National position of Estonia (2019)

Introduction
This is the national position of Estonia on international law applicable to cyberspace operations. It was expressed in Tallinn on 29 May 2019 at the opening of the CyCon 2019 conference by the President of Estonia, Kersti Kaljulaid.

Applicability of international law
 "[...] as also many states and several international organizations have acknowledged – existing international law applies in cyberspace. Among others, the European Union, NATO, OECD and ASEAN have made similar addresses. Estonia has constantly upheld this position. We do believe and state that both the rights and obligations of international law, including those stated in the UN Charter, do apply to states when using IT and communication technologies. And for that we believe that the Tallinn Manuals vastly developed academic understanding of existing international law. I would like to reiterate, when it comes to legal questions of do’s and don’ts surrounding state behaviour in cyberspace, the answer must be sought from existing international law." 

Sovereignty
 "Sovereignty entails not only rights, but also obligations." 

State responsibility
 "[...] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out." 

Due diligence
 "[...] states must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. They should strive to develop means to offer support when requested by the injured state in order to identify, attribute or investigate malicious cyber operations. This expectation depends on national capacity as well as availability, and accessibility of information. As I mentioned here last year, we have to also consider the capacities of different states to be able to control such operations that exploit their infrastructure or systems. Therefore, meeting this expectation should encompass taking all feasible measures, rather than achieving concrete results.

And this also means that further effort must go to cyber capacity building and development cooperation to increase states’ capacity to prevent and respond to cyber threats. I hope that Estonia can serve as a model in partnering with other countries, especially in assisting those that do not have robust enough cyber defence systems. Our attention so far has been to Georgia and Ukraine – countries that face constant malicious cyber operations. Because by the end of the day – our own cyber security also depends on this." 

Attribution
 "[...] states have the right to attribute cyber operations both individually and collectively according to international law. Our ability and readiness to effectively cooperate among allies and partners in exchanging information and attributing malicious cyber activities has improved. The opportunities for malicious actors to walk away from their harmful actions with plausible deniability are clearly shrinking. Last year demonstrated that states are able to attribute harmful cyber operations both individually or in a coordinated manner. It is not something unachievable and endlessly complex. At the end of the day what is required from the attributing state, is not absolute certainty but what is reasonable. When assessing malicious cyber operations we can consider technical information, political context, established behavioural patterns and other relevant indicators." 

Targeted restrictive measures
 "More than simply attributing, we must take a stance that harmful cyber operations cannot be carried out without consequences. One good example would be EU’s Cyber Diplomacy Toolbox, which foresees a framework for joint EU diplomatic response to malicious cyber activities. Two weeks ago, EU Member States agreed on a horizontal framework which will allow to impose restrictive measures, or sanctions, against malicious cyber operations in similar manner as it is possible for terrorist acts or use of chemical weapons. Several allies have already taken diplomatic steps or set in place economic restrictive measures against adversarial states, or individuals responsible for harmful cyber operations." 

Countermeasures
 "[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner.

Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. The countermeasures applied should follow the principle of proportionality and other principles established within the international customary law. International security and the rules-based international order have long benefitted from collective efforts to stop the violations. We have seen this practice in the form of collective self-defence against armed attacks. For malicious cyber operations, we are starting to see this in collective diplomatic measures I mentioned before. The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace." 

Self-defence, armed attack and use of force
 "[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner." 

Bibliography and further reading

 * Michael N. Schmitt, "Estonia Speaks Out on Key Rules for Cyberspace", JustSecurity, 10 June 2019