National position of Romania (2021)

Introduction
This is the national position of Romania on international law applicable to cyberspace. The position has been submitted by Romania and included within the official UNGGE compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States. . The compendium has been publicly released in August 2021.

Applicability of international law
"An open, secure, stable, accessible and peaceful online environment and a responsible State behaviour in cyberspace cannot be imagined outside an international rules-based system, primarily founded on international law.

Given the specificities of cyberspace and of the incident of various information and communication technologies, the discussion on how international law applies in cyberspace is a complex one.

However, the fact that there is a need to further discuss on how exactly international law applies to cyberspace does not mean that international law does not apply to cyberspace and that we are facing a legal vacuum.

State practice will in time further crystalize the application of international law in cyberspace; as a matter of fact, not all aspects can or even should be clarified in detail in absence of relevant state practice. This is however, without prejudice to the obligation of States to act in a responsible manner including in cyberspace and assume conduct that is in line with general international law.

Romania is of the strong opinion that existing international law equally applies to cyberspace and that there is no need to develop international legal frameworks to address strictly cyberspace."

Sovereignty
 "Romania considers that respect for the state sovereignty is an international obligation per se, the breach of which constitutes an internationally wrongful act; States have an obligation to respect the sovereignty of other States and refrain from activities that constitute a violation of their sovereignty; this holds true both in what concerns the internal as well as the external facet of the principle of sovereignty.

At the same time, we acknowledge that the difficulty in relation to this principle lies in the absence in cyberspace context of the territoriality and physical dimensions, which are the specific elements of the analysis when dealing with the sovereignty in the traditional sense.

In relation to these aspects, RO is of the view that cyber operations (conducted by a State organ or by a person or entity exercising elements of governmental authority or by a person acting under the instructions of or under the direction or control of a State) that interferes with or prevents in any way a State from exercising its (internal and/ or external) sovereign prerogatives (i.e. authority over its territory, over the property and persons situated therein) constitute a violation of the principle of State sovereignty and, thus, a breach of international law.

If there is not a State or State endorsed operation one can speak of a criminal act, which should be investigated and punished in accordance with the criminal law of the State concerned." 

Due diligence
 "The due diligence principle entails that a State may be responsible for the effects of the conduct of private persons, if it failed to take necessary measures to prevent those effects.

This principle (which implies a certain obligation of conduct on the part of States) was enunciated by the ICJ in its Corfu Channel judgment emphasizing that every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.

The due diligence principle requires that States take action in respect of cyber activities if the following elements are cumulatively met:


 * the acts are conducted by a non-State actor or a third State) from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control);
 * the acts are contrary to the rights of a victim State and have serious adverse consequences for that State;
 * the State has actual or constructive knowledge of those acts."

Prohibition of intervention
 "[..]the principle of prohibition of the intervention in the internal affairs of another State should be addressed (situations of tampering with the electoral processes in other States are relevant as a discussion under this principle).

According to international law, States are under the duty not to intervene in matters within the domestic jurisdiction of any State, in accordance with the Charter; this means that no State has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State.

In order for such intervention to be illegal under international law, it must be coerced, meaning that the goal of the intervention must be to effectively change the behavior of the target State; the incidence of coercion must be assessed on a case-bycase basis, in order to determine the violation of the principle of non-intervention.

In other words, the following criteria must be met in order for an act to qualify as prohibited intervention under international law:


 * the act must bear on those matters in which States may decide freely (internal and external affairs – the domain reservé of States);
 * the act must be coercive in nature;
 * there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.

Therefore, depending on the situation, interference in the internal or external affairs of Romania (that is interference which causes or may cause harm to Romania’s economic, political, social and/ or cultural system) may constitute a violation of the principle of non-intervention." 

Use of force
 "The prohibition of the threat or use of force is a well-established principle of international law, being included in art. 2(4) of the UN Charter. There are only three (well determined) exceptions to this prohibition: self-defense in the event of armed aggression, UNSC Chapter VII authorization of the use of force and consent of the State on whose territory the operation takes place.

In order to ascertain whether a cyber operation represents a threat or use of force and whether it even amounts to a cyberattack, a case-by-case analysis must be carried out to determine the circumstance in which the attack occurred, the nature of the operation (military or not) and the scale and the effects of the operation (by comparison against the scale and severity of a conventional (non-cyber) act of violence covered by the prohibition).

The elements of such an analysis, from the “scale and effects” perspective, are well established in the ICJ’s relevant jurisprudence.

It is also worth noting that not all cyber operations reach the threshold of use of force and even less operations reach the threshold of an armed attack; nevertheless such operations could still be in violation of international law (being a prohibited intervention or an otherwise violation of the principle of sovereignty)." 

International humanitarian law (jus in bello)
 "International Humanitarian Law (IHL) applies in the context of cyber operations carried out as part of an armed conflict (whether international or non-international).

In such circumstances, the planning of and carrying on of cyber operations must be done in conformity with the principles governing the conduct of hostilities, namely distinction, proportionality, necessity and precaution. 

Data as a military objective
 "There are ongoing discussions in relation to qualifying data as an object for the purposes of the application of IHL. We take the preliminary view that cyber operations against data do trigger the application of IHL. Therefore cyber-attacks can only be directed against those data that represent military objectives according to IHL and cannot be directed against those data that represent a civilian object which must be protected under the principle of distinction." 

Neutrality
 "We are also of the view that the principle of neutrality apply as well to cyber operations as part of an armed conflict and thus, belligerents must refrain from harming information and communication infrastructure situated on the territory of a neutral State or from launching attacks from such infrastructure." 

Human rights law
 "Human rights are protected similarly both in offline as well in online contexts.

International law does not recognise a right to States to derogate from their international human rights obligations as a defensive-type measure – for instance to restrict access to internet in all circumstance as a responsive measure to counter some types of conduct in cyberspace (which generally pertain to criminal law, like: countering terrorism, violent extremism or fraud).

The circumstances in which limitations to human rights are permitted are well established in international law and apply the same way in offline and in online contexts. In most cases, the factors to be weighted include whether the restriction serves a legitimate purpose, whether it has a legal basis and whether it is necessary and proportionate to the interest it aims to protect.

Therefore, whatever regulation a State adopts (by virtue of its sovereign right) it must conform with its international obligations in the field of human rights. Otherwise it entails its legal responsibility under the relevant international conventions.

It is our view that the existing human rights instruments provide sufficient scope for effectively safeguarding the protection of human rights in cyberspace." 

State responsibility
<section begin=RO_2021 state responsibility /> "There is an internationally wrongful act of a State when conduct consisting of an action or omission is:


 * attributable to the State under international law; and
 * constitutes a breach of an international obligation of the State

Therefore, from the perspective of state responsibility under international law, attribution is one of the components. <section end=RO_2021 state responsibility />

Attribution
<section begin=RO_2021 attribution /> "In cyber context, attribution (especially from the technical point of view) of the conduct to a State is difficult to determine given the fact that most of the times the actions are undertaken via proxies.

Therefore, if the conduct is not evident as being of a State organ, then, in order to be attributed to a State, it must be proven that it is:


 * of a person or entity exercising elements of the governmental authority of that State
 * of organs placed at the disposal of that State by another State
 * of a person or entities acting under the instructions of, or under the direction or control of that State

In order to determine the degree of control reference should be made to the jurisprudence of the ICJ and of the various international courts and tribunals that have dealt with matters of State attribution.

Once attributed to a State and determined that the conduct constitutes a breach of an international obligation (the 2nd component), the international responsibility of that State is entailed and can be invoked by the injured State either individually (if the obligation breached is owed to that State or if that State was otherwise affected by the conduct) or collectively with other States if the obligation breached was owed to a group of States (including that State) or to the international community as a whole; the invocation of the responsibility of a State is a matter of political choice; however, the responsibility of a State for an international wrongful act is an objective circumstance from the legal standpoint, which exists independent of its invocation by the injured State(s); nevertheless, under draft articles of State responsibility there is a certain procedure to be followed by the injured State invoking the responsibility of another State (therefore a pubic invocation may not suffice).

At the same time, once the international responsibility of a State is entailed, the injured State(s) may recourse to countermeasures in order to induce that State to comply with its international obligations." <section end=RO_2021 attribution />