Difference between revisions of "Sovereignty"

From International cyber law: interactive toolkit
Jump to navigation Jump to search
(→‎Definition: integrating comments OP)
Line 10: Line 10:
  
 
* For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law. This view is at the basis of the analysis in the Tallinn Manual 2.0<ref>Michael N Schmitt, '[https://heinonline.org/HOL/P?h=hein.journals/cjil19&i=36 Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law]' (2018) 19 ChiJIntlL 30,40; [https://doi.org/10.1017/CBO9781139169288 Tallinn Manual 2.0], commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).</ref> and it has reportedly not been challenged by any of the over fifty States that participated in the process of consultations of the Manual in 2017.<ref>See Michael N Schmitt and Liis Vihul, ‘[https://texaslawreview.org/respect-sovereignty-cyberspace/ Respect for Sovereignty in Cyberspace]’ (2017) 95 Tex L Rev. 1639, 1649 (noting that States ‘voiced no meaningful objection to Rule 4’ and that ‘it appeared to be received knowledge that a primary rule on territorial-sovereignty violations existed and applied to cyber operations.’).</ref>
 
* For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law. This view is at the basis of the analysis in the Tallinn Manual 2.0<ref>Michael N Schmitt, '[https://heinonline.org/HOL/P?h=hein.journals/cjil19&i=36 Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law]' (2018) 19 ChiJIntlL 30,40; [https://doi.org/10.1017/CBO9781139169288 Tallinn Manual 2.0], commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).</ref> and it has reportedly not been challenged by any of the over fifty States that participated in the process of consultations of the Manual in 2017.<ref>See Michael N Schmitt and Liis Vihul, ‘[https://texaslawreview.org/respect-sovereignty-cyberspace/ Respect for Sovereignty in Cyberspace]’ (2017) 95 Tex L Rev. 1639, 1649 (noting that States ‘voiced no meaningful objection to Rule 4’ and that ‘it appeared to be received knowledge that a primary rule on territorial-sovereignty violations existed and applied to cyber operations.’).</ref>
* By contrast, the opposing view, originally formulated by the General Counsel of the US Department of Defense, considers that sovereignty is not "a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State".<ref>Memorandum from JM O’Connor, General Counsel of the Department of Defense, 'International Law Framework for Employing Cyber Capabilities in Military Operations' (19 January 2017), as cited by Sean Watts & Theodore Richard, '[https://law.lclark.edu/live/files/26902-lcb223article3wattspdf Baseline Territorial Sovereignty and Cyberspace]' (2018) 22 Lewis & Clark L. Rev. 771, 829.</ref> Rather, as further explained by two high-level US government legal advisors writing in their private capacity, it is "a principle of international law that guides state interactions".<ref>Gary P. Corn and Robert Taylor, ‘[https://doi.org/10.1017/aju.2017.57 Sovereignty in the Age of Cyber]’ (2017) 111 AJIL Unbound 207, 208.</ref> This view has since been endorsed by the UK attorney general.<ref>Jeremy Wright, ‘[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Cyber and International Law in the 21st Century]’ (23 May 2018) (‘The UK Government’s position is … that there is no such rule as a matter of current international law.’).</ref>
+
* By contrast, the opposing view, originally formulated by the General Counsel of the US Department of Defense, considers that sovereignty is not "a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State".<ref name=":0">Memorandum from JM O’Connor, General Counsel of the Department of Defense, 'International Law Framework for Employing Cyber Capabilities in Military Operations' (19 January 2017), as cited by Sean Watts & Theodore Richard, '[https://law.lclark.edu/live/files/26902-lcb223article3wattspdf Baseline Territorial Sovereignty and Cyberspace]' (2018) 22 Lewis & Clark L. Rev. 771, 829.</ref> Rather, as further explained by two high-level US government legal advisors writing in their private capacity, it is "a principle of international law that guides state interactions".<ref name=":1">Gary P. Corn and Robert Taylor, ‘[https://doi.org/10.1017/aju.2017.57 Sovereignty in the Age of Cyber]’ (2017) 111 AJIL Unbound 207, 208.</ref> This view has since been endorsed by the UK attorney general.<ref name=":2">Jeremy Wright, ‘[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Cyber and International Law in the 21st Century]’ (23 May 2018) (stating, in the context of cyber operations, that ‘[t]he UK Government’s position is … that there is no such rule as a matter of current international law.’).</ref>
  
The remainder of this section proceeds on the basis of the former "sovereignty-as-rule" approach. Those espousing the latter "sovereignty-as-principle" approach should refer to the [[prohibition of intervention]].
+
The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to the [[prohibition of intervention]].
  
It is understood that sovereignty has both an internal and an external component.<ref>Cf. James Crawford, ''Brownlie's Principles of Public International Law'' (OUP 2012) 448</ref> In the cyber context, the "internal" facet of sovereignty entails that "[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations."<ref> [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], rule 2.</ref> <ref> Sovereignty over cyber infrastructures derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, '[https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?referer=https://www.google.ee/&httpsredir=1&article=1027&context=ils Territorial Sovereignty and Neutrality in Cyberspace]' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')</ref>
+
It is understood that sovereignty has both an internal and an external component.<ref>Cf. James Crawford, ''Brownlie's Principles of Public International Law'' (OUP 2012) 448</ref> In the cyber context, the "internal" facet of sovereignty entails that "[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations."<ref name=":3"> [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], rule 2.</ref> <ref> Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, '[https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?referer=https://www.google.ee/&httpsredir=1&article=1027&context=ils Territorial Sovereignty and Neutrality in Cyberspace]' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')</ref>
  
 
As a general rule, each State must respect the sovereignty of other States.<ref>UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], rule 4.</ref> It is clear that a cyber operation with severe destructive effects, comparable to a "non-cyber" armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 5 and 12.</ref>
 
As a general rule, each State must respect the sovereignty of other States.<ref>UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], rule 4.</ref> It is clear that a cyber operation with severe destructive effects, comparable to a "non-cyber" armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 5 and 12.</ref>
Line 20: Line 20:
 
The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:
 
The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:
  
# A State organ conducting cyber operations against a target State or entities or persons located there while <b>physically present</b> in the target State's territory violates the target State's sovereignty.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 6.</ref>  This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 7; commentary to rule 32, para 9.</ref>
+
# A State organ conducting cyber operations against a target State or entities or persons located there while <b>physically present</b> in the target State's territory violates the target State's sovereignty.<ref name=":4">See, eg, [https://www.icj-cij.org/files/case-related/152/152-20151216-JUD-01-00-EN.pdf ''Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica)'' (Judgment)] [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 6.</ref> This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.<ref name=":5">[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 7; commentary to rule 32, para 9.</ref>
 
# Causation of <b>physical damage or injury</b> '''by remote means''';<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 11.</ref> again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 12.</ref>
 
# Causation of <b>physical damage or injury</b> '''by remote means''';<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 11.</ref> again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 12.</ref>
 
# Causation of a <b>loss of functionality</b> of cyber infrastructure: no consensus could be achieved as to the precise threshold (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 13.</ref> Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 14.</ref>
 
# Causation of a <b>loss of functionality</b> of cyber infrastructure: no consensus could be achieved as to the precise threshold (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 13.</ref> Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 14.</ref>
# <b>Interference with</b> data or services that are necessary for the exercise of "<b>inherently governmental functions</b>";<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 15.</ref> although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 16.</ref>
+
# <b>Interference with</b> data or services that are necessary for the exercise of "<b>inherently governmental functions</b>";<ref name=":6">[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 15.</ref> although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.<ref name=":7">[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 16.</ref>
 
# <b>Usurpation of "inherently governmental functions"</b>, such as exercise of law enforcement functions in another State’s territory without justification.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 18.</ref>
 
# <b>Usurpation of "inherently governmental functions"</b>, such as exercise of law enforcement functions in another State’s territory without justification.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 18.</ref>
  
[[Attribution|Attributing]] the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.
+
[[Attribution|Attributing]] the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.  
  
 
---<br>
 
---<br>
Line 33: Line 33:
  
  
Sovereignty is a multifaceted concept and, as the International Court of Justice recognized recently, there are “many rules of international law which protect sovereignty in general”.<ref>[https://www.icj-cij.org/files/case-related/163/163-20180606-JUD-01-00-EN.pdf ''Immunities and Criminal Proceedings'' (Equatorial Guinea v France) (Preliminary Objections)] (6 June 2018), para 93.</ref> In the territorial context, according to a widely accepted definition in the ''Island of Palmas'' arbitral award of 1928,  
+
'''Sovereignty''' is a multifaceted concept and, as the International Court of Justice recognized recently, there are “many rules of international law which protect sovereignty in general”.<ref>[https://www.icj-cij.org/files/case-related/163/163-20180606-JUD-01-00-EN.pdf ''Immunities and Criminal Proceedings'' (Equatorial Guinea v France) (Preliminary Objections)] (6 June 2018), para 93.</ref> In the territorial context, according to a widely accepted definition in the ''Island of Palmas'' arbitral award of 1928,  
  
 
<blockquote>[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.<ref>''Island of Palmas (Neth. v. U.S.)'', 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).</ref></blockquote>  
 
<blockquote>[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.<ref>''Island of Palmas (Neth. v. U.S.)'', 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).</ref></blockquote>  
  
Thus, “the first and foremost restriction imposed by international law upon a State is that – failing the existence of a permissive rule to the contrary – it may not exercise its power in any form in the territory of another State”. This may be termed as an obligation to respect another state’s territorial sovereignty or territorial integrity.
+
Thus, “the first and foremost restriction imposed by international law upon a State is that – failing the existence of a permissive rule to the contrary – it may not exercise its power in any form in the territory of another State”.<ref>''Lotus Case (France v Turkey)'' (Merits) PCIJ Rep Series A No 10, 18.</ref> This may be termed as an obligation to respect another state’s territorial sovereignty or territorial integrity.<ref>See, eg, Francesco Capotorti, ‘Cours général de droit international public’ (1994) 248 RdC 9, 41.</ref>
  
It should be noted that an opposing view considers that sovereignty is "a principle of international law that guides state interactions, but is not itself a binding rule",[32] and in this regard does not consider that an obligation exists to respect territorial integrity, beyond the prohibitions of the use of force and intervention. It was originally formulated by two high-level US government legal advisors writing in their private capacity[33] and it has since been endorsed at least by the UK attorney general.[34]
 
  
The remainder of this section proceeds on the basis of the former approach that there exists an independent obligation under international law to respect a state’s territorial integrity. Those espousing the latter "sovereignty-as-principle" approach should refer to the prohibition of intervention.
+
It should be noted that an opposing view, originally formulated by the General Counsel of the US Department of Defense, considers that sovereignty is not “a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State”.<ref name=":0" /> Rather, as further explained by two high-level US government legal advisors writing in their private capacity, it is “a principle of international law that guides state interactions”.<ref name=":1" /> This view has since been endorsed by the UK attorney general.<ref name=":2" />
  
Pursuant to the position that there exists an obligation under international to respect a state’s territorial integrity, there is likely to be little disagreement that this encompasses "the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations." [35]  Accordingly, it is clear that a cyber operation with severe destructive effects, comparable to a "non-cyber" armed attack or a use of force against a State, constitutes a violation of its territorial sovereignty. Additionally, a State organ conducting cyber operations against State A or entities or persons located there while physically present in State A’s territory violates the State’s territorial sovereignty.[37] Similarly, it would seem that causation of physical consequences by remote means would amount to a violation of sovereignty, though dissenting positions have been voiced. Whether espionage, involving physical presence of a person, constitutes a violation of sovereignty – and if so, under which circumstances – is a subject of ongoing scholarly disagreement.[38]
 
  
As regards intangible, or virtual, layers of cyberspace, the question whether they are subject to a State’s territorial integrity is a subject of debate. This, of course, has implications for the question whether cyber operations involving intangible consequences can amount to violations of territorial integrity, and whether cyber activities involving virtual presence on cyber infrastructure in other States amounts to a violation of territorial integrity. Similarly, this has consequences for instances in which one may consider loss of functionality of cyber infrastructure as not involving physical consequences.
+
The remainder of this section proceeds on the basis of the former approach that there exists an independent obligation under international law to respect a state’s territorial integrity. Those espousing the latter “sovereignty-as-principle” approach should refer to the [[prohibition of intervention]].
  
On the one hand, the argument has been raised that, because ‘cyber infrastructure is property located on State territory’, it therefore follows that ‘cyber operations that interfere with a sovereign’s independent and exclusive control of territorial cyber infrastructure are prohibited’. Conversely, the territorial sovereignty of States over intangible layers of cyberspace has been rejected by others, for reasons such as: the difficulty for States to exercise effective control – effectivités – over such layers; the virtual nature of cyberspace which creates conceptual difficulties for placing such virtual layers under a legal framework which governs what may (not) be done vis-à-vis territory; and numerous media reports which – if true – would put much State practice at odds with an such an obligation.
 
  
Finally, it should be noted that the Tallinn Manual 2.0 considered interference with data or services that are necessary for the exercise of "inherently governmental functions", as well as usurpation of "inherently governmental functions",  as violations of ‘sovereignty’[43] (although the Experts could not definitively define the term "inherently governmental functions").[44] Others have noted the paucity in State practice supporting this test, though all would agree it is necessary to see have State practice develops in this field.   
+
Pursuant to the position that there exists an obligation under international law to respect a state’s territorial integrity, there is likely to be little disagreement that this encompasses “the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”<ref name=":3" /> Accordingly, it is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its territorial sovereignty. Additionally, a State organ conducting cyber operations against State A or entities or persons located there while physically present in State A’s territory violates that State’s territorial sovereignty.<ref name=":4" /> Similarly, it would seem that causation of physical consequences by remote means would amount to a violation of sovereignty, though dissenting positions have been voiced.<ref>[ADD REF]</ref> Whether espionage, involving physical presence of a person, constitutes a violation of sovereignty—and if so, under which circumstances—is a subject of ongoing scholarly disagreement.<ref name=":5" /><ref>See also Gérard Cohen-Jonathan and Robert Kovar, ‘L’espionnage en temps de paix’ (1960) 6 AFDI 239, 252; Ingrid Delupis, ‘Foreign Warships and Immunity for Espionage’ (1984) 78 AJIL 53, 67.</ref>
  
Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.
 
  
<br />
+
As regards intangible (or virtual) layers of cyberspace, the question whether they are subject to a State’s territorial integrity is a subject of debate. This has implications for the question whether cyber operations involving intangible consequences can amount to violations of territorial integrity, and whether cyber activities involving virtual presence on cyber infrastructure in other States amount to a violation of territorial integrity. Similarly, this issue has consequences for instances in which one may consider loss of functionality of cyber infrastructure as not involving physical consequences.
 +
 
 +
 
 +
On the one hand, the argument has been raised that, because “cyber infrastructure is property located on State territory”, it therefore follows that “cyber operations that interfere with a sovereign’s independent and exclusive control of territorial cyber infrastructure are prohibited”.<ref>[ADD REF - OP]</ref> Conversely, the territorial sovereignty of States over intangible layers of cyberspace has been rejected by others, for reasons including the difficulty for States to exercise effective control—''effectivités''—over such layers<ref>See, eg, Shabtai Rosenne, ‘The Perplexities of Modern International Law: General Course on Public International Law’ (2001) 291 RdC 9, 266; Ahmed Mahiou, ‘Le droit international ou la dialectique de la rigueur et de la flexibilité: Cours général de droit international’ (2009) 337 RdC 9, 133–34.</ref> and the virtual nature of cyberspace which creates conceptual difficulties for placing such virtual layers under a legal framework which governs what may (not) be done vis-à-vis territory.<ref>Dan Efrony and Yuval Shany, ‘[https://doi.org/10.1017/ajil.2018.86 A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice]’ (2018) 112 AJIL 583, 653.</ref>
 +
 
 +
 
 +
Finally, it should be noted that the ''Tallinn Manual 2.0'' considered interference with data or services that are necessary for the exercise of “inherently governmental functions”, as well as usurpation of “inherently governmental functions”, as violations of “sovereignty”<ref name=":6" /> (although the Tallinn experts could not definitively define the term “inherently governmental functions”<ref name=":7" />). Others have noted the paucity in State practice supporting this test,<ref>See, eg, Gary Corn, ‘Cyber National Security: Navigating Gray Zone Challenges in and through Cyberspace’ in Winston S Williams and Christopher M Ford (eds), ''Complex Battlespaces: The Law of Armed Conflict and the Dynamics of Modern Warfare'' (OUP 2018) 420.</ref> though all would likely agree it is necessary to see how State practice develops in this field.
 +
 
 +
 
 +
Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.<ref>In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), ''Enhancing the Rule of Law through the International Court of Justice'' (Brill 2012) 145. Against: see, eg,  [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 4, para 3.</ref>
 
|}<section end=Definition />
 
|}<section end=Definition />
  

Revision as of 18:09, 1 February 2019

Definition

Sovereignty
Crown-Silhouette.svg
OPTION A


Sovereignty is a core principle of international law. According to a widely accepted definition in the Island of Palmas arbitral award of 1928,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[1]

According to multiple declarations by the UN,[2] NATO,[3] OSCE,[4] the European Union,[5] and individual States, international law applies in cyberspace, and hence also the principle of sovereignty applies in cyberspace. It is the subject of some debate, however, to what extent this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law. This view is at the basis of the analysis in the Tallinn Manual 2.0[6] and it has reportedly not been challenged by any of the over fifty States that participated in the process of consultations of the Manual in 2017.[7]
  • By contrast, the opposing view, originally formulated by the General Counsel of the US Department of Defense, considers that sovereignty is not "a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State".[8] Rather, as further explained by two high-level US government legal advisors writing in their private capacity, it is "a principle of international law that guides state interactions".[9] This view has since been endorsed by the UK attorney general.[10]

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to the prohibition of intervention.

It is understood that sovereignty has both an internal and an external component.[11] In the cyber context, the "internal" facet of sovereignty entails that "[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations."[12] [13]

As a general rule, each State must respect the sovereignty of other States.[14] It is clear that a cyber operation with severe destructive effects, comparable to a "non-cyber" armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[15]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[16] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[17]
  2. Causation of physical damage or injury by remote means;[18] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[19]
  3. Causation of a loss of functionality of cyber infrastructure: no consensus could be achieved as to the precise threshold (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);[20] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[21]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[22] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[23]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[24]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

---

OPTION B


Sovereignty is a multifaceted concept and, as the International Court of Justice recognized recently, there are “many rules of international law which protect sovereignty in general”.[25] In the territorial context, according to a widely accepted definition in the Island of Palmas arbitral award of 1928,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[26]

Thus, “the first and foremost restriction imposed by international law upon a State is that – failing the existence of a permissive rule to the contrary – it may not exercise its power in any form in the territory of another State”.[27] This may be termed as an obligation to respect another state’s territorial sovereignty or territorial integrity.[28]


It should be noted that an opposing view, originally formulated by the General Counsel of the US Department of Defense, considers that sovereignty is not “a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State”.[8] Rather, as further explained by two high-level US government legal advisors writing in their private capacity, it is “a principle of international law that guides state interactions”.[9] This view has since been endorsed by the UK attorney general.[10]


The remainder of this section proceeds on the basis of the former approach that there exists an independent obligation under international law to respect a state’s territorial integrity. Those espousing the latter “sovereignty-as-principle” approach should refer to the prohibition of intervention.


Pursuant to the position that there exists an obligation under international law to respect a state’s territorial integrity, there is likely to be little disagreement that this encompasses “the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[12] Accordingly, it is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its territorial sovereignty. Additionally, a State organ conducting cyber operations against State A or entities or persons located there while physically present in State A’s territory violates that State’s territorial sovereignty.[16] Similarly, it would seem that causation of physical consequences by remote means would amount to a violation of sovereignty, though dissenting positions have been voiced.[29] Whether espionage, involving physical presence of a person, constitutes a violation of sovereignty—and if so, under which circumstances—is a subject of ongoing scholarly disagreement.[17][30]


As regards intangible (or virtual) layers of cyberspace, the question whether they are subject to a State’s territorial integrity is a subject of debate. This has implications for the question whether cyber operations involving intangible consequences can amount to violations of territorial integrity, and whether cyber activities involving virtual presence on cyber infrastructure in other States amount to a violation of territorial integrity. Similarly, this issue has consequences for instances in which one may consider loss of functionality of cyber infrastructure as not involving physical consequences.


On the one hand, the argument has been raised that, because “cyber infrastructure is property located on State territory”, it therefore follows that “cyber operations that interfere with a sovereign’s independent and exclusive control of territorial cyber infrastructure are prohibited”.[31] Conversely, the territorial sovereignty of States over intangible layers of cyberspace has been rejected by others, for reasons including the difficulty for States to exercise effective control—effectivités—over such layers[32] and the virtual nature of cyberspace which creates conceptual difficulties for placing such virtual layers under a legal framework which governs what may (not) be done vis-à-vis territory.[33]


Finally, it should be noted that the Tallinn Manual 2.0 considered interference with data or services that are necessary for the exercise of “inherently governmental functions”, as well as usurpation of “inherently governmental functions”, as violations of “sovereignty”[22] (although the Tallinn experts could not definitively define the term “inherently governmental functions”[23]). Others have noted the paucity in State practice supporting this test,[34] though all would likely agree it is necessary to see how State practice develops in this field.


Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[35]

Appendices

See also

Notes and references

  1. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  2. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  3. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  4. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  5. Council of the European Union,"Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017),
  6. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  7. See Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex L Rev. 1639, 1649 (noting that States ‘voiced no meaningful objection to Rule 4’ and that ‘it appeared to be received knowledge that a primary rule on territorial-sovereignty violations existed and applied to cyber operations.’).
  8. 8.0 8.1 Memorandum from JM O’Connor, General Counsel of the Department of Defense, 'International Law Framework for Employing Cyber Capabilities in Military Operations' (19 January 2017), as cited by Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
  9. 9.0 9.1 Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208.
  10. 10.0 10.1 Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating, in the context of cyber operations, that ‘[t]he UK Government’s position is … that there is no such rule as a matter of current international law.’).
  11. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448
  12. 12.0 12.1 Tallinn Manual 2.0, rule 2.
  13. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')
  14. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  15. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  16. 16.0 16.1 See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  17. 17.0 17.1 Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
  18. Tallinn Manual 2.0, commentary to rule 4, para 11.
  19. Tallinn Manual 2.0, commentary to rule 4, para 12.
  20. Tallinn Manual 2.0, commentary to rule 4, para 13.
  21. Tallinn Manual 2.0, commentary to rule 4, para 14.
  22. 22.0 22.1 Tallinn Manual 2.0, commentary to rule 4, para 15.
  23. 23.0 23.1 Tallinn Manual 2.0, commentary to rule 4, para 16.
  24. Tallinn Manual 2.0, commentary to rule 4, para 18.
  25. Immunities and Criminal Proceedings (Equatorial Guinea v France) (Preliminary Objections) (6 June 2018), para 93.
  26. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  27. Lotus Case (France v Turkey) (Merits) PCIJ Rep Series A No 10, 18.
  28. See, eg, Francesco Capotorti, ‘Cours général de droit international public’ (1994) 248 RdC 9, 41.
  29. [ADD REF]
  30. See also Gérard Cohen-Jonathan and Robert Kovar, ‘L’espionnage en temps de paix’ (1960) 6 AFDI 239, 252; Ingrid Delupis, ‘Foreign Warships and Immunity for Espionage’ (1984) 78 AJIL 53, 67.
  31. [ADD REF - OP]
  32. See, eg, Shabtai Rosenne, ‘The Perplexities of Modern International Law: General Course on Public International Law’ (2001) 291 RdC 9, 266; Ahmed Mahiou, ‘Le droit international ou la dialectique de la rigueur et de la flexibilité: Cours général de droit international’ (2009) 337 RdC 9, 133–34.
  33. Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583, 653.
  34. See, eg, Gary Corn, ‘Cyber National Security: Navigating Gray Zone Challenges in and through Cyberspace’ in Winston S Williams and Christopher M Ford (eds), Complex Battlespaces: The Law of Armed Conflict and the Dynamics of Modern Warfare (OUP 2018) 420.
  35. In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3.

Bibliography and further reading