National position of Norway (2021)

Introduction
This is the national position of Norway on international law applicable to cyberspace. The position has been submitted by Norway and included within the official UNGGE compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States. . The compendium has been publicly released in August 2021.

Applicability of international law
 "International law applies in cyberspace. This has been recognised by the international community. The 2012–2013 United Nations Group of Governmental Experts (GGE) concluded as much in its consensus report, and wrote as follows:

‘International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.’

This was reconfirmed in the subsequent consensus report by the 2015 GGE, which also underscored that the UN Charter applies in its entirety. The UN General Assembly welcomed the 2015 report of the GGE in its resolution 70/237 and called upon Member States to be ‘guided in their use of information and communications technologies’ by the report.

In the Final Substantive Report of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG), all UN Member States reaffirmed the conclusions of previous GGEs that international law applies in cyberspace. Moreover, the report called upon States ‘to avoid and refrain from taking any measures not in accordance with international law, and in particular the Charter of the United Nations.’ The report also concluded that ‘further common understandings need to be developed on how international law applies to State use of ICTs.’

Compliance with international law is fundamental for preserving international peace and security in cyberspace."

"Existing international law, that is customary international law and international treaties, has not been developed with cyberspace in mind. However, the application of the rules of international law to new areas, for example in response to technological developments, is nothing new. If the law in certain areas is perceived as unclear when applied to activities in cyberspace, this must be resolved in the usual way through interpretation. This applies both to general international law, for instance the rules that relate to sovereignty and state responsibility, and to the specialised regimes of international law, such as international human rights law and international humanitarian law.

Norway is of the view that there is no need for specific legal instruments to set out rights and obligations of States in respect of activities in cyberspace." 

Sovereignty
 "The principle of sovereignty is one of the fundamental principles of international law and applies in cyberspace. It refers to the supreme authority of every State within its territory to the exclusion of other States, and also in its relations with other States.

The internal dimension of a State’s sovereignty includes the exclusive right to exercise jurisdiction within its territory, including over the information systems located on its territory, and to exercise independent State powers. The external dimension includes the right of the State to decide its foreign policy and to enter into international agreements. Both dimensions of sovereignty apply in cyberspace, subject only to obligations under international law.

Norway is of the view that sovereignty constitutes both an international law principle from which various rules derive, such as the prohibition of intervention and the prohibition of the use of force, and a primary rule in its own right capable of being violated. Thus, cyber operations that do not amount to a prohibited intervention or a prohibited use of force may nevertheless amount to a violation of a State’s sovereignty under international law.

The International Court of Justice (ICJ) has consistently held that States have an obligation to respect the territorial integrity and political independence of other States as a matter of international law. In a cyber context this means that a State must not conduct cyber operations that violate another State’s sovereignty.

A cyber operation that manifests itself on another State’s territory may, depending on its nature, the scale of the intrusion and its consequences, constitute a violation of sovereignty.

Causing physical damage by cyber means on another State’s territory may easily qualify as a violation of territorial sovereignty. For example, a cyber operation against an industrial control system at a petrochemical plant that led to a malfunction and a subsequent fire would constitute a violation of the State’s territorial sovereignty. In addition to physical damage, causing cyber infrastructure to lose functionality may also be taken into consideration and may amount to a violation. This includes the use of crypto viruses to encrypt data and thus render them unusable for a substantial period of time.

The principle of sovereignty encompasses cyber infrastructure located in a State’s territory irrespective of whether it is governmental or private.

Similarly, a cyber operation that interferes with or usurps the inherently governmental functions of another State may constitute a violation of sovereignty.

This is based on the premise that a State enjoys the exclusive right to exercise within its territory, ‘to the exclusion of any other State, the functions of a State’. Accordingly, what matters is not whether physical damage, injury, or loss of functionality has resulted, but whether the cyber operation has interfered with data or services that are necessary for the exercise of inherently governmental functions. Cases in point would include altering or deleting data or blocking digital communication between public bodies and citizens so as to interfere with the delivery of social services, the conduct of elections, the collection of taxes, or the performance of key national defence activities. Another example could be the manipulation of police communications so that patrol cars are unable to communicate with police dispatch/operation centres. In this context it is irrelevant whether the inherently governmental function is performed by central, regional or local governments and authorities, or by non-governmental bodies in the exercise of powers delegated by such governments or authorities. Conducting elections is a clear example of an inherently governmental function. In contrast to the case of a cyber operation in breach of the prohibition of intervention, there is no requirement for the interference to reach to the level of coercion.

The precise threshold of what constitute a cyber operation in violation of sovereignty is not settled in international law, and will depend on a case-by-case assessment." 

Prohibition of intervention


"The prohibition of intervention applies to a State’s cyber operations as it does to other State activities. Accordingly, a State must not carry out cyber operations in breach of the prohibition of intervention, according to customary international law.

A cyber operation must therefore not be carried out to compel the target State to take a course of action, whether by act or omission, in a way that it would not otherwise voluntarily have pursued (coercion) in matters relating to its internal or external affairs (domaine réservé) – such as a State’s political, economic, social or cultural system or the formulation of its foreign policy. The constituent element of coercion means that cyber activities that are merely influential or persuasive will not qualify as illegal intervention.

Holding elections is an example of a matter within a State’s domaine réservé. Thus, carrying out cyber operations with the intent of altering election results in another State, for example by manipulating election systems or unduly influencing public opinion through the dissemination of confidential information obtained through cyber operations (‘hack and leak’), would be in violation of the prohibition of intervention. Another example is a cyber operation deliberately causing a temporary shutdown of the target State’s critical infrastructure, such as the power supply or TV, radio, Internet or other telecommunications infrastructure in order to compel that State to take a course of action." 

Self-defence, armed attack and use of force


Article 2(4) of the UN Charter prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any other manner inconsistent with the purposes of the UN. The prohibition is a norm of customary international law. It applies to any use of force, regardless of the weapons or means employed.

There are only three exceptions to the prohibition on the use of force in the sense that using force would not be in violation of international law: if the state on whose territory the use of force takes place consents; if it is authorised by the Security Council under Chapter VII of the UN Charter; or in the case of self-defence, in response to an armed attack as recognised in Article 51 of the UN Charter.

Whether a cyber operation violates the prohibition on the threat or use of force in Article 2(4) of the UN Charter depends on its scale and effects, physical or otherwise. Depending on its gravity, a cyber operation may also constitute an armed attack under international law. In accordance with the case law of the International Court of Justice (ICJ), an armed attack is the gravest form of the use of force.

A cyber operation may constitute use of force or even an armed attack if its scale and effects are comparable to those of the use of force or an armed attack by conventional means. This must be determined based on a case-by-case assessment having regard to the specific circumstances. A number of factors may be taken into consideration, such as the severity of the consequences (the level of harm inflicted), immediacy, directness, invasiveness, measurability, military character, State involvement, the nature of the target (such as critical infrastructure) and whether this category of action has generally been characterised as the use of force. This list is not exhaustive.

Cyber operations that cause death or injury to persons or physical damage to or the destruction of objects could clearly amount to the use of force. Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4).

A cyber operation that severely damages or disables a State’s critical infrastructure or functions may furthermore be considered as amounting to an armed attack under international law. Depending on its scale and effect, this may include a cyber operation that causes an aircraft crash.

"A State that is the victim of a cyber operation that qualifies as an armed attack under international law, may exercise its inherent right of individual or collective self-defence under Article 51 of the UN Charter The right of self-defence as reflected in Article 51 is a norm of customary international law. It must be exercised subject to the requirements of necessity and proportionality, and may involve both digital and conventional means. 

State responsibility


"The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.

In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory." 

Attribution
 "A State may be held responsible under international law for cyber operations conducted by an organ of the State or by actors exercising governmental authority on behalf of the State.

A State may be held responsible under international law for cyber operations conducted by non-State actors if these are conducted on the direct instructions of the State or under its direction or effective control. It may be technically challenging to establish that a relationship between a State and a non-State actor amounts to direct instructions, direction or effective control. However, this is a question of evidence, and not of lack of clarity of international law." 

Due diligence


"[..] Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory".

[...]

"[..]a State may be held responsible under international law if it knows or should have known that cyber operations that target third States are being carried out from or via its territory, and fails to take adequate measures.

As a consequence of the right to exercise sovereignty over cyber infrastructure located on its territory, States also have a corresponding obligation not to knowingly allow their territory to be used for acts causing significant harm to the rights of other States under international law. This customary international law obligation, often referred to as the due diligence principle, was recognised by the ICJ in the 1949 Corfu Channel judgment, and is reflected in numerous rules in specialised regimes of international law. Norway is of the view that the due diligence obligation applies in situations where there is a risk of transboundary harm from hazardous activities, regardless of the nature of the activity, and accordingly also applies to cyber operations.

Accordingly, if a State possesses knowledge of a cyber operation being carried out from or via its territory causing serious adverse consequences with respect to a right of the target State under international law, it is required to take adequate measures to address the situation.

The due diligence standard is the conduct that is generally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance. It is an obligation of conduct, not of result. Applied to cyber activities, what is required is for the State to take all reasonably available measures to terminate the cyber operation. A breach of the obligation consists not of failing to achieve the desired result, but of failing to take the necessary, diligent steps towards that end. It is irrelevant whether the cyber operation in question is conducted by a third State or a non-State actor. Likewise, it is irrelevant whether the cyber operation in question is conducted by an actor physically present on the State’s territory or by an actor making remote use of ICT infrastructure on the State’s territory.

In addition to actual knowledge of the use of cyber infrastructure within its territory for harmful cyber operations against another State, a State may also violate its due diligence obligation if it is in fact unaware of the activities in question but objectively should have known about them and fails to address the situation. Accordingly, knowledge also encompasses those situations in which a State in the normal course of events would have become aware that its territory was being used for harmful cyber operations. This implies that the criterion that a State ‘should have known’is more likely to be met if for instance the operation used publicly known and easily detected malware, as opposed to highly sophisticated and previously unknown malware.

There is currently no legal basis for a general obligation to prevent cyber operations, and States are consequently not under an obligation to monitor all cyber activities on their territories.

Norway considers the due diligence obligation to be of particular importance in a cyber context. In situations where a targeted State cannot directly attribute (technically and legally) a wrongful cyber operation – for instance election interference – to the State from whose territory it is being carried out, the territorial State may nevertheless still be held accountable on the basis of a breach of the due diligence obligation." 

Retorsion
 "A State may respond to any form of cyber operation by retorsion. Retorsion refers to the taking of measures that are lawful but unfriendly, directed against another State. Retorsion may therefore be used regardless of whether international law has been violated and regardless of whether State responsibility applies. Examples of acts of retorsion are breaking off or limiting diplomatic relations, for instance by declaring a diplomat persona non grata, or the imposition of sanctions. Publicly declaring that another State is responsible for a cyber operation is in itself an act of retorsion." 

Countermeasures
<section begin=NO_2021 countermeasures /> "If a State is the victim of an internationally wrongful cyber operation and another State can be held responsible under customary international law on State responsibility, the injured State may, depending on the circumstances, be entitled to take countermeasures.

A countermeasure is an act that would otherwise be contrary to international law, but where the injured State can invoke the prior internationally wrongful act as a ground for precluding wrongfulness. If there is doubt regarding the attribution of a cyber operation to a State under international law, it may be preferable for the injured State to make use of acts of retorsion rather than countermeasures in order to avoid the possibility of incurring State responsibility for its response.

Countermeasures may only be taken to induce a State to cease an internationally wrongful act or resume its compliance with an international obligation. They are not to be used for punishment and retaliation. Countermeasures must be limited to what is considered necessary and proportional, and may only target the State to which the cyber operation or internationally wrongful act can be attributed. There is no requirement for countermeasures to be of the same nature as the internationally wrongful acts to which they are a response, and countermeasures in response to cyber operations may therefore be carried out within or outside cyberspace. Countermeasures must not violate the prohibition on the threat or use of force or international humanitarian law.

The State held responsible should be notified of both the violation of international law and the grounds for attribution, as well as of the intention to introduce countermeasures. Countermeasures may only be taken if a State has sufficient grounds for attributing the conduct in question to a particular State under international law. What constitutes sufficient grounds will be fact-specific and case-specific, and can be particularly challenging to determine in the case of cyber operations. The State taking countermeasures must be confident in its attribution before resorting to countermeasures. However, the State taking countermeasures need not publish detailed grounds for its attribution or give a detailed technical account of this to the State identified as responsible as this might reveal sensitive methods of interception and detection or offensive and defensive capabilities.

Countermeasures may be taken without prior notification to the responsible State if providing such notification might reveal sensitive methods or capabilities or prevent the countermeasures from having the necessary effect. For example, the injured State could carry out a cyber operation to disrupt the capability of the aggressor State conducting the internationally wrongful cyber operation such as election interference. This countermeasure would in other circumstances be in violation of the aggressor State’s sovereignty." <section end=NO_2021 countermeasures />

Plea of necessity
<section begin=NO_2021 necessity /> "In a situation of necessity, a State may be able to respond to a cyber operation in a way that is in principle in breach of an international obligation and nevertheless not incur responsibility for its actions under international law.

Necessity refers to those exceptional situations where the only way a State can safeguard an essential interest threatened by a grave and imminent peril, whether cyber in nature or not, is by temporary non-compliance with international obligations of lesser weight or urgency. For instance, if infrastructure in a third country is used in an internationally wrongful cyber operation, the injured State may under certain conditions launch a cyber operation to destroy or disrupt the internationally wrongful cyber operation, even if this violates the territorial sovereignty of the third State." <section end=NO_2021 necessity />

International humanitarian law (jus in bello)
<section begin=NO_2021 IHL />

"International humanitarian law (IHL) applies in the event of an armed conflict. Whether an (international or non-international) armed conflict exists will depend on the specific circumstances.

This specialised regime of international law, also called jus in bello, governs actions, including cyber operations, when they are conducted in connection with an armed conflict.

International humanitarian law aims to minimise the human suffering caused by armed conflict. It thus regulates and limits cyber operations during armed conflicts, just as it regulates and limits the use of any other weapons, means and methods of warfare in an armed conflict.

IHL does not legitimise the use of force in cyberspace. Any use of force by States – either by digital or by conventional means – remains governed by the Charter of the United Nations and the relevant rules of customary international law, also called jus ad bellum. Of particular relevance is the prohibition against the use of force. International disputes must be settled by peaceful means, in cyberspace as in all other domains.

[...]

Under IHL, medical services must be protected and respected, including when carrying out cyber operations during armed conflict. IHL also prohibits attacking, destroying, removing or rendering useless objects indispensable to the survival of the population, including through cyber means and methods of warfare. ‘Objects indispensable to the survival of the civilian population’ include ICT infrastructure for food production or drinking water installations." <section end=NO_2021 IHL />

Attack (international humanitarian law)
<section begin=NO_2021 Attack (international humanitarian law) /> "The general rules for legitimate military targets are the same regardless of whether conventional or digital means are used. A cyber operation conducted in connection with an armed conflict must be assessed according to its consequences, and may qualify as an attack under international humanitarian law. ‘Attack’ is a key concept of international humanitarian law, and is understood to mean ‘acts of violence against the adversary, whether in offence or defence’. Cyber attacks during armed conflicts are subject to the same restrictions and regulations under international humanitarian law as conventional attacks, including the principles of humanity, military necessity, proportionality and distinction. The concept of attack is particularly relevant to the rules and principles on the selection of targets and precautions. Attacks against civilians or civilian objects are for example prohibited." <section end=NO_2021 Attack (international humanitarian law) />

Principle of precautions
<section begin=NO_2021 Precautionary obligations /> "Cyber attacks during armed conflicts are subject to the same restrictions and regulations under international humanitarian law as conventional attacks, including the principles of humanity, military necessity, proportionality and distinction. The concept of attack is particularly relevant to the rules and principles on the selection of targets and precautions. Attacks against civilians or civilian objects are for example prohibited." <section end=NO_2021 Precautionary obligations />

International human rights law
<section begin=NO_2021 international human rights law />

"International human rights law applies to cyber activities just as it does to any other activity. States must comply with their human rights obligations also in cyberspace, as they must in the physical world. States must both respect and protect human rights, including the right to freedom of expression and the right to privacy.

Neither the individuals that are subject to a State’s jurisdiction, nor the concept of jurisdiction, is altered by the fact that the activity attributed to the State is a cyber activity. In this respect, cyber activity is no different from other means that States may use to violate their human rights obligations towards their citizens." <section end=NO_2021 international human rights law />