|Sovereignty is a core principle of international law. According to a widely accepted definition in the Island of Palmas arbitral award of 1928,|
According to multiple declarations by the UN, NATO, OSCE, and individual States, international law applies in cyberspace, and hence also the principle of sovereignty applies in cyberspace. It is the subject of some debate to what extent this principle operates as a standalone rule of international law.
The remainder of this section proceeds on the basis of the former ‘sovereignty-as-rule’ approach. Those espousing the latter ‘sovereignty-as-principle’ approach should refer to the prohibition of intervention.
The ‘internal’ facet of sovereignty entails that ‘[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.’
Each State’s sovereignty is protected by international law from violation by other States. It is clear that a cyber operation with severe destructive effects, comparable to a ‘non-cyber’ armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.
The following options have been proposed in the Tallinn Manual 2.0:
Attributing the conduct to a State different from State A is a necessary prerequisite for qualifying it as a violation of sovereignty. Non-State actors cannot violate sovereignty on their own.
Notes and references
- Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
- United Nations General Assembly, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, 22 July 2015, http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174&referer=/english/&Lang=E.
- Wales Summit Declaration, Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales, 5 September 2015, paragraph 72, https://www.nato.int/cps/ic/natohq/official_texts_112964.htm.
- Organization for Security and Co-operation in Europe, Permanent Council, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies, https://www.osce.org/pc/227281?download=true.
- MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017), rule 4, commentary 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
- See MN Schmitt and L Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Texas Law Review 1639, 1649 (noting that States ‘voiced no meaningful objection to Rule 4’ and that ‘it appeared to be received knowledge that a primary rule on territorial-sovereignty violations existed and applied to cyber operations.’).
- GP Corn and R Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208.
- Gary Corn was the Staff Judge Advocate at the US Cyber Command and Robert Taylor was Former Principal Deputy General Counsel at the US Department of Defense. See Corn and Taylor (n 7) 207.
- J Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) <https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century> (‘The UK Government’s position is … that there is no such rule as a matter of current international law.’).
- MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017), rule 2.
- Id., rule 4.
- Id., rule 4, commentary 6.
- Id., rule 4, commentary 7.; rule 32, commentary 9.
- Id., rule 4, commentary 11.
- Id., rule 4, commentary 12.
- Id., rule 4, commentary 13.
- Id., rule 4, commentary 15.
- Id., rule 4, commentary 16.
- Id., rule 4, commentary 18.
Bibliography and further reading
- MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)