Definition[edit | edit source]
| Several States, including Austria, Estonia, France, Germany, Japan, the Netherlands, the United Kingdom, and the United States, have expressly confirmed the applicability of the law of countermeasures to cyber operations. Others, including Brazil, China, and Cuba, have expressed caution in this regard. Countermeasures should be distinguished from retorsions, which are unfriendly but lawful acts by the aggrieved party against the wrongdoer.
As a matter of general international law, an injured State may only take countermeasures against the responsible State if the following conditions are met:
Additionally, the countermeasures must fulfil the following requirements:
Taken countermeasures must be suspended if the internationally wrongful act has ceased and if “the dispute is pending before a court or tribunal which has the authority to make decisions binding on the parties”, and they must be terminated as soon as the responsible State has complied with its (secondary) obligations.
There is a debate as to whether States that have not themselves been directly injured by an unlawful cyber operation may engage in countermeasures in support of the injured State (sometimes referred to as collective countermeasures). In particular, one State has recently put forward the view that non-injured States “may apply countermeasures to support the state directly affected by the malicious cyber operation”. This would apply where diplomatic action is insufficient, but no lawful recourse to use of force exists. This interpretation would allow States to offer active assistance to States, which may not possess sufficient cyber capabilities themselves to counter an ongoing unlawful cyber operation. This view has found some support in scholarship, but was since rejected by at least one other State, with other parts of scholarship reluctant to endorse it. Therefore, it has to be regarded as a call for progressive development of international law, rather than a statement of the current state of international law.
Whether a particular measure fulfils these conditions is an objective question, while the burden of proof that the relevant conditions have been fulfilled falls on the injured State. The exact standard of proof required is unsettled in international law and it will depend on the relevant forum. However, relevant international jurisprudence tends to rely in this regard on the standard of “clear and convincing evidence”. This standard translates in practice into a duty to “convince the arbiter in question that it is substantially more likely than not that the factual claims that have been made are true.” Importantly, if a State does resort to countermeasures on the basis of an unfounded assessment that a breach has occurred, it may incur responsibility for its own wrongful conduct.
National positions[edit | edit source]
"If a State is a victim of malicious cyber activity, which is attributable to a perpetrator State, the victim-State may be able to take countermeasures (whether in cyberspace or through another means) under certain circumstances. Countermeasures are measures, which would otherwise be unlawful, taken to secure cessation of, or reparation for, the other State's unlawful conduct.
Countermeasures in cyberspace cannot amount to a use of force and must be proportionate. States are able to respond to other States' malicious activity with acts of retorsion, which are unfriendly acts that are not inconsistent with any of the State's international obligations."
"[...] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner.
Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. The countermeasures applied should follow the principle of proportionality and other principles established within the international customary law. International security and the rules-based international order have long benefitted from collective efforts to stop the violations. We have seen this practice in the form of collective self-defence against armed attacks. For malicious cyber operations, we are starting to see this in collective diplomatic measures I mentioned before. The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace."
"An internationally wrongful act may justify recourse to countermeasures by the injured State if the State responsible for an internationally wrongful act declines to cease the wrongful conduct or pay reparation. Countermeasures may only be taken with the purpose of ensuring compliance, not for retaliation. Countermeasures may furthermore not breach the prohibition of the threat or use of force, or other peremptory norms of general international law, and must be consistent with other customary law requirements and limitations concerning countermeasures, most of which are reflected in the International Law Commission’s Articles on State Responsibility. Some of the procedural requirements concerning countermeasures may nevertheless require adjustment. For instance, it may be possible to attribute a hostile cyber operation only afterward whereas countermeasures normally should be taken while the wrongful act is ongoing. There is no general obligation for a State taking countermeasures to disclose the information on the basis of which the action is taken. At the same time, it is in each State’s best interests to ensure that a decision to take countermeasures is based on solid evidence, given that recourse to countermeasures would otherwise constitute an internationally wrongful act. A State that responds to a hostile cyber operation must therefore have adequate proof of the source of the operation and convincing evidence of the responsibility of a particular State."
"In general, France can respond to cyberattacks by taking counter-measures. In response to a cyberattack that infringes international law (including use of force), France may take counter-measures designed to (i) protect its interests and ensure they are respected and (ii) induce the State responsible to comply with its obligations.
Under international law, such counter-measures must be taken by France in its capacity as victim. Collective counter-measures are not authorised, which rules out the possibility of France taking such measures in response to an infringement of another State’s rights.
Counter-measures must also be taken in compliance with international law, in particular the prohibition of the threat or use of force. Consequently, they form part of a peaceful response, their sole purpose being to end the initial violation, including in reaction to a cyberoperation that constitutes a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter. The response to a cyberoperation may involve digital means or not, provided that it is commensurate with the injury suffered, taking into account the gravity of the initial violation and the rights in question.
Lastly, the use of counter-measures requires the State responsible for the cyberattack to comply with its obligations.The victim State may, in certain circumstances, derogate from the obligation to inform the State responsible for the cyberoperation beforehand, where there is a need to protect its rights. The possibility of taking urgent counter-measures is particularly relevant in cyberspace, given the widespread use of concealment procedures and the difficulties of traceability."
"The law of countermeasures allows a State to react, under certain circumstances, to cyber-related breaches of obligations owed to it by another State by taking measures which for their part infringe upon legal obligations it owes to the other State. If certain legal conditions are met, such measures do not constitute wrongful acts under the international law of State responsibility. Germany agrees that cyber-related as well as non-cyber-related breaches of international obligations may be responded to by both cyber and non-cyber countermeasures.
As regards the limitations to countermeasures, Germany is of the opinion that, generally, the same conditions apply as in non cyber-related contexts: In particular, countermeasures may only be adopted against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations arising from its responsibility (in particular cessation of the wrongful act). Also, they must be proportionate and respect fundamental human rights, obligations of a humanitarian character prohibiting reprisals and peremptory norms of international law.
Due to the multifold and close interlinkage of cyber infrastructures not only across different States but also across different institutions and segments of society within States, cyber countermeasures are specifically prone to generating unwanted or even unlawful side effects. Against this background, States must be particularly thorough and prudent in examining whether or not the applicable limitation criteria to cyber countermeasures are met.
A State may – a maiore ad minus – engage in cyber reconnaissance measures in order to explore options for countermeasures and assess the potential risk of side effects if such measures fulfil the requirements for countermeasures." 
"With respect to the issue of countermeasures, I would like to echo the positions taken by the United Kingdom, the United States, and other States, to the effect that there is no absolute duty under international law to notify the responsible State in advance of a cyber-countermeasure. Prior notification is perhaps more realistic and practical in fields such as international trade, allowing the responsible State to reconsider its actions without frustrating the ability of the injured State to take the intended countermeasures. However, in the cyber domain, where the pace of events can be extremely fast and the other side may thwart the action if it anticipates it, announcing a cyber-countermeasure in advance would often negate its utility and effectiveness, and in some instances undermine the interests of the injured State, as well as render the countermeasure obsolete."
Japan[edit | edit source]
"Under international law, it is permitted, under certain conditions, to take countermeasures against internationally wrongful acts.
In general terms, under international law, a State which has been injured by an internationally wrongful act of another State may take, under certain conditions, countermeasures in order to induce the responsible State to comply with (i) the obligation to cease the international wrongful act and (ii) the obligation to make reparation.
General international law does not confine countermeasures to those with the same means as the preceding internationally wrongful act in response to which they are taken. Japan considers that this is the same for the countermeasures against internationally wrongful acts in cyberspace."
"If State A attributes internationally wrongful cyber activity to State B, State A may demand reparation and guarantees of non repetition and/or utilise peaceful dispute resolution mechanisms, including the International Court of Justice where available. State A may also respond with countermeasures against State B. Countermeasures are otherwise internationally wrongful acts that are permitted when undertaken to induce another state to comply with its obligations under international law. They may include, but are not limited to, cyber activities that would otherwise be prohibited by international law. Any countermeasure must: a. be undertaken to induce compliance by the state in breach of international law;
b. be directed at the state responsible for the internationally wrongful act;
c. not rise to the level of use of force or breach peremptory norms of international law; and
d. be necessary and proportionate.
Given the collective interest in the observance of international law in cyberspace, and the potential asymmetry between malicious and victim states, New Zealand is open to the proposition that victim states, in limited circumstances, may request assistance from other states in applying proportionate countermeasures to induce compliance by the state acting in breach of international law. In those circumstances, collective countermeasures would be subject to the same limitations set out above."
"If the threshold for an armed attack has not been reached, states can have recourse to immediate and proportionate non-violent countermeasures".
"In cases where an act violates international law and can be legally attributed to a state, the injured state(s) may also take countermeasures in the form of reprisals, provided that the applicable rules governing state responsibility are observed. Although reprisals are contrary to international law, they are justified in response to a prior breach of international law. However, such a countermeasure must not violate certain fundamental substantive obligations such as the prohibition on the use of force, fundamental human rights, most norms of international humanitarian law, peremptory norms (jus cogens) and the obligation to respect diplomatic and consular inviolability. Military force, i.e. measures leading to loss of life and limb, are therefore prohibited.
Countermeasures must impose a (legal) disadvantage aimed at prompting the state concerned to cease its conduct that is in breach of international law and/or to make reparations. In principle, the responsible state can only impose countermeasures if it has first called for the violation(s) to cease and has announced what measures it is planning to take. Exceptions may be made for cyber operations requiring an immediate response in order for the injured state to enforce its rights and prevent further damage. Countermeasures must always be proportional, whatever the circumstances.
A countermeasure in response to a cyber incident does not necessarily have to take place in the cyber domain. In accordance with the rules governing state responsibility, other measures that aim to enforce the responsible state's compliance with its international obligations are also permissible. Cyber countermeasures do not have to directly target the computer system originally used to commit the incident in question; injured states are permitted to take other measures as long as they are aimed at the responsible state ceasing its conduct that is in breach of international law. This means that depending on the specific circumstances, it may be permissible under international law to use cyber countermeasures to block the computer system abroad originally used to commit the incident. Likewise, in some cases it may be permissible to compromise computer systems abroad even if they were not the original source of the incident."
"If state is the victim of a violation by another state of an obligation under international law (i.e. an internationally wrongful act), it may under certain circumstances take countermeasures in response. Countermeasures are acts (or omissions) that would normally constitute a violation of an obligation under international law but which are permitted because they are a response to a previous violation by another state. In cyberspace, for example, a cyber operation could be launched to shut down networks or systems that another state is using for a cyberattack. A countermeasure is different to the practice of retorsion in that it would normally be contrary to international law. For this reason, countermeasures are subject to strict conditions, including the requirement that the injured state invoke the other state’s responsibility. This involves the injured state establishing a violation of an obligation under international law that applies between the injured state and the responsible state, and requires that the cyber operation can be attributed to the responsible state.
In addition, the injured state must in principle notify the other state of its intention to take countermeasures. However, if immediate action is required in order to enforce the rights of the injured state and prevent further damage, such notification may be dispensed with. Furthermore, countermeasures must be temporary and proportionate, they may not violate any fundamental human rights, and they may not amount to the threat or use of force."
"Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.
These restrictions under the doctrine of countermeasures are generally accepted across the international law community. The one area where the UK departs from the excellent work of the International Law Commission on this issue is where the UK is responding to covert cyber intrusion with countermeasures.
In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it. The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.
In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa."
"Resort may be had to countermeasures in response to an internationally wrongful act, in accordance with international law, in relation to States’ activities in cyberspace as in relation to their other activities. This includes both resorting to countermeasures against a State whose cyber activities constitute internationally wrongful acts and carrying out countermeasures by means of cyber operations. Countermeasures need not be symmetrical: where the internationally wrongful act is itself not a cyber activity, the response may nonetheless involve cyber-based countermeasures (and vice versa).
An injured State may only take countermeasures against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations. Any measures adopted must be commensurate with the injury suffered. They must be carried out in accordance with the conditions and restrictions established in international law and must in particular not contravene the prohibition on the threat or use of force, must be necessary and proportionate to the purpose of inducing the responsible State to comply with its obligations and must not contravene any other peremptory norm of international law.
The application of international law to the use of countermeasures in cyberspace must take account of the nature of cyber activities, which might commence and then cease almost instantaneously or within a short timeframe. In those circumstances, a wider pattern of cyber activities might collectively constitute an internationally wrongful act justifying a response.
The UK does not consider that States taking countermeasures are legally obliged to give prior notice (including by calling on the State responsible for the internationally wrongful act to comply with international law) in all circumstances. Prior notice may not be a legal obligation when responding to covert cyber intrusion with countermeasures or when resort is had to countermeasures which themselves depend on covert cyber capabilities. In such cases, prior notice could expose highly sensitive capabilities and prejudice the very effectiveness of the countermeasures in question. However any decision to resort to countermeasures without prior notice must be necessary and proportionate to the purpose of inducing compliance in the circumstances."
Appendixes[edit | edit source]
See also[edit | edit source]
- Scenario 04: A State’s failure to assist an international organization
- Scenario 05: State investigates and responds to cyber operations against private actors in its territory
- Scenario 06: Cyber countermeasures against an enabling State
- Scenario 09: Economic cyber espionage
- Scenario 14: Ransomware campaign
- Scenario 17: Collective responses to cyber operations
Notes and references[edit | edit source]
- ILC Articles on State Responsibility, Commentary, part 3 ch 2 at para 1.
- Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility. A target State may also react through proportionate countermeasures.’ (emphasis added).
- Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures”
- French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that ‘In response to a cyberattack, France may consider diplomatic responses to certain incidents, countermeasures, or even coercive action by the armed forces if an attack constitutes armed aggression.’
- Germany, ‘Statement by Ambassador Dr Thomas Fitschen, Director for the United Nations, Cyber Foreign Policy and Counter-Terrorism, Federal Foreign Office of Germany’ (November 2018) 3, stating that ‘in case of a cyber operation that is in breach of an international legal obligation below the level of the use or threat of force prohibited by Art. 2 (IV) [of the UN Charter] States are also entitled to take countermeasures as allowed by international law.’
- Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated), stating that ‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’
- Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 7.
- United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017), stating that ‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime, including the availability of the doctrine of countermeasures in response to internationally wrongful acts.’
- Brian J. Egan, ‘Remarks on International Law and Stability in Cyberspace’ (10 November 2016), stating that countermeasures are available ‘to address malicious cyber activity’ if that activity amounts to a prior internationally wrongful act attributable to another State.
- Brazil, ‘Open-ended Working Group on developments in the field of information and telecommunications in the context of international security: Second Substantive Session - New York, 11 February 2020: Statement by the Delegation of Brazil’ (11 February 2020), stating that ‘In the case of malicious acts in cyberspace, it is often difficult to attribute responsibility to a particular State or actor with unqualified certainty. A decision to resort to countermeasures in response to such acts carries a high risk of targeting innocent actors, and of triggering escalation.’
- China, ‘Statement by the Chinese Delegation at the Thematic Debate of the First Committee of the 72th UNGA’ (October 2017), stating that ‘Countries should discuss application of international law in the manner conducive to maintain peace, avoid introducing force, deterrence and countermeasures into cyberspace, so as to prevent arms race in cyberspace and reduce risks of confrontation and conflicts.’
- Cuba, ‘Declaration by Miguel Rodríguez, Representative of Cuba, at the Final Session of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (23 June 2017), registering ‘serious concern over the pretension of some, reflected in para 34 of the draft final report, to convert cyberspace into a theater of military operations and to legitimize, in that context, unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs.’ (emphasis added).
- ILC Articles on State Responsibility, Art 49 para 1; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 83.
- ILC Articles on State Responsibility, Art 52 paras 3 - 4.
- ILC Articles on State Responsibility, Art 52 para 1 subpara a). According to the UK Attorney General, the UK does not feel legally obliged, when taking countermeasures in response to a covert cyber intrusion, to “give prior notification to the hostile state”. UK Attorney General, Jeremy Wright QC MP, ‘Cyber and International Law in the 21st Century’.
- ILC Articles on State Responsibility, Art 28-41; the list of consequences includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
- ILC Articles on State Responsibility, Art 52 para 1 subpara b) – Art 52 para 2.
- ILC Articles on State Responsibility, Art 49(1); Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 87. The list of consequences in Art 28-41 includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
- ILC Articles on State Responsibility, Art 49(3).
- Such as the obligation to refrain from the threat or use of force as embodied in the UN Charter, obligations for the protection of fundamental human rights, and obligations of a humanitarian character prohibiting reprisals. ILC Articles on State Responsibility, Art 50(1).
- ILC Articles on State Responsibility, Art 50(2).
- Articles on State Responsibility, Art 51; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 85.
- ILC Articles on State Responsibility, Art 54.
- President of Estonia, Kersti Kaljulaid, ‘President of the Republic at the opening of CyCon 2019’ (29.05.2019).
- Michael N Schmitt, ‘Estonia Speaks Out on Key Rules for Cyberspace’ Just Security (10.06.2019), considering the Estonian interpretation to be “an advantageous development in the catalogue of response options that international law provides to deal with unlawful acts”.
- French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 10, arguing that collective countermeasures are not authorised under international law.
- Jeff Kosseff, ‘Collective Countermeasures in Cyberspace,’ (2020) Notre Dame Journal of International & Comparative Law Vol. 10, Iss. 1, 34; François Delerue, Cyber Operations and International Law (CUP 2020), 457.
- ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49, para 3.
- ILC Articles on State Responsibility, Commentary to Part One, Chapter 5, para 8 (noting that “[i]n a bilateral dispute over State responsibility, the onus of establishing responsibility lies in principle on the claimant State”).
- See, eg, Trail Smelter case (United States v Canada) (Award) 1941 3 RIAA 1905, 1965; see also Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013) 624 (noting that in cases where State responsibility is involved, the required threshold tends to shift towards ‘clear and convincing’”).
- James Green, ‘Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice’ (2009) 58 ICLQ 163, 167 (emphasis original).
- ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49 para 3.
- Australian Government, Australia's position on how international law applies to State conduct in cyberspace
- President of Estonia: international law applies also in cyber space, 29 May 2019
- International law and cyberspace - Finland's national position
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7-8.
- Federal Government of Germany, On the Application of International Law in Cyberspace, March 2021, 13-14
- Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
- Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4-5
- The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3-4.
- Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 4
- Federal Department of Foreign Affairs, Switzerland's position paper on the application of international law in cyberspace, May 2021, 6-7
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 7-8.
- Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
- United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021