Neutrality

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition of neutrality[edit | edit source]

Neutrality
Law of neutrality is a separate but complementary legal regime to international humanitarian law. It regulates relations between States which are parties to an international armed conflict (IAC) and States which are not parties to the conflict (neutral Powers). Several States have affirmed the application of the law of neutrality to cyber operations and shared their views on how it applies.[1] Transposing the rule of inviolability of the neutral Power’s territory to the cyber context, several States consider that parties to the conflict are prohibited from directing cyber operations against and from cyber infrastructure located in the territory, and under the exclusive control of, neutral Powers.[2] However, one State has expressed doubts over whether rules relating to territorial inviolability under the law of neutrality are applicable to cyber operations.[3]

With regard to harm that is not directed at a neutral State but which nonetheless may occur incidentally, France takes the view that ‘belligerents must refrain from causing harmful effects to digital infrastructure situated on the territory of a neutral State’.[4] Switzerland and Romania take similar positions.[5] The Tallinn Manual struggled with this issue, agreeing that foreseeable spill-over effects in neutral territory may breach the law of neutrality, but that ‘each case must be assessed on its own merits’ and that ‘States would be unlikely to regard de minimis effects as precluding the prosecution of an otherwise legitimate attack’.[6] The experts also noted that the law of neutrality allows for a balancing of competing rights between ‘belligerents to effectively conduct military operations’ and ‘neutral States to remain generally unaffected by the conflict’.[6]

While neutral State territory is inviolable[7] and therefore the exercise of belligerent rights by cyber means in neutral territory is prohibited, Article 8 of the Hague Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, explains that a neutral State is not required to forbid or restrict a belligerent’s use of ‘telegraph or telephone cables or of wireless telegraphy apparatus belonging to it or to companies or private individuals.’[8] In light of Article 8, different views exist with respect to the use of neutral cyber infrastructure by belligerents for cyber operations carried out in connection with an armed conflict. This mainly concerns situations where the data packets are routed through neutral cyber infrastructure, intentionally or otherwise. France takes the position that it does not violate the law of neutrality if the transmission has no effects on the neutral State.[9] The United States generally considers the use of publicly available communications infrastructure by belligerents as lawful.[10] Denmark has taken the view that it is ‘assumed that infrastructure located in the territory of a neutral State may not be used by belligerent States to engage in acts of war’.[11]

Corollary to the protection granted to neutral Powers is their duty to prevent and terminate any violation of its neutrality, although its extent is unsettled in the cyber context.[12] Failure to do so, particularly in the face of offensive cyber operations, could entitle the aggrieved party to use forceful measures against the neutral cyber infrastructure to end the adverse effects the operation causes.[13] However, any such measures would need to conform to the overarching UN Charter regime and customary international law governing the use of force.

Any potential legal obligation to prevent and terminate a violation of neutrality presents unique challenges in the cyber context given that neutral States do not always have knowledge of the use of their servers to transmit malware, and are not always able to prevent or terminate a cyber attack.[14] Switzerland seems to share this concern, arguing that there should be limits to the rights and duties of a neutral Power in light of the nature of data traffic on the Internet.[15]

Publicly available national positions that address this issue include: National position of Costa Rica (2023) (2023), National position of France (2019) (2019), National position of the Italian Republic (2021) (2021), National position of the Netherlands (2019) (2019), National position of Romania (2021) (2021), National position of Switzerland (2021) (2021).

National positions[edit | edit source]

Costa Rica (2023)[edit | edit source]

"63. The law of neutrality is applicable to cyber operations carried out during an international armed conflict, and it protects the populations and the cyber infrastructure in neutral States from the effects of such conflicts. Costa Rica understands the term “neutral State” as referring to any State which is not a party to an ongoing international armed conflict.

64. Parties to an international armed conflict are prohibited from carrying out cyber operations against and from cyber infrastructure located in the territory, and under the exclusive control of, neutral States. In Costa Rica’s perspective, they must also refrain from engaging in cyber operations that are reasonably expected to cause incidental harm to cyber infrastructure situated on the territory of neutral States.

65. Under the law of neutrality, a neutral State must not knowingly allow any use of cyber infrastructure located in its territory, or under its exclusive control, by parties to an international armed conflict for hostile purposes. This obligation is one of due diligence and is thus subject to the means reasonably available to the neutral State in question as well as its knowledge – actual or constructive – of such hostile uses of its cyber infrastructure. Conversely, the neutral State is not obliged to prevent parties to the conflict from using its networks solely for communication purposes."[16]

Czech Republic (2024)[edit | edit source]

"31. The purpose of the law of neutrality is to spare neutral States and their inhabitants from the effects of hostilities, and to prevent an escalation of an international armed conflict.

32. Due to worldwide interconnectivity of cyberspace, the law of neutrality is of great importance for cyber operations conducted as part of an international armed conflict. The Czech Republic shares the position taken by the Tallinn Manual 2.0 that the law of neutrality applies to cyber operations and cyber infrastructure.

33. Cyber infrastructure located within the territory of a neutral State or under its exclusive control is protected by the State’s territorial integrity and international humanitarian law. As long as such infrastructure is not used by the parties to the international armed conflict for the exercise of their belligerent rights, it is considered neutral in character irrespective of public or private ownership or the nationality of the owners. As such, it is protected from any harmful interference by the parties to the international armed conflict.

34. Without prejudice to para 33 above, the Czech Republic takes the view that the use of a public, internationally and openly accessible network, such as the Internet, for military purposes, does not violate the law of neutrality even if it or its components are located on the territory of a neutral State, provided that doing so does not have any harmful effects on that State.

35. A neutral State must remain impartial and may not knowingly engage in cyber activities that support the military action of one party to the international armed conflict. This means that a neutral State may not allow a party to the international armed conflict to use any cyber infrastructure located within its territory (as well as on vessels and aircrafts of the neutral State’s nationality) for military purposes or to establish a new one for such purposes. In line with para 34 above this does not apply to the use of public, internationally and openly accessible networks such as the Internet without any effect on the neutral State.

36. A neutral State is also obliged to take all feasible measures to terminate an abuse of the cyber infrastructure located within its territory (as well as on the vessels and aircrafts of its nationality) by any party to the international armed conflict."[17]

France (2019)[edit | edit source]

"Cyberoperations carried out in the context of an international armed conflict, or which trigger such a conflict, are subject to the law of neutrality. As such, the States party to an IAC may neither carry out cyberoperations linked to the conflict from installations situated on the territory of a neutral State or under the exclusive control of a neutral State, nor take control of computer systems of the neutral State in order to carry out such operations. The neutral State must prevent any use by belligerent States of ICT infrastructure situated on its territory or under its exclusive control. However, it is not required to prevent belligerent States from using its ICT networks for communication purposes.

Routing a cyberattack via the systems of a neutral State without any effect on that State does not breach the law of neutrality, which prohibits only the physical transit of troops or convoys."[18]

"The law of neutrality applies to cyberoperations. Belligerents must refrain from causing harmful effects to digital infrastructure situated on the territory of a neutral State or from launching a cyberattack from such infrastructure."[19]

Italy (2021)[edit | edit source]

"The law of neutrality applies in cyberspace in the context of an international armed conflict on the basis of existing international customary law. According to the law of neutrality, parties to an international armed conflict may not launch wrongful cyber operations from ICT infrastructure located in the territory or under the exclusive control of a neutral State.

Within an armed conflict, any action taken by a neutral State should be applied equally to all belligerents. For instance, a State may not provide or deny access to its ICT infrastructure to one party but not to the other(s). In addition, neutral States must abide by the rules and recommendations taken by the UNSC. They may thus not invoke their neutrality to refrain from adopting such measures against the wrongdoer(s)."[20]

Netherlands (2019)[edit | edit source]

"A key component of IHL is international law on neutrality. Neutrality requires that states which are not party to an armed conflict refrain from any act from which involvement in the conflict may be inferred or acts that could be deemed in favour of a party to the conflict. In its relations with parties to the armed conflict the neutral state is required to treat all parties equally in order to maintain its neutrality. A state may not, for example, deny access to its IT systems to one party to the conflict but not to the other. In its response to the above-mentioned advisory report by the AIV/CAVV, the government noted that, ‘In an armed conflict involving other parties, the Netherlands can protect its neutrality by impeding the use by such parties of infrastructure and systems (e.g. botnets) on Dutch territory. Constant vigilance, as well as sound intelligence and a permanent scanning capability, are required here.’"[21]

Romania (2021)[edit | edit source]

"We are also of the view that the principle of neutrality apply as well to cyber operations as part of an armed conflict and thus, belligerents must refrain from harming information and communication infrastructure situated on the territory of a neutral State or from launching attacks from such infrastructure."[22]

Switzerland (2021)[edit | edit source]

"As a matter of principle, Switzerland considers the rights and obligations of neutral countries in international armed conflicts to be applicable to cyberspace as well. If such an international armed conflict arises, a neutral country has a duty to prevent any infringements of its neutrality, such as the use of its territory by one of the conflicting parties. Parties to the conflict are obliged in turn to respect the territorial integrity of the neutral country. Therefore they may not conduct related cyber operations from installations that are either on the territory or under the exclusive control of the neutral country. Parties to the conflict are also prohibited from taking control of a neutral country's computer systems in order to carry out such operations.

Because of the global cross border nature of cyberspace, there are also limits to the rights and duties of a neutral country in terms of territoriality – airspace can be closed for certain flying objects, for example, but the same targeted approach cannot be used for data traffic oncthe internet. Another issue is that data are not only transmitted via terrestrial and cable channels but also via satellites located in outer space, which puts them outside the scope of application of the law of neutrality. Such factors must be taken into consideration when it comes to applying the rights and duties of neutral countries in cyberspace.

In principle, belligerent states are not permitted to damage the data networks of neutral countries when undertaking combat operations via their own computer networks. Neutral countries may not support conflicting parties with either troops or their own weapons. In terms of military cyber operations in connection with an international armed conflict, this means that a neutral country must prevent parties to the conflict from using its military-controlled systems or networks. In general, military networks are shielded and not publicly accessible."[23]


Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 60; Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019); Italian Position Paper on “International Law and Cyber Space”, Italian Ministry for Foreign Affairs and International Cooperation 10; Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 5; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 78 (Romania), 89 (Switzerland); DoD Law of War Manual, para 16.4.1.
  2. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 89 (Switzerland); Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019); Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 78 (Romania); Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 60; See also Italian Position Paper on “International Law and Cyber Space”, Italian Ministry for Foreign Affairs and International Cooperation 10.
  3. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 97 ILS 395, 397-98 (2021) (‘in relation to one of the basic overarching rules of neutrality—the inviolability of a neutral State’s territory—while in the land domain it is forbidden to transfer troops or convoys of munitions; at sea—the passage of warships in territorial waters is possible; and in the air such passage is subject to discretion or limitations of each neutral State. Given these differences, it remains unclear if and how this rule would be applicable in cyberspace.’)
  4. Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019).
  5. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 79 (Switzerland), 89 (Romania) The ICJ has acknowledged that under the law of neutrality some States ‘rule out the use of a weapon the effects of which simply cannot be contained within the territories of the contending States’. ICJ, Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) 1996, para 93. For an alternative view, see verbal statement by the United States in ICJ, ‘Public sitting: Verbatim Record’, in the case in ICJ, Legality of the Use by a State of Nuclear Weapons (Advisory Opinion), Wednesday 15 November 1995, 41 (‘The argument that the use of a nuclear weapon is per se unlawful because it would inevitably violate the territory of neutral States is equally unsound, Mr. President. The principle that neutral territory is inviolable means that a belligerent may not, save in rare and clearly defined circumstances, actually conduct military operations on the territory of a neutral State. It has never meant that neutral States can expect to be subject to none of the effects of war’.) See also more generally, ‘Draft Convention on Rights and Duties of Neutral States in Naval and Aerial War’, American Journal of International Law Vol. 33 (1939) 386-391 (commentary to Article 22 ‘A belligerent has no duty to pay compensation for damage to a neutral vessel or other neutral property or persons, when such damage is incidental to a belligerent’s act of war against the armed forces of its enemy and not in violation of the provisions of this Convention or of the law of war’.)
  6. 6.0 6.1 Tallinn Manual 2.0, commentary to rule 150, para 4.
  7. Hague Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, Article 1.
  8. Hague Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, Article 8.
  9. Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019).
  10. DoD Law of War Manual, para 16.4.1.
  11. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 60.
  12. See Tallinn Manual 2.0, commentary to rule 150, paras 5–7.
  13. Tallinn Manual 2.0, rule 153.
  14. Jeffrey T.G. Kelsey, ‘Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in the Age of Cyber Warfare’, Michigan Law Review, Vol. 106, May 2008, 1427-1452, 1444.
  15. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021 89.
  16. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 17-18 (footnotes omitted).
  17. Ministry of Foreign Affairs of the Czech Republic, "Czech Republic - Position paper on the application of international law in cyberspace" (27 February 2024) 9-10 (footnotes omitted).
  18. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 16.
  19. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 16.
  20. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,10.
  21. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 5.
  22. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.
  23. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 4-5.

Bibliography and further reading[edit | edit source]

Retrieved from "https://cyberlaw.ccdcoe.org/wiki/Neutrality?oldid=4056"