Scenario 23: Vaccine research and testing

From International cyber law: interactive toolkit
Revision as of 06:38, 8 August 2021 by Uncleistvan1BBB (talk | contribs) (added sovereignty)

A major State-run hospital serving as a virus testing and vaccine research facility falls victim to both research espionage and a two-day distributed denial of service (DDoS) attack during a pandemic. Several months of research and clinical trial data is exfiltrated to a neighbouring State. As a result of the DDoS attack, the victim State’s population cannot access information about virus testing availability and cannot obtain test results. The scenario considers attribution of the cyber operations and whether such incidents constitute a violation of sovereignty, a prohibited intervention, a use of force, or a violation of international human rights law.

Scenario

Keywords

Attribution, sovereignty, peacetime cyber espionage, prohibition of intervention, use of force, international human rights law

Facts

[F1] State A and State B are suffering from a pandemic caused by a highly communicable, previously unidentified respiratory virus. Common symptoms of the virus include high fever, cough, shortness of breath, and fatigue. Because some infected persons are symptomatic and others are contagious despite appearing asymptomatic, the virus is spreading virtually unchecked. Hospitals are rapidly becoming overwhelmed. The virus’ high mortality rate, if not treated promptly, means both States desperately want to develop an effective treatment for those infected and a vaccine to protect others from becoming ill.

[F2] Over the prior decade, the relationship between States A and B has deteriorated significantly. The recent rise to power of an ultra-nationalist prime minister in State B, unrestrained by a similarly disposed parliament, has worsened the decline in relations. In the last year, State B has frequently accused State A of mistreating its large ethnic minority.

[F3] The largest State-run hospital in State A, which also serves as a vaccine research facility and the primary national virus testing facility, was recently victimized by a pair of hostile cyber operations. Eight months of vaccine research and clinical trial data was copied and exfiltrated (incident 1). Forensic investigators in State A cannot definitively rule out the possibility that the perpetrator maintains persistent access to the hospital’s information systems. However, investigators conclude, with moderate certainty, that the integrity of the original data remains intact and unchanged. State A appears to still have full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. The operation appears to have been limited to exfiltration of data and, consequently, a loss of confidentiality.

[F4] A two-day distributed denial of service (DDoS) attack left the public unable to access the hospital’s website to obtain information about testing availability and unable to view test results (incident 2).

[F5] Both publicly and through diplomatic channels, State B denies any involvement in the incidents. Despite these denials, State A cybersecurity authorities conclude with a high degree of confidence, based on forensic analysis, that State B is the most probable actor responsible for both the exfiltration of the vaccine research and the DDoS attack. The vaccine research and clinical trial data obtained from State A were exfiltrated to the Ministry of Health in State B. Moreover, the techniques used for both the data theft and the DDoS attack are identical to those employed by State B’s intelligence service in previous cyber operations conducted against State C, an ally of State A.

Examples

Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario focuses on three main issues: 1) Whether the cyber operations conducted against State A are attributable to State B; 2) Whether the exfiltration of State A’s vaccine research is an internationally wrongful act; and 3) Whether the DDoS operation against State A is an internationally wrongful act.

Attribution

State organs and persons and entities in exercise of governmental authority
The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  1. The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[1]
  2. The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance";[2]
  3. The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State.[3]

Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[4]

[L2] Both the cyber espionage operation and the DDoS attack are attributable to State B. State A considered the possibility that this hostile cyber operation is, in fact, a “false flag” operation perpetrated by a third State in such a way as to make it appear State B is responsible. However, in light of its increasingly strained diplomatic relationship with State B, the fact that the vaccine research was exfiltrated to the Ministry of Health in State B, and because the techniques employed to conduct both operations comport with those previously used by State B’s intelligence service against State C, State A has a high degree of confidence State B is responsible. State B’s intelligence service is undeniably functioning as part of State B’s central government and thus a State organ the conduct of which is attributable to State B under Article 4 of the International Law Commission’s Draft Articles on the Responsibility of States for Internationally Wrongful Acts. Consequently, the balance of the analysis of this scenario considers whether State B breached international law either by exfiltrating vaccine research data or by conducting the DDoS operation against the hospital in its capacity as a vaccine research site and as State A’s principal virus testing facility.

Breach of an international obligation

[L3] This section considers whether the cyber espionage and the DDoS attack by State B breach an international obligation owed to State A—specifically, whether State B breached the international law rules prohibiting violations of State sovereignty and intervention into the domaine réservé of another State, perpetrated an unlawful use of force against State A, or violated the human rights of inhabitants of State A.

Obligation to respect the sovereignty of other States

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[5]

Multiple declarations by the UN,[6] the African Union,[7] the European Union,[8] NATO,[9] OSCE,[10] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty.[11] However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[12] It has also been adopted by several States including Austria,[13] Brazil,[14] Canada,[15] the Czech Republic,[16] Estonia,[17] Finland,[18] France,[19] Germany,[20] Iran,[21] Italy,[22] Japan,[23] the Netherlands,[24] New Zealand,[25] Norway,[26] Romania[27] and Sweden.[28]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[29] This view has been adopted by one State, the United Kingdom,[30] and has been partially endorsed by the U.S. Department of Defense General Counsel.[31] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention or use of force).

It is understood that sovereignty has both an internal and an external component.[32] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[33][34] This encompasses both private and public infrastructure.[35] The external component entails that States are “free to conduct cyber activities in [their] international relations”, subject to their international law obligations.[36]

As a general rule, each State must respect the sovereignty of other States.[37] However, within the cyber realm – and particularly regarding remote cyber operations – there is still no agreement on the criteria[38] and the required threshold[39] to qualify an operation as a sovereignty violation.[40] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[41] Accordingly, the assessment needs to be done on a case-by-case basis.[42]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[43] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[44]
  2. Causation of physical damage or injury by remote means;[45] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[46]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved on the precise threshold for a loss of functionality (the necessity of reinstallation of the operating system or other software was proposed but not universally accepted).[47] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[48]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[49] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[50]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[51]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Canada,[52] Germany[53] and the Netherlands;[54] and followed to some extent by other States, such as the Czech Republic,[55] Norway,[56] Sweden[57] and Switzerland.[58] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”;[59] similarly, Iran has argued that “unlawful intrusion to the (public or private) cyber structures” abroad may qualify as a breach of sovereignty.[60]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[61]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Brazil (2021), National position of Canada (2022), National position of the People's Republic of China (2021), National position of Costa Rica (2023), National position of the Czech Republic (2020), National position of the Czech Republic (2024), National position of Denmark (2023), National position of Estonia (2019), National position of Estonia (2021), National position of Finland (2020), National position of France (2019), National position of Germany (2021), National position of Iran (2020), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of Kenya (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Pakistan (2023), National position of the Republic of Poland (2022), National position of Romania (2021), National position of Singapore (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United Kingdom (2022), National position of the United States of America (2012), National position of the United States of America (2016), National position of the United States of America (2020), National position of the United States of America (2021).

[L4] State B’s DDoS attack (incident 2) violated State A’s sovereignty. Under one view, which is held by a number of States, as well as numerous scholars, a remotely conducted cyber operation breaches the sovereignty of another State if it causes concrete effects within the territory of the victim State.[62] A contrasting view, succinctly expressed by France, is that a cyber operation penetrating a State’s systems violates that State’s sovereignty even if the cyber operation does not cause concrete effects within victim State territory.[63] One can conclude with a high degree of certainty that, by interfering with the dissemination of virus testing information and test results, State B caused the virus to spread more rapidly among people in State A than it otherwise would have done. The inability of State A’s population to know how and when to schedule testing or to obtain the results of completed tests in a timely manner meant that people were unable to identify themselves as carriers of the virus, were unaware they posed a public health risk, and likely were slow to implement appropriate precautions. That lack of information means persons carrying the virus almost certainly unknowingly spread it to others. Likewise, State A more than likely experienced an increased mortality rate from the virus because the inability of the population to get tested and to obtain test results delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment.

[L5] For this prong of analysis of incident 2, the physical effects must be ascertained and causally linked to the cyber operation.[64] Mere rescheduling of planned surgeries or a minor delay in delivering the test results would be a less serious effect than directly interfering with the immediate delivery of medical care; likewise, the impossibility of testing at one location could simply result in people taking the test elsewhere, so it may be difficult to pinpoint the causal link between the cyber operation and the additional infections.

[L6] There exists some uncertainty whether interference in, or usurpation of, inherently governmental functions is a relevant test for determining the existence of a violation of sovereignty, even though several States have already made declarations in favour of this interpretation. Applying that analysis to incident 2, State B also breached State A’s sovereignty by interfering with its ability to carry out its inherently governmental function of managing the public health crisis ongoing within its territory.[65] By denying State A’s populace access to critical information about operations at the State’s primary virus testing facility, State B’s DDoS attack interfered with a vital aspect of State A’s plan for managing the health crisis. The act of interfering with State A’s inherently governmental function, wholly apart from whether that interference causes concrete effects to manifest in State A, results in a sovereignty violation.[66]

[L7] As for State B exfiltrating the vaccine research from State A (incident 1), under the facts of this scenario, this likely does not constitute a sovereignty violation.[67] First, State A suffered no damage or destruction to its cyber infrastructure. Second, State B did not, merely by exfiltrating vaccine research, necessarily cause increased spread of the virus or higher mortality rates among those infected with the virus in State A. If, however, State B accessing the clinical trial data caused the clinical trial to fail procedural protocols and need to be restarted, the resulting delay in State A’s vaccine development effort may shift the analysis in favour of a breach of sovereignty. Finally, State B did not impair the ability of State A to perform its inherently governmental functions; in particular its ability to manage the public health crisis within its borders.

Checklist

  • Sovereignty
    • What is the victim State’s position on whether sovereignty is a primary rule of international law, and if so, the content of this rule?
    • Was the operation: (a) conducted remotely; or (b) conducted from within the territory of the victim State and without its consent?
    • Did the operation cause physical damage, significant loss of functionality, or destruction of cyber infrastructure in the victim State?
    • Did the operation cause damage to or destruction of something other than cyber infrastructure in the victim State?
    • Did the operation, directly or indirectly, cause injury or death to individuals?
    • Did the operation interfere with the victim State performing its inherently governmental functions?
    • Did the operation usurp the performance of an inherently governmental function of the victim State?
    • If the facts support finding a violation of sovereignty, is there a circumstance precluding the wrongfulness of that violation?
  • Prohibition of intervention
    • Did the operation interfere with or usurp a matter unregulated by international law or left solely to the prerogative of the victim State under international law?
    • Did the operation amount to a coercive act, and if so, under what definition of “coercion”?
    • If the facts support finding a violation of the prohibition on intervention, is there a circumstance precluding the wrongfulness of that violation?
  • Use of force
    • Did the operation cause physical effects in the territory of the victim State?
    • If no physical effects manifested in the territory of the victim State, what is the victim State’s position on whether cyber operations not causing concrete effects can qualify as a use of force?
    • If physical effects resulted from the operation, were more than a de minimis number of persons in the victim State injured or killed? Did the operation result in significant physical damage or destruction of objects?
    • Did the effects generated in the victim State result immediately or near immediately from the operation?
    • Are the effects generated in the victim State directly traceable to the operation as the cause?
    • Is the perpetrator of the operation a State organ that might be expected to employ kinetic means typically characterised as a use of force (e.g., armed forces or intelligence agencies)?
    • Is the system targeted in the victim State public (governmental) or private (non-governmental)?
    • Is the scale of the effects generated in the victim State reasonably quantifiable?
  • International human rights
    • Did the operation interfere with an individual right recognized under a human rights treaty to which the States are party or that is recognized by customary international law?
    • Does the State perpetrating the operation control the territory in which the victim’s rights are violated, or does an organ of the perpetrating State exercise power or control over the victim?
    • If the organ of the State perpetrating the cyber operation does not exercise power or control over the victim in a physical sense, does that State organ exercise control over the victim’s ability to enjoy a human right recognized under a human rights treaty to which the States are party or recognized by customary international law?
    • If the operation interferes with an individual right recognized under an applicable human rights treaty or under customary international law, is that interference (a) authorized by a domestic law; (b) undertaken in the pursuit of a legitimate public interest (e.g., national security, public order, or public health) or to protect the rights of others; (c) necessary to achieve that public interest; and (d) conducted in a manner proportionate to the desired end?
    • Did the victim State fulfil its positive obligations under IHRL (e.g., protecting the right to life of those under its jurisdiction)?

Appendixes

See also

Notes and references

  1. ILC Articles on State Responsibility, Art 4(1).
  2. ILC Articles on State Responsibility, Art 5.
  3. ILC Articles on State Responsibility, Art 6.
  4. ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
  5. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  6. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  7. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024).
  8. Council of the European Union, "Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  9. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales) (5 September 2015) para 72.
  10. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  11. See UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc A/68/98 (24 June 2013) para 20; UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015) paras 27, 28(b); UNGA, Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 70, 71(b).
  12. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, rule 4 (‘A State must not conduct cyber operations that violate the sovereignty of another State’), and commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  13. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  14. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 18.
  15. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  16. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  17. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 25.
  18. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  19. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  20. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  21. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  22. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’ (2021) 4.
  23. Ministry of Foreign Affairs of Japan, ‘Basic Position of the Government of Japan on International Law Applicable to Cyber Operations’ (16 June 2021) 3.
  24. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  25. New Zealand Foreign Affairs and Trade, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020) 2.
  26. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 67.
  27. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 76.
  28. Government Offices of Sweden, ‘Position Paper on the Application of International Law in Cyberspace’ (July 2022) 2.
  29. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  30. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’). The approach has been maintained in UK’s 2021 and 2022 national positions.
  31. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  32. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  33. Tallinn Manual 2.0, rule 2.
  34. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules'). This has been endorsed by several States, including China, the Czech Republic, Estonia, Finland, France, Germany, Israel, Italy, the Netherlands, Norway, Sweden, Switzerland and the United States.
  35. Tallinn Manual 2.0, commentary to rule 4, para 5. See also the national positions of Norway, Sweden and Switzerland.
  36. Tallinn Manual 2.0, rule 3; see also the national positions of the Czech Republic, the Netherlands and Norway.
  37. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  38. Some States have referred to the nature of the operation, its consequences, and/or the scale or severity of the effects, as the relevant factors that should be assessed. See e.g. the national positions of Canada, Finland, Germany, New Zealand, Norway, Sweden and Switzerland. New Zealand also highlighted the nature of the target in this regard.
  39. Some States, such as Canada and Germany, have highlighted the requirement of a certain level of effects beyond “negligible” or “de minimis”. See similarly New Zealand’s national position. For further discussion on the required threshold, see Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Texas Law Review 1639; Harriet Moynihan, ‘The Application of International Law to State Cyberattacks. Sovereignty and Non-Intervention’, Chatham House (2 December 2019) paras 60 ff.
  40. Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549.
  41. Tallinn Manual 2.0, commentary to rule 4, paras 5 and 12.
  42. See e.g. the national positions of Canada, Finland, New Zealand, Norway, Sweden and Switzerland.
  43. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  44. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9. See also, the national positions of Canada and New Zealand.
  45. Tallinn Manual 2.0, commentary to rule 4, para 11.
  46. Tallinn Manual 2.0, commentary to rule 4, para 12.
  47. Tallinn Manual 2.0, commentary to rule 4, para 13. Additionally, there was agreement between the experts that ‘a cyber operation necessitating repair or replacement of physical components of cyber infrastructure amounts to a violation because such consequences are akin to physical damage or injury’. See also in this respect Canada’s national position.
  48. Tallinn Manual 2.0, commentary to rule 4, para 14.
  49. Tallinn Manual 2.0, commentary to rule 4, para 15.
  50. Tallinn Manual 2.0, commentary to rule 4, para 16. Other examples may include law enforcement, taxation, foreign relations and national defense. See e.g. the national positions of Canada, Germany and Norway. See also Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549, 557.
  51. Tallinn Manual 2.0, commentary to rule 4, para 18.
  52. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  53. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  54. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  55. Richard Kadlčák, Statement of the Special Envoy for Cyberspace and Director of Cybersecurity Department of the Czech Republic (11 February 2020) 3.
  56. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 68.
  57. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 2.
  58. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 3.
  59. Ministry of Defense of France, 'International Law Applied to Operations in Cyberspace' (9 September 2019) 6.
  60. Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace (August 2020) para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state’).
  61. In favour: see, e.g., Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3; Romania’s national position (‘If there is not a State or State endorsed operation one can speak of a criminal act, which should be investigated and punished in accordance with the criminal law of the State concerned’).
  62. See Tallinn Manual 2.0, commentary to rule 4, paras 10–14; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 253.
  63. See French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p 7.
  64. Tallinn Manual 2.0, commentary to rule 4, paras 10–14; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 253 (effects), 258, 268 (causal nexus per analogiam).
  65. Tallinn Manual 2.0, commentary to rule 4, paras 15–16; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 255.
  66. Tallinn Manual 2.0, commentary to rule 4, para 19; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 255.
  67. See Tallinn Manual 2.0, rule 4 and commentary to rule 4, para 27; Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6. But see, French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p 7; Iran, Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace.

Bibliography and further reading

  • Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (signed on 15 April 1994 in Marrakesh), 1869 UNTS 299, 33 ILM 1197.
  • American Convention on Human Rights (open for signature from 22 November 1969, entered into force 18 July 1978), 1144 UNTS 123.
  • Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43.
  • Australia, Supplement to Australia’s Position on the Application of International Law to State Conduct in Cyberspace (2019).
  • Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020).
  • Bankovic and Others v. Belgium, 2001-XII Eur. Ct. H.R. 333.
  • William Banks, State Responsibility and Attribution of Cyber Intrusions After Tallinn 2.0, (2017) 95 Tex. L. Rev. 1487.
  • Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
  • Ian Brownlie, International Law and the Use of Force by States (OUP 1963).
  • Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ in International Cyber Norms: Legal, Policy & Industry Perspectives, Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016.
  • Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16.
  • Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207.
  • James Crawford, Brownlie's Principles of Public International Law (OUP 2012).
  • James Crawford, State Responsibility: The General Part, (CUP 2008).
  • James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).
  • Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665.
  • Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000.
  • Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73.
  • Convention for the Protection of Human Rights and Fundamental Freedoms (opened for signature in Rome on 4 November 1950, entered into force 3 September 1953).
  • Council of the European Union, "Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  • Oliver Corten, The Law against War (Hart Pub. 2010).
  • Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020).
  • Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 Va. J. Int’l L. 291.
  • Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment [2009] ICJ Rep 213.
  • Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012).
  • Documents of the United Nations Conference on International Organization (1945), vol VI, 334.
  • Draft Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
  • Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019).
  • Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583.
  • Brian Egan, Legal Advisor, U.S. Dep’t of State, ‘International Law and Stability in Cyberspace’, Speech at Berkeley Law School (10 November 2016).
  • David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights.
  • French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019.
  • G7 Principles and Actions on Cyber (Annex to the Ise-Shima Declaration from 27 May 2016).
  • G8 Summit of Deauville, Declaration: Renewed Commitment for Freedom and Democracy (27 May 2011).
  • G20 Leaders’ Communiqué (15–16 November 2015).
  • Christine Gray, International Law and the use of force (OUP 2018).
  • Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
  • Christof Heyns, Dapo Akande, Lawrence Hill-Cawthorne, & Thompson Chengeta, The International Legal Framework Regulating Armed Drones, 65 Int’l Comp. L.Q. 791.
  • Duncan B. Hollis & Tsvetelina van Benthem, ‘What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?’ Lawfare (March 30, 2021). 
  • International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171.
  • International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) 993 UNTS 3.
  • International Law Commission, 'Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session' Yearbook of the International Law Commission Vol. II (1966) 247.
  • Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020).
  • Island of Palmas (Neth. v. U.S.), 2 RIAA 829 (Perm. Ct. Arb. 1928).
  • Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated).
  • Harold Hongju Koh, Legal Adviser, U.S. Dep’t of State, ‘International Law in Cyberspace: Remarks as Prepared for Delivery to the USCYBERCOM Inter-Agency Legal Conference' (Sept. 18, 2002), reprinted in 54 Harv. Int’l L.J. Online 1, 4 (2012).
  • Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012).
  • David Kretzmer, ‘The Inherent Right to Self-Defence and Proportionality in Jus Ad Bellum’ (2013) 24 EJIL 235.
  • Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136.
  • Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226.
  • Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. Int'l L. & Com. Reg. 443.
  • Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56/1 Harv Int’l L.J. 81.
  • Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247.
  • Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of cyber operations: an international law perspective on the Park Jin Hyok case’, (2020) 9 Cambridge Int’l L.J. 51.
  • Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14.
  • Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020.
  • G Nolte and A Randelzhofer, ‘Article 51’ in B Simma et al (eds), The Charter of the United Nations: A Commentary (3rd ed, OUP 2012) vol II.
  • North Atlantic Treaty Organization, 'Wales Summit Declaration' (5 September 2015).
  • Office of the General Counsel, U.S. Department of Defense, Law of War Manual (rev. ed., Dec. 2016).
  • Oil Platforms (Iran v US) [2003] ICJ Rep 161.
  • Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  • Second Oxford Statement on International Law Protections of the Healthcare Sector During COVID-19: Safeguarding Vaccine Research (7 August 2020).
  • President of the United States, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011).
  • Norbert Riedel, ‘Cyber Security as a Dimension of Security Policy’ (18 May 2015).
  • Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014).
  • Michael N. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
  • Michael N. Schmitt, The Use of Cyber Force and International Law, in Oxford Handbook on the Use of Force in International Law 1110 (Marc Weller ed. 2015).
  • Michael N. Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 Chi. J. Int’l L. 30.
  • Michael N. Schmitt and Liis Vihul, Respect for Sovereignty in Cyberspace (2017) 95 Tex. L. Rev. 1639.
  • Statute of the International Court of Justice, of 26 June 1945.
  • Nicholas Tsagourias ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (2012) 17 (2) Journal of Conflict and Security Law 23.
  • United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017).
  • UNGA Res 2625 (XXV) (24 October 1970).
  • UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  • UN GGE 2015 ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report’ (22 July 2015) UN Doc A/70/174.
  • UN Human Rights Committee, ICCPR General Comment No. 34 (12 September 2011).
  • UN Human Rights Committee, ICCPR General Comment No. 27 (1 November 1999).
  • UN Human Rights Committee, General Comment No. 24 (Nov. 4, 1994).
  • UN Human Rights Council, The promotion, protection and enjoyment of human rights on the Internet, Resolution A/HRC/RES/32/13 (1 July 2016).
  • UN Human Rights Council, ‘General Comment No. 31 (80): The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’ (adopted on 29 March 2004, 2187th meeting).
  • UN Human Rights Council, Summary Record of the 1405th Meeting, CCPR/C/SR.1405 (31 March 1995) 6 [20].
  • United States, ‘FACT SHEET: President Xi Jinping’s State Visit to the United States’ (25 September 2015).
  • Velásquez Rodríguez v. Honduras, (Merits) IACrtHR (Ser. C) No. 4 (29 July 1988).
  • Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123.
  • Warsaw Summit Communiqué (9 July 2016).
  • Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771 (citing Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017)).
  • Matthew Waxman, Principal Deputy Director of Policy Planning, U.S. Department of State, Opening Statement to the U.N. Human Rights Committee on the Report Concerning the International Covenant on Civil and Political Rights (Jul. 17, 2006).
  • Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018).
  • Katja Ziegler, ‘Domaine Réservé’, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated April 2013).
