National position of Finland (2020)

Introduction
This is the national position of Finland on international law applicable to cyber operations. The position, which was prepared in the MFA in consultation with other relevant authorities, was published on 15 October 2020. The English version of the document was published on 19 October 2020.

Applicability of international law
 "In line with its general support to rules-based international cooperation and respect for international law, Finland sees international law as an essential framework for responsible State behaviour in cyberspace. In the same vein, the UN Group of Governmental Experts (GGE) has reaffirmed that “international law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment”. As this formulation, reflecting the specific mandate of the GGE, focuses on questions of international peace and security, there is reason to underline that the same applies to other rights and obligations of States, whether based on treaty law or customary international law." 

Sovereignty
 "It is undisputed that the principle of State sovereignty applies in cyberspace. While cyberspace as a whole cannot be subject to appropriation by any State, each State has jurisdiction over the cyber infrastructure and the persons engaged in cyber activities within its territory."

"Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace. Whether an unauthorized cyber intrusion violates the target State’s sovereignty depends on its nature and consequences and is subject to a case-by-case assessment." 

State responsibility
 "The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged." 

Attribution
 "An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged. It is in this regard useful to distinguish identification as a technical operation from attribution as a legal operation. Identification may be technically challenging given the often covert nature of hostile cyber activities but this is without consequence to the legal rules of attribution."

"Public attribution, as a sovereign choice, is primarily a question of political consideration. Public attribution may nevertheless have legal effects to the extent it includes determinations of conduct that constitutes an internationally wrongful act." 

Countermeasures
 "An internationally wrongful act may justify recourse to countermeasures by the injured State if the State responsible for an internationally wrongful act declines to cease the wrongful conduct or pay reparation. Countermeasures may only be taken with the purpose of ensuring compliance, not for retaliation. Countermeasures may furthermore not breach the prohibition of the threat or use of force, or other peremptory norms of general international law, and must be consistent with other customary law requirements and limitations concerning countermeasures, most of which are reflected in the International Law Commission’s Articles on State Responsibility. Some of the procedural requirements concerning countermeasures may nevertheless require adjustment. For instance, it may be possible to attribute a hostile cyber operation only afterward whereas countermeasures normally should be taken while the wrongful act is ongoing. There is no general obligation for a State taking countermeasures to disclose the information on the basis of which the action is taken. At the same time, it is in each State’s best interests to ensure that a decision to take countermeasures is based on solid evidence, given that recourse to countermeasures would otherwise constitute an internationally wrongful act. A State that responds to a hostile cyber operation must therefore have adequate proof of the source of the operation and convincing evidence of the responsibility of a particular State." 

Self-defence, armed attack and use of force
 "While there is currently no established definition of a cyberattack that would pass the threshold of “use of force” in the sense of article 2(4) of the UN Charter, or “armed attack” in the sense of article 51, it is widely recognized that such a qualification depends on the consequences of a cyberattack. For a cyberattack to be comparable to use of force, it must be sufficiently serious and have impacts in the territory of the target State, or in areas within its jurisdiction, that are similar to those of the use of force. A threat of such a cyberattack could also violate Article 2(4) of the Charter, if the threat is sufficiently precise and directed against another State. Similarly, most commentators agree that when the scale and effects of a cyberattack correspond to those of an armed attack responding to the cyberattack is justifiable as self-defence. It is obvious that the attack must have caused death, injury or substantial material damage, but it is impossible to set a precise quantitative threshold for the effects, and other circumstantial factors must be taken into account in the analysis, as well."

"A question has also been raised, whether a cyberattack producing significant economic effects such as the collapse of a State’s financial system or parts of its economy should be equated to an armed attack. This question merits further consideration. Any interpretation of the use of force in cyberspace should respect the UN Charter and not just the letter of the Charter but also its object and purpose, which is to prevent the escalation of armed activities. This would mean, for instance, that the distinction between armed attack as a particularly serious violation of the Charter, on the one hand, and any lesser uses of force, on the other, is preserved. Similarly, the conditions for the exercise of the right of self-defence apply in cyberspace as they do with regard to the use of armed force. The right of self-defence arises if a cyberattack comparable to an armed attack occurs and can be attributed to a particular State. It is reasonable to think that a State victim to such an attack can respond with either cyber means or armed action. At the same time, the use of force must not be disproportionate or excessive." 

International humanitarian law (jus in bello)
 "International humanitarian law only applies to cyber operations when such operations are part of, or amount to, an armed conflict. Most so far known cyberattacks have not been launched in the context of an armed conflict or met the threshold of armed conflict. At the same time, when cyber means are used in the context of a pre-existing armed conflict, as has been done in many current conflicts, there is no reason to deny the need for the protections that international humanitarian law provides. This includes that cyber means and methods of warfare must be used consistently with the principles of distinction, proportionality and precautions, as well as the specific rules flowing from these principles. When assessing the capacity of cyber means and methods to cause prohibited harm, their foreseeable direct and indirect effects shall be taken into account. Constant care shall be taken to ensure the protection of civilians and civilian objects, including essential civilian infrastructure, civilian services and civilian data.

The unique characteristics of cyberspace, such as interconnectedness and anonymity, may affect how international humanitarian law is interpreted and applied with regard to certain cyber means and methods of warfare. The related problems can nevertheless mostly be solved on the basis of existing rules. New technologies do not render the existing rules of international humanitarian law meaningless or necessarily require new legal regulation. Furthermore, while international humanitarian law is lex specialis in an armed conflict, it does not override other areas of international law, such as human rights law, which may continue to apply throughout the conflict."

Data as an object under IHL
"Constant care shall be taken to ensure the protection of civilians and civilian objects, including essential civilian infrastructure, civilian services and civilian data". 

Principle of precaution
"This includes that cyber means and methods of warfare must be used consistently with the principles of distinction, proportionality and precautions, as well as the specific rules flowing from these principles. When assessing the capacity of cyber means and methods to cause prohibited harm, their foreseeable direct and indirect effects shall be taken into account. Constant care shall be taken to ensure the protection of civilians and civilian objects, including essential civilian infrastructure, civilian services and civilian data."

International human rights law
"A number of specific human rights such as the freedom of opinion and expression, including the right to access to information, and the right to privacy are particularly relevant in cyberspace. It should nevertheless be underlined that individuals enjoy the same international human rights with respect to cyber-related activities as otherwise and, accordingly, that States are bound by all their human rights obligations both online and offline. Furthermore, each State has to protect individuals within its territory and subject to its jurisdiction from interference with their rights by third parties."