National position of the Czech Republic (2020)

Introduction
This is the position of the Czech Republic on international law applicable to cyber operations. The position has been presented in two parts on 11 and 13 February 2021 in New York during the second substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security of the First Committee of the General Assembly of the United Nations.

Applicability of international law
 "[...]as stated by the GGE and many of my colleagues here, existing international law applies to cyberspace in its entirety. Indeed, existing international law provides us with all the necessary tools to prevent actual conflicts in cyber domain. The issue at stake is not a gap in existing law, but compliance with existing law and reaching a common understanding on how to apply the law to today’s environment."

"[...]the Czech Republic opposes negotiating a new legal instrument, because the developments in ICTs are so rapid and dynamic as to render any potential result of such effort obsolete, perhaps even before we all ratify the outcome. Instead, the Czech Republic prefers achieving a robust consensus on a dynamic application of international law which will be able to adapt to new developments."

"For obvious historical reasons, none of the existing international law instruments explicitly refer to cyber issues. However, this does not mean these instruments somehow cannot be applied to cyberspace. On the contrary, in its advisory opinion of 1971 the International Court of Justice found that an international instrument has to be interpreted and applied within the framework of the entire legal system prevailing at the time of the interpretation. This concept of dynamic, or evolutionary interpretation is also implied in Article 31(3)b of the Vienna Convention on the Law of Treaties." 

Sovereignty
 "[...]the Czech Republic recalls that the principles of sovereignty and sovereign equality of States are cornerstones of the UN Charter and thus concurs with the conclusion contained in the report of the UN GGE that in their use of ICT´s States are obliged to observe principles of international law, including the principle of sovereignty. The Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.

The Czech Republic firmly believes that under this principle States may freely exercise without interference in any form by another State both aspects of sovereignty in cyberspace, be it an internal one, with the exclusive jurisdiction over the ICTs located on its territory, or the external one, including the determination of its foreign policy, subject only to obligations under international law. The Czech Republic considers the following cyber operations in a State’s territory as violation of its sovereignty, if attributable to another State:

A. a cyber operation causing death or injury to persons or significant physical damage;

B.a cyber operation causing damage to or disruption of cyber or other infrastructure with a significant impact on national security, economy, public health or environment;

C.a cyber operation interfering with any data or services which are essential for the exercise of inherently governmental functions, and thereby significantly disrupting the exercise of those functions; for example, distributing ransomware which encrypts the computers used by a government and thus significantly delaying the payment of retirement pensions;

D. cyber operation against a State or entities or persons located therein, including international organisations, conducted by a physically present organ of another State;" 

International human rights law
 "[...]the Czech Republic also recognizes that the rights of states to exercise exclusive jurisdiction over the ICTs located on its territory gives rise not only to rights but also obligations. In particular, the Czech Republic wishes to reiterate that international human rights law is applicable to cyberspace in its entirety.

Indeed, the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice, in accordance with article 19 of the Universal Declaration of Human Rights and of the International Covenant on Civil and Political Rights (ICCPR).

Furthermore, the Czech Republic reiterates that freedom of peaceful assembly and of association, enshrined in Article 22 of the ICCPR, applies to cyberspace as much as it applies to the physical domain.

In this context, the Czech Republic calls attention to the recommendations of the UN Special Rapporteur that call on states to ensure that any interference with the rights to freedom of peaceful assembly and of association is “prescribed by law”. Furthermore, any restrictions implemented on the grounds of “national security”, “public safety” or “protection of morals” should be clearly and narrowly defined in law, so as to prevent their abuse by authorities.

Finally, the Czech Republic recalls that the right to privacy, enshrined in Article 17 of the ICCPR, is fully applicable in the digital sphere. States must demonstrate that any interference with an individual’s privacy is both necessary and proportionate to address the specific identified security risks. We see the role for a private sector here as well.

In this context, the Czech Republic calls upon all States to address cybersecurity concerns in accordance with their international human rights obligations to ensure the protection of all human rights online, in particular the three rights we just spoke of - freedom of opinion and expression, freedom of association and the right to privacy."

"[...]the Czech Republic welcomes initiative of Freedom Online Coalition and fully supports its recent Joint statement on Human Rights Impact of Cybersecurity Laws, Practices and Policies approved at the summit in Accra[...]." 

International humanitarian law (jus in bello)
 "[...] the Czech Republic recognizes that International humanitarian law (IHL) applies to cyber operations during armed conflicts, on the understanding that this neither encourages the militarization of cyberspace, nor legitimizes cyber warfare, just as IHL does not legitimize any other form of warfare.

It is essential to underline that IHL does not promote the militarisation of cyberspace. On the contrary, it reduce its lawful military use by creating limits and requiring for all used means and methods to be employed in accordance with its rules; including the principles of humanity and distinction and the principle of proportionality." 

Due diligence
 As for ensuring cyber security worldwide, the Czech Republic would like to point out one very important element - application of due diligence to the use of ICTs. As already mentioned by some of my colleagues in the segment on international law, and as recognized by the Czech Republic, States have a legal obligation to act against unlawful and harmful cyber activities emanating from their territory or conducted through cyber infrastructure under their governmental control, provided that they are aware of, or should reasonably be expected to be aware of, such activities. This is not an obligation of result, but rather an obligation of conduct. And here lies the key problem and link to capacity building.

The Czech Republic recognizes that logically, State’s capacity to adequately exercise its due diligence obligation is intrinsically linked to that State’s cyber resilience capacities. Such factors should be taken into consideration when evaluating the particular measures taken by the acting State. 