Countermeasures

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Countermeasures
Countermeasures are “measures that would otherwise be contrary to the international obligations of an injured State vis-à-vis the responsible State, if they were not taken by the former in response to an internationally wrongful act by the latter in order to procure cessation and reparation”.[1] Several States, including Australia,[2] Austria,[3] Canada,[4] Estonia,[5] France,[6] Germany,[7] Italy,[8] Japan,[9] the Netherlands,[10] New Zealand,[11] Norway,[12] Singapore,[13] Sweden,[14] the United Kingdom,[15] and the United States,[16] have expressly confirmed the applicability of the law of countermeasures to cyber operations. Others, including Brazil,[17] China,[18] and Cuba,[19] have expressed caution in this regard. Countermeasures should be distinguished from retorsions, which are unfriendly but lawful acts by the aggrieved party against the wrongdoer.

As a matter of general international law, an injured State may only take countermeasures against the responsible State if the following conditions are met:

  1. The existence of a prior internationally wrongful act of the responsible State against the injured State.[20] If that act consists of a cyber operation, this means that the operation must have been amounted to a breach of the obligations of the responsible State that is attributable to that State;
  2. The injured State has called upon[21] the responsible State to fulfil its obligations arising from its internationally wrongful act;[22] and
  3. The injured State has notified the responsible State of its decision to take countermeasures, and offered to negotiate with that State, unless it is taking “urgent countermeasures as are necessary to preserve its rights.”[23] Some States, such as Canada,[24] Israel,[25] Norway,[26] the United Kingdom[27] and the United States[28] have advocated for a particular approach to the notification requirement in the cyber realm, in particular to preserve the effectiveness of the measures and/or to avoid exposing sensitive capabilities of the responding State.[29]

Additionally, the countermeasures must fulfil the following requirements:

  2. Their aim must be to induce the responsible State to comply with the legal consequences of its internationally wrongful act;[30] hence, the aim of countermeasures is restoration, not retribution or retaliation; and the countermeasures can only target the responsible State;
  3. They “shall, as far as possible, be taken in such a way as to permit the resumption of performance of the obligations in question”;[31]
  4. They shall not affect the obligation to refrain from the threat or use of force,[32] obligations for the protection of fundamental human rights, of a humanitarian character prohibiting reprisals, or other “obligations under peremptory norms of general international law”;[33] obligations under any dispute settlement procedure between the injured and responsible State, and obligations arising from the inviolability of diplomatic or consular agents, premises, archives and documents;[34] and
  5. They must be “commensurate with the injury suffered, taking into account the gravity” of the prior unlawful act and of the rights in question (i.e. the “proportionality” requirement).[35] However, proportionality does not require that the adopted measures must be equivalent, reciprocal or even in kind.[36] As clearly expressesd by many States, including Canada,[37] Germany,[38] Italy,[39] Japan,[40] Norway,[41] Sweden,[42] Switzerland,[43] the United Kingdom[44] and the United States,[45] countermeasures against cyber operations can be non-cyber in nature, and cyber countermeasures may be adopted in response to non-cyber wrongful acts.

Countermeasures are temporary in nature. In case the original internationally wrongful act has ceased, and the dispute is submitted in good faith to a court or tribunal with the authority to make decisions binding on the parties, countermeasures may not be taken and if already taken, must be suspended,[46] except if the responsible State fails to implement the dispute settlement procedures in good faith.[47] Countermeasures must also be terminated as soon as the responsible State has complied with its (secondary) obligations.[48]

There is an ongoing debate as to whether States that have not themselves been directly injured by an unlawful cyber operation may engage in countermeasures in support of the injured State (sometimes referred to as "collective countermeasures").[49] In particular, Estonia has opined that non-injured States “may apply countermeasures to support the state directly affected by the malicious cyber operation”,[50] a view that has also received some support from New Zealand.[51] This would apply where diplomatic action is insufficient, but no lawful recourse to use of force exists. This interpretation would allow States to offer active assistance to other States, which may not possess sufficient cyber capabilities themselves to counter an ongoing unlawful cyber operation, or otherwise deter the responsible State with other non-cyber countermeasures.[52] However, this view has since been rejected by at least one State (France),[53] while others, such as Canada, do not yet consider there to be “sufficient State practice or opinio juris to conclude that [collective countermeasures] are permitted under international law”.[54] Therefore, it has to be regarded as a call for progressive development of international law, rather than a statement of the current state of international law.

Whether a particular measure fulfils these conditions is an objective question,[55] while the burden of proof that the relevant conditions have been fulfilled falls on the injured State.[56] The exact standard of proof required is unsettled in international law and it will depend on the relevant forum. However, relevant international jurisprudence tends to rely on the standard of “clear and convincing evidence”.[57] This standard translates in practice into a duty to “convince the arbiter in question that it is substantially more likely than not that the factual claims that have been made are true”.[58] Importantly, if a State does resort to countermeasures on the basis of an unfounded assessment that a breach has occurred, it may incur in international responsibility for its own wrongful conduct.[59]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Costa Rica (2023) (2023), National position of Denmark (2023) (2023), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Ireland (2023) (2023), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of the Russian Federation (2021) (2021), National position of Singapore (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2016) (2016), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

National positions[edit | edit source]

Australia (2020)[edit | edit source]

"If a State is a victim of malicious cyber activity, which is attributable to a perpetrator State, the victim-State may be able to take countermeasures (whether in cyberspace or through another means) under certain circumstances. Countermeasures are measures, which would otherwise be unlawful, taken to secure cessation of, or reparation for, the other State's unlawful conduct.

Countermeasures in cyberspace cannot amount to a use of force and must be proportionate. States are able to respond to other States' malicious activity with acts of retorsion, which are unfriendly acts that are not inconsistent with any of the State's international obligations."[60]

Brazil (2021)[edit | edit source]

"On the other hand, there are questions on the customary status of other set of articles on state responsibility emanated from the ILC, such as the ones on countermeasures. There are different views on the existence of widespread state practice and opinio juris capable of giving rise to customary international law on the legality and the requirements of countermeasures. Furthermore, it is generally accepted that the ILC provisions on countermeasures went beyond the codification of customary norms and had a strong element of progressive development of international law. In this regard, it is important to recall that several states have criticized countermeasures because they would be prone to abuses, especially due to the material inequality of states.

Particularly on ICTs, there are many factors advising a cautious approach on countermeasures. First, there is an added difficulty to attribute cyber activities to a particular State, which is aggravated by the fact that States have different technical resources and capabilities to both identify the origins of a cyber activity and to verify claims of breaches of international obligations through cyber means. Second, cyber operations can be designed to mask or spoof the perpetrator, which in turns increase the risks of miscalculated responses against innocent actors. Finally, the speed with which the precipitating wrongful cyber operations may unfold poses a high risk of escalation, with potential rippling effects to the kinetic domain.

With this in mind, Brazil considers that there needs to be further discussions on the legality of countermeasures as a response to internationally wrongful acts, including in the cyber context. The discussions must fully take into account the UN Charter in its entirety, thus excluding from the outset any possibility of using force as a countermeasure – a view that has already been confirmed by the ILC. The priority of peaceful settlement of disputes, in line with articles 2(3) and 33 of the UN Charter, must also be reaffirmed."[61]

Canada (2022)[edit | edit source]

"34. Canada considers that States are entitled to use countermeasures in response to internationally wrongful acts including in cyberspace. The customary international law of State responsibility defines limits in the exercise of the right to take countermeasures, being actions that would otherwise be unlawful.[62] Countermeasures may not be taken in retaliation, but only to induce compliance, and directed at the State responsible for the internationally wrongful act. They may not constitute the threat or use of force, must be consistent with other peremptory norms of international law, and they must be proportional.

35. Lawful countermeasures in response to internationally wrongful cyber acts can be non-cyber in nature, and can include cyber operations in response to non-cyber internationally wrongful acts.

36. A State taking countermeasures is not obliged to provide detailed information equivalent to the level of evidence required in a judicial process to justify its cyber countermeasures; however, the State should have reasonable grounds to believe that the State that is alleged to have committed the internationally wrongful act was responsible for it. The precise scope of certain procedural aspects of countermeasures, such as notification, needs to be further defined through State practice given the unique nature of cyberspace.[63]

37. Assistance can be provided on request of an injured State, for example where the injured State does not possess all the technical or legal expertise to respond to internationally wrongful cyber acts. However, decisions as to possible responses remain solely with the injured State. Canada has considered the concept of “collective cyber countermeasures” but does not, to date, see sufficient State practice or opinio juris to conclude that these are permitted under international law. Canada distinguishes “collective cyber countermeasures” from actions taken in “collective self-defence” including measures taken in cyberspace."[64]

Costa Rica (2023)[edit | edit source]

"13. Pursuant to the customary rules of State responsibility, States directly injured by cyber operations amounting to internationally wrongful acts may respond by resorting to cyber or non-cyber countermeasures. Cyber countermeasures may also be taken in response to non-cyber internationally wrongful acts. Countermeasures are the non-forcible suspension of an international obligation whose wrongfulness is precluded by the prior breach of international law. They may be taken by an injured State only in order to induce the responsible State to comply with its international obligations of cessation and/or reparation of the wrongful conduct. Countermeasures, online or offline, must not be punitive, and they must be proportionate to the injury suffered, considering the gravity of the breach and the rights in question. They may not affect the prohibition on the use of force and other peremptory rules of international law, fundamental human rights, rules of a humanitarian character prohibiting reprisals, binding dispute settlement procedures, as well as diplomatic and consular law.

14. To avoid the risk of escalation into conflict, countermeasures are subject to certain procedural conditions under customary international law. These are the requirements of i) calling upon the responsible State to fulfill its obligations of cessation and/or reparation, ii) notification of the intention or decision to take countermeasures, and iii) offer to negotiate with the responsible State. However, in Costa Rica’s view and considering the above-mentioned conditions, the procedural requirements do not have to be met when compliance with them would defeat the purpose of the intended countermeasures.

15. In Costa Rica’s view, countermeasures may be taken by the injured State, i.e., the State specifically affected by the breach, as well as third States in response to violations of obligations of an erga omnes nature or upon request by the injured State. Thus, States may respond collectively to cyber or non-cyber operations that amount to internationally wrongful acts, by resorting to cyber or non-cyber countermeasures. Countermeasures must be distinguished from acts of retorsion, i.e., unfriendly acts taken in response to lawful but equally unfriendly acts by another State, such as the suspension of diplomatic relations. Measures of retorsion are also available in cyberspace, including in response to wrongful or unfriendly cyber operations.

16. Other circumstances precluding wrongfulness under customary international law which are also applicable in the context of cyber operations are consent, necessity, force majeure, and self-defense, addressed below".[65]

Czech Republic (2024)[edit | edit source]

"62. Countermeasures are measures that are taken by an injured State against a State which is responsible for an internationally wrongful act, that would normally constitute a violation of an obligation under international law, but the wrongfulness of which is precluded as they are conducted in response to an ongoing internationally wrongful act committed by another State. Conditions relating to resort to countermeasures are set forth by customary international law, as reflected in ARSIWA.

63. The Czech Republic recognises that the purpose of countermeasures is to induce the State that committed an internationally wrongful act to comply with its obligations under international law. The ultimate goal of countermeasures is to attain the cessation of the violation of international law and reparation of the injury suffered. Other purposes, such as retribution or retaliation, do not constitute a ground for a lawful use of countermeasures.

64. The Czech Republic reserves its right to respond to cyber-related violations of international law obligations attributable to other States, in form of actions or omissions, by undertaking countermeasures, which can be carried out via both cyber and non-cyber means. States may respond with both traditional countermeasures, such as trade embargoes and financial sanctions, and cyber-enabled countermeasures, i.e., adverse cyber operations consisting in the non- performance for the time being of international obligations towards the responsible State.

65. Countermeasures shall be, as far as possible, reversible, shall not amount to the level of the threat or use of force and must be in compliance with other peremptory norms of international law, obligations for the protection of fundamental human rights, international humanitarian law prohibition on reprisals, applicable obligations undr inviolability. They must be temporary and proportionate, i.e., commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights of the injured State that were violated. In this context, the lack of physical damage shall not be considered as an impediment to undertaking justified countermeasures.

66. The Czech Republic recognises that an injured State is required to call upon the responsible State to fulfil its international obligations. Furthermore, prior to employing countermeasures, an injured State is required to notify the responsible State of its intention to take countermeasures and offer to negotiate with the responsible State. The Czech Republic, however, recognises that in case of urgency and in order to preserve rights of the injured State, countermeasures may be undertaken without such prior notification. In either way, given the specific nature of cyberspace that allows attackers to use various spoofing methods, the injured State may resort to countermeasures only if it is able to attribute the internationally wrongful act in question to the responsible State.

67. An injured State is not obliged to disclose evidence to justify resort to countermeasures but rather to be reasonable in its assessment and establish with sufficient certainty the attribution of an internationally wrongful act to a particular State. The Czech Rwith the responsible State. The Czech Republic, however, recognises that in case of urgency and in order to preserve rights of the injured State, countermeasures may be undertaken without such prior notification. In either way, given the specific nature of cyberspace that allows attackers to use various spoofing methods, the injured State may resort to countermeasures only if it is able to attribute the internationally wrongful act in question to the responsible State."[66]

Denmark (2023)[edit | edit source]

"States may be subject to unfriendly or hostile cyber acts or omissions that do not rise to the level of illegality under international law. These may be met with responses of a diplomatic, economic, or political nature intended to deter and hold accountable such States, irrespective of the fact that those acts are not illegal under international law. Such responses are generally termed retorsions. However, where one State breaches its obligations under international law towards another State, the victim State may respond with countermeasures. A State injured by an internationally wrongful act may be justified in taking non-forcible countermeasures in order to procure the cessation of the wrongful act and to achieve reparation for the injury.

Breaches of international obligations, whether cyber or non-cyber in nature, may be responded to by both cyber and non-cyber countermeasures. Countermeasures must be necessary and proportionate. Thus, countermeasures may not go beyond what is necessary to bring the illegal conduct to an end. Countermeasures must be taken with the intention of compelling the offending State to change its behaviour. That being the case countermeasures may only be taken for the period where the other State continues its illegal acts. To the extent possible countermeasures should be reversible although the precise meaning of this concept in a cyber-context is not clear.

Countermeasures may only be taken in response to an internationally wrongful act. That raises the question of when such an act may be considered to have been completed and whether a target State may, for example, take countermeasures in response to an unsuccessful cyber operation that has not been completed e.g. due to defensive mechanisms from the target State. It is the view of Denmark that States cannot be presumed to have to suffer actual harm before taking countermeasures.

Denmark accepts the existence of general procedural requirements when taking countermeasures including an obligation to notify, but also supports the view put forward by a number of States that observance of these obligations may not be feasible in all circumstances in a cyber-context.

Countermeasures must be directed against State organs or other entities acting on behalf of, or whose acts are attributable to, a State as it is the State that is in breach of its obligations vis-à-vis the target State. This, however, does not necessarily exclude that actions may in some circumstances be directed against non-State actor as part of countermeasures.

The question of collective countermeasures does not seem to have been fully settled in state practice and needs careful consideration. As a general observation Denmark finds that there may be instances where one State suffers a violation of an obligation owed to the international community as a whole, and where the victim State may request the assistance of other States in applying proportionate and necessary countermeasures in collective response hereto."[67]

Estonia (2019)[edit | edit source]

"[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner.

Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. The countermeasures applied should follow the principle of proportionality and other principles established within the international customary law. International security and the rules-based international order have long benefitted from collective efforts to stop the violations. We have seen this practice in the form of collective self-defence against armed attacks. For malicious cyber operations, we are starting to see this in collective diplomatic measures I mentioned before. The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace."[68]

Estonia (2021)[edit | edit source]

"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."[69]

If a cyber operation does not reach the threshold of armed conflict but nonetheless constitutes a violation of international law, states maintain the right to take countermeasures, in accordance with the law of state responsibility.

"Countermeasures have strict legal criteria – an injured state may only take countermeasures against a state that is responsible for an internationally wrongful act in order to induce the given state to comply with its international obligations. This means that under certain circumstances, an injured state has the right to take measures that would normally violate international customary law or international treaties, but taken as a countermeasure such actions would be permitted as they would be in response to a violation of international law.

In order to take countermeasures in response to a malicious cyber operation violating international law, the operation in question must have been attributed to a state."[70]

Finland (2020)[edit | edit source]

"An internationally wrongful act may justify recourse to countermeasures by the injured State if the State responsible for an internationally wrongful act declines to cease the wrongful conduct or pay reparation. Countermeasures may only be taken with the purpose of ensuring compliance, not for retaliation. Countermeasures may furthermore not breach the prohibition of the threat or use of force, or other peremptory norms of general international law, and must be consistent with other customary law requirements and limitations concerning countermeasures, most of which are reflected in the International Law Commission’s Articles on State Responsibility. Some of the procedural requirements concerning countermeasures may nevertheless require adjustment. For instance, it may be possible to attribute a hostile cyber operation only afterward whereas countermeasures normally should be taken while the wrongful act is ongoing. There is no general obligation for a State taking countermeasures to disclose the information on the basis of which the action is taken. At the same time, it is in each State’s best interests to ensure that a decision to take countermeasures is based on solid evidence, given that recourse to countermeasures would otherwise constitute an internationally wrongful act. A State that responds to a hostile cyber operation must therefore have adequate proof of the source of the operation and convincing evidence of the responsibility of a particular State."[71]

France (2019)[edit | edit source]

"In general, France can respond to cyberattacks by taking counter-measures. In response to a cyberattack that infringes international law (including use of force), France may take counter-measures designed to (i) protect its interests and ensure they are respected and (ii) induce the State responsible to comply with its obligations.

Under international law, such counter-measures must be taken by France in its capacity as victim. Collective counter-measures are not authorised, which rules out the possibility of France taking such measures in response to an infringement of another State’s rights.

Counter-measures must also be taken in compliance with international law, in particular the prohibition of the threat or use of force. Consequently, they form part of a peaceful response, their sole purpose being to end the initial violation, including in reaction to a cyberoperation that constitutes a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter. The response to a cyberoperation may involve digital means or not, provided that it is commensurate with the injury suffered, taking into account the gravity of the initial violation and the rights in question.

Lastly, the use of counter-measures requires the State responsible for the cyberattack to comply with its obligations.The victim State may, in certain circumstances, derogate from the obligation to inform the State responsible for the cyberoperation beforehand, where there is a need to protect its rights. The possibility of taking urgent counter-measures is particularly relevant in cyberspace, given the widespread use of concealment procedures and the difficulties of traceability."[72]

Germany (2021)[edit | edit source]

"The law of countermeasures allows a State to react, under certain circumstances, to cyber-related breaches of obligations owed to it by another State by taking measures which for their part infringe upon legal obligations it owes to the other State. If certain legal conditions are met, such measures do not constitute wrongful acts under the international law of State responsibility. Germany agrees that cyber-related as well as non-cyber-related breaches of international obligations may be responded to by both cyber and non-cyber countermeasures.

As regards the limitations to countermeasures, Germany is of the opinion that, generally, the same conditions apply as in non cyber-related contexts: In particular, countermeasures may only be adopted against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations arising from its responsibility (in particular cessation of the wrongful act). Also, they must be proportionate and respect fundamental human rights, obligations of a humanitarian character prohibiting reprisals and peremptory norms of international law.

Due to the multifold and close interlinkage of cyber infrastructures not only across different States but also across different institutions and segments of society within States, cyber countermeasures are specifically prone to generating unwanted or even unlawful side effects. Against this background, States must be particularly thorough and prudent in examining whether or not the applicable limitation criteria to cyber countermeasures are met.

A State may – a maiore ad minus – engage in cyber reconnaissance measures in order to explore options for countermeasures and assess the potential risk of side effects if such measures fulfil the requirements for countermeasures." [73]

Ireland (2023)[edit | edit source]

"25. Under well-established rules of state responsibility, a state responsible for an internationally wrongful act is under an obligation to cease its behaviour and to make full reparation for the injury caused. A state that is the victim of a cyber-operation constituting an internationally wrongful act attributable to another state may respond in various ways, including seeking recourse through dispute resolution mechanisms, where available. Recourse to countermeasures – i.e. measures which would otherwise be unlawful – against the state responsible for the internationally wrongful act to induce compliance is permitted in accordance with the limitations imposed by international law. Countermeasures must inter alia be proportionate and temporary in character and cannot include the use of force. There is no requirement for responsive measures to be similar in kind and in this context therefore they may include non-cyber means.

26. On the question of third party or collective countermeasures, Ireland considers that since the adoption of the ARSIWA in 2001, state practice indicates that such measures are permissible in limited circumstances, in particular in the context of violations of peremptory norms. The possibility of imposing third party or collective countermeasures in the cyber context is particularly relevant for states that may consider it necessary to respond to a malicious cyber-operation with a counter-operation, but lack the technological capacity to do so on their own."[74]

Israel (2020)[edit | edit source]

"With respect to the issue of countermeasures, I would like to echo the positions taken by the United Kingdom, the United States, and other States, to the effect that there is no absolute duty under international law to notify the responsible State in advance of a cyber-countermeasure. Prior notification is perhaps more realistic and practical in fields such as international trade, allowing the responsible State to reconsider its actions without frustrating the ability of the injured State to take the intended countermeasures. However, in the cyber domain, where the pace of events can be extremely fast and the other side may thwart the action if it anticipates it, announcing a cyber-countermeasure in advance would often negate its utility and effectiveness, and in some instances undermine the interests of the injured State, as well as render the countermeasure obsolete."[75]

Italy (2021)[edit | edit source]

Italy is of the view that when a State is victim of an international wrongful act perpetrated by another State, it may take countermeasures in response.

Italy deems that countermeasures are adequate responses to cyber operations that constitute an international wrongful act below the threshold of an armed attack. This is without prejudice to the inherent right of States to self-defence. The adoption of countermeasures against the State that may be held responsible, directly or indirectly, for unlawful cyber acts may be problematic due to, inter alia, difficulties of: traceability, assessment of breach in relation with the threshold of the diligence due, significance of the harm suffered.

The victim-State is generally required to call upon the State of origin to discontinue the wrongful act and to notify it of its intention to take countermeasures in response to wrongful cyber operations. However, in conformity with international law, this requirement may not apply if immediate action is needed to enforce the rights of the injured State and to prevent further damage.

The response to a wrongful cyber operation may be in kind (but not necessarily, as per relevant international law), on the condition that the response is commensurate with the harm suffered and is limited to the purpose of ensuring compliance with breached obligations, thus taking into account the seriousness of the initial violation and the rights in question. In any case, countermeasures must not amount to a threat, or use, of force and must be consistent with other peremptory norms, as well as with human rights and humanitarian law."[76]

Japan (2021)[edit | edit source]

"Under international law, it is permitted, under certain conditions, to take countermeasures against internationally wrongful acts.

In general terms, under international law, a State which has been injured by an internationally wrongful act of another State may take, under certain conditions, countermeasures in order to induce the responsible State to comply with (i) the obligation to cease the international wrongful act and (ii) the obligation to make reparation.

General international law does not confine countermeasures to those with the same means as the preceding internationally wrongful act in response to which they are taken. Japan considers that this is the same for the countermeasures against internationally wrongful acts in cyberspace."[77]

Netherlands (2019)[edit | edit source]

"If state is the victim of a violation by another state of an obligation under international law (i.e. an internationally wrongful act), it may under certain circumstances take countermeasures in response. Countermeasures are acts (or omissions) that would normally constitute a violation of an obligation under international law but which are permitted because they are a response to a previous violation by another state. In cyberspace, for example, a cyber operation could be launched to shut down networks or systems that another state is using for a cyberattack. A countermeasure is different to the practice of retorsion in that it would normally be contrary to international law. For this reason, countermeasures are subject to strict conditions, including the requirement that the injured state invoke the other state’s responsibility. This involves the injured state establishing a violation of an obligation under international law that applies between the injured state and the responsible state, and requires that the cyber operation can be attributed to the responsible state.

In addition, the injured state must in principle notify the other state of its intention to take countermeasures. However, if immediate action is required in order to enforce the rights of the injured state and prevent further damage, such notification may be dispensed with. Furthermore, countermeasures must be temporary and proportionate, they may not violate any fundamental human rights, and they may not amount to the threat or use of force."[78]

New Zealand (2020)[edit | edit source]

"If State A attributes internationally wrongful cyber activity to State B, State A may demand reparation and guarantees of non repetition and/or utilise peaceful dispute resolution mechanisms, including the International Court of Justice where available. State A may also respond with countermeasures against State B. Countermeasures are otherwise internationally wrongful acts that are permitted when undertaken to induce another state to comply with its obligations under international law. They may include, but are not limited to, cyber activities that would otherwise be prohibited by international law. Any countermeasure must: a. be undertaken to induce compliance by the state in breach of international law;

b. be directed at the state responsible for the internationally wrongful act;

c. not rise to the level of use of force or breach peremptory norms of international law; and

d. be necessary and proportionate.

Given the collective interest in the observance of international law in cyberspace, and the potential asymmetry between malicious and victim states, New Zealand is open to the proposition that victim states, in limited circumstances, may request assistance from other states in applying proportionate countermeasures to induce compliance by the state acting in breach of international law. In those circumstances, collective countermeasures would be subject to the same limitations set out above."[79]

Norway (2021)[edit | edit source]

"If a State is the victim of an internationally wrongful cyber operation and another State can be held responsible under customary international law on State responsibility, the injured State may, depending on the circumstances, be entitled to take countermeasures.

A countermeasure is an act that would otherwise be contrary to international law, but where the injured State can invoke the prior internationally wrongful act as a ground for precluding wrongfulness. If there is doubt regarding the attribution of a cyber operation to a State under international law, it may be preferable for the injured State to make use of acts of retorsion rather than countermeasures in order to avoid the possibility of incurring State responsibility for its response.

Countermeasures may only be taken to induce a State to cease an internationally wrongful act or resume its compliance with an international obligation. They are not to be used for punishment and retaliation. Countermeasures must be limited to what is considered necessary and proportional, and may only target the State to which the cyber operation or internationally wrongful act can be attributed. There is no requirement for countermeasures to be of the same nature as the internationally wrongful acts to which they are a response, and countermeasures in response to cyber operations may therefore be carried out within or outside cyberspace. Countermeasures must not violate the prohibition on the threat or use of force or international humanitarian law.

The State held responsible should be notified of both the violation of international law and the grounds for attribution, as well as of the intention to introduce countermeasures. Countermeasures may only be taken if a State has sufficient grounds for attributing the conduct in question to a particular State under international law. What constitutes sufficient grounds will be fact-specific and case-specific, and can be particularly challenging to determine in the case of cyber operations. The State taking countermeasures must be confident in its attribution before resorting to countermeasures. However, the State taking countermeasures need not publish detailed grounds for its attribution or give a detailed technical account of this to the State identified as responsible as this might reveal sensitive methods of interception and detection or offensive and defensive capabilities.

Countermeasures may be taken without prior notification to the responsible State if providing such notification might reveal sensitive methods or capabilities or prevent the countermeasures from having the necessary effect. For example, the injured State could carry out a cyber operation to disrupt the capability of the aggressor State conducting the internationally wrongful cyber operation such as election interference. This countermeasure would in other circumstances be in violation of the aggressor State’s sovereignty."[80]

Poland (2022)[edit | edit source]

"Countermeasures are the reaction of a state whose international rights have been violated by another actor. They consist in refraining from the performance of international obligations for some time in order to persuade the state that violates international law to fulfil its obligations and to persuade it against further violations.

At the same time, the Republic of Poland expresses the view that the evolution of customary international law over the last two decades provides grounds for recognising that a state may take countermeasures in pursuit of general interest as well. In particular, the possibility of taking such measures materialise itself in response to states’ violations of peremptory norms, such as the prohibition of aggression.

When applying such measures, the state is required to act in accordance with the principle of proportionality. Moreover, both retorsion and countermeasures cannot constitute the violation of norms pertaining to fundamental human rights, obligations under international humanitarian law and peremptory norms."[81]

Romania (2021)[edit | edit source]

"At the same time, once the international responsibility of a State is entailed, the injured State(s) may recourse to countermeasures in order to induce that State to comply with its international obligations."[82]

Russia (2021)[edit | edit source]

"The countermeasures, which can be taken by an injured State against a State which is responsible for an internationally wrongful act, shall not affect the obligation to refrain from the threat or use of force as embodied in the Charter of the United Nations; obligations for the protection of fundamental human rights; obligations of a humanitarian character prohibiting reprisals; other obligations under peremptory norms of general international law (article 50)."[83]

Singapore (2021)[edit | edit source]

"Even if malicious cyber activity against a State has not risen to the level of an armed attack entitling the victim State to exercise the right of self-defence, international law provides that a victim State that is subjected to another State’s internationally wrongful act against it (whether through malicious cyber activity, or physical means) is entitled to have recourse to counter-measures which are consistent with international law.

Malicious cyber activity attributable to a State that interferes with a victim State’s proper governing functions is an example of an internationally wrongful act."[84]

Sweden (2022)[edit | edit source]

"A State responsible for a wrongful act is under an obligation to cease its behaviour and to make full reparation for the injury caused. When a State is injured by an internationally wrongful act it may respond by a variety of measures. Such measures include countermeasures against the responsible State to ensure compliance with its international obligations.

Recourse to countermeasures is subject to strict requirements under the law of State responsibility and include measures otherwise prohibited by international law. Countermeasures must inter alia be proportionate in character and cannot include the use of force. There is no requirement for responsive measures to be similar in kind and they may include non-cyber means. Before resorting to countermeasures, the injured State must notify the responsible State. It should be noted that this rule also allows for countermeasures without prior notification when urgent measures are needed to preserve the rights of the injured State. This rule also applies to cyber operations."[85]

Switzerland (2021)[edit | edit source]

"If the threshold for an armed attack has not been reached, states can have recourse to immediate and proportionate non-violent countermeasures".[86]

"In cases where an act violates international law and can be legally attributed to a state, the injured state(s) may also take countermeasures in the form of reprisals, provided that the applicable rules governing state responsibility are observed. Although reprisals are contrary to international law, they are justified in response to a prior breach of international law. However, such a countermeasure must not violate certain fundamental substantive obligations such as the prohibition on the use of force, fundamental human rights, most norms of international humanitarian law, peremptory norms (jus cogens) and the obligation to respect diplomatic and consular inviolability. Military force, i.e. measures leading to loss of life and limb, are therefore prohibited.

Countermeasures must impose a (legal) disadvantage aimed at prompting the state concerned to cease its conduct that is in breach of international law and/or to make reparations. In principle, the responsible state can only impose countermeasures if it has first called for the violation(s) to cease and has announced what measures it is planning to take. Exceptions may be made for cyber operations requiring an immediate response in order for the injured state to enforce its rights and prevent further damage. Countermeasures must always be proportional, whatever the circumstances.

A countermeasure in response to a cyber incident does not necessarily have to take place in the cyber domain. In accordance with the rules governing state responsibility, other measures that aim to enforce the responsible state's compliance with its international obligations are also permissible. Cyber countermeasures do not have to directly target the computer system originally used to commit the incident in question; injured states are permitted to take other measures as long as they are aimed at the responsible state ceasing its conduct that is in breach of international law. This means that depending on the specific circumstances, it may be permissible under international law to use cyber countermeasures to block the computer system abroad originally used to commit the incident. Likewise, in some cases it may be permissible to compromise computer systems abroad even if they were not the original source of the incident."[87]

United Kingdom (2018)[edit | edit source]

"Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.

These restrictions under the doctrine of countermeasures are generally accepted across the international law community. The one area where the UK departs from the excellent work of the International Law Commission on this issue is where the UK is responding to covert cyber intrusion with countermeasures.

In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it. The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.

In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa."[88]

United Kingdom (2021)[edit | edit source]

"Resort may be had to countermeasures in response to an internationally wrongful act, in accordance with international law, in relation to States’ activities in cyberspace as in relation to their other activities. This includes both resorting to countermeasures against a State whose cyber activities constitute internationally wrongful acts and carrying out countermeasures by means of cyber operations. Countermeasures need not be symmetrical: where the internationally wrongful act is itself not a cyber activity, the response may nonetheless involve cyber-based countermeasures (and vice versa).

An injured State may only take countermeasures against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations. Any measures adopted must be commensurate with the injury suffered. They must be carried out in accordance with the conditions and restrictions established in international law and must in particular not contravene the prohibition on the threat or use of force, must be necessary and proportionate to the purpose of inducing the responsible State to comply with its obligations and must not contravene any other peremptory norm of international law.

The application of international law to the use of countermeasures in cyberspace must take account of the nature of cyber activities, which might commence and then cease almost instantaneously or within a short timeframe. In those circumstances, a wider pattern of cyber activities might collectively constitute an internationally wrongful act justifying a response.

The UK does not consider that States taking countermeasures are legally obliged to give prior notice (including by calling on the State responsible for the internationally wrongful act to comply with international law) in all circumstances. Prior notice may not be a legal obligation when responding to covert cyber intrusion with countermeasures or when resort is had to countermeasures which themselves depend on covert cyber capabilities. In such cases, prior notice could expose highly sensitive capabilities and prejudice the very effectiveness of the countermeasures in question. However any decision to resort to countermeasures without prior notice must be necessary and proportionate to the purpose of inducing compliance in the circumstances."[89]

United Kingdom (2022)[edit | edit source]

"[..] [U]nder the international law doctrine of countermeasures, a State may respond to a prior unlawful act, in ways which would under normal circumstances be unlawful, in order to stop the offending behaviour and ensure reparation. The UK has previously made clear that countermeasures are available in response to unlawful cyber operations by another State. It is also clear that countermeasures need not be of the same character as the threat and could involve non-cyber means, where it is the right option in order to bring unlawful behaviour in cyberspace to an end.

However, some countries simply do not have the capability to respond effectively by themselves in the face of hostile and unlawful cyber intrusions. It is open to States to consider how the international law framework accommodates, or could accommodate, calls by an injured State for assistance in responding collectively."[90]

United States (2016)[edit | edit source]

"The customary international law doctrine of countermeasures permits a State that is the victim of an internationally wrongful act of another State to take otherwise unlawful measures against the responsible State in order to cause that State to comply with its international obligations, for example, the obligation to cease its internationally wrongful act. Therefore, as a threshold matter, the availability of countermeasures to address malicious cyber activity requires a prior internationally wrongful act that is attributable to another State. As with all countermeasures, this puts the responding State in the position of potentially being held responsible for violating international law if it turns out that there wasn’t actually an internationally wrongful act that triggered the right to take countermeasures, or if the responding State made an inaccurate attribution determination. That is one reason why countermeasures should not be engaged in lightly.

Additionally, under the law of countermeasures, measures undertaken in response to an internationally wrongful act performed in or through cyberspace that is attributable to a State must be directed only at the State responsible for the wrongful act and must meet the principles of necessity and proportionality, including the requirements that a countermeasure must be designed to cause the State to comply with its international obligations—for example, the obligation to cease its internationally wrongful act — and must cease as soon as the offending State begins complying with the obligations in question.

The doctrine of countermeasures also generally requires the injured State to call upon the responsible State to comply with its international obligations before a countermeasure may be taken—in other words, the doctrine generally requires what I will call a “prior demand.” The sufficiency of a prior demand should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.

I also should note that countermeasures taken in response to internationally wrongful cyber activities attributable to a State generally may take the form of cyber-based countermeasures or non-cyber-based countermeasures. That is a decision typically within the discretion of the responding State and will depend on the circumstances."[91]

United States (2020)[edit | edit source]

"Depending on the circumstances, DoD lawyers may also consider whether an operation that does not constitute a use of force could be conducted as a countermeasure. In general, countermeasures are available in response to an internationally wrongful act attributed to a State. In the traditional view, the use of countermeasures must be preceded by notice to the offending State, though we note that there are varying State views on whether notice would be necessary in all cases in the cyber context because of secrecy or urgency. In a particular case it may be unclear whether a particular malicious cyber activity violates international law. And, in other circumstances, it may not be apparent that the act is internationally wrongful and attributable to a State within the timeframe in which the DoD must respond to mitigate the threat. In these circumstances, which we believe are common, countermeasures would not be available."[92]

United States (2021)[edit | edit source]

"In certain circumstances, a State injured by cyber activities that are attributable to another State and that constitute an internationally wrongful act, but do not amount to an armed attack, may respond with non-forcible countermeasures. Such countermeasures must be directed only at the State responsible for the wrongful act, must meet the requirements of necessity and proportionality, must be designed to induce the State to return to compliance with its international obligations, and, under the customary international law of State responsibility, must be suspended without undue delay if the internationally wrongful act has ceased.

Before an injured State can undertake countermeasures in response to a cyber-based internationally wrongful act attributable to a State, it generally must call upon the responsible State to cease its wrongful conduct, unless urgent countermeasures are necessary to preserve the injured State’s rights. The sufficiency of this prior demand on the responsible State should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.

Countermeasures taken in response to cyber activities attributable to States that constitute internationally wrongful acts may take the form of cyber-based countermeasures or non-cyber-based countermeasures. Countermeasures are distinct from acts of retorsion, which are unfriendly acts that are not inconsistent with any international obligations".[93]


Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. ILC Articles on State Responsibility, Commentary, part 3 ch 2 at para 1.
  2. Australian Government, Australia's position on how international law applies to State conduct in cyberspace (2020).
  3. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility. A target State may also react through proportionate countermeasures.’ (emphasis added).
  4. Government of Canada, International Law applicable in cyberspace (April 2022) para 34.
  5. Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures”
  6. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that ‘In response to a cyberattack, France may consider diplomatic responses to certain incidents, countermeasures, or even coercive action by the armed forces if an attack constitutes armed aggression.’
  7. Germany, ‘Statement by Ambassador Dr Thomas Fitschen, Director for the United Nations, Cyber Foreign Policy and Counter-Terrorism, Federal Foreign Office of Germany’ (November 2018) 3, stating that ‘in case of a cyber operation that is in breach of an international legal obligation below the level of the use or threat of force prohibited by Art. 2 (IV) [of the UN Charter] States are also entitled to take countermeasures as allowed by international law.’
  8. Italian Ministry for Foreign Affairs and International Cooperation, 'Italian position paper on "International law and cyberspace"' (2021) 7-8.
  9. Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated), stating that ‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’
  10. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 7.
  11. New Zealand Foreign Affairs and Trade, The Application of International Law to State Activity in Cyberspace (1 December 2020) 3-4.
  12. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 72-73.
  13. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 84.
  14. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 6.
  15. United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017), stating that ‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime, including the availability of the doctrine of countermeasures in response to internationally wrongful acts.’
  16. Brian J. Egan, ‘Remarks on International Law and Stability in Cyberspace’ (10 November 2016), stating that countermeasures are available ‘to address malicious cyber activity’ if that activity amounts to a prior internationally wrongful act attributable to another State.
  17. Brazil, ‘Open-ended Working Group on developments in the field of information and telecommunications in the context of international security: Second Substantive Session - New York, 11 February 2020: Statement by the Delegation of Brazil’ (11 February 2020), stating that ‘In the case of malicious acts in cyberspace, it is often difficult to attribute responsibility to a particular State or actor with unqualified certainty. A decision to resort to countermeasures in response to such acts carries a high risk of targeting innocent actors, and of triggering escalation.’
  18. China, ‘Statement by the Chinese Delegation at the Thematic Debate of the First Committee of the 72th UNGA’ (October 2017), stating that ‘Countries should discuss application of international law in the manner conducive to maintain peace, avoid introducing force, deterrence and countermeasures into cyberspace, so as to prevent arms race in cyberspace and reduce risks of confrontation and conflicts.’
  19. Cuba, ‘Declaration by Miguel Rodríguez, Representative of Cuba, at the Final Session of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (23 June 2017), registering ‘serious concern over the pretension of some, reflected in para 34 of the draft final report, to convert cyberspace into a theater of military operations and to legitimize, in that context, unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs.’ (emphasis added).
  20. ILC Articles on State Responsibility, Art 49 para 1; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 83.
  21. ILC Articles on State Responsibility, Art 52 para 1 subpara a). According to the UK Attorney General, the UK does not feel legally obliged, when taking countermeasures in response to a covert cyber intrusion, to “give prior notification to the hostile state”. UK Attorney General, Jeremy Wright QC MP, ‘Cyber and International Law in the 21st Century’.
  22. ILC Articles on State Responsibility, Art 28-41; the list of consequences includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
  23. ILC Articles on State Responsibility, Art 52 para 1 subpara b) – Art 52 para 2.
  24. Government of Canada, International Law applicable in cyberspace (April 2022).
  25. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020).
  26. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 72-73.
  27. UK Attorney General, Jeremy Wright QC MP, ‘Cyber and International Law in the 21st Century’ (2018); United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement (3 June 2021).
  28. Hon Paul C Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference (2 March 2020).
  29. See also Tallinn Manual 2.0, commentary to rule 21, paras 10–12.
  30. ILC Articles on State Responsibility, Art 49(1); Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 87. The list of consequences in Art 28-41 includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
  31. ILC Articles on State Responsibility, Art 49(3).
  32. The position of the ILC has been followed by States in their national positions, including Australia, Brazil, Canada, Finland, France, Italy, the Netherlands, New Zealand, Norway, Russia, Sweden, Switzerland and the UK. For an alternative view on “forcible countermeasures” see Oil Platforms (Islamic Republic of Iran v. United States of America) Judgment, I.C.J. Reports 2003, 16, Separate Opinion of Judge Simma [12 and ff].
  33. ILC Articles on State Responsibility, Art 50(1).
  34. ILC Articles on State Responsibility, Art 50(2).
  35. Articles on State Responsibility, Art 51; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 85.
  36. See ILC Articles on State Responsibility, part 3, para 5; see also Tallinn Manual 2.0, commentary to rule 23, para 7.
  37. Government of Canada, International Law applicable in cyberspace (April 2022).
  38. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 13-14.
  39. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on "International law and cyberspace"’ (2021) 7-8.
  40. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 4-5.
  41. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 72-73.
  42. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 6.
  43. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6-7.
  44. Attorney General Jeremy Wright, Cyber and International Law in the 21st Century (23 May 2018); Attorney General Suella Braverman, International Law in Future Frontiers (19 May 2022).
  45. Brian J Egan, International Law and Stability in Cyberspace (10 November 2016) 21-22; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 142.
  46. ILC Articles on State Responsibility, Art 52(3).
  47. ILC Articles on State Responsibility, Art 52(4).
  48. ILC Articles on State Responsibility, Art 53.
  49. ILC Articles on State Responsibility, Art 54. In the cyber context, scholarship supportive of notion of collective countermeasures includes Michael N Schmitt, ‘Estonia Speaks Out on Key Rules for Cyberspace’ (Just Security, 10 June 2019), considering the Estonian interpretation to be “an advantageous development in the catalogue of response options that international law provides to deal with unlawful acts”; see also Michael N Schmitt and Sean Watts, ‘Collective Cyber Countermeasures?’ (2021) 12 Harvard National Security Journal 373. Conversely, scholarship that has rejected this notion includes Jeff Kosseff, ‘Collective Countermeasures in Cyberspace’ (2020) 10(1) Notre Dame Journal of International & Comparative Law 18, 34; François Delerue, Cyber Operations and International Law (CUP 2020), 457.
  50. President of Estonia, Kersti Kaljulaid, ‘President of the Republic at the opening of CyCon 2019’ (29.05.2019); see also Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 28.
  51. New Zealand Foreing Affairs and Trade, The Application of International Law to State Activity in Cyberspace (1 December 2020) 3-4.
  52. Michael Schmitt, Three International Law Rules for Responding Effectively to Hostile Cyber Operations (Just Security, 31 July 2021)
  53. French Ministry of the Armies, International Law Applied to Operations in Cyberspace (9 September 2019) 10, arguing that collective countermeasures are not authorised under international law.
  54. Government of Canada, International Law applicable in cyberspace (April 2022) para 37.
  55. ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49, para 3.
  56. ILC Articles on State Responsibility, Commentary to Part One, Chapter 5, para 8 (noting that “[i]n a bilateral dispute over State responsibility, the onus of establishing responsibility lies in principle on the claimant State”).
  57. See, eg, Trail Smelter case (United States v Canada) (Award) 1941 3 RIAA 1905, 1965; see also Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013) 624 (noting that in cases where State responsibility is involved, the required threshold tends to shift towards ‘clear and convincing’”).
  58. James Green, ‘Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice’ (2009) 58 ICLQ 163, 167 (emphasis original).
  59. ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49 para 3.
  60. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  61. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 21.
  62. Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote [23], Articles on State Responsibility, supra note 21, Art. 22.
  63. Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote [24], In this regard the law of state responsibility foresees cases where notification may not be required – Articles on State Responsibility, supra note 21,Art. 52(b).
  64. Government of Canada, International Law applicable in cyberspace, April 2022
  65. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 4-5 (footnotes omitted).
  66. Ministry of Foreign Affairs of the Czech Republic, "Czech Republic - Position paper on the application of international law in cyberspace" (27 February 2024) 15-16 (footnotes omitted).
  67. Government of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace"(4 July 2023) 8-9.
  68. President of Estonia: international law applies also in cyber space, 29 May 2019
  69. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 28.
  70. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 29-30.
  71. International law and cyberspace - Finland's national position
  72. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7-8.
  73. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 13-14.
  74. Irish Department of Foreign Affairs, Position Paper on the Application of International Law in Cyberspace (6 July 2023) 6.
  75. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  76. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,7-8.
  77. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4-5
  78. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 7-8.
  79. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3-4.
  80. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 72-73.
  81. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 8.
  82. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 79.
  83. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  84. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 84.
  85. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,6
  86. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 4.
  87. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6-7.
  88. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
  89. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  90. Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
  91. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 21-22.
  92. Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
  93. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 142.

Bibliography and further reading[edit | edit source]

Retrieved from "https://cyberlaw.ccdcoe.org/wiki/Countermeasures?oldid=4071"