Sovereignty

From International cyber law: interactive toolkit
Revision as of 14:59, 15 January 2019 by Uncleistvan1BBB (talk | contribs)
Jump to navigation Jump to search

Definition

Sovereignty
Crown-Silhouette.svg
Sovereignty is a core principle of international law. According to a widely accepted definition in the Island of Palmas arbitral award of 1928,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[1]

According to multiple declarations by the UN,[2] NATO,[3] OSCE,[4] the European Union, [5] and individual States, international law applies in cyberspace, and hence also the principle of sovereignty applies in cyberspace. It is the subject of some debate to what extent this principle operates as a standalone rule of international law.
  • For the proponents of this view, the prohibition on violation of sovereignty is a substantive primary rule of international law. This view is at the basis of the analysis in the Tallinn Manual[6] and it has reportedly not been challenged by any of over fifty States that had participated in the process of consultations of the Manual in 2017.[7]
  • By contrast, the opposing view, originally formulated by the General Counsel of the US Department of Defense, considers that sovereignty is not "a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State".[8] Rather, as further explained by two high-level US government legal advisors writing in their private capacity, it is "a principle of international law that guides state interactions".[9] This view has since been endorsed at least by the UK attorney general.[10]

The remainder of this section proceeds on the basis of the former "sovereignty-as-rule" approach. Those espousing the latter "sovereignty-as-principle" approach should refer to the prohibition of intervention.

The "internal" facet of sovereignty entails that "[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations."[11] [12]

Each State's sovereignty is protected by international law from violation by other States.[13] It is clear that a cyber operation with severe destructive effects, comparable to a "non-cyber" armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[14]

The following options have been proposed in the Tallinn Manual 2.0:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[15]  This was agreed by all Experts drafting the Manual; however, "a few" of the Experts thought that the extensive State practice carved out an exception for espionage operations.[16]
  2. Causation of physical damage or injury by remote means;[17] again, "a few" Experts took the position that this is a relevant but not a determinative factor by itself;[18]
  3. Causation of a loss of functionality of cyber infrastructure: no consensus could be achieved as to the precise threshold (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);[19] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[20]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[21] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify;[22]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.

Attributing the conduct to a State different from State A is a necessary prerequisite for qualifying it as a violation of sovereignty. Non-State actors cannot violate sovereignty on their own.[23]

Appendices

See also

Notes and references

  1. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  2. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  3. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  4. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  5. Council of the European Union,"Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017),
  6. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  7. See Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex. L. Rev. 1639, 1649 (noting that States ‘voiced no meaningful objection to Rule 4’ and that ‘it appeared to be received knowledge that a primary rule on territorial-sovereignty violations existed and applied to cyber operations.’).
  8. Memorandum from JM O’Connor, General Counsel of the Department of Defense, 'International Law Framework for Employing Cyber Capabilities in Military Operations' (19 January 2017), as cited by S Watts & T Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
  9. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208.
  10. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (‘The UK Government’s position is … that there is no such rule as a matter of current international law.’).
  11. Tallinn Manual 2.0, rule 2.
  12. Sovereignty over cyber infrastructures derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that "Territorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.")
  13. Tallinn Manual 2.0, rule 4.
  14. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  15. Tallinn Manual 2.0, commentary to rule 4, para 6.
  16. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
  17. Tallinn Manual 2.0, commentary to rule 4, para 11.
  18. Tallinn Manual 2.0, commentary to rule 4, para 12.
  19. Tallinn Manual 2.0, commentary to rule 4, para 13.
  20. Tallinn Manual 2.0, commentary to rule 4, para 14.
  21. Tallinn Manual 2.0, commentary to rule 4, para 15.
  22. Tallinn Manual 2.0, commentary to rule 4, para 16.
  23. Tallinn Manual 2.0, commentary to rule 4, para 2.

Bibliography and further reading