Note on the structure of articles
The structure of articles[edit | edit source]
The core of this toolkit consists of international cyber law scenarios. Each scenario describes an incident, or a series thereof, and then analyses these from the perspective of international cyber law. The central question of the legal analysis section is the following: Do the incidents described in the scenario amount to a violation of international law by any of the relevant actors? In order to answer that question, the section is typically divided into three main parts: (1) attribution, (2) breach, and (3) responses and justifications. Occasionally, one or even two of these parts may be missing, depending on which issues are raised by a particular scenario.
This structure broadly follows the logic of the law of international responsibility. According to this logic, an entity—most commonly, but not exclusively, a State—is only responsible for an internationally wrongful act if three conditions are met simultaneously: firstly, there is an action or omission which is attributable to the entity in question; secondly, that action or omission constitutes a breach of an international obligation of the said entity; and thirdly, there are no circumstances that would preclude the wrongfulness of such an action or omission. As far as the responsibility of States is concerned, the relevant rules are codified in the International Law Commission’s Articles on State Responsibility, which are generally considered to reflect customary international law.
The remainder of this note explains the basics of the relevant law from the perspective of its application to cyber operations of the kind discussed in the present toolkit. Its aim is to assist the readers in understanding the structure used in the analysis of the individual scenarios while avoiding unnecessary repetition in the text of those scenarios.
Attribution[edit | edit source]
The conduct of the actors in the scenario must be attributable to an entity that bears the relevant obligation under international law. For the most part, international law regulates the conduct of States, and therefore the section on attribution typical considers whether the relevant conduct is imputable to any of the States mentioned in the scenario. To the extent that non-State actors (such as international organizations, private companies or organized armed groups) bear specific legal obligations under international law, this is highlighted in the text and if attribution of specific conduct to such entities poses particular problems, this is also considered in the same section.
As far as attribution of conduct to States is concerned, it is useful to distinguish between, on the one hand, the conduct of State organs or in exercise of governmental authority and, on the other hand, the conduct of non-State actors:
|State organs and persons and entities in exercise of governmental authority|
|The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).
|Activities of non-State actors (groups and individuals) are generally not attributable to States. However, such conduct can be attributable to a State in particular if the actor is:
Each of the three criteria entails a form of subordination between the non-State actor and the potentially responsible State. Regarding the criterion of control, there is a debate on the degree of control required for the attribution of the conduct to the State, as different tests have been developed.
On the one hand, the ICJ has affirmed that the exercise of “effective control” is necessary, which entails that the State is able to control the beginning of the relevant operations, the way they are carried out, and their end. This position has been expressly followed by some States in the realm of cyber operations, including Brazil, the Netherlands and Norway.
On the other hand, a less restrictive approach has been developed by the ICTY, and followed by the ICRC, under the “overall control” test, which requires the State in question (i) to provide the non-State entity with financial and training assistance, military equipment and/or operational support, and (ii) to participate in the organization, co-ordination or planning of operations of the entity in question. Nevertheless, the proponents of this test limit it to organized groups, meaning that the effective control test remains applicable for the conduct of private individuals, or unorganized groups.
The details of the individual modes of attribution are considered in the specific scenarios. In some cases, the aspect of evidence is considered:
|Evidentiary standards applicable to the attribution of cyber activities are context-dependent. The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof, and these matters are instead ordinarily determined by the relevant forum.
It is generally understood that any allegation that a wrongful act has been committed by another State should be substantiated. Nevertheless, there is no obligation under international law to publicly provide the evidence on which an attribution is based. This has been reaffirmed by many States in their national positions, including Canada, Finland, France, Germany, Israel, the Netherlands, New Zealand, Sweden, Switzerland, the United Kingdom and the United States. Some States have additionally affirmed that a “sufficient level of confidence”, or “sufficient certainty” must be reached before making a decision on attribution.
In case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them." This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved." The scope, scale, and impact of the incident have also been stressed as aspects that should be considered to support the assessment. The utility of cooperation at the regional and international levels for attribution purposes has also been highlighted.
Specific rules may apply to some responses, so when one State responds with countermeasures after misattributing an internationally wrongful act to another State, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.
Breach[edit | edit source]
|Breach of an international obligation|
|The second element of an internationally wrongful act is conduct amounting to a breach of an international obligation owed by the relevant entity. In this regard, it is undisputed that a cyber-related action or omission by a State may constitute a breach of its international obligations. International obligations arise from primary rules of international law: international treaties, customary international law, and general principles of law. Fault, such as intent or negligence on part of the wrongdoing State, is not a necessary element of a breach of an international obligation, unless there exists such a requirement in the relevant primary rule. Similarly, there is no general requirement for the injured party to have suffered any damage—again, unless such a requirement forms part of the primary obligation in question.
It is impossible to provide a list of all international obligations that may be violated by resort to cyber means. However, certain rules appear with higher frequency than others. These include the prohibition on the use of force; the prohibition of intervention; the obligation to respect the sovereignty of other States; the obligation to respect the right to privacy; the obligation of due diligence; and a few others (such as, for instance, the rule of distinction in the context of the law of armed conflict).
Although the application of these rules to the particular facts is the task of the individual scenarios, the toolkit contains an overview of each of these rules from the perspective of cyber-related activities. These overviews provided in collapsible sections within the individual scenarios and they can also be accessed directly at the links above or through the general List of articles.
Responses and justifications[edit | edit source]
|Circumstances precluding wrongfulness|
|A specific cyber-relation action or omission will only constitute an internationally wrongful act in the absence of circumstances precluding its wrongfulness.
The wrongfulness of specific conduct is precluded if one of the following conditions is met:
Some of the generally accepted circumstances precluding wrongfulness are responsive in nature, in the sense that they allow the relevant actor to claim that it is responding to a prior act of another entity or to a previously existing situation and that it is the fact of acting in response which justifies the lawfulness of the conduct in question. Accordingly, the scope of the third part of the legal analysis section is broader than a mere consideration of the applicable circumstances precluding wrongfulness. On occasion, other available responses (such as retorsions or responses authorized by the municipal law of the acting State) are also discussed, even if these do not serve to shield the acting entity from international responsibility.
|An act of retorsion is “an unfriendly but nevertheless lawful act by the aggrieved party against the wrongdoer”. Such acts may include the prohibition of or limitations upon normal diplomatic relations, the imposition of trade embargoes or the withdrawal of voluntary aid programmes. Cyber-specific retorsions may include sending warnings to cyber operatives belonging to another State, observing the adversary’s cyber activities on one’s own network using tools such as “honeypots”, or slowing down malicious cyber operations conducted by other States.|
Other responses may be available on the facts of the individual scenarios and are discussed there if appropriate.
Appendixes[edit | edit source]
See also[edit | edit source]
Notes and references[edit | edit source]
- Cf. J Crawford, ‘The System of International Responsibility’ in J Crawford, A Pellet and S Olleson (eds), The Law of International Responsibility (OUP 2010) 17–18 (noting that although the “burden of compliance principally lies” on States, all international legal persons are subject to the system of international responsibility).
- It should be noted that the second and the third condition are frequently considered together. For practical reasons, the toolkit analyses each of them separately, as some authors have also done in the past: see, eg, J Crawford and S Olleson, ‘The Nature and Forms of International Responsibility’ in M Evans (ed), International Law (4th edn, OUP 2014) 453 (referring to “[t]hree elements”, namely “attribution, breach, and the absence of any valid justification for non-performance”). However, it is conceded that the (non-)existence of circumstances precluding wrongfulness may be viewed as a sub-element of breach: in other words, the circumstances, when they are validly invoked, exclude that the relevant conduct constitutes a breach of a given international obligation. FI Paddeu, “Circumstances Precluding Wrongfulness” in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008-) (last updated September 2014), para. 4.
- Articles on State Responsibility.
- See, eg, Noble Ventures v Romania (12 October 2005) ICSID Case No ARB/01/11, para. 69 (noting that the Articles “are widely regarded as a codification of customary international law”); Tallinn Manual 2.0, commentary to Chapter 4, section 1, para. 1 (noting that the International Group of Experts agreed that, with a few exceptions, the Articles “replicate customary international law”).
- Cf. Articles on State Responsibility, Art. 2(a).
- Cf. B Stern, “The Elements of an Internationally Wrongful Act”, in J Crawford, A Pellet and S Olleson (eds), The Law of International Responsibility (OUP 2010) 203–08 (distinguishing between “[o]rgans of the State and persons or entities exercising elements of governmental authority” and “[p]ersons and entities acting on behalf of the State”).
- ILC Articles on State Responsibility, Art 4(1).
- ILC Articles on State Responsibility, Art 5.
- ILC Articles on State Responsibility, Art 6.
- ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
- ILC Articles on State Responsibility, Art 8; see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405.
- Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 426–27.
- See: ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits)  ICJ Rep 14, para 115; ICJ, Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment)  ICJ Rep 43, para 400.
- See Stefan Talmon, ‘The Responsibility of Outside Powers for Acts of Secessionist Entities’ (2009) 58(3) International and Comparative Law Quarterly 493, 503; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of cyber operations: an international law perspective on the Park Jin Hyok case’ (2020) 9(1) Cambridge International Law Journal 51, 63; See also Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 37-38.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 21.
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 6.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 71.
- Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (ICTY, 15 July 1999) paras 116 and ff.
- ICRC (ed), Commentary to the First Geneva Gonvention (CUP 2016) para 409; ICRC (ed), Commentary to the Third Geneva Convention (CUP 2021) para 304
- Prosecutor v Prlić et al (Trial Judgment) IT-04-74-T (ICTY, 29 May 2013), para. 86(a); see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 422.
- Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (ICTY, 15 July 1999) para 132; see also Antonio Cassese, ‘The Nicaragua and Tadić Tests Revisited in Light of the ICJ Judgment on Genocide in Bosnia’ (2007) 18(4) EJIL 649, 657.
- ILC Articles on State Responsibility, Art 9.
- ILC Articles on State Responsibility, Art 10(1).
- ILC Articles on State Responsibility, Art 10(2).
- ILC Articles on State Responsibility, Art 11.
- See further Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51, 64-68.
- ILC Articles on State Responsibility, commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").
- Tallinn Manual 2.0, Chapter 4 Section 1, para 8.
- UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015) para. 28(f); UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) para 71.(g); Acknowledged by Brazil, Germany, Russia and Switzerland in their national positions.
- SeeTallinn Manual 2.0, Chapter 4 Section 1 chapeau, para 13.
- Government of Canada, International Law applicable in cyberspace (April 2022)
- International law and cyberspace - Finland's national position (2020)
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019) 11.
- Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 12.
- Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020)
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 6.
- The Application of International Law to State Activity in Cyberspace (1 December 2020) 3.
- Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 5
- Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6.
- According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, 'Cyber and International Law in the 21st Century' (23 May 2018); United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement (3 June 2021)
- Brian J Egan, International Law and Stability in Cyberspace (10 November 2016) 19; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 141.
- See the national positions of Germany and Italy. See also New Zealand’s national position (“sufficient confidence”).
- See The Netherlands’ national position.
- Tallinn Manual 2.0, Chapter 4 Section 1, para 10; Cf. Yeager v Islamic Republic of Iran (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).
- Tallinn Manual 2.0, Chapter 4 Section 1, para 10.
- UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) para 24.
- UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 24 and 27.
- Tallinn Manual 2.0, Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49 para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”)
- Cf. ILC Articles on State Responsibility, Art. 2(b).
- For a detailed discussion of a breach of an international obligation by a cyber-related act, see rule 14 of Tallinn Manual 2.0 and commentary 2–11 thereto.
- ILC Articles on State Responsibility, General commentary, para 1.
- Statute of the International Court of Justice, of 26 June 1945, annexed to the UN Charter, Art 38(1)(a)–(c).
- ILC Articles on State Responsibility, Art. 2, para 10.
- ILC Articles on State Responsibility, Art. 2, para 9.
- Cf. ILC Articles on State Responsibility, commentary to Part One, chapter V, para 1 (“The existence in a given case of a circumstance precluding wrongfulness ... provides a shield against an otherwise well-founded claim for the breach of an international obligation”).
- ILC Articles on State Responsibility, Art 20.
- ILC Articles on State Responsibility, Art 21.
- ILC Articles on State Responsibility, Arts 22 and 49–54.
- ILC Articles on State Responsibility, Art 23.
- ILC Articles on State Responsibility, Art 24.
- ILC Articles on State Responsibility, Art 25.
- E Zoller, Peacetime Unilateral Remedies: An Analysis of Countermeasures (Transnational 1984) 5.
- Articles on State Responsibility, commentary to Part Three, Chapter II, para. 3.
- Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 17–22.
Bibliography and further reading[edit | edit source]
- MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)