National position of Brazil (2021)

Introduction[edit | edit source]

This is the national position of Brazil on international law applicable to cyberspace. The position ^[1] has been submitted by Brazil and included within the official UNGGE compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States.^[2]. The compendium has been publicly released in August 2021.^[3]

Applicability of international law[edit | edit source]

"Brazil firmly believes that in their use of information and communications technologies, States must comply with international law, including the United Nations Charter, international human rights law and international humanitarian law. The United Nations and other regional organizations have recognized that international law, and in particular the Charter of the United Nations, is applicable to States’ ICT-related activity in cyberspace and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment. Hence, in current discussions, the question is no longer whether, but how international law applies to the use of ICTs by States."^[4]

Sovereignty[edit | edit source]

"State sovereignty is one of the founding principles of international law. As the ICJ has stated in the Corfu Channel Case, “between independent States, the respect for territorial sovereignty is an essential foundation for ‘international relations’”. It is applicable as a standalone rule, including to the use of ICTs by States, and entails an independent obligation of “every State to respect the territorial sovereignty of others”. Currently, there is neither broad state practice nor sufficient opinio juris to generate new customary international norm allowing for the violation of State sovereignty, including by means of ICTs.

Violations of State sovereignty by another State, including by means of ICTs, constitute an internationally wrongful act and entail the international responsibility of the State in violation. Interceptions of telecommunications, for instance, whether or not they are considered to have crossed the threshold of an intervention in the internal affairs of another State, would nevertheless be considered an internationally wrongful act because they violate state sovereignty. Similarly, cyber operations against information systems located in another State’s territory or causing extraterritorial effects might also constitute a breach of sovereignty."^[5]

Prohibition of intervention[edit | edit source]

The principle of non-intervention, which is considered customary international law, refers to “the right of every sovereign State to conduct its affairs without outside interference”. In the Declaration on the Principles of International Law concerning Friendly Relations and Co-operation among States, the General Assembly affirmed that “the strict observance by States of the obligation not to intervene in the affairs of any other State is an essential condition to ensure that nations live together in peace with one another”. Even though Resolution 2625 (XXV) preceded the widespread use of ICTs, the customary norm prohibiting intervention in the internal affairs of another State applies irrespective of the means or medium used and extends to the use of ICTs by States.

To violate the principle of non-intervention, the malicious use of ICTs against another State must involve an element of coercion affecting the right of the victim State to freely choose its political, economic, social and cultural system, and to formulate its foreign policy. If attributable to a State, this breach entails this State’s international responsibility.

There has been a growing discussion on whether cyberoperations aimed at interfering in the electoral processes of another State could amount to violations of the principle of non-intervention. Considering that elections are at the core of a State’s internal affairs, should the malicious use of ICTs against a State involve some level of coercion, then it must be prohibited by the principle of non-intervention."^[6]

Use of force[edit | edit source]

"As stated in previous reports of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, international law is applicable to the use of ICTs by States. This includes the legal prohibition of the use of force in international relations, which is enshrined in the UN Charter and is also part of customary international law. It is a peremptory norm, to which only two exceptions are permitted: self-defense and authorization under Chapter VII of the Charter.

The United Nations Charter does not refer to specific weapons or other means of use of force, and therefore the legal prohibition applies to all of them. Cyber operations may amount to an illegal use of force if they are attributable to a State and if their impact is similar to the impact of a kinetic attack. It is generally understood that, to date, no state has claimed that the rule prohibiting the use of force was violated due to the conduction of a cyberattack. The lack of such a precedent only reinforces the need for caution when making analogies between cyber and kinetic actions in assessments related to jus ad bellum.

General Assembly Resolution 3314(XXIX), which contains the definition of aggression, enumerates a series of acts that qualify as such: invasion of territory by armed forces, military occupation, bombardments or the use of any weapons against the territory of another state, blockade of the ports or coasts by the armed forces, among others. Although it is not binding, GA Res 3314(XXIX) has been considered highly authoritative and has guided the ICJ in its caselaw. In many instances, it might prove difficult to establish a direct analogy between the acts listed in GA Res 3314 (XXIX) and cyber operations, due to their unique characteristics. Therefore, it is advisable to update the multilateral understanding of which acts amount to the use of force and aggression, so as to include instances of cyberattacks. While it might be challenging to find consensus on grey areas, such as the characterization of digital attacks with no direct physical effects, there are points of convergence that should be consolidated multilaterally to provide more clarity and legal certainty."^[7]

Self-defence, armed attack and use of force[edit | edit source]

"Amongst the gravest forms of the use of force in international relations are armed attacks, which trigger the right of states to resort to self-defense, in accordance with article 51 of the UN Charter. Being self-defense an exception to the general principle on the prohibition to the use of force, it needs to be interpreted restrictively. This view is in line with the case law of the International Court of Justice, the principal judicial organ of the United Nations.

As a consequence, self-defense is only triggered by an armed attack undertaken by or attributable to a State. It is not possible to invoke self-defense as a response to acts by non-State actors, unless they are acting on behalf or under the effective control of a state. This norm becomes even more relevant with cyber operations, where technical, legal and operational challenges to determine attribution might make it impossible to verify potential abuses of the right of self defense, which in turns creates the risk of low impact persistent unilateral military action undermining the collective system established under the Charter.

In the same vein, contemporary international law does not allow for self-defense on the basis that the territorial state would be “unwilling and unable” to repress non-state actors whose cyber acts have extraterritorial effects. The definition of “armed attack” is limited to the use of force attributable to a state and, therefore, actions from non-state actors with similar effects might amount to serious crimes, but not an “armed attack”. If such a situation arises, the territorial state should adopt measures, in good faith and within its capabilities, to cease the action and ensure accountability.

If it fails to do so, this omission might constitute an internationally wrongful act, thus entailing this states’international responsibility. According to customary international law, in this case the victim state is entitled to remedies, to be pursued only through peaceful means.

Moreover, self-defense should be a temporary remedy. Member states that exercise their right to self-defense must immediately report it to the Security Council, in line with article 51 of the Charter. Given the novelty of cyberattacks and the uncertainties related to it, reporting to the Security Council is even more important. As the ICJ highlighted, “the absence of a report may be one of the factors indicating whether the State in question was itself convinced that it was acting in self defense”. Once the incident is reported to the Security Council, it is expected that the temporary act of self-help is replaced by collective action, adopted and pursued in line with the UN Charter.

For Brazil, the right to self-defense exists once there is an actual or imminent armed attack. Under international law, there is no right to “preventive self-defense” - a notion that does not find legal grounds neither in art. 51 of the Charter nor in customary international law. Finally, as with responses to armed activities using conventional weapons, self-defense against armed attacks caused by digital means must be necessary and proportionate."^[8]

State responsibility[edit | edit source]

"Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.

While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status."^[9]

Attribution[edit | edit source]

"States and international courts have consistently recognized some of the ILC articles on state responsibility as customary international law, such as the rules for attribution. In the absence of any lex specialis for cyberspace, the customary norms concerning the attribution of conduct to a State are also applicable to the State’s use of ICTs. Hence, cyber operations are attributable to a State if they are conducted by a State organ, by persons or entities exercising elements of governmental authority, or by persons or groups “acting on the instructions of, or under the direction or control of,” the State. Regarding the latter criteria, for a private person or entity’s conduct be attributable to a State, it has to be proved that the state had “effective control” over the operations. It is clear, therefore, that a connection “must exist between the conduct of a [state] and its international responsibility.”

The technical difficulties in tracing cyber operations and in determining its authorship may lead to additional challenges in attributing an internationally wrongful act to a State. However, these added difficulties must not serve as a justification to lower the bar for determinations on attribution, which must be substantiated."^[10]

Countermeasures[edit | edit source]

"On the other hand, there are questions on the customary status of other set of articles on state responsibility emanated from the ILC, such as the ones on countermeasures. There are different views on the existence of widespread state practice and opinio juris capable of giving rise to customary international law on the legality and the requirements of countermeasures. Furthermore, it is generally accepted that the ILC provisions on countermeasures went beyond the codification of customary norms and had a strong element of progressive development of international law. In this regard, it is important to recall that several states have criticized countermeasures because they would be prone to abuses, especially due to the material inequality of states.

Particularly on ICTs, there are many factors advising a cautious approach on countermeasures. First, there is an added difficulty to attribute cyber activities to a particular State, which is aggravated by the fact that States have different technical resources and capabilities to both identify the origins of a cyber activity and to verify claims of breaches of international obligations through cyber means. Second, cyber operations can be designed to mask or spoof the perpetrator, which in turns increase the risks of miscalculated responses against innocent actors. Finally, the speed with which the precipitating wrongful cyber operations may unfold poses a high risk of escalation, with potential rippling effects to the kinetic domain.

With this in mind, Brazil considers that there needs to be further discussions on the legality of countermeasures as a response to internationally wrongful acts, including in the cyber context. The discussions must fully take into account the UN Charter in its entirety, thus excluding from the outset any possibility of using force as a countermeasure – a view that has already been confirmed by the ILC. The priority of peaceful settlement of disputes, in line with articles 2(3) and 33 of the UN Charter, must also be reaffirmed."^[11]

International humanitarian law (jus in bello)[edit | edit source]

"International humanitarian law (IHL) is fairly equipped to answer many of the questions associated with new technologies, including ICTs. There is no doubt that IHL applies to States use of ICTs during an armed conflict. The fact that a specific weapon has been invented after the development of humanitarian law does not exempt it from regulation. Quoting from the ICJ Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, excluding cyber operations from IHL scope of application “would be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future.”

IHL applies to situations amounting to armed conflict independently of its classification as such by the parties. For IHL, it does not matter whether the armed conflict is lawful or not, because its objective is to minimize human suffering and provide a minimum level of protection to civilians in any scenario of hostilities. Hence, the recognition that international humanitarian law applies to the cyberspace does not in any way endorse its militarization or legitimize cyberwarfare, but only ensures a minimum level of protection if an armed conflict arises.

There are two instances where IHL might apply to cyber activities. First, if they are carried out as part of an ongoing armed conflict, contributing to conventional operations conducted by the parties. Second, if the cyber activities themselves cross the threshold of violence to be characterized as an armed conflict.

Of particular importance, the 2015 GGE report has noted the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction.

For Brazil, the IHL principle of precaution is also applicable to the use of ICTs by States, meaning that parties must “take all feasible precautions in the choice of means and methods of attack with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects”."^[12]

"In making the assessment of necessity, distinction, proportionality and precaution, parties must take into consideration the particularities of the cyberspace, such as the interconnectivity between military and civilian networks. The principle of distinction determines that cyberattacks must target military objectives and must not be indiscriminate. In case of doubt whether a cyber infrastructure that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, it shall be presumed not to be so used.

[...]

In any event, where IHL is silent or ambiguous, the “Martens clause” remains applicable, ensuring that, in cases not covered by existing rules, “civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity and from the dictates of public conscience”."^[13]

Attack (international humanitarian law)[edit | edit source]

"While holding the view that IHL applies to cyberspace, there are issues that deserve further reflection, such as the definition of cyberattack for the purposes of article 49 of AP I; the consideration of civilian data as a civilian object that entails protection under IHL; and when a civilian acting in the cyberspace might be considered as taking direct part in hostilities."^[14]

Principle of precautions[edit | edit source]

"Of particular importance, the 2015 GGE report has noted the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction.

For Brazil, the IHL principle of precaution is also applicable to the use of ICTs by States, meaning that parties must “take all feasible precautions in the choice of means and methods of attack with a view to avoiding, and in any event minimizing, incidental loss of civilian life, injury to civilians and damage to civilian objects”.

Moreover, according to AP I, States have an obligation, “in the study, development, acquisition or adoption of a new weapon, means or method of warfare,” to “determine whether its employment would, in some or all circumstances,” be prohibited. This norm, although being less strict than some States wished during the negotiations of AP I, already encompasses some precautionary elements. It must guide the development, acquisition and adoption of cyber capabilities. In making the assessment of necessity, distinction, proportionality and precaution, parties must take into consideration the particularities of the cyberspace, such as the interconnectivity between military and civilian networks.

In making the assessment of necessity, distinction, proportionality and precaution, parties must take into consideration the particularities of the cyberspace, such as the interconnectivity between military and civilian networks."^[15]

Legal review of cyber weapons[edit | edit source]

"[..] according to AP I, States have an obligation, “in the study, development, acquisition or adoption of a new weapon, means or method of warfare,” to “determine whether its employment would, in some or all circumstances,” be prohibited. This norm, although being less strict than some States wished during the negotiations of AP I, already encompasses some precautionary elements. It must guide the development, acquisition and adoption of cyber capabilities."^[16]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

Bibliography and further reading[edit | edit source]