National position of the United Kingdom (2022)

Introduction
This is the national position of the Unite Kingdom on international law applicable to cyberspace. The position has been delivered on 19 May 2022 by UK Attorney General Suella Braverman during a speech at Chatham House titled “International Law in Future Frontiers”.

Applicability of international law
 "Commentators often talk in hushed tones of cyber weapons, with little understanding of what they are, or of the rules which govern how they are used. This misunderstanding means we can see every cyber incident as an act of warfare which threatens to bring down the modern world around us and it’s not uncommon for even seasoned observers to think in this way, as they speak of cyber as a new battlespace where no rules apply. But cyberspace is not a lawless ‘grey zone’. International law governs and plays a fundamental role in regulating cyberspace.

Which is why today I would like to set out how the UK considers international law applies in cyberspace during peacetime, against the backdrop of the Prime Minister’s Integrated Review and the Government’s National Cyber Strategy. With particular focus on the rule on non-intervention, its application to key sectors, and avenues for response.

I’m focusing on the law applicable in peacetime because the UK has already set out that cyber operations are capable of breaching the prohibition on the threat or use of force, and that the law applicable in armed conflict applies just the same to the use of cyber means as other means of waging war. And I want to be clear that in the same way that a country can lawfully respond when attacked militarily, there is also a basis to respond, and options available, in the face of hostile cyber operations in peacetime." 

Sovereignty
 "States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention." 

State responsibility
 "I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation." 

Attribution
 "Coordination between States, in a more general sense, is also crucial in responding to hostile State activity in cyberspace and imposing a cost on those who seek to abuse the freedom and opportunity that technological progress has provided them. States are developing more sophisticated and coordinated diplomatic and economic responses. This can be seen in the response to the recent operation targeting Microsoft Exchange servers, where 39 partners including NATO, the EU and Japan coordinated in attributing hostile cyber activity to China. It can also be seen in the response to the Russian SolarWinds hack which saw coordinated US, UK and allied sanctions and other measures." 

Countermeasures
 "[..] [U]nder the international law doctrine of countermeasures, a State may respond to a prior unlawful act, in ways which would under normal circumstances be unlawful, in order to stop the offending behaviour and ensure reparation. The UK has previously made clear that countermeasures are available in response to unlawful cyber operations by another State. It is also clear that countermeasures need not be of the same character as the threat and could involve non-cyber means, where it is the right option in order to bring unlawful behaviour in cyberspace to an end.

However, some countries simply do not have the capability to respond effectively by themselves in the face of hostile and unlawful cyber intrusions. It is open to States to consider how the international law framework accommodates, or could accommodate, calls by an injured State for assistance in responding collectively." 

Prohibition of intervention
 "Turning to the law - one of the rules of customary international law which is of particular importance in this area is the rule on non-intervention.

Customary international law is the general practice of States accepted as law. As such, it is not static. It develops over time according to what States do and what they say. It can adapt to accommodate change in the world, including technological advances. Customary international law is a framework that can adapt to new frontiers and which governs States’ behaviour.

A well-known formulation of the rule on non-intervention comes from the International Court of Justice in its Military and Paramilitary Activities judgment. According to the Court in that case, all States or groups of States are forbidden from intervening -

…directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social, and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.

The UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of State conduct in cyberspace during peacetime.

It serves as a benchmark by which to assess lawfulness, to hold those responsible to account, and to calibrate responses.

This rule is particularly important in cyberspace for two main reasons.

First, the rule on non-intervention lies at the heart of international law, serving to protect matters that are core to State sovereignty. As long ago as 1966, the UK made clear its position that:

…the principle of non-intervention, as it applied in relations between States, [is] not explicitly set forth in the United Nations Charter but flow[s] directly and by necessary implication from the prohibition of the threat or use of force and from the principle of the sovereign equality of States…

Four years later, in 1970, the UK set out its view that “non-intervention reflected the principle of the sovereign equality of states.” And that these principles were equally valid and interrelated. More colloquially, we might say that sovereignty and non-intervention are two sides of the same coin.

States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention.

What matters in practice is whether there has been a violation of international law. Differences in legal reasoning must not obscure the common ground which I believe exists when it comes to certain types of unacceptable and unlawful cyber behaviours. I think that common ground also extends to an appreciation that we must carefully preserve the space for perfectly legitimate everyday cyber activity which traverses multiple international boundaries millions of times a second.

Second, the rule on non-intervention is also of increasing relevance due to the prevalence of hostile activity by States that falls below the threshold of the use of force or is on the margins of it. In such circumstances, the rule on non-intervention becomes particularly significant as another benchmark by which States can define behaviour as unlawful.

Having identified the importance of the rule on non-intervention, I will now turn to the threshold for its application. The fact that behaviour attributed to another State is unwelcome, irresponsible, or indeed hostile, does not mean that it is also unlawful. A core element of the non-intervention rule is that the offending behaviour must be coercive.

Coercion was rightly described in the Military and Paramilitary Activities case as “the very essence” of a prohibited intervention. It is this coercive element that most obviously distinguishes an intervention prohibited under international law from, for example, more routine and legitimate information-gathering and influencing activities that States carry out as part of international relations.

But what exactly is coercion?

Some have characterised coercion as forcing a State to act differently from how it otherwise would – that is, compelling it into a specific act or omission. Imagine, for example, a cyber operation to delay another State’s election, or to prevent it from distributing tax revenues to fund essential services. To my mind, these are certainly forms of coercion.

But I want to be clear today that coercion can be broader than this. In essence, an intervention in the affairs of another State will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty. While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive even where it might not be possible to point to a specific course of conduct which a State has been forced into or prevented from taking.

Of course, in considering whether the threshold for a prohibited intervention is met, all relevant circumstances, including the overall scale and effect of a cyber operation, need to be considered. But I believe that we can and should be clearer about the types of disruptive State activity which are likely to be unlawful in cyberspace.

It is therefore important to bring the non-intervention rule to life in the cyber context, through examples of what kinds of cyber behaviours could be unlawful in peacetime. To move the focus to the types of coercive and disruptive behaviours that responsible States should be clear are unlawful when it comes to the conduct of international affairs in peacetime.

And being clear on what is unlawful means we can then be clearer on the range of potential options that can lawfully be taken in response. That is, the kinds of activities which would require legal justification, for example, as a proportionate response to prior illegality by another State. This is crucial in enabling States to act within the law whilst taking robust and decisive action.

With that in mind, today I will set out new detail to illustrate how this rule applies. A non-exhaustive list, to move this discussion forward. I will cover four of the most significant sectors that are vulnerable to disruptive cyber conduct: energy security; essential medical care; economic stability; and democratic processes.

Ensuring the provision of essential medical services and secure and reliable energy supply to a population are sovereign functions of a State. They are matters in respect of which international law affords free choice to States. The Integrated Review highlights the interconnected nature of the global health system, and the importance of building resilience to address global health risks. Covid is a clear example. Likewise, energy security is recognised as including protection of critical national infrastructure from cyber security risks.

Covert cyber operations by a foreign State which coercively restrict or prevent the provision of essential medical services or essential energy supplies would breach the rule on non-intervention.

Of course, every case needs to be assessed on its facts, but prohibited cyber activity in the energy and medical sectors could include:

disruption of systems controlling emergency medical transport (e.g., telephone dispatchers); causing hospital computer systems to cease functioning; disruption of supply chains for essential medicines and vaccines; preventing the supply of power to housing, healthcare, education, civil administration and banking facilities and infrastructure; causing the energy supply chain to stop functioning at national level through damage or prevention of access to pipelines, interchanges, and depots; or *preventing the operation of power generation infrastructure. Turning to economic stability, covert cyber operations by a foreign State that coercively interfere with a State’s freedom to manage its domestic economy, or to ensure provision of domestic financial services crucial to the State’s financial system, would breach the rule on non-intervention.

Such cyber operations could include disruption to the networks controlling a State’s fundamental ability to conduct monetary policy or to raise and distribute revenue, for instance through taxation. Or disruption to systems which support lending, saving and insurance across the economy.

Lastly, democratic processes. Free and open elections, using processes in which a population has confidence, are an essential part of the political system in democratic States. All States have the freedom to make their views known about processes in other countries – delivering hard, sometimes unwelcome messages, and drawing attention to concerns. This is part and parcel of international relations. However, covert cyber operations by a foreign State which coercively interfere with free and fair electoral processes would constitute a prohibited intervention.

Again, every activity needs to be assessed on its facts, but such activities could include:

operations that disrupt the systems which control electoral counts to change the outcome of an election; or operations to disrupt another State’s ability to hold an election at all, for example by causing systems to malfunction with the effect of preventing voter registration. I hope that these illustrative examples will assist in the future when considering what is unlawful in cyberspace.

I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation." 

Retorsion
 "If a State carries out irresponsible, hostile, or unlawful cyber activity, what then are the options available to the victim State?

There are a wide range of effective response options available to impose a cost on States carrying out irresponsible or hostile cyber activity, regardless of whether the cyber activity constitutes an internationally unlawful act. These kinds of measures, referred to as acts of retorsion in international law, could include economic sanctions, restrictions on freedom of movement, exclusion from international groupings and wider diplomatic measures. So, there are always options available to stand up to unacceptable behaviour. And you do not have to look far to see how the impact of taking these kinds of measures is amplified when acting alongside other like-minded States.

Let me be clear. This means that when states like Russia or China carry out irresponsible or hostile cyber activity, the UK and our allies are always able to take action, whether or not the activity was itself unlawful. Today that might be in response to hostile cyber activity occurring in Ukraine, tomorrow it could be a response to hostile activity in Taiwan." 

Peaceful settlement of disputes
 "Where a State falls victim to unlawful cyber activity carried out against it by another State, it may also be appropriate to pursue remedies through the courts. Current events in Ukraine have demonstrated the continued relevance of forums like the International Court of Justice (ICJ) in the context of a wider response. The UK has accepted the compulsory jurisdiction of the ICJ, and we encourage others to do likewise." 