National position of the United States of America (2021)

Introduction[edit | edit source]

This is the national position of the United States of America on international law applicable to cyberspace. The position^[1] has been submitted by the United States of America and included within the official UNGGE compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States.^[2] The compendium has been publicly released in August 2021.^[3]

Applicability of international law[edit | edit source]

"The United States believes that fostering discussion on how States understand their existing rights and obligations under international law, including with respect to self-defense, use of force, and armed conflict, apply in cyberspace actually promotes greater predictability and reduces the risk of unintended conflict."^[4]

"There are two related bodies of international law that are relevant to the question of how existing international law applies to ICTs and the use of force in and through cyberspace: jus ad bellum (the body of law that addresses, inter alia, uses of force triggering a State’s right to use force in self-defense) and jus in bello (the body of law governing the conduct of hostilities in the context of armed conflict)."^[5]

Use of force[edit | edit source]

"Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In determining whether a cyber activity constitutes a use of force prohibited by Article 2(4) of the UN Charter and customary international law or an armed attack sufficient to trigger a State’s inherent right of self defense, States should consider the nature and extent of injury or death to persons and the destruction of, or damage to, property. Although this is necessarily a case-by-case, fact-specific inquiry, cyber activities that proximately result in death, injury, or significant destruction, or represent an imminent threat thereof, would likely be viewed as a use of force / armed attack. If the physical consequences of a cyber activity result in the kind of damage that dropping a bomb or firing a missile would, that cyber activity should equally be considered a use of force / armed attack.

Some of the factors States should evaluate in assessing whether an event constitutes an actual or imminent use of force / armed attack in or through cyberspace include the context of the event, the actor perpetrating the action (recognizing the challenge of attribution in cyberspace, including the ability of an attacker to masquerade as another person/entity or manipulate transmission data to make it appear as if the cyber activity was launched from a different location or by a different person), the target and its location, the effects of the cyber activity, and the intent of the actor (recognizing that intent, like the identity of the attacker, may be difficult to discern, but that hostile intent may be inferred from the particular circumstances of a cyber activity), among other factors."^[6]

Self-defence and armed attack[edit | edit source]

"A State’s inherent right of self-defense, recognized in Article 51 of the UN Charter, may in certain circumstances be triggered by cyber activities that amount to an actual or imminent armed attack. This inherent right of self-defense against an actual or imminent armed attack in or through cyberspace applies whether the attacker is a State actor or a non-State actor. There is no requirement that a State defend itself using the same capabilities with which it is being attacked. States may employ cyber capabilities that rise to the level of a use of force as a means of self-defense against a kinetic armed attack (i.e., one that was not launched in or through cyberspace). Additionally, States may in certain circumstances use kinetic military force in self-defense against an armed attack in or through cyberspace.

The use of force in self-defense must be limited to what is necessary and proportionate to address the imminent or actual armed attack in or through cyberspace. Before resorting to forcible measures in self-defense against an actual or imminent armed attack in or through cyberspace, States should consider whether passive cyber defenses or active defenses below the threshold of the use of force would be sufficient to neutralize the armed attack or imminent threat thereof."^[7]

International humanitarian law (jus in bello)[edit | edit source]

"The 2015 GGE report recognized the applicability of the established jus in bello principles of humanity, necessity, proportionality, and distinction in cyberspace. The applicability of the jus in bello more broadly to States’ use of ICTs has been reaffirmed by a large number of Member States.

[...]

The United States has also elaborated on how these principles would apply to cyber capabilities under an armed conflict. For example, the principle of distinction requires that only legitimate military objectives be made the object of attack. In the context of cyber capabilities used in armed conflict, the principle of distinction requires that only legitimate military objectives be made the object of attack.

The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects which would be excessive in relation to the concrete and direct military advantage anticipated. In the cyber context, this rule would require parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians. In addition to the potential physical damage that a cyber activity may cause, such as death or injury that may result from effects on critical infrastructure, parties must assess the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance but may be networked to military objectives.

In addition, when using cyber capabilities in armed conflict, States must comply with their obligations under international humanitarian law related to the protection of medical personnel and facilities. For example, medical personnel and facilities must not be knowingly attacked or unnecessarily prevented from discharging their proper functions, and parties to a conflict must take feasible precautions to reduce the risk of incidental harm to the civilian population and other protected persons and objects, including medical personnel and facilities.

The United States has specifically addressed how its international humanitarian law obligations apply to cyberspace operations in the context of armed conflict in the Department of Defense’s Law of War Manual, reflecting a commitment to ensure that U.S. legal obligations are understood and respected by its military. Several other States have taken similar steps to share their views on how international humanitarian law applies and / or address cyber specifically in their military manuals."^[8]

Principle of precautions[edit | edit source]

"In addition, when using cyber capabilities in armed conflict, States must comply with their obligations under international humanitarian law related to the protection of medical personnel and facilities. For example, medical personnel and facilities must not be knowingly attacked or unnecessarily prevented from discharging their proper functions, and parties to a conflict must take feasible precautions to reduce the risk of incidental harm to the civilian population and other protected persons and objects, including medical personnel and facilities.

The United States has specifically addressed how its international humanitarian law obligations apply to cyberspace operations in the context of armed conflict in the Department of Defense’s Law of War Manual, reflecting a commitment to ensure that U.S. legal obligations are understood and respected by its military. Several other States have taken similar steps to share their views on how international humanitarian law applies and / or address cyber specifically in their military manuals."^[9]

Attack (international humanitarian law)[edit | edit source]

"The United States recognizes that cyber activities in the context of an armed conflict may in certain circumstances constitute an “attack” for purposes of the application of the jus in bello rules that govern the conduct of hostilities, including the principles of humanity, necessity, proportionality, and distinction recognized in the 2015 GGE report".^[10]

Sovereignty[edit | edit source]

"As recognized in the 2013 and 2015 GGE reports, State sovereignty and the international principles that flow from sovereignty apply to States’ ICT-related activities and to their jurisdiction over ICT infrastructure within their territory.

The United States believes that State sovereignty, among other long-standing international legal principles, must be taken into account in the conduct of activities in cyberspace. Whenever a State contemplates conducting activities in cyberspace, the equal sovereignty of other States needs to be considered.

The implications of sovereignty for cyber activities are complex, but we can start by noting two important implications of sovereignty for ICT-related activities. First, we acknowledge the continuing relevance of territorial jurisdiction, even to cyber activities, and second, we acknowledge the exercise of jurisdiction by the territorial State is not unlimited; it must also be consistent with applicable international law, including international human rights obligations."^[11]

"In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimise effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions."^[12]

Prohibition of intervention[edit | edit source]

"Among other international legal principles, the 2015 GGE report acknowledges the principle of non-intervention in the internal affairs of other States. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. Other States have made similar observations.290 Further, a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population--for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic--could be considered a violation of the rule of non-intervention."^[13]

Peacetime cyber espionage[edit | edit source]

"In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per see violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimise effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions."^[14]

International human rights law[edit | edit source]

"Finally, while the physical infrastructure that supports the Internet and cyber activities is generally located in sovereign territory and is subject to the jurisdiction of the territorial State, the exercise of jurisdiction by the territorial State is not unlimited. It must be consistent with applicable international law, including international human rights obligations. The 1948 Universal Declaration of Human Rights (UDHR) says: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” All human beings hold certain rights, whether they choose to exercise them in a city square or an Internet chat room. The right to freedom of expression is well-established internationally in both the UDHR and the International Covenant on Civil and Political Rights. Both of these instruments clearly state that this right can be exercised through any media and regardless of frontiers. Both of these instruments set forth the right of individuals to publish, to create art, to practice their religions, and to gather together and discuss issues of the day. Regardless of whether these activities occur online or offline, they are governed by the same principles."^[15]

Due diligence[edit | edit source]

"In recent public statements on how international law applies in cyberspace, a few States have referenced the concept of “due diligence”: that States have a general international law obligation to take steps to address activity emanating from their territory that is harmful to other States, and that such a general obligation applies more specifically, as a matter of international law, to cyber activities. The United States has not identified the State practice and opinio juris that would support a claim that due diligence currently constitutes a general obligation under international law. We do believe, however, that if a State is notified of harmful activity emanating from its territory it must take reasonable steps to address such activity."^[16]

State responsibility[edit | edit source]

"Both the 2013 and 2015 GGE reports concluded that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. In addition, they must not use proxies to commit internationally wrongful acts using ICTs.

Under the law of State responsibility, a State is responsible for an internationally wrongful act when there is an act or omission that is attributable to it under international law that constitutes a breach of an international obligation of the State. Cyber activities may therefore constitute internationally wrongful acts under the law of State responsibility if they are inconsistent with an international obligation of the State and are attributable to it."^[17]

Attribution[edit | edit source]

"The law of State responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise elements of governmental authority are attributable to that State. As important, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies; cyber operations conducted by non-State actors are attributable to a State under the law of State responsibility when such operations are engaged in pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own. Thus, when there is information – whether obtained through technical means or all-source intelligence – that permits attribution of a cyber act of an ostensibly non-State actor to a State under the international law of State responsibility, the victim State has all of the rights and remedies against the responsible State permitted to it under international law.

The law of State responsibility does not set forth burdens or standards of proof for attribution. Such questions may be relevant for judicial or other types of proceedings, but they do not apply as an international legal matter to a State’s determination about attribution of internationally wrongful cyber acts for purposes of its response to such acts, including by taking unilateral, self-help measures permissible under international law, such as countermeasures. In that context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not required. Instead, international law generally requires that States act reasonably under the circumstances. Similarly, there is no international legal obligation to reveal evidence on which attribution is based. But to facilitate global understanding of emerging state practice in this rapidly developing area, public attributions should, wherever feasible, include sufficient evidence to allow corroboration or cross-checking of allegations.

Attribution plays an important role in States’ responses to malicious cyber activities as a matter of international law. It is crucial, however, to distinguish legal attribution from attribution in the technical and political senses. States and commentators often express concerns about the challenge of attribution in a technical sense – that is, the challenge in light of certain characteristics of cyberspace of obtaining facts, whether through technical indicators or all-source intelligence, that would inform a State’s policy and legal determinations about a particular cyber incident. Others have raised issues related to political decisions about attribution – that is, considerations that might be relevant to a State’s decision to go public and identify another State as the actor responsible for a particular cyber incident and to condemn a particular cyber act as unacceptable. As norms emerge to clarify how international law addresses the issue of attribution, it would be useful, wherever possible, for law-abiding states to share information regarding both technical knowhow and state practice."^[18]

Countermeasures[edit | edit source]

"In certain circumstances, a State injured by cyber activities that are attributable to another State and that constitute an internationally wrongful act, but do not amount to an armed attack, may respond with non-forcible countermeasures. Such countermeasures must be directed only at the State responsible for the wrongful act, must meet the requirements of necessity and proportionality, must be designed to induce the State to return to compliance with its international obligations, and, under the customary international law of State responsibility, must be suspended without undue delay if the internationally wrongful act has ceased.

Before an injured State can undertake countermeasures in response to a cyber-based internationally wrongful act attributable to a State, it generally must call upon the responsible State to cease its wrongful conduct, unless urgent countermeasures are necessary to preserve the injured State’s rights. The sufficiency of this prior demand on the responsible State should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.

Countermeasures taken in response to cyber activities attributable to States that constitute internationally wrongful acts may take the form of cyber-based countermeasures or non-cyber-based countermeasures. Countermeasures are distinct from acts of retorsion, which are unfriendly acts that are not inconsistent with any international obligations".^[19]

Retorsion[edit | edit source]

"Acts of retorsion may include the imposition of sanctions or the declaration that a diplomat is persona non grata. A State can always undertake such responsive measures that are not inconsistent with any of its international obligations in order to influence the behavior of other States, including in response to destabilizing cyber activities."^[20]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

Bibliography and further reading[edit | edit source]