| Several States, including Austria, Estonia, France, Germany, Japan, the Netherlands, the United Kingdom, and the United States, have expressly confirmed the applicability of the law of countermeasures to cyber operations. Others, including Brazil, China, and Cuba, have expressed caution in this regard. Countermeasures should be distinguished from retorsions, which are unfriendly but lawful acts by the aggrieved party against the wrongdoer.
As a matter of general international law, an injured State may only take countermeasures against the responsible State if the following conditions are met:
Additionally, the countermeasures must fulfil the following requirements:
Taken countermeasures must be suspended if the internationally wrongful act has ceased and if “the dispute is pending before a court or tribunal which has the authority to make decisions binding on the parties”, and they must be terminated as soon as the responsible State has complied with its (secondary) obligations.
There is a debate as to whether States that have not themselves been directly injured by an unlawful cyber operation may engage in countermeasures in support of the injured State (sometimes referred to as collective countermeasures). In particular, one State has recently put forward the view that non-injured States “may apply countermeasures to support the state directly affected by the malicious cyber operation”. This would apply where diplomatic action is insufficient, but no lawful recourse to use of force exists. This interpretation would allow States to offer active assistance to States, which may not possess sufficient cyber capabilities themselves to counter an ongoing unlawful cyber operation. This view has found some support in scholarship, but was since rejected by at least one other State, with other parts of scholarship reluctant to endorse it. Therefore, it has to be regarded as a call for progressive development of international law, rather than a statement of the current state of international law.
Whether a particular measure fulfils these conditions is an objective question, while the burden of proof that the relevant conditions have been fulfilled falls on the injured State. The exact standard of proof required is unsettled in international law and it will depend on the relevant forum. However, relevant international jurisprudence tends to rely in this regard on the standard of “clear and convincing evidence”. This standard translates in practice into a duty to “convince the arbiter in question that it is substantially more likely than not that the factual claims that have been made are true.” Importantly, if a State does resort to countermeasures on the basis of an unfounded assessment that a breach has occurred, it may incur responsibility for its own wrongful conduct.
Publicly available national positions that address this issue include: (2020), (2021), (2022), (2019), (2021), (2020), (2019), (2021), (2020), (2021), (2021), (2019), (2020), (2021), (2022), (2021), (2021), (2021), (2022), (2021), (2018), (2021), (2022), (2016), (2020), (2021).
"If a State is a victim of malicious cyber activity, which is attributable to a perpetrator State, the victim-State may be able to take countermeasures (whether in cyberspace or through another means) under certain circumstances. Countermeasures are measures, which would otherwise be unlawful, taken to secure cessation of, or reparation for, the other State's unlawful conduct.
Countermeasures in cyberspace cannot amount to a use of force and must be proportionate. States are able to respond to other States' malicious activity with acts of retorsion, which are unfriendly acts that are not inconsistent with any of the State's international obligations."
"On the other hand, there are questions on the customary status of other set of articles on state responsibility emanated from the ILC, such as the ones on countermeasures. There are different views on the existence of widespread state practice and opinio juris capable of giving rise to customary international law on the legality and the requirements of countermeasures. Furthermore, it is generally accepted that the ILC provisions on countermeasures went beyond the codification of customary norms and had a strong element of progressive development of international law. In this regard, it is important to recall that several states have criticized countermeasures because they would be prone to abuses, especially due to the material inequality of states.
Particularly on ICTs, there are many factors advising a cautious approach on countermeasures. First, there is an added difficulty to attribute cyber activities to a particular State, which is aggravated by the fact that States have different technical resources and capabilities to both identify the origins of a cyber activity and to verify claims of breaches of international obligations through cyber means. Second, cyber operations can be designed to mask or spoof the perpetrator, which in turns increase the risks of miscalculated responses against innocent actors. Finally, the speed with which the precipitating wrongful cyber operations may unfold poses a high risk of escalation, with potential rippling effects to the kinetic domain.
With this in mind, Brazil considers that there needs to be further discussions on the legality of countermeasures as a response to internationally wrongful acts, including in the cyber context. The discussions must fully take into account the UN Charter in its entirety, thus excluding from the outset any possibility of using force as a countermeasure – a view that has already been confirmed by the ILC. The priority of peaceful settlement of disputes, in line with articles 2(3) and 33 of the UN Charter, must also be reaffirmed."
"34. Canada considers that States are entitled to use countermeasures in response to internationally wrongful acts including in cyberspace. The customary international law of State responsibility defines limits in the exercise of the right to take countermeasures, being actions that would otherwise be unlawful. Countermeasures may not be taken in retaliation, but only to induce compliance, and directed at the State responsible for the internationally wrongful act. They may not constitute the threat or use of force, must be consistent with other peremptory norms of international law, and they must be proportional.
35. Lawful countermeasures in response to internationally wrongful cyber acts can be non-cyber in nature, and can include cyber operations in response to non-cyber internationally wrongful acts.
36. A State taking countermeasures is not obliged to provide detailed information equivalent to the level of evidence required in a judicial process to justify its cyber countermeasures; however, the State should have reasonable grounds to believe that the State that is alleged to have committed the internationally wrongful act was responsible for it. The precise scope of certain procedural aspects of countermeasures, such as notification, needs to be further defined through State practice given the unique nature of cyberspace.
37. Assistance can be provided on request of an injured State, for example where the injured State does not possess all the technical or legal expertise to respond to internationally wrongful cyber acts. However, decisions as to possible responses remain solely with the injured State. Canada has considered the concept of “collective cyber countermeasures” but does not, to date, see sufficient State practice or opinio juris to conclude that these are permitted under international law. Canada distinguishes “collective cyber countermeasures” from actions taken in “collective self-defence” including measures taken in cyberspace."
"[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner.
Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. The countermeasures applied should follow the principle of proportionality and other principles established within the international customary law. International security and the rules-based international order have long benefitted from collective efforts to stop the violations. We have seen this practice in the form of collective self-defence against armed attacks. For malicious cyber operations, we are starting to see this in collective diplomatic measures I mentioned before. The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace."
"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."
|If a cyber operation does not reach the threshold of armed conflict but nonetheless constitutes a violation of international law, states maintain the right to take countermeasures, in accordance with the law of state responsibility.|
"Countermeasures have strict legal criteria – an injured state may only take countermeasures against a state that is responsible for an internationally wrongful act in order to induce the given state to comply with its international obligations. This means that under certain circumstances, an injured state has the right to take measures that would normally violate international customary law or international treaties, but taken as a countermeasure such actions would be permitted as they would be in response to a violation of international law.
In order to take countermeasures in response to a malicious cyber operation violating international law, the operation in question must have been attributed to a state."
"An internationally wrongful act may justify recourse to countermeasures by the injured State if the State responsible for an internationally wrongful act declines to cease the wrongful conduct or pay reparation. Countermeasures may only be taken with the purpose of ensuring compliance, not for retaliation. Countermeasures may furthermore not breach the prohibition of the threat or use of force, or other peremptory norms of general international law, and must be consistent with other customary law requirements and limitations concerning countermeasures, most of which are reflected in the International Law Commission’s Articles on State Responsibility. Some of the procedural requirements concerning countermeasures may nevertheless require adjustment. For instance, it may be possible to attribute a hostile cyber operation only afterward whereas countermeasures normally should be taken while the wrongful act is ongoing. There is no general obligation for a State taking countermeasures to disclose the information on the basis of which the action is taken. At the same time, it is in each State’s best interests to ensure that a decision to take countermeasures is based on solid evidence, given that recourse to countermeasures would otherwise constitute an internationally wrongful act. A State that responds to a hostile cyber operation must therefore have adequate proof of the source of the operation and convincing evidence of the responsibility of a particular State."
"In general, France can respond to cyberattacks by taking counter-measures. In response to a cyberattack that infringes international law (including use of force), France may take counter-measures designed to (i) protect its interests and ensure they are respected and (ii) induce the State responsible to comply with its obligations.
Under international law, such counter-measures must be taken by France in its capacity as victim. Collective counter-measures are not authorised, which rules out the possibility of France taking such measures in response to an infringement of another State’s rights.
Counter-measures must also be taken in compliance with international law, in particular the prohibition of the threat or use of force. Consequently, they form part of a peaceful response, their sole purpose being to end the initial violation, including in reaction to a cyberoperation that constitutes a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter. The response to a cyberoperation may involve digital means or not, provided that it is commensurate with the injury suffered, taking into account the gravity of the initial violation and the rights in question.
Lastly, the use of counter-measures requires the State responsible for the cyberattack to comply with its obligations.The victim State may, in certain circumstances, derogate from the obligation to inform the State responsible for the cyberoperation beforehand, where there is a need to protect its rights. The possibility of taking urgent counter-measures is particularly relevant in cyberspace, given the widespread use of concealment procedures and the difficulties of traceability."
"The law of countermeasures allows a State to react, under certain circumstances, to cyber-related breaches of obligations owed to it by another State by taking measures which for their part infringe upon legal obligations it owes to the other State. If certain legal conditions are met, such measures do not constitute wrongful acts under the international law of State responsibility. Germany agrees that cyber-related as well as non-cyber-related breaches of international obligations may be responded to by both cyber and non-cyber countermeasures.
As regards the limitations to countermeasures, Germany is of the opinion that, generally, the same conditions apply as in non cyber-related contexts: In particular, countermeasures may only be adopted against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations arising from its responsibility (in particular cessation of the wrongful act). Also, they must be proportionate and respect fundamental human rights, obligations of a humanitarian character prohibiting reprisals and peremptory norms of international law.
Due to the multifold and close interlinkage of cyber infrastructures not only across different States but also across different institutions and segments of society within States, cyber countermeasures are specifically prone to generating unwanted or even unlawful side effects. Against this background, States must be particularly thorough and prudent in examining whether or not the applicable limitation criteria to cyber countermeasures are met.
A State may – a maiore ad minus – engage in cyber reconnaissance measures in order to explore options for countermeasures and assess the potential risk of side effects if such measures fulfil the requirements for countermeasures." 
"With respect to the issue of countermeasures, I would like to echo the positions taken by the United Kingdom, the United States, and other States, to the effect that there is no absolute duty under international law to notify the responsible State in advance of a cyber-countermeasure. Prior notification is perhaps more realistic and practical in fields such as international trade, allowing the responsible State to reconsider its actions without frustrating the ability of the injured State to take the intended countermeasures. However, in the cyber domain, where the pace of events can be extremely fast and the other side may thwart the action if it anticipates it, announcing a cyber-countermeasure in advance would often negate its utility and effectiveness, and in some instances undermine the interests of the injured State, as well as render the countermeasure obsolete."
Italy is of the view that when a State is victim of an international wrongful act perpetrated by another State, it may take countermeasures in response.
Italy deems that countermeasures are adequate responses to cyber operations that constitute an international wrongful act below the threshold of an armed attack. This is without prejudice to the inherent right of States to self-defence. The adoption of countermeasures against the State that may be held responsible, directly or indirectly, for unlawful cyber acts may be problematic due to, inter alia, difficulties of: traceability, assessment of breach in relation with the threshold of the diligence due, significance of the harm suffered.
The victim-State is generally required to call upon the State of origin to discontinue the wrongful act and to notify it of its intention to take countermeasures in response to wrongful cyber operations. However, in conformity with international law, this requirement may not apply if immediate action is needed to enforce the rights of the injured State and to prevent further damage.
The response to a wrongful cyber operation may be in kind (but not necessarily, as per relevant international law), on the condition that the response is commensurate with the harm suffered and is limited to the purpose of ensuring compliance with breached obligations, thus taking into account the seriousness of the initial violation and the rights in question. In any case, countermeasures must not amount to a threat, or use, of force and must be consistent with other peremptory norms, as well as with human rights and humanitarian law."
"Under international law, it is permitted, under certain conditions, to take countermeasures against internationally wrongful acts.
In general terms, under international law, a State which has been injured by an internationally wrongful act of another State may take, under certain conditions, countermeasures in order to induce the responsible State to comply with (i) the obligation to cease the international wrongful act and (ii) the obligation to make reparation.
General international law does not confine countermeasures to those with the same means as the preceding internationally wrongful act in response to which they are taken. Japan considers that this is the same for the countermeasures against internationally wrongful acts in cyberspace."
"If state is the victim of a violation by another state of an obligation under international law (i.e. an internationally wrongful act), it may under certain circumstances take countermeasures in response. Countermeasures are acts (or omissions) that would normally constitute a violation of an obligation under international law but which are permitted because they are a response to a previous violation by another state. In cyberspace, for example, a cyber operation could be launched to shut down networks or systems that another state is using for a cyberattack. A countermeasure is different to the practice of retorsion in that it would normally be contrary to international law. For this reason, countermeasures are subject to strict conditions, including the requirement that the injured state invoke the other state’s responsibility. This involves the injured state establishing a violation of an obligation under international law that applies between the injured state and the responsible state, and requires that the cyber operation can be attributed to the responsible state.
In addition, the injured state must in principle notify the other state of its intention to take countermeasures. However, if immediate action is required in order to enforce the rights of the injured state and prevent further damage, such notification may be dispensed with. Furthermore, countermeasures must be temporary and proportionate, they may not violate any fundamental human rights, and they may not amount to the threat or use of force."
New Zealand (2020)
"If State A attributes internationally wrongful cyber activity to State B, State A may demand reparation and guarantees of non repetition and/or utilise peaceful dispute resolution mechanisms, including the International Court of Justice where available. State A may also respond with countermeasures against State B. Countermeasures are otherwise internationally wrongful acts that are permitted when undertaken to induce another state to comply with its obligations under international law. They may include, but are not limited to, cyber activities that would otherwise be prohibited by international law. Any countermeasure must: a. be undertaken to induce compliance by the state in breach of international law;
b. be directed at the state responsible for the internationally wrongful act;
c. not rise to the level of use of force or breach peremptory norms of international law; and
d. be necessary and proportionate.
Given the collective interest in the observance of international law in cyberspace, and the potential asymmetry between malicious and victim states, New Zealand is open to the proposition that victim states, in limited circumstances, may request assistance from other states in applying proportionate countermeasures to induce compliance by the state acting in breach of international law. In those circumstances, collective countermeasures would be subject to the same limitations set out above."
"If a State is the victim of an internationally wrongful cyber operation and another State can be held responsible under customary international law on State responsibility, the injured State may, depending on the circumstances, be entitled to take countermeasures.
A countermeasure is an act that would otherwise be contrary to international law, but where the injured State can invoke the prior internationally wrongful act as a ground for precluding wrongfulness. If there is doubt regarding the attribution of a cyber operation to a State under international law, it may be preferable for the injured State to make use of acts of retorsion rather than countermeasures in order to avoid the possibility of incurring State responsibility for its response.
Countermeasures may only be taken to induce a State to cease an internationally wrongful act or resume its compliance with an international obligation. They are not to be used for punishment and retaliation. Countermeasures must be limited to what is considered necessary and proportional, and may only target the State to which the cyber operation or internationally wrongful act can be attributed. There is no requirement for countermeasures to be of the same nature as the internationally wrongful acts to which they are a response, and countermeasures in response to cyber operations may therefore be carried out within or outside cyberspace. Countermeasures must not violate the prohibition on the threat or use of force or international humanitarian law.
The State held responsible should be notified of both the violation of international law and the grounds for attribution, as well as of the intention to introduce countermeasures. Countermeasures may only be taken if a State has sufficient grounds for attributing the conduct in question to a particular State under international law. What constitutes sufficient grounds will be fact-specific and case-specific, and can be particularly challenging to determine in the case of cyber operations. The State taking countermeasures must be confident in its attribution before resorting to countermeasures. However, the State taking countermeasures need not publish detailed grounds for its attribution or give a detailed technical account of this to the State identified as responsible as this might reveal sensitive methods of interception and detection or offensive and defensive capabilities.
Countermeasures may be taken without prior notification to the responsible State if providing such notification might reveal sensitive methods or capabilities or prevent the countermeasures from having the necessary effect. For example, the injured State could carry out a cyber operation to disrupt the capability of the aggressor State conducting the internationally wrongful cyber operation such as election interference. This countermeasure would in other circumstances be in violation of the aggressor State’s sovereignty."
"Countermeasures are the reaction of a state whose international rights have been violated by another actor. They consist in refraining from the performance of international obligations for some time in order to persuade the state that violates international law to fulfil its obligations and to persuade it against further violations.
At the same time, the Republic of Poland expresses the view that the evolution of customary international law over the last two decades provides grounds for recognising that a state may take countermeasures in pursuit of general interest as well. In particular, the possibility of taking such measures materialise itself in response to states’ violations of peremptory norms, such as the prohibition of aggression.
When applying such measures, the state is required to act in accordance with the principle of proportionality. Moreover, both retorsion and countermeasures cannot constitute the violation of norms pertaining to fundamental human rights, obligations under international humanitarian law and peremptory norms."
"At the same time, once the international responsibility of a State is entailed, the injured State(s) may recourse to countermeasures in order to induce that State to comply with its international obligations."
"The countermeasures, which can be taken by an injured State against a State which is responsible for an internationally wrongful act, shall not affect the obligation to refrain from the threat or use of force as embodied in the Charter of the United Nations; obligations for the protection of fundamental human rights; obligations of a humanitarian character prohibiting reprisals; other obligations under peremptory norms of general international law (article 50)."
"Even if malicious cyber activity against a State has not risen to the level of an armed attack entitling the victim State to exercise the right of self-defence, international law provides that a victim State that is subjected to another State’s internationally wrongful act against it (whether through malicious cyber activity, or physical means) is entitled to have recourse to counter-measures which are consistent with international law.
Malicious cyber activity attributable to a State that interferes with a victim State’s proper governing functions is an example of an internationally wrongful act."
"A State responsible for a wrongful act is under an obligation to cease its behaviour and to make full reparation for the injury caused. When a State is injured by an internationally wrongful act it may respond by a variety of measures. Such measures include countermeasures against the responsible State to ensure compliance with its international obligations.
Recourse to countermeasures is subject to strict requirements under the law of State responsibility and include measures otherwise prohibited by international law. Countermeasures must inter alia be proportionate in character and cannot include the use of force. There is no requirement for responsive measures to be similar in kind and they may include non-cyber means. Before resorting to countermeasures, the injured State must notify the responsible State. It should be noted that this rule also allows for countermeasures without prior notification when urgent measures are needed to preserve the rights of the injured State. This rule also applies to cyber operations."
"If the threshold for an armed attack has not been reached, states can have recourse to immediate and proportionate non-violent countermeasures".
"In cases where an act violates international law and can be legally attributed to a state, the injured state(s) may also take countermeasures in the form of reprisals, provided that the applicable rules governing state responsibility are observed. Although reprisals are contrary to international law, they are justified in response to a prior breach of international law. However, such a countermeasure must not violate certain fundamental substantive obligations such as the prohibition on the use of force, fundamental human rights, most norms of international humanitarian law, peremptory norms (jus cogens) and the obligation to respect diplomatic and consular inviolability. Military force, i.e. measures leading to loss of life and limb, are therefore prohibited.
Countermeasures must impose a (legal) disadvantage aimed at prompting the state concerned to cease its conduct that is in breach of international law and/or to make reparations. In principle, the responsible state can only impose countermeasures if it has first called for the violation(s) to cease and has announced what measures it is planning to take. Exceptions may be made for cyber operations requiring an immediate response in order for the injured state to enforce its rights and prevent further damage. Countermeasures must always be proportional, whatever the circumstances.
A countermeasure in response to a cyber incident does not necessarily have to take place in the cyber domain. In accordance with the rules governing state responsibility, other measures that aim to enforce the responsible state's compliance with its international obligations are also permissible. Cyber countermeasures do not have to directly target the computer system originally used to commit the incident in question; injured states are permitted to take other measures as long as they are aimed at the responsible state ceasing its conduct that is in breach of international law. This means that depending on the specific circumstances, it may be permissible under international law to use cyber countermeasures to block the computer system abroad originally used to commit the incident. Likewise, in some cases it may be permissible to compromise computer systems abroad even if they were not the original source of the incident."
United Kingdom (2018)
"Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.
These restrictions under the doctrine of countermeasures are generally accepted across the international law community. The one area where the UK departs from the excellent work of the International Law Commission on this issue is where the UK is responding to covert cyber intrusion with countermeasures.
In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it. The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.
In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa."
United Kingdom (2021)
"Resort may be had to countermeasures in response to an internationally wrongful act, in accordance with international law, in relation to States’ activities in cyberspace as in relation to their other activities. This includes both resorting to countermeasures against a State whose cyber activities constitute internationally wrongful acts and carrying out countermeasures by means of cyber operations. Countermeasures need not be symmetrical: where the internationally wrongful act is itself not a cyber activity, the response may nonetheless involve cyber-based countermeasures (and vice versa).
An injured State may only take countermeasures against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations. Any measures adopted must be commensurate with the injury suffered. They must be carried out in accordance with the conditions and restrictions established in international law and must in particular not contravene the prohibition on the threat or use of force, must be necessary and proportionate to the purpose of inducing the responsible State to comply with its obligations and must not contravene any other peremptory norm of international law.
The application of international law to the use of countermeasures in cyberspace must take account of the nature of cyber activities, which might commence and then cease almost instantaneously or within a short timeframe. In those circumstances, a wider pattern of cyber activities might collectively constitute an internationally wrongful act justifying a response.
The UK does not consider that States taking countermeasures are legally obliged to give prior notice (including by calling on the State responsible for the internationally wrongful act to comply with international law) in all circumstances. Prior notice may not be a legal obligation when responding to covert cyber intrusion with countermeasures or when resort is had to countermeasures which themselves depend on covert cyber capabilities. In such cases, prior notice could expose highly sensitive capabilities and prejudice the very effectiveness of the countermeasures in question. However any decision to resort to countermeasures without prior notice must be necessary and proportionate to the purpose of inducing compliance in the circumstances."
United Kingdom (2022)
"[..] [U]nder the international law doctrine of countermeasures, a State may respond to a prior unlawful act, in ways which would under normal circumstances be unlawful, in order to stop the offending behaviour and ensure reparation. The UK has previously made clear that countermeasures are available in response to unlawful cyber operations by another State. It is also clear that countermeasures need not be of the same character as the threat and could involve non-cyber means, where it is the right option in order to bring unlawful behaviour in cyberspace to an end.
However, some countries simply do not have the capability to respond effectively by themselves in the face of hostile and unlawful cyber intrusions. It is open to States to consider how the international law framework accommodates, or could accommodate, calls by an injured State for assistance in responding collectively."
United States (2016)
"The customary international law doctrine of countermeasures permits a State that is the victim of an internationally wrongful act of another State to take otherwise unlawful measures against the responsible State in order to cause that State to comply with its international obligations, for example, the obligation to cease its internationally wrongful act. Therefore, as a threshold matter, the availability of countermeasures to address malicious cyber activity requires a prior internationally wrongful act that is attributable to another State. As with all countermeasures, this puts the responding State in the position of potentially being held responsible for violating international law if it turns out that there wasn’t actually an internationally wrongful act that triggered the right to take countermeasures, or if the responding State made an inaccurate attribution determination. That is one reason why countermeasures should not be engaged in lightly.
Additionally, under the law of countermeasures, measures undertaken in response to an internationally wrongful act performed in or through cyberspace that is attributable to a State must be directed only at the State responsible for the wrongful act and must meet the principles of necessity and proportionality, including the requirements that a countermeasure must be designed to cause the State to comply with its international obligations—for example, the obligation to cease its internationally wrongful act — and must cease as soon as the offending State begins complying with the obligations in question.
The doctrine of countermeasures also generally requires the injured State to call upon the responsible State to comply with its international obligations before a countermeasure may be taken—in other words, the doctrine generally requires what I will call a “prior demand.” The sufficiency of a prior demand should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.
I also should note that countermeasures taken in response to internationally wrongful cyber activities attributable to a State generally may take the form of cyber-based countermeasures or non-cyber-based countermeasures. That is a decision typically within the discretion of the responding State and will depend on the circumstances."
United States (2020)
"Depending on the circumstances, DoD lawyers may also consider whether an operation that does not constitute a use of force could be conducted as a countermeasure. In general, countermeasures are available in response to an internationally wrongful act attributed to a State. In the traditional view, the use of countermeasures must be preceded by notice to the offending State, though we note that there are varying State views on whether notice would be necessary in all cases in the cyber context because of secrecy or urgency. In a particular case it may be unclear whether a particular malicious cyber activity violates international law. And, in other circumstances, it may not be apparent that the act is internationally wrongful and attributable to a State within the timeframe in which the DoD must respond to mitigate the threat. In these circumstances, which we believe are common, countermeasures would not be available."
United States (2021)
"In certain circumstances, a State injured by cyber activities that are attributable to another State and that constitute an internationally wrongful act, but do not amount to an armed attack, may respond with non-forcible countermeasures. Such countermeasures must be directed only at the State responsible for the wrongful act, must meet the requirements of necessity and proportionality, must be designed to induce the State to return to compliance with its international obligations, and, under the customary international law of State responsibility, must be suspended without undue delay if the internationally wrongful act has ceased.
Before an injured State can undertake countermeasures in response to a cyber-based internationally wrongful act attributable to a State, it generally must call upon the responsible State to cease its wrongful conduct, unless urgent countermeasures are necessary to preserve the injured State’s rights. The sufficiency of this prior demand on the responsible State should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.
Countermeasures taken in response to cyber activities attributable to States that constitute internationally wrongful acts may take the form of cyber-based countermeasures or non-cyber-based countermeasures. Countermeasures are distinct from acts of retorsion, which are unfriendly acts that are not inconsistent with any international obligations".
- Scenario 04: A State’s failure to assist an international organization
- Scenario 05: State investigates and responds to cyber operations against private actors in its territory
- Scenario 06: Cyber countermeasures against an enabling State
- Scenario 09: Economic cyber espionage
- Scenario 14: Ransomware campaign
- Scenario 17: Collective responses to cyber operations
Notes and references
- ↑ ILC Articles on State Responsibility, Commentary, part 3 ch 2 at para 1.
- ↑ Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility. A target State may also react through proportionate countermeasures.’ (emphasis added).
- ↑ Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures”
- ↑ French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that ‘In response to a cyberattack, France may consider diplomatic responses to certain incidents, countermeasures, or even coercive action by the armed forces if an attack constitutes armed aggression.’
- ↑ Germany, ‘Statement by Ambassador Dr Thomas Fitschen, Director for the United Nations, Cyber Foreign Policy and Counter-Terrorism, Federal Foreign Office of Germany’ (November 2018) 3, stating that ‘in case of a cyber operation that is in breach of an international legal obligation below the level of the use or threat of force prohibited by Art. 2 (IV) [of the UN Charter] States are also entitled to take countermeasures as allowed by international law.’
- ↑ Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated), stating that ‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’
- ↑ Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 7.
- ↑ United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017), stating that ‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime, including the availability of the doctrine of countermeasures in response to internationally wrongful acts.’
- ↑ Brian J. Egan, ‘Remarks on International Law and Stability in Cyberspace’ (10 November 2016), stating that countermeasures are available ‘to address malicious cyber activity’ if that activity amounts to a prior internationally wrongful act attributable to another State.
- ↑ Brazil, ‘Open-ended Working Group on developments in the field of information and telecommunications in the context of international security: Second Substantive Session - New York, 11 February 2020: Statement by the Delegation of Brazil’ (11 February 2020), stating that ‘In the case of malicious acts in cyberspace, it is often difficult to attribute responsibility to a particular State or actor with unqualified certainty. A decision to resort to countermeasures in response to such acts carries a high risk of targeting innocent actors, and of triggering escalation.’
- ↑ China, ‘Statement by the Chinese Delegation at the Thematic Debate of the First Committee of the 72th UNGA’ (October 2017), stating that ‘Countries should discuss application of international law in the manner conducive to maintain peace, avoid introducing force, deterrence and countermeasures into cyberspace, so as to prevent arms race in cyberspace and reduce risks of confrontation and conflicts.’
- ↑ Cuba, ‘Declaration by Miguel Rodríguez, Representative of Cuba, at the Final Session of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (23 June 2017), registering ‘serious concern over the pretension of some, reflected in para 34 of the draft final report, to convert cyberspace into a theater of military operations and to legitimize, in that context, unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs.’ (emphasis added).
- ↑ ILC Articles on State Responsibility, Art 49 para 1; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 83.
- ↑ ILC Articles on State Responsibility, Art 52 paras 3 - 4.
- ↑ ILC Articles on State Responsibility, Art 52 para 1 subpara a). According to the UK Attorney General, the UK does not feel legally obliged, when taking countermeasures in response to a covert cyber intrusion, to “give prior notification to the hostile state”. UK Attorney General, Jeremy Wright QC MP, ‘Cyber and International Law in the 21st Century’.
- ↑ ILC Articles on State Responsibility, Art 28-41; the list of consequences includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
- ↑ ILC Articles on State Responsibility, Art 52 para 1 subpara b) – Art 52 para 2.
- ↑ ILC Articles on State Responsibility, Art 49(1); Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 87. The list of consequences in Art 28-41 includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
- ↑ ILC Articles on State Responsibility, Art 49(3).
- ↑ Such as the obligation to refrain from the threat or use of force as embodied in the UN Charter, obligations for the protection of fundamental human rights, and obligations of a humanitarian character prohibiting reprisals. ILC Articles on State Responsibility, Art 50(1).
- ↑ ILC Articles on State Responsibility, Art 50(2).
- ↑ Articles on State Responsibility, Art 51; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 85.
- ↑ ILC Articles on State Responsibility, Art 54.
- ↑ President of Estonia, Kersti Kaljulaid, ‘President of the Republic at the opening of CyCon 2019’ (29.05.2019).
- ↑ Michael N Schmitt, ‘Estonia Speaks Out on Key Rules for Cyberspace’ Just Security (10.06.2019), considering the Estonian interpretation to be “an advantageous development in the catalogue of response options that international law provides to deal with unlawful acts”.
- ↑ French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 10, arguing that collective countermeasures are not authorised under international law.
- ↑ Jeff Kosseff, ‘Collective Countermeasures in Cyberspace,’ (2020) Notre Dame Journal of International & Comparative Law Vol. 10, Iss. 1, 34; François Delerue, Cyber Operations and International Law (CUP 2020), 457.
- ↑ ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49, para 3.
- ↑ ILC Articles on State Responsibility, Commentary to Part One, Chapter 5, para 8 (noting that “[i]n a bilateral dispute over State responsibility, the onus of establishing responsibility lies in principle on the claimant State”).
- ↑ See, eg, Trail Smelter case (United States v Canada) (Award) 1941 3 RIAA 1905, 1965; see also Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013) 624 (noting that in cases where State responsibility is involved, the required threshold tends to shift towards ‘clear and convincing’”).
- ↑ James Green, ‘Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice’ (2009) 58 ICLQ 163, 167 (emphasis original).
- ↑ ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49 para 3.
- ↑ Australian Government, Australia's position on how international law applies to State conduct in cyberspace
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 21.
- ↑ Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote , Articles on State Responsibility, supra note 21, Art. 22.
- ↑ Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote , In this regard the law of state responsibility foresees cases where notification may not be required – Articles on State Responsibility, supra note 21,Art. 52(b).
- ↑ Government of Canada, International Law applicable in cyberspace, April 2022
- ↑ President of Estonia: international law applies also in cyber space, 29 May 2019
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 28.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 29-30.
- ↑ International law and cyberspace - Finland's national position
- ↑ Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7-8.
- ↑ Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 13-14.
- ↑ Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
- ↑ Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,7-8.
- ↑ Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4-5
- ↑ Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 7-8.
- ↑ The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3-4.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 72-73.
- ↑ The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 8.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 79.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 84.
- ↑ Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,6
- ↑ Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 4.
- ↑ Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6-7.
- ↑ Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
- ↑ United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
- ↑ Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
- ↑ Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 21-22.
- ↑ Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
- ↑ Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 142.