National position of the Czech Republic (2024)

This page is under construction...

Introduction[edit | edit source]

• This national position contains a large number of footnote references. For ease of use, these footnotes have been omitted from the uploaded text of the position; readers are advised to consult its full version available online to access all the references.

The Czech Republic has published a Position Paper on the Application of International Law in Cyberspace. The position paper includes an introductory note stating that: "The rapid development of cyber capabilities and increasing number of harmful cyber activities have led States to address the question of how international law applies to cyberspace. The Czech Republic is aware of the opportunities and threats arising from the technological progress in information and communication technologies (ICTs) and fully endorses the international order based on international law that promotes an open, secure, stable, accessible and peaceful ICT environment and encourages responsible State behaviour in cyberspace. The Czech Republic considers international law to be a fundamental element of the framework for responsible State behaviour in cyberspace, which is essential to maintaining international peace and security, including in relation to cyber activities, and reaffirms that international law, including the United Nations Charter in its entirety, is applicable to State conduct in cyberspace and is essential to maintaining peace and stability in the ICT environment. The Czech Republic supports the ongoing international efforts to determine how international law applies to cyberspace, including the work of the past and current UN Open Ending Working Group on security of and the use of information and communications technologies (OEWG) and the past UN Group of Govermental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (GGEs) and welcomes the growing number of national contributions of States on how international law applies in cyberspace. The Czech Republic is therefore pleased to contribute to these efforts, following several years of consultations between various governmental institutions, reflecting the views of a wide range of States and other stakeholders, including the International Committee of the Red Cross, and academic projects on the application of international law to cyber operations, such as the Tallinn Manual, the Oxford Process and the Cyber Law Toolkit. The Czech Republic believes that the expression of national positions on how international law applies to the States activities in cyberspace will enhance international dialogue and further development of a common understanding and consensus on lawful and acceptable State behaviour, and that such statements can help reduce the risk of misunderstanding and escalation between States arising from cyber activities.

In this position paper the Czech Republic sets out its current view on the application of certain provisions of international law in cyberspace. The position paper in no way aims to offer an exhaustive analysis, but is rather intended to express national position on certain relevant issues.

The position paper has been prepared in collaboration of the Ministry of Foreign Affairs of the Czech Republic, the Ministry of Defence of the Czech Republic, and the National Cyber and Information Security Agency and approved by the Committee for the Foreign Security Policy Coordination (CFSPC)."^[1]

Sovereignty[edit | edit source]

"1. The principles of sovereignty and sovereign equality of States are fundamental concepts of international law, cornerstones of the UN Charter and apply in cyberspace, just as they do in other domains.

2. The two facets of sovereignty are the internal facet, meaning that every State exercises its sovereignty over its territory, including the ICTs located therein, subject to its obligations under international law, including international human rights law, and the external facet, meaning that every State may freely and independently choose and develop its political, social, economic and cultural system and determine its foreign policy.

3. The sovereignty of every State must be respected. The principle of sovereignty forms a basis of various rules, such as the prohibition of intervention and the prohibition of the use of force. At the same time, sovereignty is a rule in its own right which is capable of being violated. Thus, cyber activities that do not amount to a prohibited intervention or a prohibited use of force may nevertheless amount to a violation of a State’s sovereignty under international law. In such case, violation of one State’s sovereignty by another State, including by a cyber means, would be considered an internationally wrongful act.

4. On the other hand, the Czech Republic does not consider every cyber operation attributable to a State and having an effect in the territory or infrastructure of another State to be a violation of the latter’s sovereignty. Cyberspace is a global and open domain and States often exercise their jurisdiction in another State’s territory without legal repercussions. For instance, an organ of a State viewing a publicly available website hosted in another State for the purposes of obtaining information during a criminal investigation does not violate that State’s sovereignty, despite exercising jurisdiction in its territory without its consent.

5. Therefore, it is necessary to set a threshold where cyber activities could constitute a violation of the rule of sovereignty. The Czech Republic is of the view that cyber activities that rise above the level of negligible or de minimis effects and cause significant harmful effects on the territory of another State without the consent of that State could amount to a violation of the rule of sovereignty in relation to the State concerned. While there is no universal consensus on the threshold, the Czech Republic is of the opinion that the analysis should take into account the degree of infringement upon the target State’s territorial integrity (i.e. the scope, scale, impact or severity of the effects of the operation and the causal link between the operation and its effects) or whether the operation interfered with or usurped inherently governmental functions. In general, the impact or severity of cyber effects will be evaluated in the same manner and according to the same criteria as for physical activities. The Czech Republic will assess whether a violation of sovereignty has occurred on a case-by-case basis, since further State practice and opinio juris is needed to clarify the scope of customary law in this area over time.

6. The Czech Republic is of the opinion that the following cyber operations in one State’s territory constitute violations of sovereignty, if attributed to another State, inter alia:

a) a cyber operation causing death or injury to persons or significant physical damage;

b) a cyber operation causing damage to or disruption of cyber or other infrastructure with a significant impact on national security, economy, public health, public safety or environment; for instance, if such an operation causes a severe power outage affecting thousands of households;

c) a cyber operation interfering with any data or services which are essential for the exercise of inherently governmental functions, and thereby significantly disrupting the exercise of those functions; for example, distributing ransomware which encrypts the computers used by a government and thus disables the payment of retirement pensions or other social benefits."^[2]

Prohibition of intervention[edit | edit source]

"7. The obligation of non-intervention is a well-established customary rule of international law stemming from the principle of State sovereignty, which is also applicable to cyberspace. A definition of prohibited intervention was provided by the International Court of Justice in the 1986 Nicaragua v United States case: “A prohibited intervention must […] be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social, and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.”

8. The prohibition of intervention applies between States, and thus it is not applicable to the activities of individuals and non-State groups, unless their conduct can be attributed to a State under the rules of attribution under international law. Cyber activities may constitute a prohibited intervention under international law if they are comparable in scale and effect to intervention in non-cyber contexts.

9. There are two conditions for a cyber activity to be considered as an intervention prohibited under international law:

a) The activity has to tamper with the internal or external affairs of the State, also known as domaine réservé. Internal affairs include, for instance, the conduct of elections; court proceedings; or the drafting and enactment of laws. External affairs include, for instance, the ratification and denunciation of treaties; consenting to official activities of other State’s organs in its territory; or opening or closing down an embassy.

b) The activity must be coercive in nature. Coercion is an activity intended to deprive, either directly or indirectly, the State of its ability to exercise control or govern matters within its internal and external affairs. The precise definition of coercion, and thus of unauthorised intervention, has not yet fully crystallised in customary international law, further State practice and opinio juris are therefore needed.

10. Furthermore, a causal nexus between the activity and the effect on the target State to change its behaviour has to be considered. The assessment whether a particular cyber activity has reached the threshold of prohibited intervention has to be done on a case-by-case basis.

11. There is a certain similarity between the terms “internal and external affairs” and “inherently governmental affairs”, which is one of the defining elements of violation of sovereignty. The difference between actions that violate sovereignty and actions that violate the prohibition of intervention is that the latter is coercive, i.e., intentionally aims to influence the State’s free will and choice.

12. The use of cyber means to target election systems to manipulate election results would, for example, constitute a violation of the obligation of non-intervention.

13. Prohibition of intervention does not cover cyber activities broadly described as “propaganda”, provided that they do not violate another specific rule of international law, such as direct and public incitement to commit genocide. Mere influencing, criticism or persuasion do not meet the requirements to be qualified as prohibited intervention either.

14. Therefore, assessed on a case-by-case approach and taking into account specific circumstances of the case, intervention in the internal or external affairs of the Czech Republic by cyber means may constitute a violation of the prohibition of intervention."^[3]

Due diligence[edit | edit source]

"15. Due diligence stems from a general international law principle that States must ensure that territory and objects over which they enjoy sovereignty are not used to harm the rights of other States. Due diligence entails that “it is every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.” Thus, in the cyber domain, due diligence requires States to take all reasonable and feasible measures concerning activities in cyberspace falling under their jurisdiction in order to prevent, eliminate or mitigate potentially significant harm to legally protected interests of another State.

16. There exist, to this day, divergent views on the precise normative character, scope, and content of due diligence in cyberspace. In the opinion of the Czech Republic, due diligence, under the conditions stated below, may be considered an obligation in its own right.

17. Due diligence equally applies in cyberspace as concluded by the UN GGE in 2015. The Czech Republic is of the view that every State has an obligation to act against unlawful and harmful cyber activities emanating from or through its territory provided that it is aware of, or should reasonably be expected to be aware of, such activities. Due diligence applies in particular to activities of private individuals that violate the rights of other States, when harmful activities cannot be attributed to a particular State in accordance with the rules governing state responsibility or where only insufficient proof for such attribution exists.

18. The due diligence obligation is only triggered when the target State suffers serious adverse consequences. There is no universally accepted threshold of harm in international law and each case should be evaluated individually. The Czech Republic maintains that such harm does not need to be necessarily limited to physical damage to objects or physical injuries to persons by cyber means and could encompass other serious non-physical harm, resulting, for example, from the interference with or impairment of the use and operation of critical infrastructure. Such situations could also encompass, for example, malicious activities in cyberspace causing serious adverse consequences to medical and healthcare facilities in the Czech Republic.

19. To ensure compliance with the due diligence obligation, States should take measures that may be reasonably expected, in the given context and circumstances, to act against harmful cyber activities that violate a right of another State. In procedural terms, due diligence might encompass a duty to inform and cooperate in the case of transboundary harm. At the same time, the means to which a State has recourse in order to fulfil its due diligence obligation must be compatible with international law, including human rights obligations applicable to cyber activities. The Czech Republic understands due diligence as an obligation of conduct, not of result, therefore, as long as a State takes all reasonable measures, in accordance with the due diligence obligation, it cannot be held responsible if it is unable to prevent, mitigate or terminate wrongful cyber activities launched from or in transiting through its territory. Thus, the due diligence obligation does not require preventive monitoring of all activities in cyberspace. Moreover, factors such as technological and financial resources and overall material capabilities of the State, in the particular circumstances of each case, have to be taken into consideration when evaluating the compliance with the due diligence obligation.

20. In line with the above, the Czech Republic would consider a manifest violation of the due diligence obligation as an internationally wrongful act against which the Czech Republic, as the injured State, could take response pertaining to the law of State responsibility."^[4]

Peaceful settlement of disputes[edit | edit source]

"21. The obligation of every State to settle their international disputes by peaceful means remains one of the fundamental provisions of the UN Charter and general international law, which also applies in cyberspace.

22. In case of disputes that may endanger the maintenance of international peace and security, States shall seek solutions through negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice, as described in Article 33 (1) of the UN Charter.

23. The Czech Republic is of the view that the obligation to settle disputes peacefully does not preclude the right of States to take other measures in accordance with international law, including the UN Charter."^[5]

Use of force[edit | edit source]

"24. The prohibition of the threat or use of force by a State against the territorial integrity or political independence of another State or in any other manner inconsistent with the Purposes of the United Nations, as contained in Article 2(4) of the UN Charter, is one of the core provisions of the UN Charter and a fundamental rule of customary international law, which is also considered as peremptory norm of general international law (jus cogens).

25. The prohibition of the threat or use of force contained in the UN Charter is deliberately general and encompasses any means and methods used (whether kinetic or cyber means). Thus, the prohibition of the threat or use of force applies also in cyberspace.

26. Given the dependency of all States and societies on ICTs, cyber activities can have serious consequences not only in cyberspace but also in the physical world. Such activities can result in malfunction of critical infrastructure, physical damage or extensive economic loss, threaten national security or put human lives into jeopardy. The Czech Republic is of the opinion that cyber operation conducted in cyberspace could amount to the use of force under Article 2(4) of the UN Charter when the effects of the operation are comparable to those of a conventional character.

27. The UN Charter does not provide a definition of the term “use of force”. Whether activities in cyberspace, attributable to a State under international law, violate the prohibition of the threat or use of force as contained in Article 2(4) of the UN Charter needs to be assessed on case-by-case basis. Activities conducted by cyber means that do not amount to a threat or use of force may still amount to a violation of sovereignty or a prohibited intervention into internal or external affairs. In the context of cyber operations, the Czech Republic is of the view that factors offered by the Tallinn Manual 2.0, such as severity, immediacy, directness, invasiveness, measurability of effects, military character, State involvement or presumptive legality of the cyber operation in question represent important criteria in the process of evaluation when deciding whether an act may be characterized as an unlawful use of force.

28. Depending on the facts and circumstances, cyber operations attributable to a State and amounting to an unlawful use of force under Article 2(4) of the UN Charter may also constitute an "armed attack", under Article 51 of the UN Charter. The term "use of force" is generally perceived to be a broader concept than "armed attack", which is considered as the most grave form of the use of force.

29. The UN Charter does not provide a definition of the term "armed attack", nor does it list the criteria for determining under what conditions an act amounts to an "armed attack". In accordance with the general guidance provided by the International Court of Justice there are two main factors to be considered when assessing whether a use of force constitutes an armed attack: the scale and the effects of the particular act. If a cyber operation was comparable in its scale and effect to an attack by conventional means (kinetic operations) in terms of its gravity, such as fatalities, damage and destruction, it could be considered as constituting an armed attack under Article 51 of the UN Charter.

30. The Czech Republic reiterates the provisions of the UN Charter and customary international law that if an armed attack occurs, the affected State may exercise its inherent right to individual or collective self-defence under Article 51 of the UN Charter. The exercise of the right to self-defence shall meet the conditions of necessity and proportionality, but is not limited to cyber means and cyber domain, even if the armed attack was so conducted. Collective self-defence against a cyber operation amounting to an armed attack can be exercised only at the request of the victim State and within the scope of such a request."^[6]

Neutrality[edit | edit source]

"31. The purpose of the law of neutrality is to spare neutral States and their inhabitants from the effects of hostilities, and to prevent an escalation of an international armed conflict.

32. Due to worldwide interconnectivity of cyberspace, the law of neutrality is of great importance for cyber operations conducted as part of an international armed conflict. The Czech Republic shares the position taken by the Tallinn Manual 2.0 that the law of neutrality applies to cyber operations and cyber infrastructure.

33. Cyber infrastructure located within the territory of a neutral State or under its exclusive control is protected by the State’s territorial integrity and international humanitarian law. As long as such infrastructure is not used by the parties to the international armed conflict for the exercise of their belligerent rights, it is considered neutral in character irrespective of public or private ownership or the nationality of the owners. As such, it is protected from any harmful interference by the parties to the international armed conflict.

34. Without prejudice to para 33 above, the Czech Republic takes the view that the use of a public, internationally and openly accessible network, such as the Internet, for military purposes, does not violate the law of neutrality even if it or its components are located on the territory of a neutral State, provided that doing so does not have any harmful effects on that State.

35. A neutral State must remain impartial and may not knowingly engage in cyber activities that support the military action of one party to the international armed conflict. This means that a neutral State may not allow a party to the international armed conflict to use any cyber infrastructure located within its territory (as well as on vessels and aircrafts of the neutral State’s nationality) for military purposes or to establish a new one for such purposes. In line with para 34 above this does not apply to the use of public, internationally and openly accessible networks such as the Internet without any effect on the neutral State.

36. A neutral State is also obliged to take all feasible measures to terminate an abuse of the cyber infrastructure located within its territory (as well as on the vessels and aircrafts of its nationality) by any party to the international armed conflict."^[7]

International humanitarian law (jus in bello)[edit | edit source]

37. IHL applies to cyber operations conducted in the context of both international and non- international armed conflicts. It protects persons who do not, or no longer, take part in the hostilities, and imposes limits on the the means and methods of warfare, conduct of hostilities, and provides for the protection of civilians and civilian objects during an ongoing armed conflict.

38. Principles and rules of IHL applicable in armed conflict govern all forms of warfare and all means or methods of warfare, including those of the future. This is confirmed also by Article 36 of Additional Protocol I requiring States to review the lawfulness of such means and methods of warfare. Thus, cyber operations conducted as a part of an armed conflict are governed by IHL in the same way as any other means or methods of warfare.

39. The Czech Republic endorses the view that a cyber operation during an armed conflict, which is attributable to a State or other party to the conflict under international law, may constitute an “attack” under IHL, when the effects of such operation are comparable to those conducted by conventional means or methods of warfare, for instance if a cyber operation is designed or reasonably expected to cause injury or death to persons or damage or destruction to objects during an armed conflict.

40. Cyber operations conducted as part of hostilities during an armed conflict must always be conducted in compliance with all relevant IHL rules and in particular with IHL basic principles of humanity and military necessity, distinction, proportionality and precaution. Compliance with these principles in a cyber context may require specific considerations as the infrastructure in cyberspace is often used for both military and civilian purposes.

41. Parties to armed conflict must carefully design and use cyber tools to distinguish between the civilian population and combatants and between civilian objects and military objectives when conducting cyber operations. Civilians and civilian objects shall be protected from being the object of attack, including those carried out by cyber means. Civilians are protected against attack unless and for such time as they are directly participating in hostilities. In case of doubt as to whether a person is a civilian, that person shall be presumed a civilian. Attacks shall be limited strictly to military objectives. In case of doubt as to whether cyber infrastructure that is normally used for civilian purposes is being used to effectively contribute to military action, it shall be presumed not to be so used. Foreseeable direct and indirect effects shall be taken into account when assessing the proportionality of an attack.

42. When conducting cyber operations, constant care must be taken to spare the civilian population, individual civilians and civilian objects, for instance to ensure protection of essential civilian infrastructure and services. All feasible precautions must be taken to protect civilians and civilian objects from adverse effects of attacks, including through cyber means.

43. It is prohibited to make objects indispensable for the survival of the civilian population the object of attack, including through cyber means. It is likewise prohibited to destroy, remove or render them useless by cyber means. Parties to an armed conflict must not disrupt the functioning of such objects, including through cyber means. All feasible measures must be taken to facilitate thier functioning and prevent harm to these objects, including by cyber operations.

44. Medical units, transport and personnel as well as impartial humanitarian personnel and objects shall not be the object of attack and they must be respected and protected at all times, including their cyber infrastructure. All feasible measures must be taken to facilitate their functioning and to prevent harm to these facilities and persons.

45. Under all circumstances, parties to an armed conflict must not employ cyber tools that would spread or cause harm indiscriminately. Indiscriminate attacks, i.e., those that are of a nature to strike military objectives and civilians or civilian objects without distinction, are prohibited by IHL.

46. Cyber operations that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated, are prohibited. In the cyber context, this would require parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users, including shared physical infrastructure that would affect civilians.

47. The Czech Republic emphasizes that the application of IHL to cyber activities in armed conflict by no means promotes the militarization of cyberspace, nor legitimizes cyber warfare, just as IHL does not legitimize any other form of warfare. On the contrary, it reduces the military use of cyberspace by creating limits and requiring for all used means and methods of warfare to be employed in accordance with its rules."^[8]

Legal review of cyber weapons[edit | edit source]

"38. Principles and rules of IHL applicable in armed conflict govern all forms of warfare and all means or methods of warfare, including those of the future. This is confirmed also by Article 36 of Additional Protocol I requiring States to review the lawfulness of such means and methods of warfare. Thus, cyber operations conducted as a part of an armed conflict are governed by IHL in the same way as any other means or methods of warfare."^[9]

Attack (international humanitarian law)[edit | edit source]

"39. The Czech Republic endorses the view that a cyber operation during an armed conflict, which is attributable to a State or other party to the conflict under international law, may constitute an “attack” under IHL, when the effects of such operation are comparable to those conducted by conventional means or methods of warfare, for instance if a cyber operation is designed or reasonably expected to cause injury or death to persons or damage or destruction to objects during an armed conflict."^[10]

Conduct of hostilities[edit | edit source]

"40. Cyber operations conducted as part of hostilities during an armed conflict must always be conducted in compliance with all relevant IHL rules and in particular with IHL basic principles of humanity and military necessity, distinction, proportionality and precaution. Compliance with these principles in a cyber context may require specific considerations as the infrastructure in cyberspace is often used for both military and civilian purposes.

45. Under all circumstances, parties to an armed conflict must not employ cyber tools that would spread or cause harm indiscriminately. Indiscriminate attacks, i.e., those that are of a nature to strike military objectives and civilians or civilian objects without distinction, are prohibited by IHL."^[11]

Attacks against persons[edit | edit source]

"41. Parties to armed conflict must carefully design and use cyber tools to distinguish between the civilian population and combatants and between civilian objects and military objectives when conducting cyber operations. Civilians and civilian objects shall be protected from being the object of attack, including those carried out by cyber means. Civilians are protected against attack unless and for such time as they are directly participating in hostilities. In case of doubt as to whether a person is a civilian, that person shall be presumed a civilian. [...]"^[12]

Military objectives[edit | edit source]

"41. Parties to armed conflict must carefully design and use cyber tools to distinguish between the civilian population and combatants and between civilian objects and military objectives when conducting cyber operations. Civilians and civilian objects shall be protected from being the object of attack, including those carried out by cyber means. [...] Attacks shall be limited strictly to military objectives. In case of doubt as to whether cyber infrastructure that is normally used for civilian purposes is being used to effectively contribute to military action, it shall be presumed not to be so used. Foreseeable direct and indirect effects shall be taken into account when assessing the proportionality of an attack."^[13]

Principle of precaution[edit | edit source]

"42. When conducting cyber operations, constant care must be taken to spare the civilian population, individual civilians and civilian objects, for instance to ensure protection of essential civilian infrastructure and services. All feasible precautions must be taken to protect civilians and civilian objects from adverse effects of attacks, including through cyber means."^[14]

Objects indispensable to the survival of the civilian population[edit | edit source]

"43. It is prohibited to make objects indispensable for the survival of the civilian population the object of attack, including through cyber means. It is likewise prohibited to destroy, remove or render them useless by cyber means. Parties to an armed conflict must not disrupt the functioning of such objects, including through cyber means. All feasible measures must be taken to facilitate thier functioning and prevent harm to these objects, including by cyber operations."^[15]

Protection of medical units during armed conflict[edit | edit source]

"44. Medical units, transport and personnel as well as impartial humanitarian personnel and objects shall not be the object of attack and they must be respected and protected at all times, including their cyber infrastructure. All feasible measures must be taken to facilitate their functioning and to prevent harm to these facilities and persons."^[16]

Proportionality[edit | edit source]

"46. Cyber operations that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated, are prohibited. In the cyber context, this would require parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users, including shared physical infrastructure that would affect civilians."^[17]

International human rights law[edit | edit source]

"48. With ongoing digitalization and technological advances of new technologies, the need to protect and respect all human rights in and with respect to cyberspace is becoming more urgent. While new technologies have great potential to contribute to the protection and promotion of human rights, they also pose significant challenges to human rights. The Czech Republic reiterates that the same rights that people have offline must also be protected online and States must uphold their human rights obligations. Human rights instruments such as the International Covenant on Civil and Political Rights (ICCPR), the International Covenant on Economic, Social and Cultural Rights (ICESCR), European Convention for the Protection of Human Rights and Fundamental Freedoms and other relevant human rights treaties and customary international law based on the Universal Declaration of Human Rights are applicable in cyberspace as they are in the physical domain. The Czech Republic further reiterates the universality, indivisibility, interdependence and interrelatedness of all human rights and fundamental freedoms.

49. Protection and promotion of human rights, both online and offline, is a longstanding priority for the Czech Republic. The Czech Republic promotes international collaboration to maintain a free, open, safe, secure and stable cyberspace where democracy, rule of law, and human rights and fundamental freedoms apply. In international organizations and other platforms, the Czech Republic promotes the human rights-based and human-centric approach to digital transition.

50. In the cyber domain, States must respect, protect and ensure human rights for all, including but not limited to the right to privacy, the right to freedom of thought, conscience and religion, the right to freedom of opinion and expression, including the right to seek, receive and impart information, the right to freedom of peaceful assembly and association, the right to equality and non-discrimination and the right to education, which are particularly relevant in the context of cyberspace and digital technologies. Implications of new and emerging technologies, in particular data-driven technologies, must be taken into account especially in the context of the right to privacy, the right to freedom of opinion and expression and the right to freedom of peaceful assembly and association as stipulated in the ICCPR.

51. In some situations, the obligations to respect and ensure human rights can be restricted. The Czech Republic recognizes that such restrictions must be provided by law, serve a legitimate purpose (such as protecting the rights of others, or national security), be necessary to achieve that purpose and be proportionate."^[18]

State responsibility[edit | edit source]

"52. The customary international law on State responsibility, as reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA), applies to State behaviour in cyberspace.

53. An internationally wrongful act is an act or omission that constitutes a breach of an international obligation of a State and is attributable to it under international law."^[19]

Attribution[edit | edit source]

"54. The Czech Republic recognises the right of a State to attribute a cyber activity, either individually or collectively, in compliance with international law. A decision to attribute a cyber activity is a national prerogative and remains at the discretion of a sovereign State.

55. General international rules of attribution as reflected in ARSIWA are also applicable to cyberspace. A cyber operation is deemed an internationally wrongful act when it is attributable to a State under international law and constitutes a breach of an international obligation of the State. A cyber activity is attributable to a State if perpetrated by organs of States, or persons or entities exercising elements of governmental authority and acting in that capacity in the particular instance, or organs placed at the disposal of a State by another State. Furthermore, States are responsible for international wrongful acts conducted by cyber means and perpetrated by non- state actors if such an actor in fact acts on the instruction of, or under the direction or control of that State in carrying out the conduct in question.

56. Attribution is linked to the availability of information. It requires establishing the facts of the activity in question and the identity of the actors responsible for the purposes of attribution. Cooperation with relevant institutions to gather all available information, information sharing, consultations and coordination at national and international level can be required. Attribution is based not only on gathering relevant technical information but also on the assessment of a political and security context of a cyber activity, its nature, extent, and consequences. The ascertainment of the State of origin of a cyber activity is not in itself a determining factor and cannot stand as an argument alone.

57. Although States are not required to be absolutely certain to attribute a wrongful act, but rather to gather and reasonably assess the information available, a sufficient degree of certainty on attribution of a wrongful act to a particular State needs to be reached.

58. States are not obliged to disclose evidence in order to publicly attribute a cyber activity. The disclosure of evidence may be relevant when a legal proceeding is initiated (e.g., before the International Court of Justice)."^[20]

Retorsion[edit | edit source]

"59. Retorsion is a lawful, albeit unfriendly, act of an aggrieved State towards a wrongdoing State or an international organisation. Due to its lawfulness, retorsion is a readily available response to a harmful cyber activity that does not qualify as a breach of international law. However, it is also available in response to an internationally wrongful act. Response by retorsion can be combined with other types of response, such as countermeasures, if the legal conditions for such measures are met.

60. The Czech Republic is of the view that retorsion can be of both cyber and non-cyber nature. Examples include imposing visa restrictions, suspension of treaty negotiations, recalling a head of diplomatic mission, severance of diplomatic relations or economic measures such as import or export restrictions (unless the State has a specific obligation prohibiting it from doing so). Retorsion can be taken jointly by several States if none of the participating States has a legal obligation to refrain from that particular response."^[21]

Circumstances precluding wrongfulness[edit | edit source]

"61. The Czech Republic recognises that wrongfulness of a cyber activity is precluded in the case of consent, self-defence, countermeasures in respect of internationally wrongful act, force majeure, distress or necessity."^[22]

Countermeasures[edit | edit source]

"62. Countermeasures are measures that are taken by an injured State against a State which is responsible for an internationally wrongful act, that would normally constitute a violation of an obligation under international law, but the wrongfulness of which is precluded as they are conducted in response to an ongoing internationally wrongful act committed by another State. Conditions relating to resort to countermeasures are set forth by customary international law, as reflected in ARSIWA.

63. The Czech Republic recognises that the purpose of countermeasures is to induce the State that committed an internationally wrongful act to comply with its obligations under international law. The ultimate goal of countermeasures is to attain the cessation of the violation of international law and reparation of the injury suffered. Other purposes, such as retribution or retaliation, do not constitute a ground for a lawful use of countermeasures.

64. The Czech Republic reserves its right to respond to cyber-related violations of international law obligations attributable to other States, in form of actions or omissions, by undertaking countermeasures, which can be carried out via both cyber and non-cyber means. States may respond with both traditional countermeasures, such as trade embargoes and financial sanctions, and cyber-enabled countermeasures, i.e., adverse cyber operations consisting in the non- performance for the time being of international obligations towards the responsible State.

65. Countermeasures shall be, as far as possible, reversible, shall not amount to the level of the threat or use of force and must be in compliance with other peremptory norms of international law, obligations for the protection of fundamental human rights, international humanitarian law prohibition on reprisals, applicable obligations undr inviolability. They must be temporary and proportionate, i.e., commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights of the injured State that were violated. In this context, the lack of physical damage shall not be considered as an impediment to undertaking justified countermeasures.

66. The Czech Republic recognises that an injured State is required to call upon the responsible State to fulfil its international obligations. Furthermore, prior to employing countermeasures, an injured State is required to notify the responsible State of its intention to take countermeasures and offer to negotiate with the responsible State. The Czech Republic, however, recognises that in case of urgency and in order to preserve rights of the injured State, countermeasures may be undertaken without such prior notification. In either way, given the specific nature of cyberspace that allows attackers to use various spoofing methods, the injured State may resort to countermeasures only if it is able to attribute the internationally wrongful act in question to the responsible State.

67. An injured State is not obliged to disclose evidence to justify resort to countermeasures but rather to be reasonable in its assessment and establish with sufficient certainty the attribution of an internationally wrongful act to a particular State. The Czech Rwith the responsible State. The Czech Republic, however, recognises that in case of urgency and in order to preserve rights of the injured State, countermeasures may be undertaken without such prior notification. In either way, given the specific nature of cyberspace that allows attackers to use various spoofing methods, the injured State may resort to countermeasures only if it is able to attribute the internationally wrongful act in question to the responsible State."^[23]

Plea of necessity[edit | edit source]

"68. The Czech Republic endorses that the State acts in conformity with international law under the principle of necessity when its action not in conformity with an international obligation is the only way for the State to safeguard an essential interest against a grave and imminent peril. This rule may be invoked only in exceptional cases, namely if there is no other real possibility of addressing the grave and imminent peril, such peril is clearly established on the basis of the evidence reasonably available at the time and provided the act would not result in serious impairment of an essential interests of another State or of the international community as a whole. The State may invoke necessity even if the total amount of potential damage has not yet been assessed, such damage also does not necessarily have to be physical."^[24]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

Bibliography and further reading[edit | edit source]