Difference between revisions of "Attribution"

From International cyber law: interactive toolkit
(updating the tags and titles of articles)
Line 49: Line 49:
   
 
==National positions==
 
==National positions==
===[[National position of Australia|Australia]]===
+
===[[National position of Australia (2020)|Australia (2020)]]===
{{#lst:National position of Australia|AUS attribution }}
+
{{#lst:National position of Australia (2020)|AU_2020 attribution}}
===[[National position of Estonia|Estonia]]===
+
===[[National position of Brazil (2021)|Brazil (2021)]]===
{{#lst:National position of Estonia|EE attribution }}
+
{{#lst:National position of Brazil (2021)|BR_2021 }}
===[[National position of Finland|Finland]]===
+
===[[National position of Estonia (2019)|Estonia (2019)]]===
{{#lst:National position of Finland|FI attribution }}
+
{{#lst:National position of Estonia (2019)|EE_2019 }}
===[[National position of France|France]]===
+
===[[National position of Finland (2020)|Finland (2020)]]===
{{#lst:National position of France|FR attribution }}
+
{{#lst:National position of Finland (2020)|FI_2020 }}
===[[National position of Germany|Germany]]===
+
===[[National position of France (2019)|France (2019)]]===
{{#lst:National position of Germany|DE attribution }}
+
{{#lst:National position of France (2019)|FR_2019 }}
===[[National position of Israel|Israel]]===
+
===[[National position of Germany (2021)|Germany (2021)]]===
{{#lst:National position of Israel|IL attribution }}
+
{{#lst:National position of Germany (2021)|DE_2021 }}
===[[National position of Japan|Japan]]===
+
===[[National position of Israel (2020)|Israel (2020)]]===
{{#lst:National position of Japan|JP attribution }}
+
{{#lst:National position of Israel (2020)|IL_2020 }}
===[[National position of New Zealand|New Zealand]]===
+
===[[National position of Japan (2021)|Japan (2021)]]===
{{#lst:National position of New Zealand|NZ attribution }}
+
{{#lst:National position of Japan (2021)|JP_2021 }}
===[[National position of Norway: 2021|Norway: 2021]]===
+
===[[National position of the Netherlands (2019)|Netherlands (2019)]]===
{{#lst:National position of Norway:2021 |NO_2021 attribution }}
+
{{#lst:National position of the Netherlands|NL_2019 }}
===[[National position of Romania: 2021|Romania: 2021]]===
+
===[[National position of New Zealand (2020)|New Zealand (2020)]]===
{{#lst:National position of Romania:2021 |RO_2021 attribution }}
+
{{#lst:National position of New Zealand (2020)|NZ_2020 }}
===[[National position of Switzerland|Switzerland]]===
+
===[[National position of Norway (2021)|Norway (2021)]]===
{{#lst:National position of Switzerland|CH attribution }}
+
{{#lst:National position of Norway (2021)|NO_2021 }}
===[[National position of the Netherlands|The Netherlands]]===
+
===[[National position of Romania (2021)|Romania (2021)]]===
{{#lst:National position of the Netherlands|NL attribution }}
+
{{#lst:National position of Romania (2021)|RO_2021 }}
===[[National position of the United Kingdom|United Kingdom]]===
+
===[[National position of Switzerland (2021)|Switzerland (2021)]]===
{{#lst:National position of the United Kingdom|UK_2018 attribution }}
+
{{#lst:National position of Switzerland (2021)|CH_2021 }}
===[[National position of the United Kingdom: 2021|United Kingdom: 2021]]===
+
===[[National position of the United Kingdom (2018)|United Kingdom (2018)]]===
{{#lst:National position of the United Kingdom: 2021|UK_2021 attribution }}
+
{{#lst:National position of the United Kingdom (2018)|UK_2018 }}
===[[National position of the United States of America: 2012|United States of America: 2012]]===
+
===[[National position of the United Kingdom (2021)|United Kingdom (2021)]]===
{{#lst:National position of the United States of America: 2012|US_2012 attribution }}
+
{{#lst:National position of the United Kingdom (2021)|UK_2021 }}
===[[National position of the United States of America: 2016|United States of America: 2016]]===
+
===[[National position of the United States of America (2012)|United States (2012)]]===
{{#lst:National position of the United States of America: 2016|US_2016 attribution }}
+
{{#lst:National position of the United States of America (2012)|US_2012 }}
  +
===[[National position of the United States of America (2016)|United States (2016)]]===
 
  +
{{#lst:National position of the United States of America (2016)|US_2016 }}
   
 
== Appendixes ==
 
== Appendixes ==
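
Review bot: The Netherlands entry is the one transclusion that does not follow the page rename. Its new heading links to [[National position of the Netherlands (2019)]], but the line under it still reads {{#lst:National position of the Netherlands|NL_2019 }}, so it pulls from the old page title while every other new entry pulls from its "(year)" page. Suggest {{#lst:National position of the Netherlands (2019)|NL_2019 }}. Separately, every new #lst call except Australia's (AU_2020 attribution) drops the " attribution" suffix from the section label, for example BR_2021 and EE_2019 where the old calls used labels such as "EE attribution". If the shorter labels mark more than the attribution passages on the country pages, this article will transclude material on other topics, so check the rendered "National positions" section after saving or keep attribution-specific labels throughout.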

Revision as of 20:12, 19 September 2021

As a rule, the conduct of State organs is attributable to the State in question;[1] by contrast, the conduct of non-State actors or third States’ organs can only be attributed to the State under specific circumstances.[2]

State organs and persons and entities in exercise of governmental authority

The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  1. The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[3]
  2. The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State;[4]
  3. The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance."[5]

Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[6]

Non-State actors

Activities of non-State actors (groups and individuals) are generally not attributable to States. However, such conduct can be attributable to a State in particular if the actor is:
  1. "in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct";[7]
  2. "in fact exercising elements of the governmental authority in the absence or default of the official authorities and in circumstances such as to call for the exercise of those elements of authority";[8]
  3. "an insurrectional movement which becomes the new Government of a State";[9] or
  4. "a movement, insurrectional or other, which succeeds in establishing a new State in part of the territory of a pre-existing State or in a territory under its administration".[10]

Additionally,

  1. the conduct of a non-State actor is attributable to a State "if and to the extent that the State acknowledges and adopts the conduct in question as its own".[11]

Evidentiary standards

Evidentiary standards applicable to the attribution of cyber activities are context-dependent.[12] The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof,[13] and these matters are instead ordinarily determined by the relevant forum.[14]

However, in case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them."[15] This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved."[16] Nevertheless, there is no obligation to publicly provide the evidence.[17]

Specific rules may apply to some responses, so when State A responds with countermeasures after misattributing an internationally wrongful act to State B, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.[18]

National positions

Australia (2020)

"Australia will, in its sole discretion, and based on its own judgement, attribute unlawful cyber activities to another State. In making such decisions, Australia relies on the assessments of its law enforcement and intelligence agencies, and consultations with its international partners. A cyber activity will be attributable to a State under international law where, for example, the activity was conducted by an organ of the State; by persons or entities exercising elements of governmental authority; or by non-State actors operating under the direction or control of the State."[19]

Brazil (2021)

"State sovereignty is one of the founding principles of international law. As the ICJ has stated in the Corfu Channel Case, “between independent States, the respect for territorial sovereignty is an essential foundation for ‘international relations’”. It is applicable as a standalone rule, including to the use of ICTs by States, and entails an independent obligation of “every State to respect the territorial sovereignty of others”. Currently, there is neither broad state practice nor sufficient opinio juris to generate new customary international norm allowing for the violation of State sovereignty, including by means of ICTs.

Violations of State sovereignty by another State, including by means of ICTs, constitute an internationally wrongful act and entail the international responsibility of the State in violation. Interceptions of telecommunications, for instance, whether or not they are considered to have crossed the threshold of an intervention in the internal affairs of another State, would nevertheless be considered an internationally wrongful act because they violate state sovereignty. Similarly, cyber operations against information systems located in another State’s territory or causing extraterritorial effects might also constitute a breach of sovereignty."[20]

"The principle of non-intervention, which is considered customary international law, refers to “the right of every sovereign State to conduct its affairs without outside interference”. In the Declaration on the Principles of International Law concerning Friendly Relations and Co-operation among States, the General Assembly affirmed that “the strict observance by States of the obligation not to intervene in the affairs of any other State is an essential condition to ensure that nations live together in peace with one another”. Even though Resolution 2625 (XXV) preceded the widespread use of ICTs, the customary norm prohibiting intervention in the internal affairs of another State applies irrespective of the means or medium used and extends to the use of ICTs by States.

To violate the principle of non-intervention, the malicious use of ICTs against another State must involve an element of coercion affecting the right of the victim State to freely choose its political, economic, social and cultural system, and to formulate its foreign policy. If attributable to a State, this breach entails this State’s international responsibility.

There has been a growing discussion on whether cyberoperations aimed at interfering in the electoral processes of another State could amount to violations of the principle of non-intervention. Considering that elections are at the core of a State’s internal affairs, should the malicious use of ICTs against a State involve some level of coercion, then it must be prohibited by the principle of non-intervention."[21]

"As stated in previous reports of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, international law is applicable to the use of ICTs by States. This includes the legal prohibition of the use of force in international relations, which is enshrined in the UN Charter and is also part of customary international law. It is a peremptory norm, to which only two exceptions are permitted: self-defense and authorization under Chapter VII of the Charter.

The United Nations Charter does not refer to specific weapons or other means of use of force, and therefore the legal prohibition applies to all of them. Cyber operations may amount to an illegal use of force if they are attributable to a State and if their impact is similar to the impact of a kinetic attack. It is generally understood that, to date, no state has claimed that the rule prohibiting the use of force was violated due to the conduction of a cyberattack. The lack of such a precedent only reinforces the need for caution when making analogies between cyber and kinetic actions in assessments related to jus ad bellum.

General Assembly Resolution 3314(XXIX), which contains the definition of aggression, enumerates a series of acts that qualify as such: invasion of territory by armed forces, military occupation, bombardments or the use of any weapons against the territory of another state, blockade of the ports or coasts by the armed forces, among others. Although it is not binding, GA Res 3314(XXIX) has been considered highly authoritative and has guided the ICJ in its caselaw. In many instances, it might prove difficult to establish a direct analogy between the acts listed in GA Res 3314 (XXIX) and cyber operations, due to their unique characteristics. Therefore, it is advisable to update the multilateral understanding of which acts amount to the use of force and aggression, so as to include instances of cyberattacks. While it might be challenging to find consensus on grey areas, such as the characterization of digital attacks with no direct physical effects, there are points of convergence that should be consolidated multilaterally to provide more clarity and legal certainty."[22]

"Amongst the gravest forms of the use of force in international relations are armed attacks, which trigger the right of states to resort to self-defense, in accordance with article 51 of the UN Charter. Being self-defense an exception to the general principle on the prohibition to the use of force, it needs to be interpreted restrictively. This view is in line with the case law of the International Court of Justice, the principal judicial organ of the United Nations.

As a consequence, self-defense is only triggered by an armed attack undertaken by or attributable to a State. It is not possible to invoke self-defense as a response to acts by non-State actors, unless they are acting on behalf or under the effective control of a state. This norm becomes even more relevant with cyber operations, where technical, legal and operational challenges to determine attribution might make it impossible to verify potential abuses of the right of self defense, which in turns creates the risk of low impact persistent unilateral military action undermining the collective system established under the Charter.

In the same vein, contemporary international law does not allow for self-defense on the basis that the territorial state would be “unwilling and unable” to repress non-state actors whose cyber acts have extraterritorial effects. The definition of “armed attack” is limited to the use of force attributable to a state and, therefore, actions from non-state actors with similar effects might amount to serious crimes, but not an “armed attack”. If such a situation arises, the territorial state should adopt measures, in good faith and within its capabilities, to cease the action and ensure accountability.

If it fails to do so, this omission might constitute an internationally wrongful act, thus entailing this states’ international responsibility. According to customary international law, in this case the victim state is entitled to remedies, to be pursued only through peaceful means.

Moreover, self-defense should be a temporary remedy. Member states that exercise their right to self-defense must immediately report it to the Security Council, in line with article 51 of the Charter. Given the novelty of cyberattacks and the uncertainties related to it, reporting to the Security Council is even more important. As the ICJ highlighted, “the absence of a report may be one of the factors indicating whether the State in question was itself convinced that it was acting in self defense”. Once the incident is reported to the Security Council, it is expected that the temporary act of self-help is replaced by collective action, adopted and pursued in line with the UN Charter.

For Brazil, the right to self-defense exists once there is an actual or imminent armed attack. Under international law, there is no right to “preventive self-defense” - a notion that does not find legal grounds neither in art. 51 of the Charter nor in customary international law. Finally, as with responses to armed activities using conventional weapons, self-defense against armed attacks caused by digital means must be necessary and proportionate."[23]

"Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.

While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status."[24]

"States and international courts have consistently recognized some of the ILC articles on state responsibility as customary international law, such as the rules for attribution. In the absence of any lex specialis for cyberspace, the customary norms concerning the attribution of conduct to a State are also applicable to the State’s use of ICTs. Hence, cyber operations are attributable to a State if they are conducted by a State organ, by persons or entities exercising elements of governmental authority, or by persons or groups “acting on the instructions of, or under the direction or control of,” the State. Regarding the latter criteria, for a private person or entity’s conduct be attributable to a State, it has to be proved that the state had “effective control” over the operations. It is clear, therefore, that a connection “must exist between the conduct of a [state] and its international responsibility.”

The technical difficulties in tracing cyber operations and in determining its authorship may lead to additional challenges in attributing an internationally wrongful act to a State. However, these added difficulties must not serve as a justification to lower the bar for determinations on attribution, which must be substantiated."[25]

"On the other hand, there are questions on the customary status of other set of articles on state responsibility emanated from the ILC, such as the ones on countermeasures. There are different views on the existence of widespread state practice and opinio juris capable of giving rise to customary international law on the legality and the requirements of countermeasures. Furthermore, it is generally accepted that the ILC provisions on countermeasures went beyond the codification of customary norms and had a strong element of progressive development of international law. In this regard, it is important to recall that several states have criticized countermeasures because they would be prone to abuses, especially due to the material inequality of states.

Particularly on ICTs, there are many factors advising a cautious approach on countermeasures. First, there is an added difficulty to attribute cyber activities to a particular State, which is aggravated by the fact that States have different technical resources and capabilities to both identify the origins of a cyber activity and to verify claims of breaches of international obligations through cyber means. Second, cyber operations can be designed to mask or spoof the perpetrator, which in turns increase the risks of miscalculated responses against innocent actors. Finally, the speed with which the precipitating wrongful cyber operations may unfold poses a high risk of escalation, with potential rippling effects to the kinetic domain.

With this in mind, Brazil considers that there needs to be further discussions on the legality of countermeasures as a response to internationally wrongful acts, including in the cyber context. The discussions must fully take into account the UN Charter in its entirety, thus excluding from the outset any possibility of using force as a countermeasure – a view that has already been confirmed by the ILC. The priority of peaceful settlement of disputes, in line with articles 2(3) and 33 of the UN Charter, must also be reaffirmed."[26]

"International humanitarian law (IHL) is fairly equipped to answer many of the questions associated with new technologies, including ICTs. There is no doubt that IHL applies to States use of ICTs during an armed conflict. The fact that a specific weapon has been invented after the development of humanitarian law does not exempt it from regulation. Quoting from the ICJ Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, excluding cyber operations from IHL scope of application “would be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future.”

IHL applies to situations amounting to armed conflict independently of its classification as such by the parties. For IHL, it does not matter whether the armed conflict is lawful or not, because its objective is to minimize human suffering and provide a minimum level of protection to civilians in any scenario of hostilities. Hence, the recognition that international humanitarian law applies to the cyberspace does not in any way endorse its militarization or legitimize cyberwarfare, but only ensures a minimum level of protection if an armed conflict arises.

There are two instances where IHL might apply to cyber activities. First, if they are carried out as part of an ongoing armed conflict, contributing to conventional operations conducted by the parties. Second, if the cyber activities themselves cross the threshold of violence to be characterized as an armed conflict.

Of particular importance, the 2015 GGE report has noted the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction.

For Brazil, the IHL principle of precaution is also applicable to the use of ICTs by States, meaning that parties must “take all feasible precautions in the choice of means and methods of attack with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects”."[27]

"In making the assessment of necessity, distinction, proportionality and precaution, parties must take into consideration the particularities of the cyberspace, such as the interconnectivity between military and civilian networks. The principle of distinction determines that cyberattacks must target military objectives and must not be indiscriminate. In case of doubt whether a cyber infrastructure that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it shall be presumed not to be so used.

While holding the view that IHL applies to cyberspace, there are issues that deserve further reflection, such as the definition of cyberattack for the purposes of article 49 of AP I; the consideration of civilian data as a civilian object that entails protection under IHL; and when a civilian acting in the cyberspace might be considered as taking direct part in hostilities.

In any event, where IHL is silent or ambiguous, the “Martens clause” remains applicable, ensuring that, in cases not covered by existing rules, “civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity and from the dictates of public conscience”."[28]

"[..] according to AP I, States have an obligation, “in the study, development, acquisition or adoption of a new weapon, means or method of warfare,” to “determine whether its employment would, in some or all circumstances,” be prohibited. This norm, although being less strict than some States wished during the negotiations of AP I, already encompasses some precautionary elements. It must guide the development, acquisition and adoption of cyber capabilities."[29]

Estonia (2019)

"[...] as also many states and several international organizations have acknowledged – existing international law applies in cyberspace. Among others, the European Union, NATO, OECD and ASEAN have made similar addresses. Estonia has constantly upheld this position. We do believe and state that both the rights and obligations of international law, including those stated in the UN Charter, do apply to states when using IT and communication technologies. And for that we believe that the Tallinn Manuals vastly developed academic understanding of existing international law. I would like to reiterate, when it comes to legal questions of do’s and don’ts surrounding state behaviour in cyberspace, the answer must be sought from existing international law."[30]

"Sovereignty entails not only rights, but also obligations."[31]

"[...] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out."[32]

"[...] states must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. They should strive to develop means to offer support when requested by the injured state in order to identify, attribute or investigate malicious cyber operations. This expectation depends on national capacity as well as availability, and accessibility of information. As I mentioned here last year, we have to also consider the capacities of different states to be able to control such operations that exploit their infrastructure or systems. Therefore, meeting this expectation should encompass taking all feasible measures, rather than achieving concrete results.

And this also means that further effort must go to cyber capacity building and development cooperation to increase states’ capacity to prevent and respond to cyber threats. I hope that Estonia can serve as a model in partnering with other countries, especially in assisting those that do not have robust enough cyber defence systems. Our attention so far has been to Georgia and Ukraine – countries that face constant malicious cyber operations. Because by the end of the day – our own cyber security also depends on this."[33]

"[...] states have the right to attribute cyber operations both individually and collectively according to international law. Our ability and readiness to effectively cooperate among allies and partners in exchanging information and attributing malicious cyber activities has improved. The opportunities for malicious actors to walk away from their harmful actions with plausible deniability are clearly shrinking. Last year demonstrated that states are able to attribute harmful cyber operations both individually or in a coordinated manner. It is not something unachievable and endlessly complex. At the end of the day what is required from the attributing state, is not absolute certainty but what is reasonable. When assessing malicious cyber operations we can consider technical information, political context, established behavioural patterns and other relevant indicators."[34]

"More than simply attributing, we must take a stance that harmful cyber operations cannot be carried out without consequences. One good example would be EU’s Cyber Diplomacy Toolbox, which foresees a framework for joint EU diplomatic response to malicious cyber activities. Two weeks ago, EU Member States agreed on a horizontal framework which will allow to impose restrictive measures, or sanctions, against malicious cyber operations in similar manner as it is possible for terrorist acts or use of chemical weapons. Several allies have already taken diplomatic steps or set in place economic restrictive measures against adversarial states, or individuals responsible for harmful cyber operations."[35]

"[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner.

Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. The countermeasures applied should follow the principle of proportionality and other principles established within the international customary law. International security and the rules-based international order have long benefitted from collective efforts to stop the violations. We have seen this practice in the form of collective self-defence against armed attacks. For malicious cyber operations, we are starting to see this in collective diplomatic measures I mentioned before. The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace."[36]

"[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner."[37]

Finland (2020)

"It is undisputed that the principle of State sovereignty applies in cyberspace. While cyberspace as a whole cannot be subject to appropriation by any State, each State has jurisdiction over the cyber infrastructure and the persons engaged in cyber activities within its territory."

"Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace. Whether an unauthorized cyber intrusion violates the target State’s sovereignty depends on its nature and consequences and is subject to a case-by-case assessment."[38] "The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace."

"If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged."[39] "An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged. It is in this regard useful to distinguish identification as a technical operation from attribution as a legal operation. Identification may be technically challenging given the often covert nature of hostile cyber activities but this is without consequence to the legal rules of attribution."

"Public attribution, as a sovereign choice, is primarily a question of political consideration. Public attribution may nevertheless have legal effects to the extent it includes determinations of conduct that constitutes an internationally wrongful act."[40] "An internationally wrongful act may justify recourse to countermeasures by the injured State if the State responsible for an internationally wrongful act declines to cease the wrongful conduct or pay reparation. Countermeasures may only be taken with the purpose of ensuring compliance, not for retaliation. Countermeasures may furthermore not breach the prohibition of the threat or use of force, or other peremptory norms of general international law, and must be consistent with other customary law requirements and limitations concerning countermeasures, most of which are reflected in the International Law Commission’s Articles on State Responsibility. Some of the procedural requirements concerning countermeasures may nevertheless require adjustment. For instance, it may be possible to attribute a hostile cyber operation only afterward whereas countermeasures normally should be taken while the wrongful act is ongoing. There is no general obligation for a State taking countermeasures to disclose the information on the basis of which the action is taken. At the same time, it is in each State’s best interests to ensure that a decision to take countermeasures is based on solid evidence, given that recourse to countermeasures would otherwise constitute an internationally wrongful act. 
A State that responds to a hostile cyber operation must therefore have adequate proof of the source of the operation and convincing evidence of the responsibility of a particular State."[41] "While there is currently no established definition of a cyberattack that would pass the threshold of “use of force” in the sense of article 2(4) of the UN Charter, or “armed attack” in the sense of article 51, it is widely recognized that such a qualification depends on the consequences of a cyberattack. For a cyberattack to be comparable to use of force, it must be sufficiently serious and have impacts in the territory of the target State, or in areas within its jurisdiction, that are similar to those of the use of force. A threat of such a cyberattack could also violate Article 2(4) of the Charter, if the threat is sufficiently precise and directed against another State. Similarly, most commentators agree that when the scale and effects of a cyberattack correspond to those of an armed attack responding to the cyberattack is justifiable as self-defence. It is obvious that the attack must have caused death, injury or substantial material damage, but it is impossible to set a precise quantitative threshold for the effects, and other circumstantial factors must be taken into account in the analysis, as well."

"A question has also been raised, whether a cyberattack producing significant economic effects such as the collapse of a State’s financial system or parts of its economy should be equated to an armed attack. This question merits further consideration. Any interpretation of the use of force in cyberspace should respect the UN Charter and not just the letter of the Charter but also its object and purpose, which is to prevent the escalation of armed activities. This would mean, for instance, that the distinction between armed attack as a particularly serious violation of the Charter, on the one hand, and any lesser uses of force, on the other, is preserved. Similarly, the conditions for the exercise of the right of self-defence apply in cyberspace as they do with regard to the use of armed force. The right of self-defence arises if a cyberattack comparable to an armed attack occurs and can be attributed to a particular State. It is reasonable to think that a State victim to such an attack can respond with either cyber means or armed action. At the same time, the use of force must not be disproportionate or excessive."[42] "International humanitarian law only applies to cyber operations when such operations are part of, or amount to, an armed conflict. Most so far known cyberattacks have not been launched in the context of an armed conflict or met the threshold of armed conflict. At the same time, when cyber means are used in the context of a pre-existing armed conflict, as has been done in many current conflicts, there is no reason to deny the need for the protections that international humanitarian law provides. This includes that cyber means and methods of warfare must be used consistently with the principles of distinction, proportionality and precautions, as well as the specific rules flowing from these principles. 
When assessing the capacity of cyber means and methods to cause prohibited harm, their foreseeable direct and indirect effects shall be taken into account. Constant care shall be taken to ensure the protection of civilians and civilian objects, including essential civilian infrastructure, civilian services and civilian data.

The unique characteristics of cyberspace, such as interconnectedness and anonymity, may affect how international humanitarian law is interpreted and applied with regard to certain cyber means and methods of warfare. The related problems can nevertheless mostly be solved on the basis of existing rules. New technologies do not render the existing rules of international humanitarian law meaningless or necessarily require new legal regulation. Furthermore, while international humanitarian law is lex specialis in an armed conflict, it does not override other areas of international law, such as human rights law, which may continue to apply throughout the conflict."[43] "A number of specific human rights such as the freedom of opinion and expression, including the right to access to information, and the right to privacy are particularly relevant in cyberspace. It should nevertheless be underlined that individuals enjoy the same international human rights with respect to cyber-related activities as otherwise and, accordingly, that States are bound by all their human rights obligations both online and offline. Furthermore, each State has to protect individuals within its territory and subject to its jurisdiction from interference with their rights by third parties."[44]

France (2019)

"Cyberattacks may constitute a violation of sovereignty. The international norms and principles that flow from State sovereignty apply to the use of ICT by States and to their territorial jurisdiction over ICT infrastructure. France exercises its sovereignty over the information systems located on its territory".[45]

"Any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ, a person or an entity exercising elements of governmental authority or by a person or persons acting on the instructions of or under the direction or control of a State constitutes a breach of sovereignty."[46]

"The principle of sovereignty applies to cyberspace. France exercises its sovereignty over the information systems located on its territory. The gravity of a breach of sovereignty will be assessed on a case-by-case basis in accordance with French cyberdefence governance arrangements in order to determine possible responses in compliance with international law".[47] "A cyberattack is deemed to have been instigated by a State if it has been perpetrated by a State organ, a person or entity exercising elements of governmental authority, or a person or group of persons acting on the instructions of, or under the direction or control of that State."[48] "The attribution of a cyberattack having its origin in another State is a national political decision. When a cyberattack is detected, France takes the necessary steps to categorise it, which may include neutralising its effects.

Identification of the instigator is based mainly, though not solely, on technical information gathered during investigations of the cyberattack, especially identification of the attack and transit infrastructure for the cyberoperation and its location, identification of the adversary methods of operation (AMO), the overall chronology of the perpetrator’s activities, the scale and gravity of the incident and the compromised perimeter, or the effects sought by the attacker. This information can help to determine whether or not a link exists between the instigators and a State.

A cyberattack is deemed to have been instigated by a State if it has been perpetrated by a State organ, a person or entity exercising elements of governmental authority, or a person or group of persons acting on the instructions of, or under the direction or control of that State.

The identification of a State as being responsible for a cyberattack that is an internationally unlawful act does not in any way oblige the victim State to make a public attribution. Such attribution is a discretionary choice made, inter alia, according to the nature and origin of the operation, the specific circumstances and the international context. It is a sovereign decision insofar as France reserves the right to attribute publicly, or not, a cyberattack against it and to bring that information to the attention of its population, other States or the international community. This policy does not rule out close coordination with France’s allies and partner States, including international or regional organisations, in particular the European Union (EU) and the North Atlantic Treaty Organisation (NATO). However, while the decision may go as far as collective attribution of a cyberattack, it lies solely with France. In addition, international law does not require States to provide the evidence on which the public attribution of a cyberattack is based, though such information helps to legitimise the validity of such attribution. In all events, a decision not to publicly attribute a cyberattack is not a final barrier to the application of international law, and in particular to assertion of the right of response available to States.

The capabilities of the Armed Forces Ministry contribute to the process of characterising cyber-attacks against the French State. The public attribution of a cyberattack against France is a national political decision. Although this power may be exercised in coordination with other States or international organisations, it is prima facie a sovereign prerogative."[49] "In general, France can respond to cyberattacks by taking counter-measures. In response to a cyberattack that infringes international law (including use of force), France may take counter-measures designed to (i) protect its interests and ensure they are respected and (ii) induce the State responsible to comply with its obligations.

Under international law, such counter-measures must be taken by France in its capacity as victim. Collective counter-measures are not authorised, which rules out the possibility of France taking such measures in response to an infringement of another State’s rights.

Counter-measures must also be taken in compliance with international law, in particular the prohibition of the threat or use of force. Consequently, they form part of a peaceful response, their sole purpose being to end the initial violation, including in reaction to a cyberoperation that constitutes a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter. The response to a cyberoperation may involve digital means or not, provided that it is commensurate with the injury suffered, taking into account the gravity of the initial violation and the rights in question.

Lastly, the use of counter-measures requires the State responsible for the cyberattack to comply with its obligations. The victim State may, in certain circumstances, derogate from the obligation to inform the State responsible for the cyberoperation beforehand, where there is a need to protect its rights. The possibility of taking urgent counter-measures is particularly relevant in cyberspace, given the widespread use of concealment procedures and the difficulties of traceability."[50] "Many States are acquiring the capacity to prepare and conduct operations in cyberspace. When carried out to the detriment of the rights of other States, such operations may breach international law. Depending on the extent of their intrusion or their effects, they may violate the principles of sovereignty, non-intervention or even the prohibition of the threat or use of force. States targeted by such cyberattacks are entitled to respond to them within the framework of the options offered by international law. In response to a cyberattack, France may consider diplomatic responses to certain incidents, counter-measures, or even coercive action by the armed forces if an attack constitutes armed aggression."[51]

Interference by digital means in the internal or external affairs of France, i.e. interference which causes or may cause harm to France’s political, economic, social and cultural system, may constitute a violation of the principle of non-intervention.[52] "France exercises its sovereignty over the information systems located on its territory. In compliance with the due diligence requirement, it ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors."[53]

"The failure by another State to comply with its due diligence requirement is not a sufficient ground for the use of force against it in the context of cyberattacks carried out from its territory.

In accordance with the due diligence principle, “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs”, including acts that infringe the territorial integrity or sovereignty of another State. In addition, States must ensure that non-state actors do not use their territory to carry on such activities, and not use proxies to commit internationally wrongful acts using ICTs. The fact that a State fails to comply with its due diligence obligation can justify the taking of political and diplomatic measures that may include counter-measures or a referral to the UNSC. The fact that a State does not take all reasonable measures to stop wrongful acts against other States perpetrated from its territory by non-state actors, or is incapable of preventing them, cannot constitute an exception to the prohibition of the use of force.

Under these conditions, France does not recognise the extensive approach to self-defence expressed by a majority of the Tallinn Manual Group of Experts which allows a State that is victim of a large-scale cyberattack perpetrated by non-state actors from the territory of another State to use self-defence against that State, including if such a response is carried out in compliance with the principle of necessity, is the only means to counter the armed attack, and the territorial State is unwilling or unable to prevent the perpetration of such acts."[54] "France also does not rule out the option of invoking a state of distress or necessity in order to protect a vital interest against a cyberattack which is below the threshold of armed attack but constitutes a serious and imminent danger. In such cases, the measures taken remain peaceful and do not seriously harm a vital interest of the State concerned. Such measures in response to a cyberattack against France in breach of international law are not taken systematically, but according to a discretionary political decision."[55] "Some cyberoperations may violate the prohibition of the threat or use of force. The most serious violations of sovereignty, especially those that infringe France’s territorial integrity or political independence, may violate the prohibition of the threat or use of force, which applies to any use of force, regardless of the weapons employed. In digital space, crossing the threshold of the use of force depends not on the digital means employed but on the effects of the cyberoperation. A cyberoperation carried out by one State against another State violates the prohibition of the use of force if its effects are similar to those that result from the use of conventional weapons. However, France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force. 
In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.

However, not every use of force is an armed attack within the meaning of Article 51 of the United Nations Charter, especially if its effects are limited or reversible or do not attain a certain level of gravity.

The prohibition of the use of force enshrined in the United Nations Charter applies to cyberspace. Certain cyberoperations may constitute a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter."[56] In an armed conflict situation, cyberspace is an area of confrontation in its own right linked to other areas of confrontation. The offensive cyber capability implemented in the theatres of engagement of the French armed forces is controlled by means of a doctrine and a framework for use in accordance with which it is required to comply with international humanitarian law (IHL).[57] Cyberoperations that constitute hostilities between two or more States may characterise the existence of international armed conflict (IAC). Likewise, prolonged cyberoperations by government armed forces against one or more armed groups or by several armed groups between themselves may constitute a non-international armed conflict (NIAC), where such groups show a minimum level of organisation and the effects of such operations reach a sufficient threshold of violence. They are generally military operations concurrent with conventional military operations: that is why it is not difficult to categorise an armed conflict situation. While an armed conflict consisting exclusively of digital activities cannot be ruled out in principle, it is based on the capacity of autonomous cyberoperations to reach the threshold of violence required to be categorised as such. Although virtual, cyberoperations still fall within the geographical scope of IHL, insofar as their effects must arise on the territory of the States party to the IAC and on the territory where the NIAC hostilities occur.[58] "The use of a cyber weapon in an armed conflict situation obeys the principles governing the conduct of hostilities. A cyber weapon, which is governed by IHL, may be used in combination with conventional military resources or in isolation. 
In support of conventional means, it produces the same intelligence, neutralisation and deception effects as those conventional means, which have long been subject to the targeting procedures used by the French armed forces in compliance with IHL.

The specific nature and complexity of offensive cyber warfare resources demand risk control arrangements just as robust as those applied to conventional operations, taking into account the inherent features of the conduct of operations in cyberspace. In practice, the risks linked to the use of a cyber weapon, especially the immediacy of the action, the duality of targets and the hyperconnectivity of networks, demand a specific digital targeting process spanning all phases of the cyberoperation in order to ensure compliance with the principles of distinction, precaution and proportionality, inter alia in order to minimise potential civilian damage and loss of life. The process involves long and specific planning carried out in close coordination with the planning of operations in the physical sphere."[59] "In order to ensure application of the rules governing the conduct of hostilities (distinction, proportionality and precaution, prohibition of superfluous injury and unnecessary suffering), a specific digital targeting process is used for cyberoperations, under the responsibility of the commander-in-chief of the armed forces, with the input, inter alia, of operational staff and specialist operational legal advisers. It cannot be ruled out that a serious breach of these principles arising from a cyberoperation could constitute a war crime within the meaning of the Rome Statute.

The principle of distinction

Under the principle of distinction, the parties to an armed conflict must at all times distinguish between the civilian population and combatants, and between civilian objects and military objectives. In this regard, cyber-attacks carried out in an armed conflict situation which are not directed against a specific military objective or whose effects cannot be contained are prohibited. If there is doubt as to whether an individual is a combatant, he or she must be considered a civilian. Likewise, an object normally used for civilian purposes is presumed not to be used to make an effective contribution to military action. On this point France does not follow the Tallinn Manual, which considers that if there is doubt over the use of a civilian object for military purposes, a determination as to such use should be made only following a careful assessment.

From this standpoint and under the authority of the commander-in-chief of the armed forces, offensive cyber warfare operations are planned and coordinated taking all measures possible in practice to ensure that the targeted objectives are not civilians or civilian objects. Commanders are thus careful to gather the necessary intelligence to identify the objective and choose the most suitable means in order to apply the principle of distinction. Even if cyber weapons can have immediate effects, their integration into the operational manoeuvre is based on often long and specific planning designed to gather the information necessary to identify the nature of the targeted system (such as a map of the enemy network) in order to ensure compliance with IHL. A cyberoperation will be cancelled if the target under consideration proves not to be a military objective.

The distinction between military objectives and civilian objects.

In cyberspace, ICT equipment or systems and the data, processes or flows which constitute a service may be a military objective if (i) they contribute to military action by their nature (armed forces computer workstations, military command, localisation or surveillance networks, etc.), their location (places from which the cyber-attacks are carried out), their purpose (foreseeable use of ICT networks for military purposes) or their use (use of part of the network for military purposes), and (ii) their total or partial destruction, capture or neutralisation confers a definite military advantage. Under these circumstances, a propaganda centre may be a lawful military objective and the target of a cyberattack if it disseminates instructions linked to the conduct of hostilities.

Conversely, all objects which are not military objectives are deemed to be civilian objects. An attack carried out in cyberspace may not be directed against ICT systems used by schools, medical institutions or any other exclusively civilian service, or against systems whose destruction would only entail tangible effects on civilian objects, unless those objects are used for military purposes. Given the current state of digital dependence, content data (such as civilian, bank or medical data, etc.) are protected under the principle of distinction.

Cyberoperations must also take into account the special protection of certain objects, such as medical units, cultural property, the natural environment, objects indispensable to the survival of the civilian population and installations that contain dangerous forces. This protection extends to ICT equipment and services and to the data needed to operate them, such as medical data linked to the operation of a hospital.

ICT infrastructure or a system used for both civilian and military purposes may, after detailed analysis on a case-by-case basis, be deemed a military objective. They may be targeted provided that the principles of proportionality and precaution are respected. Given the hyperconnectivity of systems, commanders exercise vigilance over the action as a whole in order to avoid effects on civilians and civilian objects, or at least keep them to a minimum, in compliance with the principles of precaution and proportionality."[60] "Cyber-combatants, especially military personnel assigned to a cyberspace operations command, a group of hackers under State command or members of organised armed groups perpetrating cyberoperations against the adversary may be attacked, unless they are hors de combat.

Any other person is considered to be a civilian and enjoys general protection against the dangers arising from military operations, unless and for such time as they take a direct part in hostilities. A cyberoperation which is carried out to adversely affect the military operations or military capacity of a party to an armed conflict to the detriment of that party and to the advantage of an adversary, or which is likely to cause loss of human life, injury and civilian damage may be deemed a direct participation in hostilities.

For example, the penetration of a military system by a party to an armed conflict with a view to gathering tactical intelligence for the benefit of an adversary for the purposes of an attack constitutes direct participation in hostilities. The same applies to installing malicious code, preparing a botnet in order to launch an attack by denial of service, or developing software specifically intended for the perpetration of a hostile act."[61]

"Cyber-combatants integrated into or affiliated with the armed forces or members of organised armed groups may be targeted by conventional means, in the same way as civilians conducting offensive activities that constitute direct participation in hostilities. Given the difficulties of identifying the perpetrators of a cyberattack, the targeting of such individuals remains marginal."[62] "When cyberoperations are conducted, constant care should be taken to spare the civilian population, civilians and civilian objects.

Even though the necessary precautions may be taken, if the neutralisation or destruction of a military objective by digital means nevertheless risks causing civilian damage, it must not exceed the concrete and direct military advantage anticipated. The risks inherent in cyberspace (immediacy of effects, intrinsic duality of military objectives, hyperconnectivity, difficulty of tracing operations, vulnerability of systems) must therefore be taken into account in order to determine the modes of action and means to be implemented in cyber warfare in order to ensure compliance with the principle of proportionality.

Even though the anticipated effect of a cyber weapon may be difficult to measure, given the interconnectivity of information systems, especially on account of the risk of propagation beyond the target, these risks may be contained by the development of specific cyber weapons whose use is decided according to the desired effects, determined beforehand (activation of malware only in the presence of a specific network previously identified by a penetration of the system, existence of a deactivation time, etc.).

The use of malware which deliberately reproduces and propagates with no possible control or reversibility, and is hence likely to cause significant damage to critical civilian systems or infrastructure, is contrary to IHL, in the same way as the temporary interruption without military advantage of an adversary system followed by physical damage to civilian infrastructure.

The assessment of the effects of a cyberoperation takes into account all the foreseeable damage caused by the cyber weapon, whether direct (such as damage to the ICT equipment directly targeted or interruption of the system) or indirect (such as the effects on the infrastructure controlled by the targeted system, or on persons affected by the malfunction or destruction of the targeted systems or infrastructure, or by the alteration and corruption of content data).

In order for offensive cyber warfare operations to be conducted in compliance with the principle of precaution, the Armed Forces Ministry consults operational experts in military cyberdefence under the responsibility of the cyberdefence commander (COMCYBER). They possess the necessary technical knowledge, are able to exploit the available information (intelligence, strict identification of targets, correlation between the weapon and the desired effects, etc.) and have been given specific training in the complexity of cyber weapons.

These precautionary measures in attack are backed up by precautionary measures against the effects of an attack which a State should take in order to protect the civilian population and civilian objects against the dangers resulting from cyberoperations."[63]

"Despite the complexity of cyberspace, the framework for cyberoperations carried out in an armed conflict situation is still determined by compliance with the principles of precaution and proportionality. As such, the digital targeting process takes account of a cyber weapon’s direct and indirect effects.

Despite the interconnectivity of military and civilian systems, the fact of being able to configure a cyber weapon according to the specifically desired effects of an operation helps to avoid excessive damage in relation to the concrete and direct military advantage anticipated. The non-lethal nature of cyber weapons and the possibility of limiting their effects to a previously identified system contribute to the obligation to choose the means and methods of attack most likely to avoid, or at least reduce to a minimum, any incidental loss of civilian lives, injury to civilians or damage to civilian objects."[64]

"Cyberoperations carried out in the context of an international armed conflict, or which trigger such a conflict, are subject to the law of neutrality. As such, the States party to an IAC may neither carry out cyberoperations linked to the conflict from installations situated on the territory of a neutral State or under the exclusive control of a neutral State, nor take control of computer systems of the neutral State in order to carry out such operations. The neutral State must prevent any use by belligerent States of ICT infrastructure situated on its territory or under its exclusive control. However, it is not required to prevent belligerent States from using its ICT networks for communication purposes.

Routing a cyberattack via the systems of a neutral State without any effect on that State does not breach the law of neutrality, which prohibits only the physical transit of troops or convoys."[65]

"The law of neutrality applies to cyberoperations. Belligerents must refrain from causing harmful effects to digital infrastructure situated on the territory of a neutral State or from launching a cyberattack from such infrastructure."[66]

Germany (2021)

"The legal principle of State sovereignty applies to States’ activities with regard to cyberspace. State sovereignty implies, inter alia, that a State retains a right of regulation, enforcement and adjudication (jurisdiction) with regard to both persons engaging in cyber activities and cyber infrastructure on its territory. It is limited only by relevant rules of international law, including international humanitarian law and international human rights law. Germany recognizes that due to the high degree of cross-border interconnectedness of cyber infrastructures, a State’s exercise of its jurisdiction may have unavoidable and immediate repercussions for the cyber infrastructure of other States. While this does not limit a State’s right to exercise its jurisdiction, due regard has to be given to potential adverse effects on third States.

By virtue of sovereignty, a State’s political independence is protected and it retains the right to freely choose its political, social, economic and cultural system. Inter alia, a State may generally decide freely which role information and communication technologies should play in its governmental, administrative and adjudicative proceedings. Foreign interference in the conduct of elections of a State may under certain circumstances constitute a breach of sovereignty or, if pursued by means of coercion, of the prohibition of wrongful intervention. Moreover, by virtue of its sovereignty, a State may decide freely over its foreign policy also in the field of information and communication technologies.

Furthermore, a State’s territorial sovereignty is protected. Due to the rootedness of all cyber activities in the actions of human beings using physical infrastructure, cyberspace is not a deterritorialized forum. In this regard, Germany underlines that there are no independent ‘cyber borders’ incongruent with a State’s physical borders which would limit or disregard the territorial scope of its sovereignty. Within its borders, a State has the exclusive right – within the framework of international law – to fully exercise its authority, which includes the protection of cyber activities, persons engaging therein as well as cyber infrastructures in the territory of a State against cyber and non-cyber-related interferences attributable to foreign States."[67]

"Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law. In this regard, State sovereignty constitutes a legal norm in its own right and may apply directly as a general norm also in cases in which more specific rules applicable to State behaviour, such as the prohibition of intervention or the use of force, are not applicable. Violations of State sovereignty may inter alia involve its territorial dimension; in this regard, the following categories of cases may be relevant (without excluding the possibility of other cases):

Germany essentially concurs with the view proffered, inter alia, in the Tallinn Manual 2.0 that cyber operations attributable to a State which lead to physical effects and harm in the territory of another State constitute a violation of that State’s territorial sovereignty. This encompasses physical damage to cyber infrastructure components per se and physical effects of such damage on persons or on other infrastructure, i.e. cyber or analogue infrastructure components connected to the damaged cyber component or infrastructure located in the vicinity of the damaged cyber infrastructure (provided a sufficient causal link can be established).

Germany generally also concurs with the view expressed and discussed in the Tallinn Manual 2.0 that certain effects in form of functional impairments with regard to cyber infrastructures located in a State’s territory may constitute a violation of a State’s territorial sovereignty. In Germany’s view, this may also apply to certain substantial non-physical (i.e. software-related) functional impairments. In such situations, an evaluation of all relevant circumstances of the individual case will be necessary. If functional impairments result in substantive secondary or indirect physical effects in the territory of the target State (and a sufficient causal link to the cyber operation can be established), a violation of territorial sovereignty will appear highly probable.

In any case, negligible physical effects and functional impairments below a certain impact threshold cannot – taken by themselves – be deemed to constitute a violation of territorial sovereignty.

Generally, the fact that a piece of critical infrastructure (i.e. infrastructure which plays an indispensable role in ensuring the functioning of the State and its society) or a company of special public interest in the territory of a State has been affected may indicate that a State’s territorial sovereignty has been violated. However, this cannot in and of itself constitute a violation, inter alia because uniform international definitions of the terms do not yet exist. Also, cyber operations in which infrastructures and/or companies which do not qualify as ‘critical’ or ‘of particular public interest’ are affected may likewise violate the territorial sovereignty of a State."[68]

"As a corollary to the rights conferred on States by the rule of territorial sovereignty, States are under an ‘obligation not to allow knowingly their territory to be used for acts contrary to the rights of other States’ – this generally applies to such use by State and non-State actors. The ‘due diligence principle’, which is widely recognized in international law, is applicable to the cyber context as well and gains particular relevance here because of the vast interconnectedness of cyber systems and infrastructures."[69]

"[..] a State may also become liable under international law in connection with another State’s or a non-State actor’s actions if the first State fails to abide by its obligations stemming from the ‘due diligence’ principle."[70] "The prohibition of a wrongful intervention between States is not explicitly mentioned in the UN Charter. However, it is a corollary of the sovereignty principle, can be derived from art. 2 para. 1 UN Charter and is grounded in customary international law. Generally, for State-attributable conduct to qualify as a wrongful intervention, the conduct must (1) interfere with the domaine réservé of a foreign State and (2) involve coercion. Especially the definition of the latter element requires further clarification in the cyber context.

In its Nicaragua judgement, the International Court of Justice (ICJ) held that ‘[t]he element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.’ Malicious cyber activities will only in some cases amount to direct or indirect use of force. However, measures below this threshold may also qualify as coercive. Generally, Germany is of the opinion that cyber measures may constitute a prohibited intervention under international law if they are comparable in scale and effect to coercion in non-cyber contexts.

Coercion implies that a State’s internal processes regarding aspects pertaining to its domaine réservé are significantly influenced or thwarted and that its will is manifestly bent by the foreign State’s conduct. However, as is widely accepted, the element of coercion must not be assumed prematurely. Even harsher forms of communication such as pointed commentary and sharp criticism as well as (persistent) attempts to obtain, through discussion, a certain reaction or the performance of a certain measure from another State do not as such qualify as coercion. Moreover, the acting State must intend to intervene in the internal affairs of the target State – otherwise the scope of the non-intervention principle would be unduly broad.

In the context of wrongful intervention, the problem of foreign electoral interference by means of malicious cyber activities has become particularly virulent. Germany generally agrees with the opinion that malicious cyber activities targeting foreign elections may – either individually or as part of a wider campaign involving cyber and non-cyber-related tactics – constitute a wrongful intervention. For example, it is conceivable that a State, by spreading disinformation via the internet, may deliberately incite violent political upheaval, riots and/or civil strife in a foreign country, thereby significantly impeding the orderly conduct of an election and the casting of ballots. Such activities may be comparable in scale and effect to the support of insurgents and may hence be akin to coercion in the above-mentioned sense. A detailed assessment of the individual case would be necessary.

Also, the disabling of election infrastructure and technology such as electronic ballots, etc. by malicious cyber activities may constitute a prohibited intervention, in particular if this compromises or even prevents the holding of an election, or if the results of an election are thereby substantially modified.

Furthermore, beyond the mentioned examples, cyber activities targeting elections may be comparable in scale and effect to coercion if they aim at and result in a substantive disturbance or even permanent change of the political system of the targeted State, i.e. by significantly eroding public trust in a State’s political organs and processes, by seriously impeding important State organs in the fulfilment of their functions or by dissuading significant groups of citizens from voting, thereby undermining the meaningfulness of an election. Due to the complexity and singularity of such scenarios, it is difficult to formulate abstract criteria. Discussions in this context are still ongoing."[71]

"So far, the vast majority of malicious cyber operations fall outside the scope of ‘force’. However, cyber operations might in extremis fall within the scope of the prohibition of the use of force and thus constitute a breach of art. 2 para. 4 UN Charter.

The ICJ has stated in its Nuclear Weapons opinion that Charter provisions ‘apply to any use of force, regardless of the weapons employed.’ Germany shares the view that with regard to the definition of ‘use of force’, emphasis needs to be put on the effects rather than on the means used.

Cyber operations can cross the threshold into use of force and cause significant damage in two ways. Firstly, they can be part of a wider kinetic attack. In such cases they are one component of a wider operation clearly involving the use of physical force, and can be assessed within the examination of the wider incident. Secondly, outside the wider context of a kinetic military operation, cyber operations can by themselves cause serious harm and may result in massive casualties.

With regard to the latter case, Germany shares the view expressed in the Tallinn Manual 2.0: the threshold of use of force in cyber operations is defined, in analogy to the ICJ’s Nicaragua judgement, by the scale and effects of such a cyber operation. Whenever scale and effects of a cyber operation are comparable to those of a traditional kinetic use of force, it would constitute a breach of art. 2 para. 4 UN Charter.

The determination of a cyber operation as having crossed the threshold of a prohibited use of force is a decision to be taken on a case-by-case basis. Based on the assessment of the scale and effects of the operation, the broader context of the situation and the significance of the malicious cyber operation will have to be taken into account. Qualitative criteria which may play a role in the assessment are, inter alia, the severity of the interference, the immediacy of its effects, the degree of intrusion into a foreign cyber infrastructure and the degree of organization and coordination of the malicious cyber operation."[72]

"Germany reiterates its view that IHL applies to cyber activities in the context of armed conflict. The fact that cyberspace as a domain of warfare was unknown at the time when the core treaties of IHL were drafted does not exempt the conduct of hostilities in cyberspace from the application of IHL. As for any other military operation, IHL applies to cyber operations conducted in the context of an armed conflict independently of its qualification as lawful or unlawful from the perspective of the ius ad bellum.

An international armed conflict – a main prerequisite for the applicability of IHL in a concrete case – is characterized by armed hostilities between States. This may also encompass hostilities that are partially or totally conducted by using cyber means. Germany holds the view that cyber operations of a non-international character, e.g. of armed groups against a State, which reach a sufficient extent, duration, or intensity (as opposed to acts of limited impact) may be considered a non-international armed conflict and thereby also trigger the application of IHL.

At the same time, cyber actions can become part of an ongoing armed conflict. In order to fall within the ambit of IHL, the cyber operation must show a sufficient nexus with the armed conflict, i.e. the cyber operation must be conducted by a party to the conflict against its opponent and must contribute to its military effort.

Cyber operations between a non-State actor and a State alone may provoke a non-international armed conflict. However, this will only seldom be the case due to the level of intensity, impact and extent of hostilities required. Thus, activities such as a large-scale intrusion into foreign cyber systems, significant data theft, the blocking of internet services and the defacing of governmental channels or websites will usually not singularly and in themselves bring about a non-international armed conflict."[73]

"The basic principles governing the conduct of hostilities, including by cyber means, such as the principles of distinction, proportionality, precautions in attack and the prohibition of unnecessary suffering and superfluous injury, apply to cyber attacks in international as well as in non-international armed conflicts.

Germany defines a cyber attack in the context of IHL as an act or action initiated in or through cyberspace to cause harmful effects on communication, information or other electronic systems, on the information that is stored, processed or transmitted on these systems or on physical objects or persons. The occurrence of physical damage, injury or death to persons or damage or destruction to objects comparable to effects of conventional weapons is not required for an attack in the sense of art. 49 para. 1 Additional Protocol I to the Geneva Conventions. However, the mere intrusion into foreign networks and the copying of data does not constitute an attack under IHL."[74]

"The principle of distinction obliges States to differentiate between military and civilian objects, as well as between civilians, on the one hand, and combatants, members of organized armed groups and civilians taking direct part in hostilities, on the other hand. While IHL does not prohibit an attack on the latter, civilians (not taking direct part in hostilities) and civilian objects must be spared.

Civilians operating in cyberspace can be considered as taking direct part in hostilities with the result of losing their protection from attack and the effects of the hostilities, provided the following conditions are met: Their acts are likely to adversely affect the military operations or military capacity of a party, there is a direct causal link between their acts and the adverse effects and the acts are specifically designed to inflict harm in support of a party to an armed conflict and to the detriment of another (belligerent nexus). Thus, Germany agrees with the view that, for example, ‘electronic interference with military computer networks […], whether through computer network attacks or computer network exploitation, as well as wiretapping […] [of an] adversary’s high command or transmitting tactical targeting information for an attack’, could suffice in order to consider a civilian person as directly participating in hostilities."[75]

"[...] a civilian object like a computer, computer networks, and cyber infrastructure, or even data stocks, can become a military target, if used either for both civilian and military purposes or exclusively for the latter. However, in cases of doubt, the determination that a civilian computer is in fact used to make an effective contribution to military action may only be made after a careful assessment. Should substantive doubts remain as to the military use of the object under consideration, it shall be presumed not to be so used.

The benchmark for the application of the principle of distinction is the effect caused by a cyber attack, irrespective of whether it is exercised in an offensive or a defensive context. Thus, computer viruses designed to spread their harmful effects uncontrollably cannot distinguish properly between military and civilian computer systems as is required under IHL and their use is therefore prohibited as an indiscriminate attack. In contrast, malware that spreads widely into civilian systems but damages only a specific military target does not violate the principle of distinction. Given the complexity of cyber attacks, the limited options to comprehensively appraise their nature and effects and the high probability of an impact on civilian systems, having recourse to the appropriate expertise to assess potential indiscriminate effects throughout the mission planning process is of key importance to Germany.

A cyber attack directed against a military target which is nevertheless expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, is also prohibited under IHL if such incidental effects would be excessive in relation to the concrete and direct military advantage anticipated. If a cyber attack is executed in conjunction with other forms of military action, such as attacks with conventional weapons directed against the same installation, the military advantage and the collateral damage must be considered with regard to the ‘attack […] as a whole and not only […] [with regard to] isolated or particular parts of the attack.’

Assessing collateral damage and incidental injury or loss of life when conducting a proportionality analysis can be even more difficult in the context of cyber operations as compared to more traditional, i.e. physical, means or methods of warfare. This however does not discharge those planning and coordinating attacks from taking into account their foreseeable direct and indirect effects."[76]

"A corollary to the prohibition of indiscriminate cyber attacks is the duty to take constant care to spare the civilian population, civilians and civilian objects during hostilities involving cyber operations.

Those who plan, approve or execute attacks must take all feasible precautions in the choice of means and methods with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects. This might encompass gathering intelligence on the network in question through mapping or other processes in order to assess the attack’s likely effects. Also, the inclusion of a deactivation mechanism or a specific configuration of the cyber tool which limits the effects on the intended target might be considered. Moreover, if it becomes apparent that the target is not a military one or is subject to special protection, those who plan, approve or execute the cyber attack must refrain from executing or suspend the attack. The same applies when the attack may be expected to cause excessive collateral damage to civilians and civilian objects."[77]

"The obligation to take precautions in attack is complemented by the obligation to conduct weapon reviews of any new means or method of cyber warfare to determine whether its employment would, in some or in all circumstances, be prohibited by international law. The findings of such reviews, to the extent that they identify legal constraints for the employment of means and methods in particular operational settings, should serve as a basis for operational planning. However, the means and methods used in cyber warfare are typically tailored to their targets, as they generally involve exploiting vulnerabilities that are specific to the target and the operational context. This entails that the development of means or the adoption of the method will often coincide with the planning of a concrete operation. Thus, the obligation to take precautions in attack and the requirement of a legal review remain separate requirements, but may overlap in substance."[78]

"Attributing a cyber incident is of critical importance as a part of holding States responsible for wrongful behaviour and for documenting norm violations in cyberspace. It is also a prerequisite for certain types of responsive action. As regards the attribution of certain acts to States under international law, Germany applies the relevant customary law rules on State responsibility also to acts in cyberspace, subject to any lex specialis provisions. Inter alia, cyber operations conducted by State organs are attributable to the State in question. The same applies with regard to persons or entities which are empowered by the law of a State to exercise elements of the governmental authority and act in that capacity in the particular instance. Attribution is not excluded because such organ, person or entity acting in an official capacity exceeds its authority or contravenes instructions – cyber operations conducted ultra vires are likewise attributable to the State in question. This applies a maiore ad minus when only parts of an operation are ultra vires.

Generally, the mere (remote) use of cyber infrastructure located in the territory of a State (forum State) by another State (acting State) for the implementation of malicious cyber operations by the latter does not lead to an attribution of the acting State’s conduct to the forum State. However, the forum State may under certain circumstances incur responsibility on separate grounds, for example if its conduct with regard to another State’s use of its cyber infrastructure for malicious purposes qualifies as aid or assistance. This inter alia applies if the forum State actively and knowingly provides the acting State with access to its cyber infrastructure and thereby facilitates malicious cyber operations by the other State.

Moreover, cyber operations conducted by non-State actors which act on the instructions of, or under the direction or control of, a State are attributable to that State. The same principles apply as in the physical world: if a State recurs to private actors in order to commit an unlawful deed, the actions by the private actor will regularly be attributable to the State. States should recognize that they are accountable for the actions of proxies acting under their control. The State must have control over a specific cyber operation or set of cyber operations conducted by the non-State actor. While a sufficient degree or intensity of such control is necessary, the State is not required to have detailed insight into or influence over all particulars, especially those of a technical nature, of the cyber operation. A comprehensive assessment of the circumstances of the individual case will be necessary to establish an attributive link.

Beyond the mentioned situations of attribution and aid and assistance, a State may also become liable under international law in connection with another State’s or a non-State actor’s actions if the first State fails to abide by its obligations stemming from the ‘due diligence’ principle.

The application of the international rules on State responsibility and hence the act of formally attributing a malicious cyber operation to a State under international law is first and foremost a national prerogative; however, international cooperation and exchange of information with partners in this regard can be of vital importance. In practice, establishing the facts upon which a decision on attribution may be based is of specific concern in the context of cyber operations since the author of a malicious cyber operation may be more difficult to trace than that of a kinetic operation. At the same time, a sufficient level of confidence for an attribution of wrongful acts needs to be reached. Gathering relevant information about the incident or campaign in question has a technical dimension and may involve processes of data forensics, open sources research, human intelligence and reliance upon other sources – including, where applicable, information and assessments by independent and credible non-state actors. Generating the necessary contextual knowledge, assessing a suspected actor’s motivation for conducting malicious cyber operations and weighing the plausibility of alternative explanations regarding the authorship of a certain malicious cyber act will likewise be part of the process. All relevant information should be considered.

Germany agrees that there is no general obligation under international law as it currently stands to publicize a decision on attribution and to provide or to submit for public scrutiny detailed evidence on which an attribution is based. This generally applies also if response measures are taken. Any such publication in a particular case is generally based on political considerations and does not create legal obligations for the State under international law. Also, it is within the political discretion of a State to decide on the timing of a public act of attribution. Nevertheless, Germany supports the UN Group of Governmental Experts’ position in its 2015 report that accusations of cyber-related misconduct against a State should be substantiated. States should provide information and reasoning and – if circumstances permit – attempt to communicate and cooperate with the State in question to clarify the allegations raised. This may bolster the transparency, legitimacy and general acceptance of decisions on attribution and any response measures taken.

Attribution in the context of State responsibility must be distinguished from politically assigning responsibility for an incident to States or non-State actors: Generally, such statements are made at the discretion of each State and constitute a manifestation of State sovereignty. Acts of politically assigning responsibility may occur in cooperation with partners. As regards attribution in the legal sense, findings of national law-based (court) proceedings involving acts of attribution, for example in the context of criminal liability of certain office holders or non-State actors, may serve as indicators in the process of establishing State responsibility. However, it should be borne in mind that the criteria of attribution under international law do not necessarily correspond to those under domestic law and that additional or specific criteria are generally relevant when establishing State responsibility for individually attributed conduct. Moreover, the adoption of targeted restrictive measures against natural or legal persons, entities or bodies under the EU Cyber Sanctions Regime does not as such imply the attribution of conduct to a State by Germany in a legal sense."[79]

"A State may engage in measures of retorsion to counter a cyber operation carried out against it. Retorsions are unfriendly acts directed against the interests of another State without amounting to an infraction of obligations owed to that State under international law. Since retorsions are predominantly rooted in the political sphere, they are not subject to such stringent legal limitations as other types of response such as countermeasures.

Measures of retorsion may be adopted to counter (merely) unfriendly cyber operations perpetrated by another State. They may likewise be enacted in reaction to an unlawful cyber operation if more intensive types of response (countermeasures, self-defence) are unavailable for legal reasons (for example, in cases in which counter-measures would be disproportionate) or politically unfeasible. Moreover, they may be adopted as a reaction to an unlawful cyber operation in combination with other types of response, such as countermeasures, as part of a State’s comprehensive, multi-pronged response to malicious cyber activities directed against it."[80]

"The law of countermeasures allows a State to react, under certain circumstances, to cyber-related breaches of obligations owed to it by another State by taking measures which for their part infringe upon legal obligations it owes to the other State. If certain legal conditions are met, such measures do not constitute wrongful acts under the international law of State responsibility. Germany agrees that cyber-related as well as non-cyber-related breaches of international obligations may be responded to by both cyber and non-cyber countermeasures.

As regards the limitations to countermeasures, Germany is of the opinion that, generally, the same conditions apply as in non cyber-related contexts: In particular, countermeasures may only be adopted against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations arising from its responsibility (in particular cessation of the wrongful act). Also, they must be proportionate and respect fundamental human rights, obligations of a humanitarian character prohibiting reprisals and peremptory norms of international law.

Due to the multifold and close interlinkage of cyber infrastructures not only across different States but also across different institutions and segments of society within States, cyber countermeasures are specifically prone to generating unwanted or even unlawful side effects. Against this background, States must be particularly thorough and prudent in examining whether or not the applicable limitation criteria to cyber countermeasures are met.

A State may – a maiore ad minus – engage in cyber reconnaissance measures in order to explore options for countermeasures and assess the potential risk of side effects if such measures fulfil the requirements for countermeasures." [81] "The wrongfulness of a State’s cyber operation that contravenes its international obligations may be precluded by exception if that State acted out of necessity. This entails that a State may – under certain narrow circumstances – act against malicious cyber operations by resorting, for its part, to active counter-operations even in certain situations in which the prerequisites for countermeasures or self-defence are not met.

The draft articles on State responsibility, which reflect customary law in this regard, inter alia require that the act must be ‘the only way for the State to safeguard an essential interest against a grave and imminent peril’. Whether an ‘interest’ is ‘essential’ depends on the circumstances. Germany holds the view that, in the cyber context, the affectedness of an ‘essential interest’ may inter alia be explained by reference to the type of infrastructure actually or potentially targeted by a malicious cyber operation and an analysis of that infrastructure’s relevance for the State as a whole. For example, the protection of certain critical infrastructures may constitute an ‘essential interest’. It might likewise be determined by reference to the type of harm actually or potentially caused as a consequence of a foreign State’s cyber operation. For example, the protection of its citizens against serious physical harm will be an ‘essential interest’ of each State – regardless of whether a critical infrastructure is targeted or not. Nevertheless, given the exceptional character of the necessity argument, an ‘essential interest’ must not be assumed prematurely.

A case-by-case assessment is necessary to determine whether a peril is ‘grave’. The more important an ‘essential interest’ is for the basic functioning of a State, the lower the threshold of the ‘gravity’ criterion should be. Germany agrees that a ‘grave peril’ does not presuppose the occurrence of physical injury but may also be caused by large-scale functional impairments.

A State, when confronted with a cyber threat, does not yet need to have assessed the total and final damage potential in order to invoke necessity. Necessity may be invoked when the origin of a cyber measure has not (yet) been clearly established; however, States should always make efforts to clarify attribution and (State) responsibility in order to be able to substantiate their grounds for action."[82] "The right to self-defence according to art. 51 UN Charter is triggered if an armed attack occurs. Malicious cyber operations can constitute an armed attack whenever they are comparable to traditional kinetic armed attack in scale and effect. Germany concurs with the view expressed in rule 71 of the Tallinn Manual 2.0.

Furthermore, Germany acknowledges the view expressed in the ICJ’s Nicaragua judgment, namely that an armed attack constitutes the gravest form of use of force. Assessing whether the scale and effects of the cyber operation are grave enough to consider it an armed attack is a political decision taken in the framework of international law. Physical destruction of property, injury and death (including as an indirect effect) and serious territorial incursions are relevant factors. The decision is not made based only on technical information, but also after assessing the strategic context and the effect of the cyber operation beyond cyberspace. This decision is not left to the discretion of the State victim of such a malicious cyber operation, but needs to be comprehensibly reported to the international community, i.e. the UN Security Council, according to art. 51 UN Charter.

The response to malicious cyber operations constituting an armed attack is not limited to cyber counter-operations. Once the right to self-defence is triggered, the State under attack can resort to all necessary and proportionate means in order to end the attack. Self-defence does not require using the same means as the attack which provided the trigger for its exercise.

Acts of non-State actors can also constitute armed attacks. Germany has expressed this view both with regard to the attacks by Al Qaeda and the attacks of ISIS.

In Germany’s view, art. 51 UN Charter requires the attack against which a State can resort to self-defence to be ‘imminent’. The same applies with regard to self-defence against malicious cyber operations. Strikes against a prospective attacker who has not yet initiated an attack do not qualify as lawful self-defence."

Israel (2020)

"First — and this has already been acknowledged by many others— the customary prohibition set out in Article 2(4) of the Charter of the United Nations, on “the threat or use of force” in international relations, is clearly applicable in the cyber domain.

We share the support among States for the view that a cyber operation can amount to use of force if it is expected to cause physical damage, injury, or death, which would establish the use of force if caused by kinetic means. For example, hacking into the computers of the railroad network of another State and programming the controls in a manner that is expected to cause a collision between trains can amount to use of force. As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force.

Second, when the use of force in the cyber domain, by either a State or non-State actor, can be considered as an actual or imminent armed attack, the State under attack may act in accordance with its inherent right to self-defense, as enshrined in Article 51 of the U.N. Charter. Of course, the exercise of this right is subject to the customary principles of necessity and proportionality.

Finally, the use of force in accordance with the right of self-defense, against an armed attack conducted through cyber means, may be carried out by either cyber or kinetic means; just as use of force in self-defense against a kinetic armed attack may be conducted by kinetic or cyber means."[83] "To begin with, there are diverging views regarding whether sovereignty is merely a principle, from which legal rules are derived, or a binding rule of international law in itself, the violation of which could be considered an internationally wrongful act. This issue has many facets, and while I will not offer any definitive position for the time being, I would like to stress a number of important points.

A second, and related, point is that States undoubtedly have sovereign interests in protecting cyber infrastructure and data located in their territory. However, States may also have legitimate sovereign interests with respect to data outside their territory. For example, as governments store more and more of their data by using cloud services provided by third parties, whose servers are located abroad, how do we describe the interest that they have in relation to that data? Would the interest in protecting the data not be a sovereign interest in this case as well? Or, alternatively, when a State conducts a criminal investigation and needs to access data located abroad from its own territory, under what circumstances does it need to request the consent of the territorial State? Of course, there are no easy answers to these questions, and some of them are currently being discussed, such as in the context of the protocol to the Budapest Cybercrime Convention currently being negotiated to address this very topic.

These questions reflect an inherent tension between States’ legitimate interest and the concept of territorial sovereignty, as we understand it in the physical world. In practice, States occasionally do conduct cyber activities that transit through, and target, networks and computers located in other States, for example for national defense, cybersecurity, or law enforcement purposes. Under existing international law, it is not clear whether these types of actions are violations of the rule of territorial sovereignty, or perhaps that our understanding of territorial sovereignty in cyberspace is substantively different from its meaning in the physical world."[84] "Another matter closely related to the issue of sovereignty is that of non-intervention. Traditionally, this concept has been understood as having a high threshold. It has been taken to mean that State A cannot take actions to “coerce” State B in pursuing a course of action, or refraining from a course of action, in matters pertaining to State B’s core internal affairs, such as its economic or foreign policy choices. Its traditional application has focused on military intervention and support to armed groups seeking the overthrow of the regime in another State. This could presumably also relate to support given to armed groups in the cyber domain, such as providing information regarding cyber vulnerabilities of the State.

A more recent issue that has come to the fore relates to interference in national elections. We concur with the various positions expressed in this regard, such as that which was presented by former U.S. State Department Legal Adviser Brian J. Egan, and more recently reiterated by U.S. Department of Defense General Counsel Paul C. Ney Jr., that a “cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention.”[85] "The concept of due diligence means that States should take reasonable measures to avoid or minimize harm to other States, and seems to be useful in fields such as international environmental law. In the 2015 UN GGE Report, the concept was addressed as the basis for a voluntary, non-binding norm of responsible State behavior, providing that States should not allow their territory to be used for the commission of international wrongful acts. There was wisdom in mentioning it in the chapter covering norms of responsible State behavior, as it does not, at this point in time, translate into a binding rule of international law in the cyber context. This was the position expressed by other States as well."[86]

"[..] we have to be careful in applying to the cyber domain rules that emerged in a different, distinct context. For instance, in the field of environmental law, where much of the focus and application of due diligence obligations has been in recent years, the acting State typically has control, or at least oversight, over the harmful activity (for example, regulating a polluting power plant). However, cyberspace is mostly private and decentralized.

The inherently different features of cyberspace—its decentralization and private characteristics—incentivize cooperation between States on a voluntary basis, such as with the case of national Computer Emergency Response Teams (CERTs). CERTs are already doing what could arguably fall into that category: exchanging information with one another, as well as cooperating with each other in mitigating incidents. However, we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form."[87] "The issue of attribution is also widely debated with respect to cyber operations. Some have suggested that there needs to be more legal certainty with respect to attribution, in order to avoid mistaken attribution, which can lead to conflict escalation. This is increasingly becoming more of a theoretical issue. Over time, the attribution capabilities of States have improved, and even States with lesser capabilities have been able to rely on solid information provided by other States and by the private sector. In any event, this is a technical matter—a factual one—and I would advise against over-regulating the issue.

That being said, there is also the question of public perceptions—because sometimes, when an offensive cyber operation is public, and the attribution is public, the government needs to communicate with its citizens, and with the international community at large, in order for its positions and actions to be understood. But there will be cases when a State will prefer not to disclose the attack, the attribution, or any ensuing actions taken—for diverse reasons such as national security and foreign relations. Either way, as a matter of international law, the choice whether or not to disclose the attribution information remains at the exclusive discretion of the State."[88] "With respect to the issue of countermeasures, I would like to echo the positions taken by the United Kingdom, the United States, and other States, to the effect that there is no absolute duty under international law to notify the responsible State in advance of a cyber-countermeasure. Prior notification is perhaps more realistic and practical in fields such as international trade, allowing the responsible State to reconsider its actions without frustrating the ability of the injured State to take the intended countermeasures. However, in the cyber domain, where the pace of events can be extremely fast and the other side may thwart the action if it anticipates it, announcing a cyber-countermeasure in advance would often negate its utility and effectiveness, and in some instances undermine the interests of the injured State, as well as render the countermeasure obsolete."[89] "I’ll start by stating the obvious: the law of armed conflict and its fundamental principles generally apply to cyber operations conducted in the context of an armed conflict. Indeed, “the right of belligerents to adopt means of injuring the enemy is not unlimited” even in the cyber domain.

Israel is a party to the four Geneva Conventions and other treaties governing particular aspects of conduct in armed conflict and is also bound by applicable customary law. Israel—like the United States and others—is not a party to the First and Second Additional Protocols to the four Geneva Conventions and is not bound by them as a matter of treaty law. However, we see the following as consistent with the relevant customary law and the Additional Protocols."[90] "One of the key issues, in the conduct of hostilities in particular, is how to define “attacks,” and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the “targeting rules” relating to distinction, precautions, and proportionality.

The definition of attack in LOAC requires several elements, but I will focus on those aspects carrying special relevance in the cyber context. Specifically, I will address the element requiring that an act will constitute an attack only if it is expected to cause death or injury to persons or physical damage to objects, beyond de minimis.

One aspect of this element concerns the reasonably expected consequences of the act in question. Reasonably expected consequences are those that are anticipated with some likelihood of occurrence, and entail adequate causal proximity to the act.

A second aspect of this element is the type of required damage. The requirement for physical damage has been accepted law since the introduction of the legal term of art “attack” into the LOAC discourse. For this reason, practices such as certain types of electronic warfare, psychological warfare, economic sanctions, seizure of property, and detention have never been considered to be attacks as such, and, accordingly, were not considered as subject to LOAC targeting rules.

Only when a cyber operation is expected to cause physical damage, will it satisfy this element of an attack under LOAC. In the same vein, the mere loss or impairment of functionality to infrastructure would be insufficient in this regard, and no other specific rule to the contrary has evolved in the cyber domain.

However, if an impediment to functionality is caused by physical damage, or when an act causing the loss of functionality is a link in a chain of the expected physical damage, that act may amount to an attack. For example, if a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft that operation may constitute an attack (subject, of course, to the additional elements for attacks under LOAC).

The existence of physical damage is assessed purely on objective and technical grounds. It is a factual question and as such does not depend on the subjective perception or the manner in which the other side chooses to address the loss or impairment of functionality.

Finally, the fact that a cyber operation is not an attack does not mean that no legal limitations apply thereto. Indeed, there are general obligations in LOAC that apply to all military operations regardless of being attacks or not. Central among those is the requirement to consider the danger posed to the civilian population in the conduct of military operations. It is widely accepted today that parties to conflicts cannot blatantly disregard such harmful effects to the civilian population in their military operations. But there are also more specific protections that may apply to actions other than attacks. For example, cyber operations affecting medical units are regulated and limited, inter alia, by the LOAC obligation to respect and protect medical units, which applies regardless of whether the act constitutes an attack or not."[91] "[..] another question which is especially relevant to the cyber domain is whether the term “object,” as it is understood in LOAC, encompasses computer data. This bears implications with regard to the implementation of the LOAC rules relating to distinction, precautions, and proportionality.

Objects for the purposes of LOAC have always been understood to be tangible things and this understanding is not domain-specific. It is therefore our position that, under the law of armed conflict, as it currently stands, only tangible things can constitute objects.

Here, again, this does not mean that cyber operations adversely affecting computer data are unregulated. In particular, when an operation involving the deletion or alteration of computer data is still reasonably expected to cause physical damage to objects or persons and fulfills the other elements required to constitute an attack, the operation would be subject to LOAC targeting rules. Likewise, one must have regard to rules, which are not dependent on the concept of objects, such as the obligation to respect and protect medical units."[92]

Japan (2021)

"Any international disputes involving cyber operations must be settled through peaceful means pursuant to Article 2(3) of the UN Charter. In addition, pursuant to Article 33 of the UN Charter, the parties to any dispute involving cyber operations, the continuance of which is likely to endanger the maintenance of international peace and security, must first of allseek a solution by negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice. In order to ensure the peaceful settlement of disputes, the powers of the Security Council based on Chapters VI and VII of the UN Charter and the functions of the other UN organs, including ICJ based on Chapter XIV of the UN Charter and the Statute of the International Court of Justice should be used in disputes stemming from cyber operations."[93] "A State must not violate the sovereignty of another State by cyber operations. Moreover, a State must not intervene in matters within domestic jurisdiction of another State by cyber operations."[94]

"On the other hand, regarding a violation of sovereignty that does not necessarily constitute an intervention, in the Lotus case, the Permanent Court of International Justice held that a State may not exercise its power in the territory of another State, while, in the Island of Palmas case, the Arbitral Tribunal stated as follows: "Sovereignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State." Taking these and other judgments into account, the Government of Japan considers that there exist certain forms of violation of sovereignty which may not necessarily constitute unlawful intervention prohibited under the principle of non-intervention.

With respect to violation of sovereignty, the International Court of Justice (ICJ), in the Nicaragua case (1986), held that the United States had acted in breach of its obligation under customary international law not to intervene in the affairs of another State, and, in addition, that the United States, by directing or authorizing overflights of Nicaraguan territory, had acted in breach of its obligation under customary international law not to violate the sovereignty of another State. In addition, in the Costa Rica v. Nicaragua case (2015), the ICJ cited the absence of evidence that Costa Rica exercised authority on Nicaragua’s territory as the reason for dismissing Nicaragua's claim concerning the violation of its territorial integrity and sovereignty. Considering these cases, it can be presumed that, in some cases, a violation of sovereignty constitutes a violation of international law even when it does not fall within the scope of unlawful intervention."[95]

"An act of causing physical damage or loss of functionality by means of cyber operations against critical infrastructure, including medical institutions, may constitute an unlawful intervention, depending on the circumstances, and at any rate, it may constitute a violation of sovereignty. As various opinions were expressed on the relationship between violation of sovereignty and unlawful intervention at the sixth GGE and the OEWG, it is desirable that a common understanding be forged through State practices and future discussions."[96] "With respect to the principle of non-intervention, cyber operations may constitute unlawful intervention when requirements including the element of coercion, which are clarified in the Nicaragua judgement (1986), are met."[97]

"An act of causing physical damage or loss of functionality by means of cyber operations against critical infrastructure, including medical institutions, may constitute an unlawful intervention, depending on the circumstances, and at any rate, it may constitute a violation of sovereignty. As various opinions were expressed on the relationship between violation of sovereignty and unlawful intervention at the sixth GGE and the OEWG, it is desirable that a common understanding be forged through State practices and future discussions." [98] "Internationally wrongful acts committed by a State in cyberspace entail State responsibility. An internationally wrongful act occurs when the conduct of a State consisting of an action or omission violates an obligation prescribed by primary rules of international law. In the case of cyber operations as well, there is an internationally wrongful act when a State violates primary rules, including the principles of sovereignty, non-intervention, prohibition of the use of force, as well as various principles of international humanitarian law such as the principle of prohibition of attacks on civilian objects, and respect for basic human rights."[99]

"Regarding cyber operations as well, a State responsible for an internationally wrongful act is under the following obligations. First, the State shall cease the act if it is continuing. In addition, the State shall offer appropriate assurances and guarantees of non-repetition, if circumstances so require. Besides, the responsible State is under an obligation to make full reparation for the injury caused by the internationally wrongful act."[100] "There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law. There are legal, political and technical aspects in discussing the attribution of conduct to a State with respect to cyber operations.

To invoke State responsibility under international law with respect to any act in cyberspace, it is necessary to consider whether the act is attributable to a specific State. On this topic, Articles 4 to 11 of the ILC’s Articles on State Responsibility provide useful reference. As a general rule, in such cases as a cyber operation conducted by a State organ, the act is considered to be attributable to the State. A cyber operation conducted by a non-State actor is, in principle, not attributable to a State. However, according to Article 8 of the ILC’s Articles on State Responsibility, the conduct of a person or group of persons shall be considered an act of a State if the person or group of persons is in fact acting on the instructions of, or under the direction or control of that State in carrying out the conduct." [101] "Under international law, it is permitted, under certain conditions, to take countermeasures against internationally wrongful acts.

In general terms, under international law, a State which has been injured by an internationally wrongful act of another State may take, under certain conditions, countermeasures in order to induce the responsible State to comply with (i) the obligation to cease the international wrongful act and (ii) the obligation to make reparation.

General international law does not confine countermeasures to those with the same means as the preceding internationally wrongful act in response to which they are taken. Japan considers that this is the same for the countermeasures against internationally wrongful acts in cyberspace."[102] "The Government of Japan is of the view that a State may invoke necessity under international law when the requirements shown in Article 25 of the ILC’s Articles on State Responsibility are satisfied." [103] "States have a due diligence obligation regarding cyber operations under international law. Norm 13(c) and (f) and the second half of paragraph 28(e) of the 2015 GGE report are related to this obligation.

In the Corfu Channel case (1949), the ICJ referred to the existence of "every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States". In relation to cyber operations, the due diligence obligation in this sense has significance."[104]

"The outer limit of the due diligence obligation of territorial States with respect to cyber operations is not necessarily clear. By reference to these judgements related to the concept of the due diligence obligation, it seems necessary to consider on a case-by-case-basis the scope of the obligation taking into account such factors as the seriousness of the cyber operations in question and the capacity of the territorial States to influence a person or group of persons conducting the attacks.

In light of the above, at the least, for example, when a State has received a credible notification from another State of the possibility that a person or group of persons located in its territory and receiving from it financial and other forms of support may be involved in a cyber operation that may cause serious adverse consequences, such as damage to a target State's critical infrastructure, the due diligence obligation owed by the informed State is presumed to include the obligation to exercise its capacity to influence the state-supported person or group of persons so as to prevent them from implementing such cyber operations.

One characteristic of cyber operations is the difficulty of making judgment as to attribution to a State. In this respect, the due diligence obligation may provide grounds for invoking the responsibility of the State from the territory of which a cyber operation not attributable to any State originated. It is possible at least to invoke the responsibility of such a State for a breach of its due diligence obligation, even if it is difficult to prove the attribution of a cyber operation to any State." [105] "Under certain circumstances, a cyber operation may constitute the threat or use of force prohibited by Article 2(4) of the UN Charter. Pursuant to this article, all States shall refrain in their international relations from the threat or use of force. The Government of Japan presumes that as a general rule the threat of force refers to a State's act of threatening another State by indicating its intention or attitude of using force, without actually using force, unless its arguments or demands are accepted. The obligation to refrain from the threat or use of force in international relations is an important obligation relating to cyber operations."[106] "When a cyber operation constitutes an armed attack under Article 51 of the UN Charter, States may exercise the inherent right of individual or collective self-defence recognized under Article 51 of the UN Charter."[107] "International humanitarian law is also applicable to cyber operations.

In situations of armed conflict, the methods and means of warfare used by the parties to the conflict are subject to regulations under international humanitarian law. This extends to cyber operations implemented by the parties to the conflict. Several principles under international humanitarian law, including the principle of humanity, necessity, proportionality and distinction, are also applicable to acts in cyberspace. In paragraph 28(d) of the 2015 GGE report, those principles are referred to as "established international legal principles." This reference, considered together with the fact that this report affirms the applicability of existing international law, can be interpreted to affirm the applicability of those principles. Meanwhile, Article 49 of the Additional Protocol I to the Geneva Conventions stipulates: "'Attacks' means acts of violence against the adversary, whether in offence or in defence." The Government of Japan understands that cyber operations that may cause the destruction or neutralization of military targets, for example, may also constitute "attacks" under international humanitarian law, depending on the circumstances.

In principle, the existence of an "armed conflict" is a prerequisite for the application of international humanitarian law. Under the Geneva Conventions, there is no particular definition of an "armed conflict," and therefore, whether or not a certain incident constitutes an "armed conflict" needs to be decided on a case-by-case basis, taking into account a number of elements, such as the manner of the actual attack and the intent of each party to the incident, in a comprehensive manner. If the effects of cyber operations are taken into consideration, the conduct of cyber operations alone may reach the threshold of an "armed conflict."

As affirming the applicability of international humanitarian law to cyber operations contributes to the regulation of methods and means of warfare, the argument that doing so will lead to the militarization of cyberspace is groundless. For example, cyber operations during armed conflict that cause physical damage or loss of functionality to medical institutions may constitute a violation of international humanitarian law and therefore should be appropriately regulated. On the other hand, modes of combat in cyberspace are different from those in traditional domains. Therefore, how international humanitarian law regarding, for example, the scope of combatants applies to cyberspace should be further discussed." [108] "International human rights law is also applicable to cyber operations. Individuals enjoy the same human rights with respect to cyber operations that they otherwise enjoy. Pursuant to international human rights law, States are under the obligation to respect human rights. The human rights that must be respected in cyberspace include all human rights that are recognized under international human rights law, such as civil, political, economic, social and cultural rights. The human rights that are particularly relevant in the context of cyberspace include the right to privacy, freedom of thought and conscience, freedom of expression, and guarantee of due process. The final sentence of paragraph 28(b) of the 2015 GGE report affirms the above. While Norm 13(e) of the report affirms some of the obligations under international human rights law, it does not change the obligations that are not mentioned therein."[109]

Netherlands (2019)

"The principle of sovereignty, i.e. that states are equal and independent and hold the highest authority within their own borders, is one of the fundamental principles of international law. More specific rules of international law, such as the prohibition of the use of force, the principle of non-intervention and the right of self-defence stem from this principle. These rules will be discussed in more detail below.

According to some countries and legal scholars, the sovereignty principle does not constitute an independently binding rule of international law that is separate from the other rules derived from it. The Netherlands does not share this view. It believes that respect for the sovereignty of other countries is an obligation in its own right, the violation of which may in turn constitute an internationally wrongful act. This view is supported, for example, by the case law of the International Court of Justice, which ruled in Nicaragua v. United States of America that the United States had acted in breach of its obligation under customary international law not to violate the sovereignty of another state. Below the government will discuss the significance of this obligation in more detail.

Firstly, sovereignty implies that states have exclusive jurisdiction over all persons, property and events within their territory, within the limits of their obligations under international law, such as those relating to diplomatic privileges and immunity, and those arising from human rights conventions. This is the internal aspect of sovereignty. Secondly, sovereignty implies that states may freely and independently determine their own foreign policy, enter into international obligations and relations, and carry out activities beyond their own borders, provided they respect the rules of international law. This is the external aspect of sovereignty.

Both aspects apply equally in cyberspace. States have exclusive authority over the physical, human and immaterial (logical or software-related) aspects of cyberspace within their territory. Within their territory they may, for example, set rules concerning the technical specifications of mobile networks, cybersecurity and resilience against cyberattacks, take measures to combat cybercrime, and enforce the law with a view to protecting the confidentiality of personal data. In addition, they may independently pursue foreign ‘cyber’ policy and enter into treaty obligations in the area of cybersecurity. The Netherlands’ decision to accede to the Convention on Cybercrime of the Council of Europe is an example of the exercise of Dutch sovereignty.

States have an obligation to respect the sovereignty of other states and to refrain from activities that constitute a violation of other countries’ sovereignty. Equally, countries may not conduct cyber operations that violate the sovereignty of another country. It should be noted in this regard that the precise boundaries of what is and is not permissible have yet to fully crystallise. This is due to the firmly territorial and physical connotations of the traditional concept of sovereignty. The principle has traditionally been aimed at protecting a state's authority over property and persons within its own national borders. In cyberspace, the concepts of territoriality and physical tangibility are often less clear. It is possible, for example, for a single cyber operation to be made up of numerous components or activities initiated from or deployed via different countries in a way that cannot always be traced. In addition, there are various ways of masking the geographic origin of activities performed in cyberspace. What is more, data stored using a cloud-based system is often moved from one location to another, and those locations are not always traceable. So it is by no means always possible to establish whether a cyber operation involves a cross-border component and thus violates a country's sovereignty. Even if the origin or route of a cyber operation can be established, these kinds of operations do not always have a direct physical or tangible impact.

From the perspective of law enforcement (which is part of a state’s internal sovereignty), the manner in which the principle of sovereignty should be applied has not fully crystallised at international level either. Shared investigative practices do seem to be developing in Europe and around the world, however. Data relevant to criminal investigations is increasingly stored beyond national borders, for example in the cloud, in mainly private data centres. And when it comes to criminal offences committed on, or by means of, the internet, the location of data – including malicious software or code – and physical infrastructure is often largely irrelevant. It is easy to hide one’s identity and location on the internet, moreover, and more and more communications are now encrypted. Even in purely domestic criminal cases – including cybercrime – where the suspect and victim are both in the Netherlands, cyber investigations often encounter data stored beyond our borders, particularly when investigators require access to data held by online service providers or hosting services, or need to search networks or (covertly) gain remote entry to an automated system. The act of exercising investigative powers in a cross-border context is traditionally deemed a violation of a country’s sovereignty unless the country in question has explicitly granted permission (by means of a treaty or other instrument). Opinion is divided as to what qualifies as exercising investigative powers in a cross-border context and when it is permissible without a legal basis founded in a treaty. In cyberspace too, countries’ practices differ in their practical approaches to the principle of sovereignty in relation to criminal investigations. The Netherlands actively participates in international consultations on the scope for making investigations more effective, paying specific attention to ensuring the right safeguards are in place.

In general the government endorses Rule 4, proposed by the drafters of the Tallinn Manual 2.0, on establishing the boundaries of sovereignty in cyberspace. Under this rule, a violation of sovereignty is deemed to occur if there is 1) infringement upon the target State’s territorial integrity; and 2) there has been an interference with or usurpation of inherently governmental functions of another state. The precise interpretation of these factors is a matter of debate."[110] "The development of advanced digital technologies has given states more opportunities to exert influence outside their own borders and to interfere in the affairs of other states. Attempts to influence election outcomes via social media are an example of this phenomenon. International law sets boundaries on this kind of activity by means of the non-intervention principle, which is derived from the principle of sovereignty. The non-intervention principle, like the sovereignty principle from which it stems, applies only between states.

Intervention is defined as interference in the internal or external affairs of another state with a view to employing coercion against that state. Such affairs concern matters over which, in accordance with the principle of sovereignty, states themselves have exclusive authority. National elections are an example of internal affairs. The recognition of states and membership of international organisations are examples of external affairs.

The precise definition of coercion, and thus of unauthorised intervention, has not yet fully crystallised in international law. In essence it means compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue. The goal of the intervention must be to effect change in the behaviour of the target state. Although there is no clear definition of the element of coercion, it should be noted that the use of force will always meet the definition of coercion. Use of force against another state is always a form of intervention."[111] "Article 2(4) of the UN Charter lays down a prohibition on the threat or use of force. It reads as follows: ‘All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state.’ This prohibition applies to the use of force in any form, regardless of the weapons or means employed.

The prohibition of the use of force is virtually absolute. There are only three situations in which the threat or use of force does not contravene international law. One is in the case of self-defence against an armed attack (article 51 of the UN Charter). Another concerns certain actions implementing a UN Security Council resolution under Chapter 7 of the Charter. The final exception is when the use of force takes place with the agreement of the state in whose territory that force will be used.

When applying this prohibition in the context of cyberspace, the question arises: when can cyber operations be considered ‘use of force’, given that no use is made of ‘weapons’ in the usual (physical) sense of the word? The government believes that cyber operations can fall within the scope of the prohibition of the use of force, particularly when the effects of the operation are comparable to those of a conventional act of violence covered by the prohibition. In other words, the effects of the operation determine whether the prohibition applies, not the manner in which those effects are achieved. This position is supported by the case law of the International Court of Justice, which has ruled that the scale and effects of an operation must be considered when assessing whether an armed attack in the context of the right of self-defence has taken place (see below). There is no reason not to take the same approach when assessing whether an act may be deemed a use of force within the meaning of article 2 (4) of the UN Charter. A cyber operation would therefore in any case be qualified as a use of force if its scale and effects reached the same level as those of the use of force in non-cyber operations.

International law does not provide a clear definition of ‘use of force’. The government endorses the generally accepted position that each case must be examined individually to establish whether the ‘scale and effects’ are such that an operation may be deemed a violation of the prohibition of use of force. In their 2011 advisory report ‘Cyber Warfare’, the Advisory Council on International Affairs (AIV) and the Advisory Committee on Issues of Public International Law (CAVV) noted that, ‘The customary interpretation of this provision is that all forms of armed force are prohibited. Purely economic, diplomatic and political pressure or coercion is not defined as force under article 2, paragraph 4. Suspending trade relations or freezing assets, for example, can be very disadvantageous to the state affected but has not to date been considered a prohibited form of force within the meaning of the Charter. Armed force that has a real or potential physical impact on the target state is prohibited.’ In the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force.

It is necessary, when assessing the scale and effects of a cyber operation, to examine both qualitative and quantitative factors. The Tallinn Manual 2.0 refers to a number of factors that could play a role in this regard, including how serious and far-reaching the cyber operation’s consequences are, whether the operation is military in nature and whether it is carried out by a state. These are not binding legal criteria. They are factors that could provide an indication that a cyber operation may be deemed a use of force, and the government endorses this approach. It should be noted in this regard that a cyber operation that falls below the threshold of use of force may nonetheless be qualified as a prohibited intervention or a violation of sovereignty."[112] "The due diligence principle holds that states are expected to take account of other states’ rights when exercising their own sovereignty. The principle is articulated by the International Court of Justice, for example, in its judgment in the Corfu Channel Case, in which it held that states have an obligation to act if they are aware or become aware that their territory is being used for acts contrary to the rights of another state. It should be noted that not all countries agree that the due diligence principle constitutes an obligation in its own right under international law. The Netherlands, however, does regard the principle as an obligation in its own right, the violation of which may constitute an internationally wrongful act.

In the context of cyberspace, the due diligence principle requires that states take action in respect of cyber activities:

  • carried out by persons in their territory or where use is made of items or networks that are in their territory or which they otherwise control;
  • that violate a right of another state; and
  • whose existence they are, or should be, aware of.

To this end a state must take measures which, in the given circumstances, may be expected of a state acting in a reasonable manner. It is not relevant whether the cyber activity in question is carried out by a state or non-state actor, or where this actor is located. If, for example, a cyberattack is carried out against the Netherlands using servers in another country, the Netherlands may, on the basis of the due diligence principle, ask the other country to shut down the servers, regardless of whether or not it has been established that a state is responsible for the cyberattack.

It is generally accepted that the due diligence principle applies only if the state whose right or rights have been violated suffers sufficiently serious adverse consequences. The precise threshold depends on the specific circumstances of the case. It is clear, however, that such adverse consequences do not necessarily have to include physical damage."[113] "For a state to be held responsible under international law for a cyber operation and, by extension, for a target state to be able to take a countermeasure in response, it must be possible to attribute the operation to the state in question. Any attribution of cyber operations is always based on a government decision. Special attention is paid to the degree to which the government has information of its own at its disposal or to which it is able to reach an independent conclusion concerning information it has obtained.

In the context of cyberspace, three forms of attribution can be distinguished:

  • Technical attribution – a factual and technical investigation into the possible perpetrators of a cyber operation and the degree of certainty with which their identity can be established.
  • Political attribution – a policy consideration whereby the decision is made to attribute (publicly or otherwise) a specific cyber operation to an actor without necessarily attaching legal consequences to the decision (such as taking countermeasures). The attribution need not necessarily relate to a state; it may also concern a private actor.
  • Legal attribution – a decision whereby the victim state attributes an act or omission to a specific state with the aim of holding that state legally responsible for the violation of an obligation pursuant to international law.

In the case of legal attribution a distinction must be made between operations carried out by or on behalf of a state and operations carried out by non-state actors. An act by a government body in its official capacity (for example the National Cyber Security Centre) is always attributable to the state. An act by a non-state actor is in principle not attributable to a state. However, the situation changes if a state has effective control over the act or accepts it as its own act after the fact. In such a case, the non-state actor (or ‘proxy’) carries out the operation on the instructions of, or under the direction or control of that state. The threshold for establishing effective control is high. A financial contribution to the activities of a non-state actor, for example, is not sufficient.

In order to attribute a cyber operation it is not required that a state disclose the underlying evidence. Evidence in the legal sense becomes relevant only if legal proceedings are instituted. A state that takes countermeasures or relies on its inherent right of self-defence (see below) in response to a cyber operation may eventually have to render account for its actions, for example if the matter is brought before the International Court of Justice. In such a situation, it must be possible to provide evidence justifying the countermeasure or the exercise of the right of self-defence. This can include both information obtained through regular channels and intelligence.

Under international law there is no fixed standard concerning the burden of proof a state must meet for (legal) attribution, and thus far the International Court of Justice has accepted different standards of proof. The CAVV and the AIV rightly observe as follows in this regard: ‘International law does not have hard rules on the level of proof required but practice and case law require sufficient certainty on the origin of the attack and the identity of the author of the attack before action can be taken.’ In the government’s view, the burden of proof will indeed vary in accordance with the situation, depending on the seriousness of the act considered to be in breach of international law and the intended countermeasures."[114] "Retorsion relates to acts that, while unfriendly, are not in violation of international law. This option is therefore always available to states that wish to respond to undesirable conduct by another state, because it is a lawful exercise of a state’s sovereign powers. States are free to take these kinds of measures as long as they remain within the bounds of their obligations under international law.

A state may respond to a cyber operation by another state, for example, by declaring diplomats ‘persona non grata’, or by taking economic or other measures against individuals or entities involved in the operation. Another retorsion measure a state may consider is limiting or cutting off the other state’s access to servers or other digital infrastructure in its territory, provided the countries in question have not concluded a treaty on mutual access to digital infrastructure in each other’s territory."[115] "As the international debate on the application and scope of international law in cyberspace proceeds, some countries continue to engage in harmful activities. Diplomatic measures against undesirable state-led cyber operations, ideally coordinated at international level or in coalition with like-minded countries, can be an effective way to strengthen the international legal order and protect security interests at home and abroad. The government is therefore working to strengthen our capacity to mount a diplomatic and political response to cyber operations that undermine our interests. The international response after the foiled cyber operation targeting the OPCW is a good example of this. The efforts of the mission network are essential in this respect, so as to ensure coordinated action. When assessing the options for responding, the focus above all must be on carefully and comprehensively weighing up the Netherlands’ interests, including those in the realm of security.

In order to provide further structure to international cooperation at EU level, an EU cyber diplomacy ‘toolbox’ has been developed, at the Netherlands’ initiative. The toolbox is a framework which allows various instruments of the Common Foreign and Security Policy to be used to hold parties conducting harmful cyber activities to account. In this connection, on 17 May 2019 an EU cyber sanctions regime was introduced at the Netherlands’ initiative, making it possible to freeze assets and impose entry bans."[116] "If a state is the victim of a violation by another state of an obligation under international law (i.e. an internationally wrongful act), it may under certain circumstances take countermeasures in response. Countermeasures are acts (or omissions) that would normally constitute a violation of an obligation under international law but which are permitted because they are a response to a previous violation by another state. In cyberspace, for example, a cyber operation could be launched to shut down networks or systems that another state is using for a cyberattack. A countermeasure is different to the practice of retorsion in that it would normally be contrary to international law. For this reason, countermeasures are subject to strict conditions, including the requirement that the injured state invoke the other state’s responsibility. This involves the injured state establishing a violation of an obligation under international law that applies between the injured state and the responsible state, and requires that the cyber operation can be attributed to the responsible state.

In addition, the injured state must in principle notify the other state of its intention to take countermeasures. However, if immediate action is required in order to enforce the rights of the injured state and prevent further damage, such notification may be dispensed with. Furthermore, countermeasures must be temporary and proportionate, they may not violate any fundamental human rights, and they may not amount to the threat or use of force."[117] "Necessity is a ground justifying an act which, under certain strict conditions, offers justification for an act that would otherwise be deemed internationally wrongful, such as deploying offensive cyber capabilities against another state. A state may invoke necessity if the following conditions are met:

  • there is an immediate and serious threat to an essential interest of the state concerned;
  • there is no other way to respond to this threat other than to temporarily suspend compliance with one or more of the state’s obligations under international law;
  • the temporary non-compliance does not constitute a serious interference with the essential interests of another state towards which the obligation under international law exists or of the international community, and invocation of necessity in regard to this specific obligation is permitted under international law;
  • the state itself has not contributed to the situation of necessity.

Thus, the ground of necessity may be invoked only in exceptional cases where not only are there potentially very serious consequences, but there is also an essential interest at stake for the state under threat. What constitutes an ‘essential interest’ is open to interpretation in practice, but in the government’s view services such as the electricity grid, water supply and the banking system certainly fall into this category.

As regards the ‘very serious consequences’ required for establishing the existence of a situation of necessity, it should be noted that the damage does not already have to have taken place, but it must be imminent and objectively verifiable. There is no established standard on the degree to which the damage in question can be deemed sufficiently serious to justify invoking the ground of necessity. This must be determined on a case-by-case basis. Damage that merely amounts to an impediment or inconvenience is not sufficient. The damage caused or threatened does not necessarily have to be physical: situations in which virtually the entire internet is rendered inaccessible or where there are severe shocks to the financial markets could be classified as circumstances in which invoking necessity may be justified. Equally, establishing the existence of a situation of necessity does not require a state to determine the precise origin of the damage or whether another state can be held responsible for it. This ground for justification is primarily aimed at giving a state the opportunity to protect its own interests and minimise the damage it suffers.

A state that invokes a situation of necessity has limited options for taking action. This ground may be invoked in respect of violations of obligations under international law only provided there is no other real possibility of taking action to address the damage caused or threatened, and provided there is no interference with the essential interests of another state or of the international community as a whole."[118] "A state targeted by a cyber operation that can be qualified as an armed attack may invoke its inherent right of self-defence and use force to defend itself. This right is laid down in article 51 of the UN Charter. This therefore amounts to a justification for the use of force that would normally be prohibited under article 2(4) of the UN Charter. For this reason strict conditions are attached to the exercise of the right of self-defence.

An armed attack is not the same as the use of force within the meaning of article 2(4) of the UN Charter (see above). In the Nicaragua case, the International Court of Justice defined an armed attack as the most serious form of the use of force. This implies that not every use of force constitutes an armed attack.

To determine whether an operation constitutes an armed attack, the scale and effects of the operation must be considered. International law is ambiguous on the precise scale and effects an operation must have in order to qualify as an armed attack. It is clear, however, that an armed attack does not necessarily have to be carried out by kinetic means. This view is in line with the Nuclear Weapons Advisory Opinion of the International Court of Justice, in which the Court concluded that the means by which an attack is carried out is not the decisive factor in determining whether it constitutes an armed attack. The government therefore endorses the finding of the CAVV and the AIV that ‘a cyber attack that has comparable consequences to an armed attack (fatalities, damage and destruction) can justify a response with cyber weapons or conventional weapons (...)’. There is therefore no reason not to qualify a cyberattack against a computer or information system as an armed attack if the consequences are comparable to those of an attack with conventional or non-conventional weapons.

At present there is no international consensus on qualifying a cyberattack as an armed attack if it does not cause fatalities, physical damage or destruction yet nevertheless has very serious non-material consequences. The government endorses the position of the International Court of Justice, which has observed that an armed attack must have a cross-border character. It should be noted that not all border incidents involving weapons constitute armed attacks within the meaning of article 51 of the UN Charter. This depends on the scale and effects of the incident in question.

The burden of proof for justifiable self-defence against an armed attack is a heavy one. The government shares the conclusion of the CAVV and the AIV that ‘No form of self-defence whatever may be exercised without adequate proof of the origin or source of the attack and without convincing proof that a particular state or states or organised group is responsible for conducting or controlling the attack.’ States may therefore use force in self-defence only if the origin of the attack and the identity of those responsible are sufficiently certain. This applies to both state and non-state actors.

When exercising their right of self-defence, states must also meet the conditions of necessity and proportionality. In this regard the government shares the view of the CAVV and the AIV that invoking the right of self-defence is justifiable only ‘provided the intention is to end the attack, the measures do not exceed that objective and there are no viable alternatives. The proportionality requirement rules out measures that harbour the risk of escalation and that are not strictly necessary to end the attack or prevent attacks in the near future.’"[119] "A key component of IHL is international law on neutrality. Neutrality requires that states which are not party to an armed conflict refrain from any act from which involvement in the conflict may be inferred or acts that could be deemed in favour of a party to the conflict. In its relations with parties to the armed conflict the neutral state is required to treat all parties equally in order to maintain its neutrality. A state may not, for example, deny access to its IT systems to one party to the conflict but not to the other. In its response to the above-mentioned advisory report by the AIV/CAVV, the government noted that, ‘In an armed conflict involving other parties, the Netherlands can protect its neutrality by impeding the use by such parties of infrastructure and systems (e.g. botnets) on Dutch territory. Constant vigilance, as well as sound intelligence and a permanent scanning capability, are required here.’"[120] "Human rights are just as valid in cyberspace as they are in the physical domain. There is no difference between online and offline rights. This has been recognised by the United Nations General Assembly, among others. However, it is clear that ongoing digitalisation and technological advances are raising new questions and presenting new challenges when it comes to the application of human rights. 
The increased scope for collecting, storing and processing data creates issues concerning the right to privacy. Similarly, the increased options for people to express their views via online platforms raise questions with regard to the freedom of expression. It is conceivable that in the future a number of these issues will require further regulation at national or international level. At present, however, the government believes that the existing range of human rights instruments provides sufficient scope for effectively safeguarding the protection of human rights in cyberspace.

It is also clear that access to the internet is becoming increasingly important to the effective exercise of human rights, not only for human rights defenders and NGOs (which can use social media to draw attention to human rights violations and mobilise support), but for everyone. Rights such as freedom of expression and freedom of association and assembly have gained a new dimension with the advent of social media, as have the right to education and the right to health, given the wealth of information and training courses available online. The right to privacy and the right to family life are another example, thanks to the increased scope for digital communication. At the same time the risk of violations of human rights online has also increased. There is now more scope for surveillance, and disinformation has become more widespread.

The growing relevance of the internet to human rights underlines the need for a secure, open and free internet. The government is working at international level to promote this aim."[121]

"A key component of IHL is international law on neutrality. Neutrality requires that states which are not party to an armed conflict refrain from any act from which involvement in the conflict may be inferred or acts that could be deemed in favour of a party to the conflict. In its relations with parties to the armed conflict the neutral state is required to treat all parties equally in order to maintain its neutrality. A state may not, for example, deny access to its IT systems to one party to the conflict but not to the other. In its response to the above-mentioned advisory report by the AIV/CAVV, the government noted that, ‘In an armed conflict involving other parties, the Netherlands can protect its neutrality by impeding the use by such parties of infrastructure and systems (e.g. botnets) on Dutch territory. Constant vigilance, as well as sound intelligence and a permanent scanning capability, are required here.’"[122]

"IHL also lays down specific rules regarding attacks aimed at persons or objects, which apply equally to cyber operations carried out as part of an armed conflict. When planning and carrying out such operations, states must act in accordance with, for example, the principles of distinction and proportionality, as well as the obligation to take precautionary measures."[123]

New Zealand (2020)

"The United Nations Charter and customary international law rules concerning the use of force apply to state activity in cyberspace. Relevant obligations include:

a. the requirement to settle disputes by peaceful means;

b. the prohibition on the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations; and

c. the right of self-defence against an imminent or ongoing armed attack.

State cyber activity can amount to a use of force for the purposes of international law. Whether it does in any given context depends on an assessment of the scale and effects of the activity. State cyber activity will amount to a use of force if it results in effects of a scale and nature equivalent to those caused by kinetic activity which constitutes a use of force at international law. Such effects may include death, serious injury to persons, or significant damage to the victim state’s objects and/or state functioning. In assessing the scale and effects of malicious state cyber activity, states may take into account both the immediate impacts and the intended or reasonably expected consequential impacts.

Cyber activity that amounts to a use of force will also constitute an armed attack for the purposes of Article 51 of the UN Charter if it results in effects of a scale and nature equivalent to those caused by a kinetic armed attack. As an example, cyber activity that disables the cooling process in a nuclear reactor, resulting in serious damage and loss of life, would constitute an armed attack."[124]

"Where malicious cyber activity gives rise to a situation leading to international friction or a dispute endangering the maintenance of peace and security, any UN Member State may bring the situation or dispute to the attention of the UN Security Council and/or General Assembly.

A state subjected to malicious cyber activity amounting to an armed attack has further recourse to the inherent right of individual and/or collective self-defence in accordance with Article 51 of the UN Charter. The right to self-defence also arises when an armed attack is imminent, including by cyber means. Any exercise of that right:

a. may include, but is not limited to, cyber activities; and

b. must be consistent with relevant UN Charter and customary international law obligations, including notification to the United Nations, necessity, and proportionality."[125]

"Malicious state cyber activity may be inconsistent with the rule of non-intervention. Such activity will violate the rule of non-intervention if it:

a. has significant effects on a matter which falls within the target state’s inherently sovereign functions / domaine réservé (e.g. the right freely to choose its political, economic, social and cultural system, or matters such as taxation, national security, policing, border control, and the formulation of foreign policy); and

b. is coercive (i.e. there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions). Coercion can be direct or indirect and may range from dictatorial threats to more subtle means of control. While the coercive intention of the state actor is a critical element of the rule, intention may in some circumstances be inferred from the effects of cyber activity.

Examples of malicious cyber activity that might violate the non-intervention rule include: a cyber operation that deliberately manipulates the vote tally in an election or deprives a significant part of the electorate of the ability to vote; a prolonged and coordinated cyber disinformation operation that significantly undermines a state’s public health efforts during a pandemic; and cyber activity deliberately causing significant damage to, or loss of functionality in, a state’s critical infrastructure, including – for example – its healthcare system, financial system, or its electricity or telecommunications network."[126]

"The principle of sovereignty prohibits the interference by one state in the inherently governmental functions of another and prohibits the exercise of state power or authority on the territory of another state. In the physical realm, the principle has legal effect through the prohibition on the use of force, through the rule of non-intervention and also through a standalone rule of territorial sovereignty. Subject to limited exceptions (e.g. authorisation by the United Nations Security Council, self-defence, consent), that standalone rule prohibits a state from sending its troops or police forces into or through, or its aircraft over, foreign territory, and prohibits a state from carrying out official investigations or otherwise exercising jurisdiction on foreign territory.

In the cyber realm, the principle of sovereignty is given effect through the prohibition on the use of force and the rule of non-intervention. New Zealand considers that the standalone rule of territorial sovereignty also applies in the cyber context but acknowledges that further state practice is required for the precise boundaries of its application to crystallise.

In New Zealand’s view, the application of the rule of territorial sovereignty in cyberspace must take into account some critical features that distinguish cyberspace from the physical realm. In particular: i) cyberspace contains a virtual element which has no clear territorial link; ii) cyber activity may involve cyber infrastructure operating simultaneously in multiple territories and diffuse jurisdictions; and iii) the lack of physical distance in cyberspace means malicious actors can apply instantaneous effects on targets without warning. These features present unique opportunities for malicious actors and significant defensive challenges for states. They also make it difficult for states to prevent malicious cyber activity being conducted from or routed through their territory.

Bearing those factors in mind, and having regard to developing state practice, New Zealand considers that territorial sovereignty prohibits states from using cyber means to cause significant harmful effects manifesting on the territory of another state. However, New Zealand does not consider that territorial sovereignty prohibits every unauthorised intrusion into a foreign ICT system or prohibits all cyber activity which has effects on the territory of another state. There is a range of circumstances – in addition to pure espionage activity – in which an unauthorised cyber intrusion, including one causing effects on the territory of another state, would not be internationally wrongful. For example, New Zealand considers that the rule of territorial sovereignty as applied in the cyber context does not prohibit states from taking necessary measures, with minimally destructive effects, to defend against the harmful activity of malicious cyber actors.

A detailed factual enquiry is required in each case to determine whether state cyber activity that has effects manifesting on the territory of another state, but which does not amount to a use of force or a prohibited intervention, nonetheless involves a violation of the standalone rule of territorial sovereignty. That factual enquiry should take into account the scale and significance of the effects, the objective of the activity, and the nature of the target."[127]

"An agreed norm of responsible state behaviour provides that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. Whether this norm also reflects a binding legal obligation is not settled. Some states consider that, subject to certain knowledge and capacity requirements, customary international law requires states to take reasonable measures to put an end to malicious cyber activity which is conducted from, or routed through, their territory, if the activity is contrary to the rights of another state.

New Zealand is not yet convinced that a cyber-specific “due diligence” obligation has crystallised in international law. It is clear that states are not obliged to monitor all cyber activities on their territories or to prevent all malicious use of cyber infrastructure within their borders. If a legally binding due diligence obligation were to apply to cyber activities, New Zealand considers it should apply only where states have actual, rather than constructive, knowledge of the malicious activity, and should only require states to take reasonable steps within their capacity to bring the activity to an end."[128]

"Regardless of whether the activity amounts to an internationally wrongful act, a state may always attribute political responsibility for malicious state cyber activity and may always respond with retorsion (i.e. unfriendly acts not inconsistent with international law)."[129]

"Where a state is subject to cyber activity that amounts to an internationally wrongful act, it may also invoke the international legal responsibility of the responsible state. States are responsible for internationally wrongful acts that can be attributed to them, including wrongful cyber activities. An internationally wrongful act can be attributed to a state if it was carried out by organs of the state, persons or entities empowered to exercise elements of governmental authority on behalf of that state, or agents acting on the instructions of, or under the direction or control of the state; or where the state acknowledges and adopts the act as its own. States may also be internationally responsible for aiding or assisting internationally wrongful cyber activity carried out by another state."[130]

"States should act in good faith and take care when attributing legal responsibility to another state for malicious cyber activity.

While international law prescribes no clear evidential standard for attributing legal responsibility for internationally wrongful acts, a victim state must be sufficiently confident of the identity of the state responsible. What constitutes sufficient confidence in any case will depend on the facts and nature of the activity. While any legal attribution should be underpinned by a sound evidential basis, there is no general obligation on the attributing state to disclose that basis. However, a state may choose as a matter of policy to disclose specific information that it considered in making its attribution decision, and may be required to defend any such decision as part of international legal proceedings."[131]

"If State A attributes internationally wrongful cyber activity to State B, State A may demand reparation and guarantees of non repetition and/or utilise peaceful dispute resolution mechanisms, including the International Court of Justice where available. State A may also respond with countermeasures against State B. Countermeasures are otherwise internationally wrongful acts that are permitted when undertaken to induce another state to comply with its obligations under international law. They may include, but are not limited to, cyber activities that would otherwise be prohibited by international law. Any countermeasure must:

a. be undertaken to induce compliance by the state in breach of international law;

b. be directed at the state responsible for the internationally wrongful act;

c. not rise to the level of use of force or breach peremptory norms of international law; and

d. be necessary and proportionate.

Given the collective interest in the observance of international law in cyberspace, and the potential asymmetry between malicious and victim states, New Zealand is open to the proposition that victim states, in limited circumstances, may request assistance from other states in applying proportionate countermeasures to induce compliance by the state acting in breach of international law. In those circumstances, collective countermeasures would be subject to the same limitations set out above."[132]

"In situations of armed conflict, international humanitarian law applies to cyber activities. A cyber activity may constitute an “attack” for the purposes of international humanitarian law where it results in death, injury, or physical damage, including loss of functionality, equivalent to that caused by a kinetic attack. All cyber “attacks” must comply with the principles of military necessity, humanity, proportionality and distinction."[133]

"International human rights law applies to cyber activities. States must comply with their obligations to protect and respect human rights online, including the right to freedom of expression and the right not to be subjected to arbitrary and unlawful interference with privacy. States are obliged to respect and ensure human rights to those individuals within their territory and subject to their jurisdiction. The circumstances in which states exercise jurisdiction, through cyber means, over individuals outside their territory is currently unsettled and would benefit from further discussion in multilateral fora."[134]

Norway (2021)

Key message
Sovereignty is not just a principle, but also a primary rule of international law.

A State must not conduct cyber operations that violate another State’s sovereignty.

Whether a cyber operation violates the target State’s sovereignty depends on the nature of the operation, the scale of the intrusion and its consequences, and must be assessed on a case-by-case basis.

"The principle of sovereignty is one of the fundamental principles of international law and applies in cyberspace. It refers to the supreme authority of every State within its territory to the exclusion of other States, and also in its relations with other States.

The internal dimension of a State’s sovereignty includes the exclusive right to exercise jurisdiction within its territory, including over the information systems located on its territory, and to exercise independent State powers. The external dimension includes the right of the State to decide its foreign policy and to enter into international agreements. Both dimensions of sovereignty apply in cyberspace, subject only to obligations under international law.

Norway is of the view that sovereignty constitutes both an international law principle from which various rules derive, such as the prohibition of intervention and the prohibition of the use of force, and a primary rule in its own right capable of being violated. Thus, cyber operations that do not amount to a prohibited intervention or a prohibited use of force may nevertheless amount to a violation of a State’s sovereignty under international law.

The International Court of Justice (ICJ) has consistently held that States have an obligation to respect the territorial integrity and political independence of other States as a matter of international law. In a cyber context this means that a State must not conduct cyber operations that violate another State’s sovereignty.

A cyber operation that manifests itself on another State’s territory may, depending on its nature, the scale of the intrusion and its consequences, constitute a violation of sovereignty.

Causing physical damage by cyber means on another State’s territory may easily qualify as a violation of territorial sovereignty. For example, a cyber operation against an industrial control system at a petrochemical plant that led to a malfunction and a subsequent fire would constitute a violation of the State’s territorial sovereignty. In addition to physical damage, causing cyber infrastructure to lose functionality may also be taken into consideration and may amount to a violation. This includes the use of crypto viruses to encrypt data and thus render them unusable for a substantial period of time.

The principle of sovereignty encompasses cyber infrastructure located in a State’s territory irrespective of whether it is governmental or private.

Similarly, a cyber operation that interferes with or usurps the inherently governmental functions of another State may constitute a violation of sovereignty.

This is based on the premise that a State enjoys the exclusive right to exercise within its territory, ‘to the exclusion of any other State, the functions of a State’. Accordingly, what matters is not whether physical damage, injury, or loss of functionality has resulted, but whether the cyber operation has interfered with data or services that are necessary for the exercise of inherently governmental functions. Cases in point would include altering or deleting data or blocking digital communication between public bodies and citizens so as to interfere with the delivery of social services, the conduct of elections, the collection of taxes, or the performance of key national defence activities. Another example could be the manipulation of police communications so that patrol cars are unable to communicate with police dispatch/operation centres. In this context it is irrelevant whether the inherently governmental function is performed by central, regional or local governments and authorities, or by non-governmental bodies in the exercise of powers delegated by such governments or authorities. Conducting elections is a clear example of an inherently governmental function. In contrast to the case of a cyber operation in breach of the prohibition of intervention, there is no requirement for the interference to reach to the level of coercion.

The precise threshold of what constitutes a cyber operation in violation of sovereignty is not settled in international law, and will depend on a case-by-case assessment."[135]

Key message
Cyber operations that compel the target State to take a course of action, whether by act or omission, in a way that it would not otherwise voluntarily have pursued (coercion) in matters relating to its internal or external affairs (domaine réservé), will constitute an intervention in violation of international law.

"The prohibition of intervention applies to a State’s cyber operations as it does to other State activities. Accordingly, a State must not carry out cyber operations in breach of the prohibition of intervention, according to customary international law.

A cyber operation must therefore not be carried out to compel the target State to take a course of action, whether by act or omission, in a way that it would not otherwise voluntarily have pursued (coercion) in matters relating to its internal or external affairs (domaine réservé) – such as a State’s political, economic, social or cultural system or the formulation of its foreign policy. The constituent element of coercion means that cyber activities that are merely influential or persuasive will not qualify as illegal intervention.

Holding elections is an example of a matter within a State’s domaine réservé. Thus, carrying out cyber operations with the intent of altering election results in another State, for example by manipulating election systems or unduly influencing public opinion through the dissemination of confidential information obtained through cyber operations (‘hack and leak’), would be in violation of the prohibition of intervention. Another example is a cyber operation deliberately causing a temporary shutdown of the target State’s critical infrastructure, such as the power supply or TV, radio, Internet or other telecommunications infrastructure in order to compel that State to take a course of action."[136]

Key message
A cyber operation may, depending on its scale and effects, violate the prohibition on the threat or use of force in Article 2(4) of the UN Charter.

A cyber operation that is in violation of the prohibition on the threat or use of force may, depending on its scale and effects, constitute an armed attack under international law. An armed attack is the gravest form of the use of force.

Article 2(4) of the UN Charter prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any other manner inconsistent with the purposes of the UN. The prohibition is a norm of customary international law. It applies to any use of force, regardless of the weapons or means employed.

There are only three exceptions to the prohibition on the use of force in the sense that using force would not be in violation of international law: if the state on whose territory the use of force takes place consents; if it is authorised by the Security Council under Chapter VII of the UN Charter; or in the case of self-defence, in response to an armed attack as recognised in Article 51 of the UN Charter.

Whether a cyber operation violates the prohibition on the threat or use of force in Article 2(4) of the UN Charter depends on its scale and effects, physical or otherwise. Depending on its gravity, a cyber operation may also constitute an armed attack under international law. In accordance with the case law of the International Court of Justice (ICJ), an armed attack is the gravest form of the use of force.

A cyber operation may constitute use of force or even an armed attack if its scale and effects are comparable to those of the use of force or an armed attack by conventional means. This must be determined based on a case-by-case assessment having regard to the specific circumstances. A number of factors may be taken into consideration, such as the severity of the consequences (the level of harm inflicted), immediacy, directness, invasiveness, measurability, military character, State involvement, the nature of the target (such as critical infrastructure) and whether this category of action has generally been characterised as the use of force. This list is not exhaustive.

Cyber operations that cause death or injury to persons or physical damage to or the destruction of objects could clearly amount to the use of force. Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4).

A cyber operation that severely damages or disables a State’s critical infrastructure or functions may furthermore be considered as amounting to an armed attack under international law. Depending on its scale and effect, this may include a cyber operation that causes an aircraft crash.[137]

"A State that is the victim of a cyber operation that qualifies as an armed attack under international law, may exercise its inherent right of individual or collective self-defence under Article 51 of the UN Charter. The right of self-defence as reflected in Article 51 is a norm of customary international law. It must be exercised subject to the requirements of necessity and proportionality, and may involve both digital and conventional means."[138]

Key message
In order for a State to be held internationally responsible for a cyber operation, the operation has to be attributable to the State under international law.

A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.

"The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.

In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory."[139]

"A State may be held responsible under international law for cyber operations conducted by an organ of the State or by actors exercising governmental authority on behalf of the State.

A State may be held responsible under international law for cyber operations conducted by non-State actors if these are conducted on the direct instructions of the State or under its direction or effective control. It may be technically challenging to establish that a relationship between a State and a non-State actor amounts to direct instructions, direction or effective control. However, this is a question of evidence, and not of lack of clarity of international law."[140]

"[..] a State may be held responsible under international law if it knows or should have known that cyber operations that target third States are being carried out from or via its territory, and fails to take adequate measures.

As a consequence of the right to exercise sovereignty over cyber infrastructure located on its territory, States also have a corresponding obligation not to knowingly allow their territory to be used for acts causing significant harm to the rights of other States under international law. This customary international law obligation, often referred to as the due diligence principle, was recognised by the ICJ in the 1949 Corfu Channel judgment, and is reflected in numerous rules in specialised regimes of international law. Norway is of the view that the due diligence obligation applies in situations where there is a risk of transboundary harm from hazardous activities, regardless of the nature of the activity, and accordingly also applies to cyber operations.

Accordingly, if a State possesses knowledge of a cyber operation being carried out from or via its territory causing serious adverse consequences with respect to a right of the target State under international law, it is required to take adequate measures to address the situation.

The due diligence standard is the conduct that is generally considered to be appropriate and proportional to the degree of risk of transboundary harm in the particular instance. It is an obligation of conduct, not of result. Applied to cyber activities, what is required is for the State to take all reasonably available measures to terminate the cyber operation. A breach of the obligation consists not of failing to achieve the desired result, but of failing to take the necessary, diligent steps towards that end. It is irrelevant whether the cyber operation in question is conducted by a third State or a non-State actor. Likewise, it is irrelevant whether the cyber operation in question is conducted by an actor physically present on the State’s territory or by an actor making remote use of ICT infrastructure on the State’s territory.

In addition to actual knowledge of the use of cyber infrastructure within its territory for harmful cyber operations against another State, a State may also violate its due diligence obligation if it is in fact unaware of the activities in question but objectively should have known about them and fails to address the situation. Accordingly, knowledge also encompasses those situations in which a State in the normal course of events would have become aware that its territory was being used for harmful cyber operations. This implies that the criterion that a State ‘should have known’ is more likely to be met if for instance the operation used publicly known and easily detected malware, as opposed to highly sophisticated and previously unknown malware.

There is currently no legal basis for a general obligation to prevent cyber operations, and States are consequently not under an obligation to monitor all cyber activities on their territories.

Norway considers the due diligence obligation to be of particular importance in a cyber context. In situations where a targeted State cannot directly attribute (technically and legally) a wrongful cyber operation – for instance election interference – to the State from whose territory it is being carried out, the territorial State may nevertheless still be held accountable on the basis of a breach of the due diligence obligation."[141]

"A State may respond to any form of cyber operation by retorsion. Retorsion refers to the taking of measures that are lawful but unfriendly, directed against another State. Retorsion may therefore be used regardless of whether international law has been violated and regardless of whether State responsibility applies. Examples of acts of retorsion are breaking off or limiting diplomatic relations, for instance by declaring a diplomat persona non grata, or the imposition of sanctions. Publicly declaring that another State is responsible for a cyber operation is in itself an act of retorsion."[142]

"If a State is the victim of an internationally wrongful cyber operation and another State can be held responsible under customary international law on State responsibility, the injured State may, depending on the circumstances, be entitled to take countermeasures.

A countermeasure is an act that would otherwise be contrary to international law, but where the injured State can invoke the prior internationally wrongful act as a ground for precluding wrongfulness. If there is doubt regarding the attribution of a cyber operation to a State under international law, it may be preferable for the injured State to make use of acts of retorsion rather than countermeasures in order to avoid the possibility of incurring State responsibility for its response.

Countermeasures may only be taken to induce a State to cease an internationally wrongful act or resume its compliance with an international obligation. They are not to be used for punishment and retaliation. Countermeasures must be limited to what is considered necessary and proportional, and may only target the State to which the cyber operation or internationally wrongful act can be attributed. There is no requirement for countermeasures to be of the same nature as the internationally wrongful acts to which they are a response, and countermeasures in response to cyber operations may therefore be carried out within or outside cyberspace. Countermeasures must not violate the prohibition on the threat or use of force or international humanitarian law.

The State held responsible should be notified of both the violation of international law and the grounds for attribution, as well as of the intention to introduce countermeasures. Countermeasures may only be taken if a State has sufficient grounds for attributing the conduct in question to a particular State under international law. What constitutes sufficient grounds will be fact-specific and case-specific, and can be particularly challenging to determine in the case of cyber operations. The State taking countermeasures must be confident in its attribution before resorting to countermeasures. However, the State taking countermeasures need not publish detailed grounds for its attribution or give a detailed technical account of this to the State identified as responsible as this might reveal sensitive methods of interception and detection or offensive and defensive capabilities.

Countermeasures may be taken without prior notification to the responsible State if providing such notification might reveal sensitive methods or capabilities or prevent the countermeasures from having the necessary effect. For example, the injured State could carry out a cyber operation to disrupt the capability of the aggressor State conducting the internationally wrongful cyber operation such as election interference. This countermeasure would in other circumstances be in violation of the aggressor State’s sovereignty."[143] "In a situation of necessity, a State may be able to respond to a cyber operation in a way that is in principle in breach of an international obligation and nevertheless not incur responsibility for its actions under international law.

Necessity refers to those exceptional situations where the only way a State can safeguard an essential interest threatened by a grave and imminent peril, whether cyber in nature or not, is by temporary non-compliance with international obligations of lesser weight or urgency. For instance, if infrastructure in a third country is used in an internationally wrongful cyber operation, the injured State may under certain conditions launch a cyber operation to destroy or disrupt the internationally wrongful cyber operation, even if this violates the territorial sovereignty of the third State."[144]

Key message
International humanitarian law applies to cyber operations in connection with an armed conflict.

"International humanitarian law (IHL) applies in the event of an armed conflict. Whether an (international or non-international) armed conflict exists will depend on the specific circumstances.

This specialised regime of international law, also called jus in bello, governs actions, including cyber operations, when they are conducted in connection with an armed conflict.

International humanitarian law aims to minimise the human suffering caused by armed conflict. It thus regulates and limits cyber operations during armed conflicts, just as it regulates and limits the use of any other weapons, means and methods of warfare in an armed conflict.

IHL does not legitimise the use of force in cyberspace. Any use of force by States – either by digital or by conventional means – remains governed by the Charter of the United Nations and the relevant rules of customary international law, also called jus ad bellum. Of particular relevance is the prohibition against the use of force. International disputes must be settled by peaceful means, in cyberspace as in all other domains.

The general rules for legitimate military targets are the same regardless of whether conventional or digital means are used. A cyber operation conducted in connection with an armed conflict must be assessed according to its consequences, and may qualify as an attack under international humanitarian law. ‘Attack’ is a key concept of international humanitarian law, and is understood to mean ‘acts of violence against the adversary, whether in offence or defence’. Cyber attacks during armed conflicts are subject to the same restrictions and regulations under international humanitarian law as conventional attacks, including the principles of humanity, military necessity, proportionality and distinction. The concept of attack is particularly relevant to the rules and principles on the selection of targets and precautions. Attacks against civilians or civilian objects are for example prohibited.

Under IHL, medical services must be protected and respected, including when carrying out cyber operations during armed conflict. IHL also prohibits attacking, destroying, removing or rendering useless objects indispensable to the survival of the population, including through cyber means and methods of warfare. ‘Objects indispensable to the survival of the civilian population’ include ICT infrastructure for food production or drinking water installations."[145]

Key message
States must comply with their human rights obligations in cyberspace, just as they must in the physical world. States must both respect and protect human rights.

"International human rights law applies to cyber activities just as it does to any other activity. States must comply with their human rights obligations also in cyberspace, as they must in the physical world. States must both respect and protect human rights, including the right to freedom of expression and the right to privacy.

Neither the individuals that are subject to a State’s jurisdiction, nor the concept of jurisdiction, is altered by the fact that the activity attributed to the State is a cyber activity. In this respect, cyber activity is no different from other means that States may use to violate their human rights obligations towards their citizens."[146]

Romania (2021)

"Romania considers that respect for the state sovereignty is an international obligation per se, the breach of which constitutes an internationally wrongful act; States have an obligation to respect the sovereignty of other States and refrain from activities that constitute a violation of their sovereignty; this holds true both in what concerns the internal as well as the external facet of the principle of sovereignty.

At the same time, we acknowledge that the difficulty in relation to this principle lies in the absence in cyberspace context of the territoriality and physical dimensions, which are the specific elements of the analysis when dealing with the sovereignty in the traditional sense.

In relation to these aspects, RO is of the view that cyber operations (conducted by a State organ or by a person or entity exercising elements of governmental authority or by a person acting under the instructions of or under the direction or control of a State) that interfere with or prevent in any way a State from exercising its (internal and/ or external) sovereign prerogatives (i.e. authority over its territory, over the property and persons situated therein) constitute a violation of the principle of State sovereignty and, thus, a breach of international law.

If there is not a State or State endorsed operation one can speak of a criminal act, which should be investigated and punished in accordance with the criminal law of the State concerned."[147] "The due diligence principle entails that a State may be responsible for the effects of the conduct of private persons, if it failed to take necessary measures to prevent those effects.

This principle (which implies a certain obligation of conduct on the part of States) was enunciated by the ICJ in its Corfu Channel judgment emphasizing that every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.

The due diligence principle requires that States take action in respect of cyber activities if the following elements are cumulatively met:

  • the acts are conducted (by a non-State actor or a third State) from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control);
  • the acts are contrary to the rights of a victim State and have serious adverse consequences for that State;
  • the State has actual or constructive knowledge of those acts."[148]

"[..]the principle of prohibition of the intervention in the internal affairs of another State should be addressed (situations of tampering with the electoral processes in other States are relevant as a discussion under this principle).

According to international law, States are under the duty not to intervene in matters within the domestic jurisdiction of any State, in accordance with the Charter; this means that no State has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State.

In order for such intervention to be illegal under international law, it must be coerced, meaning that the goal of the intervention must be to effectively change the behavior of the target State; the incidence of coercion must be assessed on a case-by-case basis, in order to determine the violation of the principle of non-intervention.

In other words, the following criteria must be met in order for an act to qualify as prohibited intervention under international law:

  • the act must bear on those matters in which States may decide freely (internal and external affairs – the domain reservé of States);
  • the act must be coercive in nature;
  • there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.

Therefore, depending on the situation, interference in the internal or external affairs of Romania (that is interference which causes or may cause harm to Romania’s economic, political, social and/ or cultural system) may constitute a violation of the principle of non-intervention."[149] "The prohibition of the threat or use of force is a well-established principle of international law, being included in art. 2(4) of the UN Charter. There are only three (well determined) exceptions to this prohibition: self-defense in the event of armed aggression, UNSC Chapter VII authorization of the use of force and consent of the State on whose territory the operation takes place.

In order to ascertain whether a cyber operation represents a threat or use of force and whether it even amounts to a cyberattack, a case-by-case analysis must be carried out to determine the circumstance in which the attack occurred, the nature of the operation (military or not) and the scale and the effects of the operation (by comparison against the scale and severity of a conventional (non-cyber) act of violence covered by the prohibition).

The elements of such an analysis, from the “scale and effects” perspective, are well established in the ICJ’s relevant jurisprudence.

It is also worth noting that not all cyber operations reach the threshold of use of force and even less operations reach the threshold of an armed attack; nevertheless such operations could still be in violation of international law (being a prohibited intervention or an otherwise violation of the principle of sovereignty)."[150] "International Humanitarian Law (IHL) applies in the context of cyber operations carried out as part of an armed conflict (whether international or non-international).

In such circumstances, the planning of and carrying on of cyber operations must be done in conformity with the principles governing the conduct of hostilities, namely distinction, proportionality, necessity and precaution."[151] "There are ongoing discussions in relation to qualifying data as an object for the purposes of the application of IHL. We take the preliminary view that cyber operations against data do trigger the application of IHL. Therefore cyber-attacks can only be directed against those data that represent military objectives according to IHL and cannot be directed against those data that represent a civilian object which must be protected under the principle of distinction."[152] "We are also of the view that the principle of neutrality applies as well to cyber operations as part of an armed conflict and thus, belligerents must refrain from harming information and communication infrastructure situated on the territory of a neutral State or from launching attacks from such infrastructure."[153] "Human rights are protected similarly both in offline as well in online contexts.

International law does not recognise a right to States to derogate from their international human rights obligations as a defensive-type measure – for instance to restrict access to internet in all circumstances as a responsive measure to counter some types of conduct in cyberspace (which generally pertain to criminal law, like: countering terrorism, violent extremism or fraud).

The circumstances in which limitations to human rights are permitted are well established in international law and apply the same way in offline and in online contexts. In most cases, the factors to be weighed include whether the restriction serves a legitimate purpose, whether it has a legal basis and whether it is necessary and proportionate to the interest it aims to protect.

Therefore, whatever regulation a State adopts (by virtue of its sovereign right) it must conform with its international obligations in the field of human rights. Otherwise it entails its legal responsibility under the relevant international conventions.

It is our view that the existing human rights instruments provide sufficient scope for effectively safeguarding the protection of human rights in cyberspace."[154] "There is an internationally wrongful act of a State when conduct consisting of an action or omission is:

  • attributable to the State under international law; and
  • constitutes a breach of an international obligation of the State

Therefore, from the perspective of state responsibility under international law, attribution is one of the components."[155] "In cyber context, attribution (especially from the technical point of view) of the conduct to a State is difficult to determine given the fact that most of the times the actions are undertaken via proxies.

Therefore, if the conduct is not evident as being of a State organ, then, in order to be attributed to a State, it must be proven that it is:

  • of a person or entity exercising elements of the governmental authority of that State
  • of organs placed at the disposal of that State by another State
  • of a person or entities acting under the instructions of, or under the direction or control of that State

In order to determine the degree of control reference should be made to the jurisprudence of the ICJ and of the various international courts and tribunals that have dealt with matters of State attribution.

Once attributed to a State and determined that the conduct constitutes a breach of an international obligation (the 2nd component), the international responsibility of that State is entailed and can be invoked by the injured State either individually (if the obligation breached is owed to that State or if that State was otherwise affected by the conduct) or collectively with other States if the obligation breached was owed to a group of States (including that State) or to the international community as a whole; the invocation of the responsibility of a State is a matter of political choice; however, the responsibility of a State for an international wrongful act is an objective circumstance from the legal standpoint, which exists independent of its invocation by the injured State(s); nevertheless, under draft articles of State responsibility there is a certain procedure to be followed by the injured State invoking the responsibility of another State (therefore a public invocation may not suffice).

At the same time, once the international responsibility of a State is entailed, the injured State(s) may recourse to countermeasures in order to induce that State to comply with its international obligations."[156]

Switzerland (2021)

"In accordance with Art. 2 para. 3 and Art. 33 of the UN Charter, disputes which may endanger the maintenance of international peace and security should be settled by peaceful means. This includes diplomatic proceedings, arbitration or recourse to the International Court of Justice (ICJ). As a neutral country with long-standing experience and engagement in the provision of good offices, Switzerland is committed to upholding this principle in cyberspace, emphasising the overriding aim of ensuring that cyberspace is used for peaceful purposes only. Switzerland therefore welcomes the UN GGE's 2015 report and the OEWG 2019/2021 report confirming the peaceful settlement of disputes as one of the UN Charter's central principles, which is also applicable to cyberspace. Consequently, disputes in cyberspace should also be settled by peaceful means, not with unilateral measures."[157] "State sovereignty is also applicable to cyberspace. Owing to the special characteristics of cyberspace, which has no clear territorial boundaries, putting the principle of sovereignty into practice is a particular challenge. One major issue is who has jurisdiction over or access to digital data. In the cyber context, the key question is which states have legitimate control over digital data and are authorised to access that data – which may, depending on the circumstances, be stored on a different territory or may not be localised geographically. Conversely, in terms of interstate relations at cybersecurity level, the principle of sovereignty provides wide scope for protection against cyber operations. For example, state sovereignty protects information and communication technologies (ICT) infrastructure on a state's territory against unauthorised intrusion or material damage. This includes the computer networks, systems and software supported by the ICT infrastructure, regardless of whether the infrastructure is private or public.

Switzerland recognises that defining what constitutes a violation of the principle of sovereignty in cyberspace is particularly challenging and has yet to be clarified conclusively. It supports considering the following two criteria in such assessments: first, does the incident violate the state's territorial integrity and second, does it constitute interference with or usurpation of an inherently governmental function. A precise definition of these criteria is a question of interpretation and subject to debate. The current debate includes among other aspects i) incidents whereby the functionality of infrastructure or related equipment has been damaged or limited, ii) cases where data has been altered or deleted, interfering with the fulfilment of inherently governmental functions such as providing social services, conducting elections and referendums, or collecting taxes, and iii) situations in which a state has sought to influence, disrupt or delay democratic decision-making processes in another state through the coordinated use of legal and illegal methods in cyberspace e.g. propaganda, disinformation and covert actions by intelligence services. The assessment of an individual case depends on the nature of the cyber incident and its repercussions."[158] "The principle of non-intervention is the corollary of the sovereign equality of all states (Art. 2 para. 1 UN Charter) and is considered customary international law. In this context, intervention is understood to be the direct or indirect interference by one sovereign state in the internal or external affairs of another using coercive measures. It covers those areas where the state has exclusive jurisdiction (known as domaine réservé). The non-intervention principle protects a state's ability to shape its own internal affairs (political, economic, social and cultural systems) as well as its foreign policy. An infringement of sovereignty and a prohibited intervention are not the same. 
The latter must be coercive in nature, i.e. through its intervention a state seeks to cause another to act (or refrain from acting) in a way it would not otherwise. This means that the threshold for a breach of the non-intervention principle is significantly higher than that for a violation of state sovereignty.

The prohibition of intervention is also applicable to cyberspace. This means that in cyberspace, an unlawful act of interference by one state in the political or economic affairs of another may, in addition to constituting a violation of sovereignty, also breach the non-intervention principle under international law if the respective requirements are fulfilled. The distinction between exerting influence, which is permissible, and coercion, which is not, must be determined on a case-by-case basis. This is particularly true of economic coercion, which could be the case if a company that is systemically relevant was paralysed through a cyber operation. An assessment of whether the operation can be deemed coercive in nature, and thereby be in breach of the non-intervention principle, can only be made on a case-by-case basis."[159] "One of the key founding principles of the UN Charter is the prohibition on the use of force (Art. 2 para. 4). There are only two exceptions: if the use of force is authorised by the UN Security Council (Art. 42) or if the strict conditions under which the right of self-defence may be exercised are fulfilled (Art. 51).

The prohibition on the use of force and the right of self-defence are also applicable to cyberspace. The right of self-defence may only be exercised if an armed attack occurs first. In accordance with ICJ case law, not every violation of the prohibition on the use of force constitutes an armed attack, but only its gravest form. In order to qualify, the scale and effect of the attack must reach a certain threshold of gravity. The ICJ has also determined that an armed attack does not necessarily have to involve kinetic military action or the use of weapons because the means by which an attack is perpetrated is not the decisive factor. A state is permitted to exercise its right of self-defence in response to a cyber incident if the incident amounts in scale and effect to that of a kinetic operation in terms of inflicting death or serious injury to persons, or extensive material damage to objects. There are no binding quantitative or qualitative guidelines as to when the threshold of an armed attack in terms of scale and effect has been reached. Current discussions on how to define an armed attack in cyberspace are focusing on attacks on critical infrastructure (e.g. nuclear power plants, power grids) which reach the required threshold in terms of scale and effect i.e. serious injury to persons and/or extensive damage to objects.

The purpose of the UN Charter must guide the interpretation of the prohibition on the use of force and the right to exercise self-defence in the face of an armed attack. The Charter's objective is to maintain and, where necessary, restore international peace and security. Consequently, even if an armed attack occurs, a state is only permitted to undertake countermeasures that are necessary and proportionate in order to repel the attack. The right of self-defence only applies if the UN Security Council has not taken the necessary measures to maintain international peace and security (Art. 51 UN Charter). If the actions taken in self-defence exceed this framework, the state itself is in breach of the prohibition on the use of force."[160] "If the threshold for an armed attack has not been reached, states can have recourse to immediate and proportionate non-violent countermeasures".[161]

"In cases where an act violates international law and can be legally attributed to a state, the injured state(s) may also take countermeasures in the form of reprisals, provided that the applicable rules governing state responsibility are observed. Although reprisals are contrary to international law, they are justified in response to a prior breach of international law. However, such a countermeasure must not violate certain fundamental substantive obligations such as the prohibition on the use of force, fundamental human rights, most norms of international humanitarian law, peremptory norms (jus cogens) and the obligation to respect diplomatic and consular inviolability. Military force, i.e. measures leading to loss of life and limb, are therefore prohibited.

Countermeasures must impose a (legal) disadvantage aimed at prompting the state concerned to cease its conduct that is in breach of international law and/or to make reparations. In principle, the responsible state can only impose countermeasures if it has first called for the violation(s) to cease and has announced what measures it is planning to take. Exceptions may be made for cyber operations requiring an immediate response in order for the injured state to enforce its rights and prevent further damage. Countermeasures must always be proportional, whatever the circumstances.

A countermeasure in response to a cyber incident does not necessarily have to take place in the cyber domain. In accordance with the rules governing state responsibility, other measures that aim to enforce the responsible state's compliance with its international obligations are also permissible. Cyber countermeasures do not have to directly target the computer system originally used to commit the incident in question; injured states are permitted to take other measures as long as they are aimed at the responsible state ceasing its conduct that is in breach of international law. This means that depending on the specific circumstances, it may be permissible under international law to use cyber countermeasures to block the computer system abroad originally used to commit the incident. Likewise, in some cases it may be permissible to compromise computer systems abroad even if they were not the original source of the incident."[162] "In addition to countermeasures, the rules governing state responsibility also provide for special circumstances precluding the wrongfulness of conduct that would otherwise not be in conformity with the international obligations of the state concerned. For example, a state may be exempted from complying with such an obligation if it is the only way for it to safeguard its essential interests from grave and imminent peril. Therefore the narrowly defined exceptions provided for by the rules governing state responsibility may also apply in the context of cyber operations."[163] "Retorsion allows states to respond to such activities regardless of whether international law has been violated or not. It refers to unfriendly but lawful measures in response to unwelcome acts by another state. 
Typical examples of retorsion include refraining from signing a trade agreement that would benefit both parties, recalling an ambassador, or breaking off diplomatic relations as a last resort."[164] "As a matter of principle, Switzerland considers the rights and obligations of neutral countries in international armed conflicts to be applicable to cyberspace as well. If such an international armed conflict arises, a neutral country has a duty to prevent any infringements of its neutrality, such as the use of its territory by one of the conflicting parties. Parties to the conflict are obliged in turn to respect the territorial integrity of the neutral country. Therefore they may not conduct related cyber operations from installations that are either on the territory or under the exclusive control of the neutral country. Parties to the conflict are also prohibited from taking control of a neutral country's computer systems in order to carry out such operations.

Because of the global cross border nature of cyberspace, there are also limits to the rights and duties of a neutral country in terms of territoriality – airspace can be closed for certain flying objects, for example, but the same targeted approach cannot be used for data traffic on the internet. Another issue is that data are not only transmitted via terrestrial and cable channels but also via satellites located in outer space, which puts them outside the scope of application of the law of neutrality. Such factors must be taken into consideration when it comes to applying the rights and duties of neutral countries in cyberspace.

In principle, belligerent states are not permitted to damage the data networks of neutral countries when undertaking combat operations via their own computer networks. Neutral countries may not support conflicting parties with either troops or their own weapons. In terms of military cyber operations in connection with an international armed conflict, this means that a neutral country must prevent parties to the conflict from using its military-controlled systems or networks. In general, military networks are shielded and not publicly accessible."[165] "The customary international rules on state responsibility are largely reflected in the draft articles issued by International Law Commission. They are also applicable to cyber incidents. They provide that any state action in violation of international law shall entail the international responsibility of that state, upon which a claim for full reparation may be made. This only applies if the action can be legally attributed to the state and is deemed to constitute an internationally wrongful act, i.e. in violation of international law."[166] "Attribution of a cybersecurity incident refers to the identification of the perpetrator and describes a holistic, interdisciplinary process. This includes analysing the technical and legal aspects of the incident, factoring in the geopolitical context, and using the entire intelligence spectrum for the purpose of gathering information. Using this approach, a state can attribute a cyber incident to another state or a private actor, either publicly or not, and it can decide to take further political measures.

The process described above includes legal attribution, which ascertains whether a cyber incident can be legally attributed to a state and if that state can be held responsible under international law in accordance with the rules on state responsibility; it also concerns how the injured state may respond (known as countermeasures, see section 6.2). The conduct of any state organ or person exercising an inherently governmental function is always legally attributable to the state concerned. If a cyber incident is carried out by a non-state actor, it can only be attributed to a state under certain conditions. In such cases, state responsibility only arises if the non-state actor acts on the instructions of a state, or under the direction or control of state organs. If this requirement is met, the conduct constitutes an act by the state and is attributable to that state. The injured state is also permitted to take countermeasures (see section 6.2). If the required interstate dimension is lacking however, international law does not in principle permit countermeasures against another state.

The decision to attribute conduct is at the discretion of the injured state and there is no obligation under international law to disclose the information leading to such a decision. Allegations of the organisation or implementation of an unlawful act against another state should however be substantiated."[167] "The principle of due diligence has evolved over a long period of time. Switzerland views due diligence as part of customary international law and applicable to cyberspace. The ICJ describes the concept of due diligence as a standard of conduct meaning "every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States." The doctrine of due diligence reflects fundamental principles of international law (including state sovereignty, equality, territorial integrity and non-interference).

The principle of due diligence is also applicable to cyberspace. Consequently, a state that is or should be aware of cyber incidents that violate the rights of another state is obliged to take all reasonable measures that are appropriate to stop or minimise the risks of such incidents. Due diligence is a variable standard and depends on the capacities and capabilities of a state as well as the particular circumstances of each case. Territorial states are obliged to use all reasonable means to prevent serious harm being caused to another state by activities taking place within their territory or in an area under their effective control. This makes due diligence an obligation of conduct, not of result. If the aforementioned conditions exist, the state in question is obliged under international law to close any loopholes immediately and assist in intercepting and tracing the incident.

Due diligence applies in particular to actions by private individuals that violate the rights of other states (e.g. hackers) and cannot be (clearly) attributed to the state in accordance with the rules of attribution (see section 6.1). If the aforementioned conditions exist and the state in question fails to fulfil due diligence requirements, the injured state may take countermeasures in accordance with the rules governing state responsibility in order to induce the responsible state to meet its obligations. Possible countermeasures outlined above may be taken both outside and inside the cyber domain. The responsible state may also be required to make reparations."[168]

"Human rights are a cornerstone of international law. They are enshrined in a number of treaties including the UN Covenant on Civil and Political Rights (ICCPR) and the European Convention on Human Rights (ECHR). Fundamental human rights are also part of customary international law and can in part be categorised as jus cogens. Today, state obligations in respect of human rights have several dimensions. States must refrain from interfering with human rights (obligation to respect), protect individuals and groups against any such interference by third parties (obligation to protect) and take positive action to facilitate the enjoyment of basic human rights (obligation to fulfil).

Human rights also apply in the digital space and are a key pillar in the international regulatory framework for digitalisation. Individuals therefore have the same rights in the digital space as they do in physical space. This also applies to state security activities in cyberspace i.e. part of the digital space. Human rights obligations are equally binding upon states operating in cyberspace as in physical space. This also applies when the cyber operation in question is being carried out extraterritorially, to the extent that the States exercise their sovereign authority in doing so. If a cyber-related activity results in a violation of human rights, the victim will in principle have recourse to the enforcement mechanisms of the applicable domestic and international treaties in the same way as if the violation had been committed in physical space. Human rights monitoring bodies and tribunals can expand the scope and applicability of human rights in their practice.

A number of specific human rights may be particularly affected by cyber-related activities. An individual's right of access to information, right to privacy, or freedom of expression for example, could be restricted because of cyber operations or other cyber-related measures.

A state must be able to justify restricting these or other human rights in cyberspace based on the same rules that apply in physical space. In principle, any act of state interference requires an adequate legal basis. The state must also be able to demonstrate that in the balance of interests its actions are appropriate, necessary and reasonable in order to meet a legitimate objective.

Switzerland considers the applicability of human rights to cyberspace to be an unequivocal principle. However, new questions may arise when considering how this applies in individual cases. For example, if cyber-related activities are used to block access to social media, the question of freedom of expression may need to be clarified – at what point can this legally protected right be interfered with? Can the individual continue to exercise this right through alternative communication channels? To what extent are private actors also bound by human rights obligations? Human rights bodies need to develop their work in this field in order to ensure the application of human rights in cyberspace."[169]

"Switzerland considers international law to be applicable to cyberspace, which includes the application of IHL in the context of armed conflicts. Switzerland's foreign policy priorities include ensuring respect as well as strengthening and promoting IHL. Switzerland is well known for its neutrality, humanitarian tradition and role as depositary of the Geneva Convention. This position paper therefore addresses IHL issues in greater depth.

IHL is applicable once an international or non-international armed conflict de facto exists. It is applicable in any armed conflict and to all parties to a conflict. IHL addresses the realities of war without considering the reasons for or the legality of the use of force. It does not deal with the legality of war, nor does it legitimise the use of force between states. The purpose of IHL is to regulate the conduct of hostilities and to protect victims of armed conflict, in particular by restricting the use of certain means and methods of warfare. The ICJ clearly stated that the established principles and rules of IHL apply to “all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future”.

This is applicable to cyberspace in the same way as for traditional and new operational spaces (outer space, airspace, land, maritime space, electromagnetic space, information space). IHL is therefore the main body of international law governing cyber operations that have a connection with an armed conflict. Implementing IHL effectively contributes to ensuring international security. Existing IHL, particularly its fundamental principles, places important limits on the execution of cyber operations in armed conflicts."[170]

"IHL prohibits or restricts means (weapons) and methods of warfare through general principles – regulating conduct or prohibiting certain effects – and specific rules addressing particular means and methods of warfare. As regards weapons, IHL distinguishes between the legality of a particular type of weapon (weapons law) and the legality of how it is used (law of targeting). The inherent characteristics of certain weapon categories entail that their use – in some or all circumstances – is unlawful per se. The admissibility of all other weapons depends on whether their use is in conformity with IHL.

This is also applicable to cyberspace. In fact, developing or using new means and methods of warfare must be in compliance with existing international law, particularly IHL. This is true even if a weapon is not covered by a specific norm and the treaty provisions governing the conduct of hostilities do not explicitly refer to new technologies. The customary rules of IHL apply equally to all means and methods of warfare, including in cyberspace. Indeed, it is a long standing principle that the right of parties to an armed conflict to choose methods or means of warfare is not unlimited."[171]


"Legality of a particular type of weapon

IHL stipulates that any means or method of warfare possessing one or more of the following characteristics is inherently unlawful if:

(1) it is of a nature to cause superfluous injury or unnecessary suffering;

(2) it is indiscriminate by nature, because it cannot be directed against a specific military objective or its effects cannot be limited as required by IHL;

(3) it is intended, or may be expected, to cause widespread, long-term or severe damage to the natural environment; or

(4) it is specifically prohibited by treaty or customary international law. This is applicable to cyberspace and, therefore, to cyber means and methods of warfare."[172]

"With regard to the lawful use of cyber means and methods of warfare, the rules and principles governing the conduct of hostilities must be respected. Belligerents must in particular comply with the principles of distinction, proportionality and precaution by:

(1) distinguishing between military objectives on the one hand, and civilians or civilian objects on the other hand and, in case of doubt, presume civilian status;

(2) evaluating whether the incidental harm expected to be inflicted on the civilian population or civilian objects would be excessive in relation to the concrete and direct military advantage anticipated from that particular attack;

(3) taking all feasible precautions to spare civilians and civilian objects.

This is also applicable in cyberspace, when using cyber means and methods of warfare. The aforementioned principles are applicable in particular to cyber operations that amount to an attack within the meaning of IHL i.e. acts of violence against the adversary, whether in offence or defence. What exactly constitutes a 'cyber attack' in an armed conflict has yet to be clarified.

It encompasses at the very least cyber operations that are reasonably expected to cause, directly or indirectly, injury or death to persons, or physical damage or destruction to objects. The question, how exactly data is protected in the absence of such physical damage, remains a challenge. In practice, a responsible actor should generally be able to assess the potential impact of their actions and any resulting damage. As this estimation depends, amongst other things, largely on the information available at the time when decisions about an operation are taken, the obligation to take all precautionary measures practically possible to spare civilians and civilian objects plays a particularly important role in the use of cyber means and methods of warfare."[173]

"States and parties to a conflict have an overarching obligation to “respect and ensure respect” for IHL “in all circumstances”. It is uncontested that preparatory measures must be taken to implement IHL and that its implementation needs to be supervised. This requires states and parties to a conflict, inter alia, to take measures to ensure that the development and use of means and methods of warfare fully comply with IHL, and to prevent outcomes that would be unlawful.

This is also applicable to cyberspace and the cyber means and methods of warfare. As with any other weapon, means or method of warfare, States have the positive obligation to determine, in their study, development, acquisition or adoption, whether their employment would, in some or all circumstances, violate existing international law. In this regard, the obligation to assess the legality of a new weapon as set out in Art. 36 of Additional Protocol I to the Geneva Conventions is an important element to prevent or restrict the development and employment of new cyber weapons that would fail to meet in particular the obligations set out above."[174]

"Full compliance with IHL is not limited to the rules and principles governing the conduct of hostilities. There are other specific rules of IHL that must be respected, including when conducting military operations that do not qualify as an 'attack'. For example, certain categories of persons and objects are subject to special protection, such as medical, religious or humanitarian personnel and objects, which must be respected and protected in all circumstances.

This is also applicable to cyberspace. For cyber operations that are linked to any of these specially protected persons or objects, or to other activities governed by IHL, all of the relevant, specific rules must be observed."[175]

United Kingdom (2018)

"[..]a further contested area amongst those engaged in the application of international law to cyber space is the regulation of activities that fall below the threshold of a prohibited intervention, but nonetheless may be perceived as affecting the territorial sovereignty of another state without that state’s prior consent. Some have sought to argue for the existence of a cyber specific rule of a “violation of territorial sovereignty” in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law."[176]

"There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.

The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commission's Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control.

These principles must be adapted and applied to a densely technical world of electronic signatures, hard to trace networks and the dark web. They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors. And international law is clear - states cannot escape accountability under the law simply by the involvement of such proxy actors acting under their direction and control."[177]

"As with other forms of hostile activity, there are technical, political and diplomatic considerations in publicly attributing hostile cyber activity to a state, in addition to whether the legal test is met.

There is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances.

However, the UK can and does attribute malicious cyber activity where we believe it is in our best interests to do so, and in furtherance of our commitment to clarity and stability in cyberspace. Sometimes we do this publicly, and sometimes we do so only to the country concerned. We consider each case on its merits.

For example, the WannaCry ransomware attack affected 150 countries, including 48 National Health Service Trusts in the United Kingdom. It was one of the most significant attacks to hit the UK in terms of scale and disruption. In December 2017, together with partners from the US, Australia, Canada, New Zealand, Denmark and Japan, we attributed the attack to North Korean actors. Additionally, our attribution, together with eleven other countries, of the destructive NotPetya cyber-attack against Ukraine to the Russian government, specifically the Russian Military in February this year illustrated that we can do this successfully. If more states become involved in the work of attribution then we can be more certain of the assessment. We will continue to work closely with allies to deter, mitigate and attribute malicious cyber activity. It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community."[178]

"Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.

These restrictions under the doctrine of countermeasures are generally accepted across the international law community. The one area where the UK departs from the excellent work of the International Law Commission on this issue is where the UK is responding to covert cyber intrusion with countermeasures.

In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it. The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.

In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa."[179]

"In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.

The international law prohibition on intervention in the internal affairs of other states is of particular importance in modern times when technology has an increasing role to play in every facet of our lives, including political campaigns and the conduct of elections. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of this principle is to ensure that all states remain free from external, coercive intervention in the matters of government which are at the heart of a state’s sovereignty, such as the freedom to choose its own political, social, economic and cultural system.

The precise boundaries of this principle are the subject of ongoing debate between states, and not just in the context of cyber space. But the practical application of the principle in this context would be the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states."[180]

"[..]in addition to the provisions of the UN Charter, the application of international humanitarian law to cyber operations in armed conflicts provides both protection and clarity. When states are engaged in an armed conflict, this means that cyber operations can be used to hinder the ability of hostile groups such as Daesh to coordinate attacks, and in order to protect coalition forces on the battlefield. But like other responsible states, this also means that even on the new battlefields of cyber space, the UK considers that there is an existing body of principles and rules that seek to minimise the humanitarian consequences of conflict."[181]

"First, there is the rule prohibiting interventions in the domestic affairs of states both under Article 2(7) of the Charter and in customary international law. This prohibition means that any activity in cyber space which reaches the level of such an intervention is unlawful. Any activity of this nature by a state could only become permissible in response to some prior illegality by another state.

The next relevant provision of the UN Charter is in Article 2(4) which prohibits the threat or use of force against the territorial independence or political integrity of any state. Any activity above this threshold would only be lawful under the usual exceptions – when taken in response to an armed attack in self-defence or as a Chapter VII action authorised by the Security Council. In addition, the UK remains of the view that it is permitted under international law, in exceptional circumstances, to use force on the grounds of humanitarian intervention to avert an overwhelming humanitarian catastrophe.

Thirdly, the UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defence, as recognised in Article 51 of the UN Charter.

If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects.

Acts like the targeting of essential medical services are no less prohibited interventions, or even armed attacks, when they are committed by cyber means."[182]

United Kingdom (2021)

"Article 2(4) of the UN Charter prohibits the threat or use of force against the territorial integrity or political independence of any State or in any other manner inconsistent with the purposes of the United Nations. Depending on the facts and circumstances in each case, conduct by States carried out in cyberspace is capable of constituting a threat or use of force if the actual or threatened conduct has or would have the same or similar effects of conduct using kinetic means. The circumstances in which the threat or use of force is not unlawful under international law are the same irrespective of whether the conduct is by kinetic or cyber means."[183]

"An operation carried out by cyber means may constitute an armed attack giving rise to the inherent right of individual or collective self-defence, as recognised in Article 51 of the UN Charter where the scale and effects of the operation are equivalent to those of an armed attack using kinetic means. Factors in considering the scale and effects of an attack may include the (actual or anticipated) physical destruction of property, injury and death. The exercise of the inherent right of self-defence against an imminent or on-going armed attack whether by kinetic or cyber means, may itself be by cyber or kinetic means and must always fulfil the requirements of necessity and proportionality. Whether or not to have recourse to the exercise of the inherent right of self-defence will always be carefully considered having regard to all the circumstances."[184]

"Article 2(3) and the provisions of Chapter VI of the Charter on the peaceful settlement of disputes can equally apply in relation to States’ activities in cyberspace. Thus, in accordance with Article 33(1), States that are party to any cyber-related international dispute the continuation of which is likely to endanger the maintenance of international peace and security, shall endeavour to settle such dispute by peaceful means as described in Article 33 of the Charter: negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice."[185]

"Below the threshold of the threat or use of force, the customary international law rule prohibiting interventions in the domestic affairs of States applies to States’ operations in cyberspace as it does to their other activities. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of the rule on non-intervention is to ensure that all States remain free from external coercive intervention in matters affecting a State’s powers, which are at the heart of a State’s sovereignty such as the freedom to choose its own political, social, economic and cultural system.

As the UK has noted previously, while the precise boundaries of this rule continue to be the subject of on-going debate, it provides a clearly established basis in international law for assessing the legality of State conduct. Thus the use of hostile cyber operations to manipulate the electoral system in another State to alter the results of an election, to undermine the stability of another State’s financial system or to target the essential medical services of another State could all, depending on the circumstances, be in violation of the international law prohibition on intervention.

The International Court of Justice has established that a prohibited intervention is one bearing on matters which each State is permitted, by the principle of State sovereignty, to decide freely."[186]

"Sovereignty, as a general principle, is a fundamental concept in international law. The United Kingdom recalls that any prohibition on the activities of States whether in relation to cyberspace or other matters, must be clearly established either in customary international law or in a treaty binding upon the States concerned. The United Kingdom does not consider that the general concept of sovereignty by itself provides a sufficient or clear basis for extrapolating a specific rule or additional prohibition for cyber conduct going beyond that of non-intervention referred to above. At the same time, the United Kingdom notes that differing viewpoints on such issues should not prevent States from assessing whether particular situations amount to internationally wrongful acts and arriving at common conclusions on such matters."[187]

"A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility. As well as bearing responsibility for acts of its organs and agents, a State is also responsible in accordance with international law where, for example, a person or a group of persons acts on its instructions or under its direction or control."[188]

"UNGGE Norm 13(c) provides that States should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology. This norm provides guidance on what may be expected to constitute appropriate State behaviour. The UK recognises the importance of States taking appropriate, reasonably available, and practicable steps within their capacities to address activities that are acknowledged to be harmful in order to enhance the stability of cyberspace in the interest of all States. But the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace."[189]

"The term ‘attribution’ is used in relation to cyberspace in both a legal and non-legal sense. It is used in a legal sense to refer to identifying those who are responsible for an internationally wrongful act. It is also used in a non-legal sense to describe the identification of actors (including non-state actors) who have carried out cyber conduct which may be regarded as hostile or malicious but does not necessarily involve an internationally wrongful act.

For the UK, there are technical and diplomatic considerations in determining whether to attribute publicly such activities in cyberspace. The decision whether to make a public attribution statement is a matter of policy. Each case is considered on its merits. The UK will publicly attribute conduct in furtherance of its commitment to clarity and stability in cyberspace or where it is otherwise in its interests to do so.

Whatever the nature of the attribution, there is no general legal obligation requiring a State to publicly disclose any underlying information on which its decision to attribute conduct is based."[190]

"Resort may be had to countermeasures in response to an internationally wrongful act, in accordance with international law, in relation to States’ activities in cyberspace as in relation to their other activities. This includes both resorting to countermeasures against a State whose cyber activities constitute internationally wrongful acts and carrying out countermeasures by means of cyber operations. Countermeasures need not be symmetrical: where the internationally wrongful act is itself not a cyber activity, the response may nonetheless involve cyber-based countermeasures (and vice versa).

An injured State may only take countermeasures against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations. Any measures adopted must be commensurate with the injury suffered. They must be carried out in accordance with the conditions and restrictions established in international law and must in particular not contravene the prohibition on the threat or use of force, must be necessary and proportionate to the purpose of inducing the responsible State to comply with its obligations and must not contravene any other peremptory norm of international law.

The application of international law to the use of countermeasures in cyberspace must take account of the nature of cyber activities, which might commence and then cease almost instantaneously or within a short timeframe. In those circumstances, a wider pattern of cyber activities might collectively constitute an internationally wrongful act justifying a response.

The UK does not consider that States taking countermeasures are legally obliged to give prior notice (including by calling on the State responsible for the internationally wrongful act to comply with international law) in all circumstances. Prior notice may not be a legal obligation when responding to covert cyber intrusion with countermeasures or when resort is had to countermeasures which themselves depend on covert cyber capabilities. In such cases, prior notice could expose highly sensitive capabilities and prejudice the very effectiveness of the countermeasures in question. However any decision to resort to countermeasures without prior notice must be necessary and proportionate to the purpose of inducing compliance in the circumstances."[191]

"Human rights obligations apply to States’ activities in cyberspace as they do in relation to their other activities. The UK continues to support the view set out in Human Rights Council Resolution 20/8 that ‘the same rights that people have offline must also be protected online…’. States have an obligation to act in accordance with applicable international human rights law, including customary international law, and international conventions to which they are a party, such as the International Covenant on Civil and Political Rights, other UN treaties, and regional instruments such as the European Convention on Human Rights.

States’ respect for their human rights obligations in relation to their activities in cyberspace is essential to ensuring an open, secure, stable, accessible and peaceful environment and certain rights may have particular relevance to States’ activities in cyberspace including the right not to be subjected to arbitrary or unlawful interference with privacy, family, home or correspondence, the right to freedom of thought, conscience and religion and the right to freedom of expression."[192]

"IHL applies to operations in cyberspace conducted in the furtherance of hostilities in armed conflict just as it does to other military operations.

IHL seeks to limit the effects of armed conflict - it protects persons who are not, or who are no longer, participating in hostilities, and limits the methods and means of warfare employed by the belligerents."[193]

"IHL seeks to limit the effects of armed conflict and it is not therefore correct that its applicability to cyber operations in armed conflict would encourage the militarisation of cyberspace."[194]

"A cyber operation is capable of being an ‘attack’ under IHL where it has the same or similar effects to kinetic action that would constitute an attack. Where an operation in cyberspace amounts to an ‘attack’, the principles of distinction, proportionality, humanity and military necessity apply in the same way as they do to an attack by any other means. Those responsible for planning, deciding upon, or executing attacks necessarily have to reach decisions on the basis of their assessment of the information from all sources which is reasonably available to them at the relevant time. All relevant rules of IHL must be observed when planning and conducting operations whether by cyber or other means – the complexity of cyber operations is no excuse for a lower standard of protection to be afforded to civilians and civilian objects."[195] "Civilians are protected from attack unless and for such time as they take a direct part in hostilities. To the extent that civilians carry out cyber operations in an armed conflict that amount to attacks, they would lose their protected status under IHL and, by taking a direct part in hostilities, become legitimate military targets." [196]

United States (2012)

"Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. For example, cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues. Commonly cited examples of cyber activity that would constitute a use of force include, for example, (1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control resulting in airplane crashes. Only a moment’s reflection makes you realize that this is common sense: if the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force."[197]

"A state’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, “[w]hen warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”"[198]

"[...]the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response—such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack”—triggering the right to self-defense—as a subset of uses of force, which passes a higher threshold of gravity."[199]

"In the context of an armed conflict, the law of armed conflict applies to regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit uses of force in self-defense, and would regulate what may constitute a lawful response under the circumstances. There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality."[200]

"The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be, and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained.
In the cyber context, this rule requires parties to a conflict to assess (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyber attack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are military objectives."[201]

"As you all know, information and communications infrastructure is often shared between state militaries and private, civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. But how, exactly, are the jus in bello rules to be implemented in cyberspace? Parties to an armed conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation."[202]

"States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would be inherently indiscriminate, i.e., that it could not be used consistent with the principles of distinction and proportionality. The U.S. Government undertakes at least two stages of legal review of the use of weapons in the context of armed conflict: first, an evaluation of new weapons to determine whether their use would be per se prohibited by the law of war; and second, specific operations employing weapons are always reviewed to ensure that each particular operation is also compliant with the law of war."[203]

"States conducting activities in cyberspace must take into account the sovereignty of other states, including outside the context of armed conflict. The physical infrastructure that supports the Internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial state.
Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a state contemplates conducting activities in cyberspace, the sovereignty of other states needs to be considered."[204]

"States are legally responsible for activities undertaken through “proxy actors,” who act on the state’s instructions or under its direction or control. The ability to mask one’s identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for states in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the state’s instructions or under its direction or control. If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it. These rules are designed to ensure that states cannot hide behind putatively private actors to engage in conduct that is internationally wrongful."[205]

"[...]cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. I noted that legal tools exist to ensure that states are held accountable for those acts. What I want to highlight here is that many of these challenges — in particular, those concerning attribution — are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law.
Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones."[206]

"At the same time that cyber activity can pose a threat, we all understand that cyber-communication is increasingly becoming a dominant mode of expression in the 21st century. More and more people express their views not by speaking on a soap box at Speakers’ Corner, but by blogging, tweeting, commenting, or posting videos and commentaries. The 1948 Universal Declaration of Human Rights (UDHR)—adopted more than 70 years ago—was remarkably forward-looking in anticipating these trends. It says: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” In short, all human beings are entitled to certain rights, whether they choose to exercise them in a city square or an Internet chat room. This principle is an important part of our global diplomacy, and is encapsulated in the Internet Freedom agenda about which my boss, Secretary Clinton, has spoken so passionately."[207]

United States (2016)

"[..] remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects.

Most States, including the United States, engage in intelligence collection abroad. As President Obama said, the collection of intelligence overseas is “not unique to America.” As the President has also affirmed, the United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decisionmakers have access to timely, accurate, and insightful information. Indeed, the President issued a directive in 2014 to clarify the principles that would be followed by the United States in undertaking the collection of signals intelligence abroad.

Such widespread and perhaps nearly universal practice by States of intelligence collection abroad indicates that there is no per se prohibition on such activities under customary international law. I would caution, however, that because “intelligence collection” is not a defined term, the absence of a per se prohibition on these activities does not settle the question of whether a specific intelligence collection activity might nonetheless violate a provision of international law.

Although certain activities—including cyber operations — may violate another State’s domestic law, that is a separate question from whether such activities violate international law. The United States is deeply respectful of other States’ sovereign authority to prescribe laws governing activities in their territory. Disrespecting another State’s domestic laws can have serious legal and foreign policy consequences. As a legal matter, such an action could result in the criminal prosecution and punishment of a State’s agents in the United States or abroad, for example, for offenses such as espionage or for violations of foreign analogs to provisions such as the U.S. Computer Fraud and Abuse Act. From a foreign policy perspective, one can look to the consequences that flow from disclosures related to such programs. But such domestic law and foreign policy issues do not resolve the independent question of whether the activity violates international law."[208]

"In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force. This is a challenging area of the law that raises difficult questions. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions. Precisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris of States.

Relatedly, consider the challenges we face in clarifying the international law prohibition on unlawful intervention. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. For increased transparency, States need to do more work to clarify how the international law on non-intervention applies to States’ activities in cyberspace."[209]

"The Internet must remain open to the free flow of information and ideas. Restricting the flow of ideas also inhibits spreading the values of understanding and mutual respect that offer one of the most powerful antidotes to the hateful and violent narratives propagated by terrorist groups.

That is why the United States holds the view that use of the Internet, including social media, in furtherance of terrorism and other criminal activity must be addressed through lawful means that respect each State’s international obligations and commitments regarding human rights, including the freedom of expression, and that serve the objectives of the free flow of information and a free and open Internet. To be sure, the incitement of imminent terrorist violence may be restricted. However, certain censorship and content control, including blocking websites simply because they contain content that criticizes a leader, a government policy, or an ideology, or because the content espouses particular religious beliefs, violates international human rights law and must not be engaged in by States."[210]

"From a legal perspective, the customary international law of state responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise governmental authority are attributable to that State, if such organs, persons, or entities are acting in that capacity.

Additionally, cyber operations conducted by non-State actors are attributable to a State under the law of state responsibility when such actors engage in operations pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own.

Thus, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies. When there is information — whether obtained through technical means or all-source intelligence — that permits a cyber act engaged in by a non-State actor to be attributed legally to a State under one of the standards set forth in the law of state responsibility, the victim State has all of the rights and remedies against the responsible State allowed under international law.

The law of state responsibility does not set forth explicit burdens or standards of proof for making a determination about legal attribution. In this context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not—and cannot be—required. Instead, international law generally requires that States act reasonably under the circumstances when they gather information and draw conclusions based on that information.

I also want to note that, despite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law."[211]

"[..]a State can always undertake unfriendly acts that are not inconsistent with any of its international obligations in order to influence the behavior of other States. Such acts—which are known as acts of retorsion—may include, for example, the imposition of sanctions or the declaration that a diplomat is persona non grata."[212]

"The customary international law doctrine of countermeasures permits a State that is the victim of an internationally wrongful act of another State to take otherwise unlawful measures against the responsible State in order to cause that State to comply with its international obligations, for example, the obligation to cease its internationally wrongful act. Therefore, as a threshold matter, the availability of countermeasures to address malicious cyber activity requires a prior internationally wrongful act that is attributable to another State. As with all countermeasures, this puts the responding State in the position of potentially being held responsible for violating international law if it turns out that there wasn’t actually an internationally wrongful act that triggered the right to take countermeasures, or if the responding State made an inaccurate attribution determination. That is one reason why countermeasures should not be engaged in lightly.

Additionally, under the law of countermeasures, measures undertaken in response to an internationally wrongful act performed in or through cyberspace that is attributable to a State must be directed only at the State responsible for the wrongful act and must meet the principles of necessity and proportionality, including the requirements that a countermeasure must be designed to cause the State to comply with its international obligations—for example, the obligation to cease its internationally wrongful act — and must cease as soon as the offending State begins complying with the obligations in question.

The doctrine of countermeasures also generally requires the injured State to call upon the responsible State to comply with its international obligations before a countermeasure may be taken—in other words, the doctrine generally requires what I will call a “prior demand.” The sufficiency of a prior demand should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.

I also should note that countermeasures taken in response to internationally wrongful cyber activities attributable to a State generally may take the form of cyber-based countermeasures or non-cyber-based countermeasures. That is a decision typically within the discretion of the responding State and will depend on the circumstances."[213]

"Turning to cyber operations in armed conflict, I would like to start with the U.S. military’s cyber operations in the context of the ongoing armed conflict with the Islamic State of Iraq and the Levant (ISIL). As U.S. Defense Secretary Ashton Carter informed Congress in April 2016, U.S. Cyber Command has been asked “to take on the war against ISIL as essentially [its] first major combat operation […] The objectives there are to interrupt ISIL command-and-control, interrupt its ability to move money around, interrupt its ability to tyrannize and control population[s], [and] interrupt its ability to recruit externally.”

The U.S. military must comply with the United States’ obligations under the law of armed conflict and other applicable international law when conducting cyber operations against ISIL, just as it does when conducting other types of military operations during armed conflict. To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations. For example, such operations must only be directed against military objectives, such as computers, other networked devices, or possibly specific data that, by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage. Such operations also must comport with the requirements of the principles of distinction and proportionality. Feasible precautions must be taken to reduce the risk of incidental harm to civilian infrastructure and users. In the cyber context, this requires parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users.

Not all cyber operations, however, rise to the level of an “attack” as a legal matter under the law of armed conflict. When determining whether a cyber activity constitutes an “attack” for purposes of the law of armed conflict, States should consider, among other things, whether a cyber activity results in kinetic or non-kinetic effects, and the nature and scope of those effects, as well as the nature of the connection, if any, between the cyber activity and the particular armed conflict in question.

Even if they do not rise to the level of an “attack” under the law of armed conflict, cyber operations during armed conflict must nonetheless be consistent with the principle of military necessity. For example, a cyber operation that would not constitute an “attack,” but would nonetheless seize or destroy enemy property, would have to be imperatively demanded by the necessities of war. Additionally, even if a cyber operation does not rise to the level of an “attack” or does not cause injury or damage that would need to be considered under the principle of proportionality in conducting attacks, that cyber operation still should comport with the general principles of the law of war."[214]

"[..] another element of the United States’ strategic framework for international cyber stability: the development of international consensus on certain additional voluntary, non-binding norms of responsible State behaviour in cyberspace that apply during peacetime.

Internationally, the United States has identified and promoted four such norms:

  • First, a State should not conduct or knowingly support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information with the intent of providing competitive advantages to its companies or commercial sectors.
  • Second, a State should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide service to the public.
  • Third, a State should not conduct or knowingly support activity intended to prevent national computer security incident response teams (CSIRTs) from responding to cyber incidents. A State also should not use CSIRTs to enable online activity that is intended to do harm.
  • Fourth, a State should cooperate, in a manner consistent with its domestic and international obligations, with requests for assistance from other States in investigating cyber crimes, collecting electronic evidence, and mitigating malicious cyber activity emanating from its territory.

These four U.S.-promoted norms seek to address specific areas of risk that are of national and/or economic security concern to all States. Although voluntary and non-binding in nature, these norms can serve to define an international standard of behavior to be observed by responsible, like-minded States with the goal of preventing bad actors from engaging in malicious cyber activity. If observed, these measures—which can include measures of self-restraint—can contribute substantially to conflict prevention and stability. Over time, these norms can potentially provide common standards for responsible States to use to identify and respond to behavior that deviates from these norms. As more States commit to observing these norms, they will be increasingly willing to condemn the malicious activities of bad actors and to join together to ensure that there are consequences for those activities.

It is important, however, to distinguish clearly between international law, on the one hand, and voluntary, non-binding norms on the other. These four norms identified by the United States, or the other peacetime cyber norms recommended in the 2015 UN GGE report, fall squarely in the voluntary, non-binding category. These voluntary, non-binding norms set out standards of expected State behavior that may, in certain circumstances, overlap with standards of behavior that are required as a matter of international law. Such norms are intended to supplement existing international law. They are designed to address certain cyber activities by States that occur outside of the context of armed conflict that are potentially destabilizing. That said, it is possible that if States begin to accept the standards set out in such non-binding norms as legally required and act in conformity with them, such norms could, over time, crystallize into binding customary international law. As a result, States should approach the process of identifying and committing to such non-binding norms with care."[215]

Appendixes

See also

Notes and references

  1. ILC Articles on State Responsibility, Art 4.
  2. ILC Articles on State Responsibility, Art 8.
  3. ILC Articles on State Responsibility, Art 4(1).
  4. ILC Articles on State Responsibility, Art 6.
  5. ILC Articles on State Responsibility, Art 5.
  6. ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
  7. ILC Articles on State Responsibility, Art 8; see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405.
  8. ILC Articles on State Responsibility, Art 9.
  9. ILC Articles on State Responsibility, Art 10(1).
  10. ILC Articles on State Responsibility, Art 10(2).
  11. ILC Articles on State Responsibility, Art 11.
  12. See further Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51, 64-68.
  13. ILC Articles on State Responsibility, commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").
  14. Tallinn Manual 2.0, Chapter 4 Section 1, para 8.
  15. Tallinn Manual 2.0, Chapter 4 Section 1, para 10; Cf. Yeager v Islamic Republic of Iran (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).
  16. Tallinn Manual 2.0, Chapter 4 Section 1, para 10.
  17. According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, 'Cyber and International Law in the 21st Century'); see also Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, para 13.
  18. Tallinn Manual 2.0, Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49 para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”).
  19. Australian Government, Australia's position on how international law applies to State conduct in cyberspace.
  20. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 18.
  21. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 18-19.
  22. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 19.
  23. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 20.
  24. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 20-21.
  25. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 21.
  26. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 21.
  27. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 22.
  28. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 23.
  29. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 23.
  30. President of Estonia: international law applies also in cyber space, 29 May 2019
  31. President of Estonia: international law applies also in cyber space, 29 May 2019
  32. President of Estonia: international law applies also in cyber space, 29 May 2019
  33. President of Estonia: international law applies also in cyber space, 29 May 2019
  34. President of Estonia: international law applies also in cyber space, 29 May 2019
  35. President of Estonia: international law applies also in cyber space, 29 May 2019
  36. President of Estonia: international law applies also in cyber space, 29 May 2019
  37. President of Estonia: international law applies also in cyber space, 29 May 2019
  38. International law and cyberspace - Finland's national position
  39. International law and cyberspace - Finland's national position
  40. International law and cyberspace - Finland's national position
  41. International law and cyberspace - Finland's national position
  42. International law and cyberspace - Finland's national position
  43. International law and cyberspace - Finland's national position
  44. International law and cyberspace - Finland's national position
  45. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 6.
  46. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7.
  47. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7.
  48. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 10.
  49. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 10-11.
  50. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7-8.
  51. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 6.
  52. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7.
  53. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 6.
  54. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 9-10.
  55. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 8.
  56. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7.
  57. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 12.
  58. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 12.
  59. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 13.
  60. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 14-15.
  61. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 15.
  62. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 15.
  63. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 15-16.
  64. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 16.
  65. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 16.
  66. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 16.
  67. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 2-3.
  68. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 3-4.
  69. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 3.
  70. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 11.
  71. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 4-6.
  72. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 6.
  73. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 7.
  74. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 8.
  75. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 8.
  76. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 8-9.
  77. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 9-10.
  78. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 10.
  79. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 10-12.
  80. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 13.
  81. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 13-14.
  82. Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 14-15.
  83. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  84. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  85. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  86. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  87. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  88. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  89. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  90. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  91. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  92. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  93. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6
  94. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 2
  95. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 2-3
  96. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 3
  97. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 2
  98. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 3
  99. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 3-4
  100. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4
  101. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4
  102. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4-5
  103. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 5
  104. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 5
  105. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 5
  106. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6
  107. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6
  108. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 6-7
  109. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 7-8
  110. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 1-3.
  111. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 3.
  112. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 3-4.
  113. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 4-5.
  114. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 6-7.
  115. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 7.
  116. Dutch Minister of Foreign Affairs, Letter to the parliament on the international legal order in cyberspace, 5 July 2019, 2-3.
  117. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 7-8.
  118. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 7-8.
  119. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 8-9.
  120. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 5.
  121. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 5-6.
  122. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 5.
  123. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019, 5.
  124. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 1-2.
  125. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 4.
  126. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 2.
  127. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 2-3.
  128. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
  129. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
  130. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
  131. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
  132. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3-4.
  133. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 4.
  134. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 4.
  135. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 67-68.
  136. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 68-69.
  137. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 69-70.
  138. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 73-74.
  139. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 70.
  140. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 71.
  141. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 71-72.
  142. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 72.
  143. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 72-73.
  144. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 73.
  145. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 74-75.
  146. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 75.
  147. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 76.
  148. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 76.
  149. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
  150. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
  151. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
  152. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.
  153. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.
  154. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.
  155. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.
  156. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78-79.
  157. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 2
  158. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 2-3
  159. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 3
  160. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 4
  161. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 4
  162. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 6-7
  163. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 7
  164. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 6
  165. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 4-5
  166. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 5
  167. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 5-6
  168. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 7
  169. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 8
  170. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 8-9
  171. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 9
  172. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 9-10
  173. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 9-10
  174. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 9-10
  175. Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 10-11
  176. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century, 23 May 2018
  177. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century, 23 May 2018
  178. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century, 23 May 2018
  179. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century, 23 May 2018
  180. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century, 23 May 2018
  181. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century, 23 May 2018
  182. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century, 23 May 2018
  183. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  184. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  185. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  186. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  187. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  188. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  189. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  190. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  191. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  192. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  193. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  194. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  195. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  196. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  197. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 3-4
  198. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 4
  199. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 7-8
  200. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 5
  201. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 5
  202. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 8
  203. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 6
  204. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 6
  205. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 6-7
  206. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 8
  207. Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 9-10
  208. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 11-13.
  209. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 13-14.
  210. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 16-17.
  211. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 17-20.
  212. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 20.
  213. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 21-22.
  214. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 8-10.
  215. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016, 22-25.

Bibliography and further reading