Editing National position of the United Kingdom (2018)

Jump to navigation Jump to search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 2: Line 2:
 
This is the national position of the United Kingdom on international law applicable to cyberspace. The position has been presented by the UK Attorney General Jeremy Wright on 23 May 2018 during a Chatham House speech titled <i>"Cyber and International Law in the 21st Century".</i> <ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref>
 
This is the national position of the United Kingdom on international law applicable to cyberspace. The position has been presented by the UK Attorney General Jeremy Wright on 23 May 2018 during a Chatham House speech titled <i>"Cyber and International Law in the 21st Century".</i> <ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref>
   
==[[Applicability of international law]]==
+
==Applicability of international law==
<section begin=UK_2018 applicability />
 
 
"Cyber space is not – and must never be – a lawless world. It is the UK’s view that when states and individuals engage in hostile cyber operations, they are governed by law just like activities in any other domain. The UK has always been clear that we consider cyber space to be an integral part of the rules based international order that we are proud to promote. The question is not whether or not international law applies, but rather how it applies and whether our current understanding is sufficient.
 
"Cyber space is not – and must never be – a lawless world. It is the UK’s view that when states and individuals engage in hostile cyber operations, they are governed by law just like activities in any other domain. The UK has always been clear that we consider cyber space to be an integral part of the rules based international order that we are proud to promote. The question is not whether or not international law applies, but rather how it applies and whether our current understanding is sufficient.
   
What this means is that hostile actors cannot take action by cyber means without consequence, both in peacetime and in times of conflict. States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them and that in this as in all things, all states are equal before the law."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 applicability />
+
What this means is that hostile actors cannot take action by cyber means without consequence, both in peacetime and in times of conflict. States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them and that in this as in all things, all states are equal before the law."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref>
   
==[[Sovereignty]]==
+
==Sovereignty==
 
<section begin=UK_2018 sovereignty />
 
<section begin=UK_2018 sovereignty />
 
"[..]a further contested area amongst those engaged in the application of international law to cyber space is the regulation of activities that fall below the threshold of a prohibited intervention, but nonetheless may be perceived as affecting the territorial sovereignty of another state without that state’s prior consent. Some have sought to argue for the existence of a cyber specific rule of a “violation of territorial sovereignty” in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 sovereignty />
 
"[..]a further contested area amongst those engaged in the application of international law to cyber space is the regulation of activities that fall below the threshold of a prohibited intervention, but nonetheless may be perceived as affecting the territorial sovereignty of another state without that state’s prior consent. Some have sought to argue for the existence of a cyber specific rule of a “violation of territorial sovereignty” in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 sovereignty />
Line 20: Line 19:
 
These principles must be adapted and applied to a densely technical world of electronic signatures, hard to trace networks and the dark web. They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors. And international law is clear - states cannot escape accountability under the law simply by the involvement of such proxy actors acting under their direction and control."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 state responsibility />
 
These principles must be adapted and applied to a densely technical world of electronic signatures, hard to trace networks and the dark web. They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors. And international law is clear - states cannot escape accountability under the law simply by the involvement of such proxy actors acting under their direction and control."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 state responsibility />
   
==[[Attribution]]==
+
==Attribution==
 
<section begin=UK_2018 attribution />
 
<section begin=UK_2018 attribution />
 
"As with other forms of hostile activity, there are technical, political and diplomatic considerations in publicly attributing hostile cyber activity to a state, in addition to whether the legal test is met.
 
"As with other forms of hostile activity, there are technical, political and diplomatic considerations in publicly attributing hostile cyber activity to a state, in addition to whether the legal test is met.
Line 30: Line 29:
 
For example, the WannaCry ransomware attack affected 150 countries, including 48 National Health Service Trusts in the United Kingdom. It was one of the most significant attacks to hit the UK in terms of scale and disruption. In December 2017, together with partners from the US, Australia, Canada, New Zealand, Denmark and Japan, we attributed the attack to North Korean actors. Additionally, our attribution, together with eleven other countries, of the destructive NotPetya cyber-attack against Ukraine to the Russian government, specifically the Russian Military in February this year illustrated that we can do this successfully. If more states become involved in the work of attribution then we can be more certain of the assessment. We will continue to work closely with allies to deter, mitigate and attribute malicious cyber activity. It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 attribution />
 
For example, the WannaCry ransomware attack affected 150 countries, including 48 National Health Service Trusts in the United Kingdom. It was one of the most significant attacks to hit the UK in terms of scale and disruption. In December 2017, together with partners from the US, Australia, Canada, New Zealand, Denmark and Japan, we attributed the attack to North Korean actors. Additionally, our attribution, together with eleven other countries, of the destructive NotPetya cyber-attack against Ukraine to the Russian government, specifically the Russian Military in February this year illustrated that we can do this successfully. If more states become involved in the work of attribution then we can be more certain of the assessment. We will continue to work closely with allies to deter, mitigate and attribute malicious cyber activity. It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 attribution />
   
==[[Countermeasures]]==
+
==Countermeasures==
 
<section begin=UK_2018 countermeasures />
 
<section begin=UK_2018 countermeasures />
 
"Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.
 
"Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.
Line 40: Line 39:
 
In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 countermeasures />
 
In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 countermeasures />
   
==[[Prohibition of intervention]]==
+
==Prohibition of intervention==
 
<section begin=UK_2018 prohibition of intervention />
 
<section begin=UK_2018 prohibition of intervention />
 
"In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.
 
"In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.
Line 48: Line 47:
 
The precise boundaries of this principle are the subject of ongoing debate between states, and not just in the context of cyber space. But the practical application of the principle in this context would be the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 prohibition of intervention />
 
The precise boundaries of this principle are the subject of ongoing debate between states, and not just in the context of cyber space. But the practical application of the principle in this context would be the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 prohibition of intervention />
   
==[[International humanitarian law (jus in bello)|International humanitarian law (''jus in bello'')]]==
+
==International humanitarian law (''jus in bello'')==
 
<section begin=UK_2018 IHL />
 
<section begin=UK_2018 IHL />
 
"[..]in addition to the provisions of the UN Charter, the application of international humanitarian law to cyber operations in armed conflicts provides both protection and clarity. When states are engaged in an armed conflict, this means that cyber operations can be used to hinder the ability of hostile groups such as Daesh to coordinate attacks, and in order to protect coalition forces on the battlefield. But like other responsible states, this also means that even on the new battlefields of cyber space, the UK considers that there is an existing body of principles and rules that seek to minimise the humanitarian consequences of conflict."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 IHL />
 
"[..]in addition to the provisions of the UN Charter, the application of international humanitarian law to cyber operations in armed conflicts provides both protection and clarity. When states are engaged in an armed conflict, this means that cyber operations can be used to hinder the ability of hostile groups such as Daesh to coordinate attacks, and in order to protect coalition forces on the battlefield. But like other responsible states, this also means that even on the new battlefields of cyber space, the UK considers that there is an existing body of principles and rules that seek to minimise the humanitarian consequences of conflict."<ref>[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018]</ref><section end=UK_2018 IHL />
   
==[[Self-defence|Self-defence, armed attack and use of force]]==
+
==Self-defence, armed attack and use of force==
 
<section begin=UK_2018 self-defence, armed attack and use of force />
 
<section begin=UK_2018 self-defence, armed attack and use of force />
 
First, there is the rule prohibiting interventions in the domestic affairs of states both under Article 2(7) of the Charter and in customary international law. This prohibition means that any activity in cyber space which reaches the level of such an intervention is unlawful. Any activity of this nature by a state could only become permissible in response to some prior illegality by another state.
 
First, there is the rule prohibiting interventions in the domestic affairs of states both under Article 2(7) of the Charter and in customary international law. This prohibition means that any activity in cyber space which reaches the level of such an intervention is unlawful. Any activity of this nature by a state could only become permissible in response to some prior illegality by another state.

Please note that all contributions to International cyber law: interactive toolkit are considered to be released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) (see International cyber law: interactive toolkit:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

Cancel Editing help (opens in new window)