by or against an international organisation should be analysed individually in each case and with attention and respect to the nature, structure, mission and functions. Examine a situation in which cyber attack was conducted against an international organisation. In this case, injured organisation cannot claim a violation of its sovereignty, because the organisation itself does not enjoy sovereignty separately from the State the organisation is located in. The State, where the organisation’s injured infrastructure is located, may claim violation of sovereignty. Consider another situation in which cyber attack was conducted by an international organisation itself. For example, international organisation decides to intervene in the process of elections and selects a State where the elections are in the process. By conducting cyber attacks on governmental websites and media of that State and trying to penetrate into the State with its influential information which may change the minds of the nationals, international organisation would violate customary international law and particularly the prohibition of intervention. If examine Article 2 (7) of the United Nations Charter, it is clear that United Nations as an international organisation shall not intervene in domestic affairs of any State. 2 The exception is only threat to the peace and acts of aggression and intervention by cyber attack in the process of elections may not be excused by this. In this case, an international organisation would be responsible for its cyber attack.

International organisations, as any other members of the international law community, are responsible for internationally wrongful acts they commit. 3 In other words, international organisations are responsible for cyber attacks and other operations in the cyberspace. However, such attacks and operations should be attributable to an organisation for other Members of the community and injured Parties to be able to claim organisation’s responsibility. Unfortunately, while it is easy to trace cyber attack directly conducted by employees or agents of an international organisation, it is almost impossible to attribute an attack to organisation which hired third party individuals.