An Overview of the Report of the UN Panel of Experts established pursuant to the Security Council resolution 1874 (2009): Investigations into North Korean cyberattacks continue

On 2 March 2020, the President of the UN Security Council circulated a Final Report of the Panel of Experts of the Democratic People’s Republic of Korea (DPRK) Sanctions Committee (S/2020/151) that had been set up pursuant to Security Council Resolution 1874 (2009). In the Report, the Panel referred – not for the first time – to the cyberattacks conducted by North Korea, noting that, over the past several years, North Korea has intensified its use of cyber means to evade UN sanctions. The sanctions have been in place since 2006 when the Security Council determined in Resolution 1718 that ‘there is a clear threat to international peace and security’ in the wake of the announcement of withdrawal from the Nuclear Non-Proliferation (NPT) Treaty in 2003¹ and the subsequent resumption by the DPRK of nuclear weapons and ballistic missile programmes.

While DPRK cyberattacks have been analysed in past editions of INCYDER News,² this article examines them in relation to the UN sanctions regime and presents a tentative argument in respect of possible responses that an individual State could make against North Korea.

The Panel’s task

The DPRK Sanctions Committee established under SC Resolution 1718 (2006) consists of all the members of the Council and is mandated to ‘oversee the implementation, examine and take appropriate action regarding alleged sanctions violations and make recommendations to strengthen the effectiveness of the measures adopted by the Security Council’ (S/2019/971, para. 3). The Panel of Experts, composed of eight experts (previously seven before Resolution 2094 2013), is tasked with assisting the Committee and examining and analysing information regarding the implementation of sanctions. The Panel’s activity is not conducted on a compulsory basis, but the Security Council resolution ‘[u]rges all States, relevant United Nations bodies and other interested parties, to cooperate fully with the Committee […] and the Panel of Experts, in particular by supplying any information at their disposal on the implementation of the measures imposed by’ the past SC resolutions’ (S/RES/2515, para. 5). In 2019, the Panel visited nine States (S/2019/971, para. 44), at the invitation of or with agreement from each.

The Panel of Experts has been investigating a wide range of cases of attempted sanctions evasion, including illicit imports of petroleum and petroleum products, illicit exports of commodities such as coal and sand, imports of luxury goods and earning income through nationals overseas. Since 2019, the Panel has also been extensively reporting North Korean cyberattacks as possible violations of provisions including paragraph 8(d) of Resolution 1718 (2006), paragraphs 8 and 11 of Resolution 2094 (2013) and paragraph 32 of Resolution 2270 (2016) (S/2019/691, para. 57).

Cyber sanctions

According to the Panel, North Korea has targeted a variety of entities and individuals by cyber means, including UN representatives of the Member States of the Security Council (S/2020/151, paras. 115-116), the Sanctions Committee and the Panel of Experts (ibid., paras. 117-118). With regard to the Indian Space Research Organisation and Kudankulam Nuclear Power Plant (ibid., para. 119), and South Korea’s Daewoo Shipbuilding & Marine Engineering Co. Ltd. (S/2018/171, para. 121), in particular, the Panel viewed cyber attacks on them as possible violations of sanctions concerning the arms embargo.

North Korea has also targeted banks and cryptocurrency exchanges around the globe; it has engaged in cryptocurrency mining (S/2019/691, para. 66) and cryptojacking (S/2019/691, para. 67). The best-known instances are the cyber-heist at the Bangladesh Bank in 2016, during which $81 million was successfully transferred (S/2019/171, para. 112) and the WannaCry ransomware attack in 2017, which affected more than 200,000 computers in 150 countries and was widely attributed to North Korea (S/2019/171, p. 49, n. 106 and para. 114; S/2019/691, paras. 64-65). The comprehensive list of cases under investigation by the Panel is found in Annex 21 to S/2019/691. The Panel estimates the total amount of revenue brought in by the cyberattacks to be approximately $2 billion (S/2019/691, para. 57), and notes that such financial gain funds North Korea’s weapons of mass destruction (WMD) programmes. It recommends that ‘the Security Council consider explicitly addressing the DPRK’s evasion of sanctions through cyber means if drafting additional sanctions measures in the future’ (S/2020/151, para. 184). Possible additional sanctions measures to that end could include ‘complete or partial interruption of […] telegraphic, radio, and other means of communication’ (Article 41 of the UN Charter).

Violations of sovereignty or non-intervention in domestic affairs

Before moving on to the possible consequences of the adoption of additional Security Council Resolutions, the question may arise as to what other international obligations have been breached by North Korea. This is particularly relevant when individual victim States might wish to take countermeasures against North Korea if the Security Council fails, for political reasons, to address the DPRK cyberattacks as sanctions evasion activities.

A violation of sovereignty could be one of them, as analysed by INCYDER news. In this regard, the Tallinn Manual 2.0 notes that:

‘cyber crime as such does not violate sovereignty unless it is engaged in by, or attributable to, a State […] and meets the other criteria for violation of [sovereignty]. As an example, theft of Bitcoin by an organised crime group acting on its own accord would not violate the sovereignty of any State’ (Tallinn Manual 2.0, p. 26).

Thus, cyber theft of cryptocurrency attributable to North Korea might entail international State responsibility, on the condition that other requirements for sovereignty are met.

When the WannaCry attacks hit the UK’s National Health Service (NHS), no ransom was paid and no patient suffered direct harm from the attack (see the US Department of Justice’s criminal charges against Park Jin Hyok, p. 107, para. 225). Even so, it might be regarded as a violation of sovereignty as proposed in the Tallinn Manual 2.0, since medical services are one of the ‘inherently governmental functions’ (Tallinn Manual 2.0, pp. 21-24, paras. 15-22). States may vary in how they apply international law to cyber issues and seem cautious about articulating their opinions in legal terms in specific cases. That said, the WannaCry attack might be considered ‘the targeting of essential medical facilities’ in the light of the UK Attorney General’s view, and therefore could be regarded, at least by the UK, as a violation of the prohibition against intervention in the domestic affairs of a State. The same holds for the cyber heist at the Bangladesh Central Bank. The type of currency targeted – fiat or cryptocurrency – does not seem to make a difference, as the focus is on whether the campaign adversely affected the public or governmental function assigned to a victim entity by the State.

‘Cybercrime’ by a State

There were other cases in the WannaCry campaign where victims not engaged in government service paid the ransom in Bitcoin and the data remained encrypted even after the payment. Approximately 330 victims had paid a total of over $140,000 as of August 2017 (the US Department of Justice’s criminal charges against Park Jin Hyok, p. 117, para. 234(b)) and there were many cases of theft of cryptocurrency. The theft of cryptocurrency itself is not yet criminalised as a cybercrime under international law, but these incidents have several elements of a crime in common: computer intrusion, procurement and use of malware in victims’ computers, and alteration of or damage to data in victims’ computers. For the sake of argument, assume that all States involved are Contracting States to the Convention on Cybercrime of the Council of Europe. Under the law of State responsibility, if a government agent commits a cybercrime defined in the Convention, such as data alteration or use of malware, their State of nationality incurs an international responsibility for that act (Article 4 of International Law Commission (ILC)’s Articles on State Responsibility).

However, it is not so easy when it comes to computer intrusion into the networks of another State. Such hacking means illegal access provided under Article 2 of the Convention on Cybercrime. The Tallinn Manual notes on this topic that peacetime cyber espionage by States does not per se violate international law (Tallinn Manual 2.0, Rule 32). If this rule is supported by States, it is highly unlikely that such unauthorised access by a government organ would be accused of being an international wrongful act, even if the government agent is convicted as a spy under domestic criminal law.

Things are even harder if all States involved in a particular case do not share a common international treaty on cybercrimes. They might find it difficult to ascertain an international obligation to that effect. Although several regional conventions regulating cybercrimes have existed, they have not attracted ‘a very widespread and representative participation’³ from States. Also, it is far from clear whether ‘State practice, including that of States whose interests are specially affected, […] have been both extensive and virtually uniform in the sense of the provision invoked’.⁴ Unless there is such an obligation in force among States, including North Korea, be it an international convention or customary international law, an international responsibility is not incurred despite the attribution of the act.

Duplicated countermeasures by an individual State

With regard to attribution, the Panel indicates that the Reconnaissance General Bureau of North Korea is behind these cyberattacks, based on information from UN Member States and official documents such as the US Department of Justice’s criminal charges against Park Jin Hyok (an alleged member of the ‘Lazarus Group’ of cybercriminals controlled by the Bureau). If the Security Council agrees with the Panel’s findings and regards the DPRK’s cyberattacks as a violation of the Resolutions, these cyberattacks could amount to a breach of an international obligation under Article 25 of the UN Charter. It also implies that a State may be held responsible for the theft of foreign currency, both fiat and virtual, following the adoption of Security Council Resolutions under Chapter VII of the UN Charter, even though current international law does not expressly prohibit the act.

Still, a question remains as to whether there is room for an individual State to take unilateral countermeasures against North Korea. Professor Marco Roscini discussed the topic in the context of the Iranian uranium enrichment programme and concluded:

‘Article 25 of the UN Charter is an erga omnes partes obligation owed to all other UN Member States: for this type obligations, Article 42 (b)(i) of the ILC Articles prescribes that, although all Member States have a legal interest in the fulfilment of the obligation, only those “specially affected” by the breach are injured States and are thus entitled to adopt countermeasures under Article 49. In the present case, there are no States ‘specially affected’ by the breach of Article 25 of the UN Charter resulting from the continuation of the Iranian uranium enrichment programme’.⁵

The same issue may arise concerning the DPRK’s WMD programme, as there are suspicions that the US deployed cyber capabilities to sabotage it.⁶  Although there might be a case where a State is affected by both the launch of ballistic missiles and cyberattacks,⁷ this article focuses only on issues involving the latter.

According to the commentary of ILC’s Articles on State Responsibility, in case of the violations of collective obligations (explained below) that ‘specially affect’ a State, a victim State is entitled to invoke the responsibility under Article 42(b)(i).

‘Article 42 (b) deals with injury arising from violations of collective obligations, i.e. obligations that apply between more than two States and whose performance in the given case is not owed to one State individually, but to a group of States or even the international community as a whole’.⁸

In respect of the violations of the Council-imposed sanctions and consequent violations of Article 25 of the UN Charter, such collective obligation seems to be the most probable category. Other types of obligation, such as multilateral conventions of ‘bundles of bilateral relations’ (e.g. diplomatic and consular relations), and so-called integral obligation (e.g. disarmament),⁹  are less likely to be applied to collective security under the UN Charter.

One may ask which State suffered ‘particular adverse effect’¹⁰ and thus could be ‘an injured State’ as a result of North Korean cyberattacks; possibly only one whose nationals or government suffered massive loss from the cyberattacks, in terms of the number of computers damaged and the amount of currency stolen, for instance. At any rate, as long as the purpose of countermeasures is ‘the cessation of a continuing wrongful act’ (Tallinn Manual 2.0, p. 117, commentary para. 2), it is not permissible for an injured State to take such measures after completion of the preceding illegal act.

To tackle the threats posed by North Korea, the Panel of Experts and several US federal departments have encouraged¹¹ all States to be vigilant and adopt the necessary measures to mitigate the threat, such as the implementation of the Financial Action Task Force (FATF) standards, which implies that countermeasures are not necessarily a viable way of solving the issues for the time being.

Cyberattacks on the Panel of Experts and the Sanctions Committee

The DPRK’s cyberattacks have not been limited to those that are financially motivated. The Panel notes that both it and the Sanctions Committee have been targeted by a DPRK spearphishing operation since 2016 (S/2020/151, para. 117). Attacks like these provide an additional basis for tightening UN sanctions more severely and the Security Council might include these instances in the list of the DPRK’s sanctions evasions in its future resolutions. Depending on the gravity of such cyberattacks, the UN itself could bring an international claim against North Korea for damages caused to computers and other devices used by the UN or a member if any damage were to be suffered.¹²

Further investigations

On 30 March 2020, the Security Council extended the mandate of the Panel of Experts to 30 April 2021 by adopting Resolution 2515. As a result, the Panel has been authorised to continue its investigations into the DPRK cyberattacks, but moving forward is not without its challenges. Not all the investigations have been making the progress that was expected. The Panel does not have the power to undertake compulsory inspections in the territory of UN Member States and is heavily reliant on their cooperation. Therefore, according to a member of the Panel, ‘[i]mplementation [of the obligations of the SC resolutions] by the Member States is a key element of effective sanctions’.¹³ The reasons for such partial and seemingly less effective implementation are unknown to outsiders, but it is certain that some improvements are yet to be introduced. Otherwise, inadequate investigation and consequent inaction by the Security Council would send an undesirable signal to North Korea that it is free to do more.

Author: Keiko Kono, NATO CCDCOE Law Branch

This publication is a part of the INCYDER database, a research tool on International Cyber Developments (INCYDER), established by NATO CCDCOE to facilitate the work of researchers, lawyers, policy-makers and other cyber security-related practitioners. INCYDER offers up-to-date overviews and easy access to the most relevant legal and policy documents adopted by international organisations active in the cyber security domain along with practical summaries and analysis of recent trends within these organisations written by CCDCOE researchers.

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

 

1. Despite the announcement by the DPRK, it is still included in the list of State Parties of the NPT Treaty on the website of UN Office for Disarmament Affairs. With regard to an issue surrounding the vague status of the DPRK under the NPT Treaty, see Masahiko Asada, ‘Arms Control Law in Crisis? A Study of the North Korean Nuclear Issue’, Journal of Conflict and Security Law, Vol. 9 (2004), pp. 331-355. [↩]
2. ‘NotPetya and WannaCry Call for a Joint Response from International Community’, the NATO CCDCOE website, 30 June, 2017, https://ccdcoe.org/news/2017/notpetya-and-wannacry-call-for-a-joint-response-from-international-community/; Tomáš Minárik, ‘WannaCry Campaign: Potential State Involvement Could Have Serious Consequences’, the NATO CCDCOE website, 16 May, 2017, https://ccdcoe.org/news/2017/wannacry-campaign-potential-state-involvement-could-have-serious-consequences/. Regarding a view of the Director of the Tallinn Manual 2.0, see Michael Schmitt and Sean Fahey, ‘WannaCry and the International Law of Cyberspace’, Just Security, 27 December, 2017, https://www.justsecurity.org/50038/wannacry-international-law-cyberspace/ [↩]
3. North Sea Continental Shelf, Judgment; I.C.J. Reports 1969, p. 3, at p. 42, para. 73, https://www.icj-cij.org/files/case-related/51/051-19690220-JUD-01-00-EN.pdf [↩]
4. Ibid., p. 43, para. 74. [↩]
5. Marco Roscini, ‘Cyber Operations as Nuclear Counterproliferation Measures’, Journal of Conflicts and Security Law, Vol. 19 (2014), p. 145. [↩]
6. ‘Hand of U.S. Leaves North Korea’s Missile Program Shaken’, The New York Times, 18 April, 2017, https://www.nytimes.com/2017/04/18/world/asia/north-korea-missile-program-sabotage.html; ‘Exclusive: U.S. Tried Stuxnet-style Campaign against North Korea But Failed – Sources’, Reuters, 29 May, 2015, https://www.reuters.com/article/us-usa-northkorea-stuxnet/exclusive-u-s-tried-stuxnet-style-campaign-against-north-korea-but-failed-sources-idUSKBN0OE2DM20150529 [↩]
7. There might be potential instances where North Korean missiles fall into the Exclusive Economic Zone (EEZ) of neighbouring States and cause significant damage to fishery and any other activities involving littoral States’ sovereign rights in EEZ and continental shelf. [↩]
8. James Crawford, The International Law Commission’s Articles on State Responsibility: Introduction, Text and Commentaries (Cambridge University Press, 2002), p. 259, para. 11. As such an example, he lists Iraq-Kuwait War (1990-91). Idem, ‘State Responsibility’, Max Planck Encyclopedia of Public International Law (2006), para. 49, https://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1093?rskey=khHxRC&result=1&prd=OPIL [↩]
9. Idem, The International Law Commission’s Articles on State Responsibility, p. 258, para. 8; idem, ‘State Responsibility’, para. 44. [↩]
10. Idem, The International Law Commission’s Articles on State Responsibility, p. 259, para. 12. [↩]
11. The US Departments of State, the Treasury and Homeland Security and the FBI, ‘DPRK Cyber Threat Advisory: Guidance on the North Korean Cyber threat’, 15 April, 2020, https://www.treasury.gov/resource-center/sanctions/Programs/Documents/dprk_cyber_threat_advisory_20200415.pdf [↩]
12. Reparation for Injuries Suffered in the Service of the United Nations, Advisory Opinion: I. C. J. Reports 1949, p. 174, at pp. 180-181, https://www.icj-cij.org/files/case-related/4/004-19490411-ADV-01-00-EN.pdf [↩]
13. Maiko Takeuchi, ‘Smart Language: How to Address an Inherent Weakness Undermining the Implementation of U. N. Sanctions on North Korea’, US Naval War College International Law Studies, Vol. 96 (2020), p. 59. [↩]