Prohibition of intervention

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Prohibition of intervention
The obligation of non-intervention, a norm of customary international law prohibits States from intervening coercively in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 case Nicaragua v United States:
A prohibited intervention must … be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.[1]
In order for an act, including a cyber operation, to qualify as a prohibited intervention, it must fulfil the following conditions:
  1. The act must bear on those matters in which States may decide freely. The spectrum of such issues is particularly broad and it includes both internal affairs (such as the “choice of a political, economic, social, and cultural system”[1] or the conduct of national elections[2]), and external affairs (“formulation of foreign policy”;[1] “recognition of states and membership of international organisations”[3])—the so-called domaine réservé of States.[4] The content of the domaine réservé is determined by the scope and nature of the State's international legal obligations.
  2. The act must be coercive in nature. There is no generally accepted definition of “coercion” in international law. In this respect, two main approaches have emerged in the cyber context:[5]
    1. Under the first approach, an act is coercive if it is specifically designed to compel the victim State to change its behaviour with respect to a matter within its domaine reservé.[6] Under this approach, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”.[7]
    2. Under the second approach giving meaning to “coercion”, it is sufficient for an act to effectively deprive the target State of its ability to control or govern matters within its domaine reservé.[8] This latter approach distinguishes itself from the former by accepting that mere deprivation of the target State’s control over a protected matter, without actually or potentially compelling that State to change its behaviour, may constitute intervention.[9]
    Under both approaches, however, merely influencing the target State by persuasion or propaganda or causing a nuisance without any particular goal is insufficient to qualify as coercion.[10] The element of coercion also entails the requirement of intent.[11]
  3. Finally, there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.[12]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022) National position of Estonia (2021) (2021), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Iran (2020) (2020), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Romania (2021) (2021), National position of Singapore (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2016) (2016), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

National positions[edit | edit source]

Australia (2020)[edit | edit source]

"Harmful conduct in cyberspace that does not constitute a use of force may still constitute a breach of the duty not to intervene in the internal or external affairs of another State. This obligation is encapsulated in Article 2(7) of the Charter and in customary international law.

A prohibited intervention is one that interferes by coercive means, either directly or indirectly, in matters that a State is permitted by the principle of State sovereignty to decide freely. Such matters include a State's economic, political, social systems and foreign policy. Coercive means are those that effectively deprive the State of the ability to control, decide upon or govern matters of an inherently sovereign nature. Accordingly, the use by a hostile State of cyber activities to manipulate the electoral system to alter the results of an election in another State, intervention in the fundamental operation of Parliament, or in the stability of States' financial systems would constitute a violation of the principle of non-intervention."[13]

Brazil (2021)[edit | edit source]

The principle of non-intervention, which is considered customary international law, refers to “the right of every sovereign State to conduct its affairs without outside interference”. In the Declaration on the Principles of International Law concerning Friendly Relations and Co-operation among States, the General Assembly affirmed that “the strict observance by States of the obligation not to intervene in the affairs of any other State is an essential condition to ensure that nations live together in peace with one another”. Even though Resolution 2625 (XXV) preceded the widespread use of ICTs, the customary norm prohibiting intervention in the internal affairs of another State applies irrespective of the means or medium used and extends to the use of ICTs by States.

To violate the principle of non-intervention, the malicious use of ICTs against another State must involve an element of coercion affecting the right of the victim State to freely choose its political, economic, social and cultural system, and to formulate its foreign policy. If attributable to a State, this breach entails this State’s international responsibility.

There has been a growing discussion on whether cyberoperations aimed at interfering in the electoral processes of another State could amount to violations of the principle of non-intervention. Considering that elections are at the core of a State’s internal affairs, should the malicious use of ICTs against a State involve some level of coercion, then it must be prohibited by the principle of non-intervention."[14]

Canada (2022)[edit | edit source]

"22. State cyber activities may breach the foundational international law prohibition of intervention in the internal or external affairs of another State. This would be the case where both of the following conditions are met: the activities aim to interfere with the internal or external affairs of the affected State involving its inherently sovereign functions, known as domaine réservé[15]; and the activities would cause coercive effects that deprive, compel, or impose an outcome on the affected State on matters in which it has free choice.[16]

23. In its most serious form, coercion may arise through the threat or use of force but could also arise where a cyber activity is designed to deprive the affected State of its freedom of choice. Coercion must be distinguished from other conduct such as public diplomacy, criticism, persuasion, and propaganda.

24. An example of a prohibited intervention would be a malicious cyber activity that hacks and disables a State’s election commission days before an election, preventing a significant number of citizens from voting, and ultimately influencing the election outcome. Another example would be a malicious cyber activity that disrupts the functioning of a major gas pipeline, compelling the affected State to change its position in bilateral negotiations surrounding an international energy accord.

25. Whether or not a cyber activity meets the threshold for a violation of the rule on territorial sovereignty or rises to the level of a violation of the rule against intervention will be determined on a case-by-case basis. As with the thresholds for violations of territorial sovereignty, Canada believes that further State practice and opinio juris will help clarify the thresholds for the rule of non-intervention, and the scope of customary law in this area over time."[17]

Estonia (2021)[edit | edit source]

The principle of non-intervention is a well-established rule of international law, which flows from the principle of sovereignty, and applies to state conduct in cyberspace.

"If an operation attributable to another state affects a state’s internal or external affairs in such a manner that it coerces a state to take a course of action it would not voluntarily seek, it would constitute a prohibited intervention."

When discussing if a cyber operation constitutes an unlawful intervention into the external or internal affairs of another state, the element of coercion is a key factor. The possibility for a cyber operation to constitute an unlawful intervention in the functions that form a part of a state’s domaine réservé has found acceptance among states, including Estonia, especially regarding the rights and obligations deriving from the principle of state sovereignty. States’ domaine réservé according to the ICJ includes the “choice of a political, economic, social, and cultural system, and the formulation of foreign policy.” Stemming from that, cyber operations that aim to force another nation to act in an involuntary manner or to refrain from acting in a certain manner, and target the other nation’s domaine réservé (e.g. national democratic processes such as elections, or military, security or critical infrastructure systems) could constitute such an intervention."[18]

France (2019)[edit | edit source]

"Many States are acquiring the capacity to prepare and conduct operations in cyberspace. When carried out to the detriment of the rights of other States, such operations may breach international law. Depending on the extent of their intrusion or their effects, they may violate the principles of sovereignty, non-intervention or even the prohibition of the threat or use of force. States targeted by such cyberattacks are entitled to respond to them within the framework of the options offered by international law. In response to a cyberattack, France may consider diplomatic responses to certain incidents, counter-measures, or even coercive action by the armed forces if an attack constitutes armed aggression."[19]

Interference by digital means in the internal or external affairs of France, i.e. interference which causes or may cause harm to France’s political, economic, social and cultural system, may constitute a violation of the principle of non-intervention.[20]

Germany (2021)[edit | edit source]

"The prohibition of a wrongful intervention between States is not explicitly mentioned in the UN Charter. However, it is a corollary of the sovereignty principle, can be derived from art. 2 para. 1 UN Charter and is grounded in customary international law. Generally, for State-attributable conduct to qualify as a wrongful intervention, the conduct must (1) interfere with the domaine réservé of a foreign State and (2) involve coercion. Especially the definition of the latter element requires further clarification in the cyber context.

In its Nicaragua judgement, the International Court of Justice (ICJ) held that ‘[t]he element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.’ Malicious cyber activities will only in some cases amount to direct or indirect use of force. However, measures below this threshold may also qualify as coercive. Generally, Germany is of the opinion that cyber measures may constitute a prohibited intervention under international law if they are comparable in scale and effect to coercion in non-cyber contexts.

Coercion implies that a State’s internal processes regarding aspects pertaining to its domaine réservé are significantly influenced or thwarted and that its will is manifestly bent by the foreign State’s conduct. However, as is widely accepted, the element of coercion must not be assumed prematurely. Even harsher forms of communication such as pointed commentary and sharp criticism as well as (persistent) attempts to obtain, through discussion, a certain reaction or the performance of a certain measure from another State do not as such qualify as coercion. Moreover, the acting State must intend to intervene in the internal affairs of the target State – otherwise the scope of the non-intervention principle would be unduly broad.

In the context of wrongful intervention, the problem of foreign electoral interference by means of malicious cyber activities has become particularly virulent. Germany generally agrees with the opinion that malicious cyber activities targeting foreign elections may – either individually or as part of a wider campaign involving cyber and non-cyber-related tactics – constitute a wrongful intervention. For example, it is conceivable that a State, by spreading disinformation via the internet, may deliberately incite violent political upheaval, riots and/or civil strife in a foreign country, thereby significantly impeding the orderly conduct of an election and the casting of ballots. Such activities may be comparable in scale and effect to the support of insurgents and may hence be akin to coercion in the above-mentioned sense. A detailed assessment of the individual case would be necessary.

Also, the disabling of election infrastructure and technology such as electronic ballots, etc. by malicious cyber activities may constitute a prohibited intervention, in particular if this compromises or even prevents the holding of an election, or if the results of an election are thereby substantially modified.

Furthermore, beyond the mentioned examples, cyber activities targeting elections may be comparable in scale and effect to coercion if they aim at and result in a substantive disturbance or even permanent change of the political system of the targeted State, i.e. by significantly eroding public trust in a State’s political organs and processes, by seriously impeding important State organs in the fulfilment of their functions or by dissuading significant groups of citizens from voting, thereby undermining the meaningfulness of an election. Due to the complexity and singularity of such scenarios, it is difficult to formulate abstract criteria. Discussions in this context are still ongoing."[21]

Iran (2020)[edit | edit source]

"Article III: Intervention in Internal [and external] Affairs of other States from the View-Point of the Armed Forces of the Islamic Republic of Iran

1. The principle of non-intervention, without any doubt, is an independent principle of customary international law and any measure to change the political regime such as political forceful intervention is a gross violation of this principle. Measures like cyber manipulation of elections or engineering the public opinions on the eve of the elections may be constituted of the examples of gross intervention. The intervention, also, covers situations in which the non-cyber measures may occur in the cyber activities relating to the internal and external affairs of the other state. Cyber activities paralyzing websites in a state to provoke internal tensions and conflicts or sending mass messages in a widespread manner to the voters to affect the result of the elections in other states is also considered as the forbidden intervention.

2. Armed intervention and all other forms of intervention or attempt to threaten against the personality of state or political, economic, social, and cultural organs of it through cyber and any other tools are regarded as unlawful. No state may compel the other state, by resorting to cyber and other means, to use or encourage to use of political, economic, or any other measures to subject that state in exercising its sovereign rights or guaranteeing concessions from that state.

3. All explicit and dainty forms and complicated techniques of duress, overthrow, and outrage (whether Cyber or non-cyber) to intrigue in the political, social, or economic order of other states or destabilizing governments seeking liberalization of their own economic, political and cultural system form control or intervention of foreigners, is unlawful.

4. Every state enjoys the inherent right to the full development of information system and mass media and their employment, without intervention, to advance their own political, social, economic, and cultural interests and aspirations. Any measure resulting in impediment, denying, and or restricting operation of signals and means of information transfer and providing control systems and exercising the sovereignty of the state is regarded as unlawful.

5. Any capacity-building program in the field of cyber shall be designed and applied under the national plans and needs of states and in consistence with their economic, social, and cultural situations. These programs shall not become a means for intervention in the internal affairs of states."[22]

Israel (2020)[edit | edit source]

"Another matter closely related to the issue of sovereignty is that of non-intervention. Traditionally, this concept has been understood as having a high threshold. It has been taken to mean that State A cannot take actions to “coerce” State B in pursuing a course of action, or refraining from a course of action, in matters pertaining to State B’s core internal affairs, such as its economic or foreign policy choices. Its traditional application has focused on military intervention and support to armed groups seeking the overthrow of the regime in another State. This could presumably also relate to support given to armed groups in the cyber domain, such as providing information regarding cyber vulnerabilities of the State.

A more recent issue that has come to the fore relates to interference in national elections. We concur with the various positions expressed in this regard, such as that which was presented by former U.S. State Department Legal Adviser Brian J. Egan, and more recently reiterated by U.S. Department of Defense General Counsel Paul C. Ney Jr., that a “cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention.”[23]

Italy (2021)[edit | edit source]

"Italy believes that cyber operations constitutes a violation of the customary principle of nonintervention in the internal affairs of other States when a State employs coercive means to compel another State to undertake or desist from a specific action, in matters falling under its domain réservé.

The accelerating pace of technological change, the unpredictable effects of its applications, as well as the difficulty to measure the coercive impact of influence activities, which are on the rise, cannot be overlooked. Therefore, Italy sees merit in continuing to deepen the study of possible violations of the principle of non-intervention in cyberspace. That is particularly the case with regard to influence activities aimed, for instance, at undermining a State’s ability to safeguard public health during a pandemic, or at manipulating voting behaviour."[24]

Japan (2021)[edit | edit source]

"With respect to the principle of non-intervention, cyber operations may constitute unlawful intervention when requirements including the element of coercion, which are clarified in the Nicaragua judgement (1986), are met."[25]

"An act of causing physical damage or loss of functionality by means of cyber operations against critical infrastructure, including medical institutions, may constitute an unlawful intervention, depending on the circumstances, and at any rate, it may constitute a violation of sovereignty. As various opinions were expressed on the relationship between violation of sovereignty and unlawful intervention at the sixth GGE and the OEWG, it is desirable that a common understanding be forged through State practices and future discussions." [26]

Netherlands (2019)[edit | edit source]

"The development of advanced digital technologies has given states more opportunities to exert influence outside their own borders and to interfere in the affairs of other states. Attempts to influence election outcomes via social media are an example of this phenomenon. International law sets boundaries on this kind of activity by means of the non-intervention principle, which is derived from the principle of sovereignty. The non-intervention principle, like the sovereignty principle from which it stems, applies only between states.

Intervention is defined as interference in the internal or external affairs of another state with a view to employing coercion against that state. Such affairs concern matters over which, in accordance with the principle of sovereignty, states themselves have exclusive authority. National elections are an example of internal affairs. The recognition of states and membership of international organisations are examples of external affairs.

The precise definition of coercion, and thus of unauthorised intervention, has not yet fully crystallised in international law. In essence it means compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue. The goal of the intervention must be to effect change in the behaviour of the target state. Although there is no clear definition of the element of coercion, it should be noted that the use of force will always meet the definition of coercion. Use of force against another state is always a form of intervention."[27]

New Zealand (2020)[edit | edit source]

"Malicious state cyber activity may be inconsistent with the rule of non-intervention. Such activity will violate the rule of non-intervention if it:

a. has significant effects on a matter which falls within the target state’s inherently sovereign functions / domaine réservé (e.g. the right freely to choose its political, economic, social and cultural system, or matters such as taxation, national security, policing, border control, and the formulation of foreign policy); and

b. is coercive (i.e. there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions). Coercion can be direct or indirect and may range from dictatorial threats to more subtle means of control. While the coercive intention of the state actor is a critical element of the rule, intention may in some circumstances be inferred from the effects of cyber activity.

Examples of malicious cyber activity that might violate the non-intervention rule include: a cyber operation that deliberately manipulates the vote tally in an election or deprives a significant part of the electorate of the ability to vote; a prolonged and coordinated cyber disinformation operation that significantly undermines a state’s public health efforts during a pandemic; and cyber activity deliberately causing significant damage to, or loss of functionality in, a state’s critical infrastructure, including – for example – its healthcare system, financial system, or its electricity or telecommunications network."[28]

Norway (2021)[edit | edit source]

Key message
Cyber operations that compel the target State to take a course of action, whether by act or omission, in a way that it would not otherwise voluntarily have pursued (coercion) in matters relating to its internal or external affairs (domaine réservé), will constitute an intervention in violation of international law.

"The prohibition of intervention applies to a State’s cyber operations as it does to other State activities. Accordingly, a State must not carry out cyber operations in breach of the prohibition of intervention, according to customary international law.

A cyber operation must therefore not be carried out to compel the target State to take a course of action, whether by act or omission, in a way that it would not otherwise voluntarily have pursued (coercion) in matters relating to its internal or external affairs (domaine réservé) – such as a State’s political, economic, social or cultural system or the formulation of its foreign policy. The constituent element of coercion means that cyber activities that are merely influential or persuasive will not qualify as illegal intervention.

Holding elections is an example of a matter within a State’s domaine réservé. Thus, carrying out cyber operations with the intent of altering election results in another State, for example by manipulating election systems or unduly influencing public opinion through the dissemination of confidential information obtained through cyber operations (‘hack and leak’), would be in violation of the prohibition of intervention. Another example is a cyber operation deliberately causing a temporary shutdown of the target State’s critical infrastructure, such as the power supply or TV, radio, Internet or other telecommunications infrastructure in order to compel that State to take a course of action."[29]

Romania (2021)[edit | edit source]

"[..]the principle of prohibition of the intervention in the internal affairs of another State should be addressed (situations of tampering with the electoral processes in other States are relevant as a discussion under this principle).

According to international law, States are under the duty not to intervene in matters within the domestic jurisdiction of any State, in accordance with the Charter; this means that no State has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State.

In order for such intervention to be illegal under international law, it must be coerced, meaning that the goal of the intervention must be to effectively change the behavior of the target State; the incidence of coercion must be assessed on a case-bycase basis, in order to determine the violation of the principle of non-intervention.

In other words, the following criteria must be met in order for an act to qualify as prohibited intervention under international law:

  • the act must bear on those matters in which States may decide freely (internal and external affairs – the domain reservé of States);
  • the act must be coercive in nature;
  • there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.

Therefore, depending on the situation, interference in the internal or external affairs of Romania (that is interference which causes or may cause harm to Romania’s economic, political, social and/ or cultural system) may constitute a violation of the principle of non-intervention."[30]

Singapore (2021)[edit | edit source]

"[..] Singapore affirms that the principle of non-intervention in the internal affairs of other States applies to cyberspace. A prohibited intervention by one State against another must have a bearing on matters in which the victim State is permitted, by the principle of State sovereignty, to decide freely, including its choice of a political, economic, social and cultural system, and the formulation of foreign policy. In Singapore’s view, intervention necessarily involves an element of coercion. As non exhaustive examples, where there is interference in Singapore’s electoral processes through cyber means, or cyber-attacks against our infrastructure in an attempt to coerce our government to take or forbear a certain course of action on a matter ordinarily within its sovereign prerogative, these instances will constitute a violation of the principle of non-intervention."[31]

Sweden (2022)[edit | edit source]

"The principle of non-intervention is a fundamental principle of international law also applicable in cyberspace. It is not expressly mentioned in the UN Charter but is a corollary of the sovereign equality of all States. In the Friendly Relations Declaration, the principle of non-intervention is explained as “No State or group of States has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State.”

The prohibition of intervention is generally understood to include two elements: intervening in matters in which each State is permitted to decide freely, and the involvement of coercion. These elements were confirmed by the International Court of Justice (ICJ) in the Nicaragua case. With regard to the latter, the Court held that the “element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.” The prohibition of intervention is applicable between States and does not apply directly to non-state actors.

While coercion is not defined in international law, it must be distinguished from other acts that would not qualify as coercion, such as criticism or other ways of influencing through diplomatic means. What constitutes coercion in the cyber context may not be easy to determine, requiring a case-by-case assessment that takes the specific circumstances into account."[32]

Switzerland (2021)[edit | edit source]

"The principle of non-intervention is the corollary of the sovereign equality of all states (Art. 2 para. 1 UN Charter) and is considered customary international law. In this context, intervention is understood to be the direct or indirect interference by one sovereign state in the internal or external affairs of another using coercive measures. It covers those areas where the state has exclusive jurisdiction (known as domaine réservé). The non-intervention principle protects a state's ability to shape its own internal affairs (political, economic, social and cultural systems) as well as its foreign policy. An infringement of sovereignty and a prohibited intervention are not the same. The latter must be coercive in nature, i.e. through its intervention a state seeks to cause another to act (or refrain from acting) in a way it would not otherwise. This means that the threshold for a breach of the non-intervention principle is significantly higher than that for a violation of state sovereignty.

The prohibition of intervention is also applicable to cyberspace. This means that in cyberspace, an unlawful act of interference by one state in the political or economic affairs of another may, in addition to constituting a violation of sovereignty, also breach the non-intervention principle under international law if the respective requirements are fulfilled. The distinction between exerting influence, which is permissible, and coercion, which is not, must be determined on a case-by-case basis. This is particularly true of economic coercion, which could be the case if a company that is systemically relevant was paralysed through a cyber operation. An assessment of whether the operation can be deemed coercive in nature, and thereby be in breach of the non-intervention principle, can only be made on a case-by-case basis."[33]

United Kingdom (2018)[edit | edit source]

"In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.

The international law prohibition on intervention in the internal affairs of other states is of particular importance in modern times when technology has an increasing role to play in every facet of our lives, including political campaigns and the conduct of elections. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of this principle is to ensure that all states remain free from external, coercive intervention in the matters of government which are at the heart of a state’s sovereignty, such as the freedom to choose its own political, social, economic and cultural system.

The precise boundaries of this principle are the subject of ongoing debate between states, and not just in the context of cyber space. But the practical application of the principle in this context would be the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states."[34]

United Kingdom (2021)[edit | edit source]

"Below the threshold of the threat or use of force, the customary international law rule prohibiting interventions in the domestic affairs of States applies to States’ operations in cyberspace as it does to their other activities. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of the rule on non-intervention is to ensure that all States remain free from external coercive intervention in matters affecting a State’s powers, which are at the heart of a State’s sovereignty such as the freedom to choose its own political, social, economic and cultural system.

As the UK has noted previously, while the precise boundaries of this rule continue to be the subject of on-going debate, it provides a clearly established basis in international law for assessing the legality of State conduct. Thus the use of hostile cyber operations to manipulate the electoral system in another State to alter the results of an election, to undermine the stability of another State’s financial system or to target the essential medical services of another State could all, depending on the circumstances, be in violation of the international law prohibition on intervention.

The International Court of Justice has established that a prohibited intervention is one bearing on matters which each State is permitted, by the principle of State sovereignty, to decide freely."[35]

United Kingdom (2022)[edit | edit source]

"Turning to the law - one of the rules of customary international law which is of particular importance in this area is the rule on non-intervention.

Customary international law is the general practice of States accepted as law. As such, it is not static. It develops over time according to what States do and what they say. It can adapt to accommodate change in the world, including technological advances. Customary international law is a framework that can adapt to new frontiers and which governs States’ behaviour.

A well-known formulation of the rule on non-intervention comes from the International Court of Justice in its Military and Paramilitary Activities judgment. According to the Court in that case, all States or groups of States are forbidden from intervening -

…directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social, and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.

The UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of State conduct in cyberspace during peacetime.

It serves as a benchmark by which to assess lawfulness, to hold those responsible to account, and to calibrate responses.

This rule is particularly important in cyberspace for two main reasons.

First, the rule on non-intervention lies at the heart of international law, serving to protect matters that are core to State sovereignty. As long ago as 1966, the UK made clear its position that:

…the principle of non-intervention, as it applied in relations between States, [is] not explicitly set forth in the United Nations Charter but flow[s] directly and by necessary implication from the prohibition of the threat or use of force and from the principle of the sovereign equality of States…

Four years later, in 1970, the UK set out its view that “non-intervention reflected the principle of the sovereign equality of states.” And that these principles were equally valid and interrelated. More colloquially, we might say that sovereignty and non-intervention are two sides of the same coin.

States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention.

What matters in practice is whether there has been a violation of international law. Differences in legal reasoning must not obscure the common ground which I believe exists when it comes to certain types of unacceptable and unlawful cyber behaviours. I think that common ground also extends to an appreciation that we must carefully preserve the space for perfectly legitimate everyday cyber activity which traverses multiple international boundaries millions of times a second.

Second, the rule on non-intervention is also of increasing relevance due to the prevalence of hostile activity by States that falls below the threshold of the use of force or is on the margins of it. In such circumstances, the rule on non-intervention becomes particularly significant as another benchmark by which States can define behaviour as unlawful.

Having identified the importance of the rule on non-intervention, I will now turn to the threshold for its application. The fact that behaviour attributed to another State is unwelcome, irresponsible, or indeed hostile, does not mean that it is also unlawful. A core element of the non-intervention rule is that the offending behaviour must be coercive.

Coercion was rightly described in the Military and Paramilitary Activities case as “the very essence” of a prohibited intervention. It is this coercive element that most obviously distinguishes an intervention prohibited under international law from, for example, more routine and legitimate information-gathering and influencing activities that States carry out as part of international relations.

But what exactly is coercion?

Some have characterised coercion as forcing a State to act differently from how it otherwise would – that is, compelling it into a specific act or omission. Imagine, for example, a cyber operation to delay another State’s election, or to prevent it from distributing tax revenues to fund essential services. To my mind, these are certainly forms of coercion.

But I want to be clear today that coercion can be broader than this. In essence, an intervention in the affairs of another State will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty. While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive even where it might not be possible to point to a specific course of conduct which a State has been forced into or prevented from taking.

Of course, in considering whether the threshold for a prohibited intervention is met, all relevant circumstances, including the overall scale and effect of a cyber operation, need to be considered. But I believe that we can and should be clearer about the types of disruptive State activity which are likely to be unlawful in cyberspace.

It is therefore important to bring the non-intervention rule to life in the cyber context, through examples of what kinds of cyber behaviours could be unlawful in peacetime. To move the focus to the types of coercive and disruptive behaviours that responsible States should be clear are unlawful when it comes to the conduct of international affairs in peacetime.

And being clear on what is unlawful means we can then be clearer on the range of potential options that can lawfully be taken in response. That is, the kinds of activities which would require legal justification, for example, as a proportionate response to prior illegality by another State. This is crucial in enabling States to act within the law whilst taking robust and decisive action.

With that in mind, today I will set out new detail to illustrate how this rule applies. A non-exhaustive list, to move this discussion forward. I will cover four of the most significant sectors that are vulnerable to disruptive cyber conduct: energy security; essential medical care; economic stability; and democratic processes.

Ensuring the provision of essential medical services and secure and reliable energy supply to a population are sovereign functions of a State. They are matters in respect of which international law affords free choice to States. The Integrated Review highlights the interconnected nature of the global health system, and the importance of building resilience to address global health risks. Covid is a clear example. Likewise, energy security is recognised as including protection of critical national infrastructure from cyber security risks.

Covert cyber operations by a foreign State which coercively restrict or prevent the provision of essential medical services or essential energy supplies would breach the rule on non-intervention.

Of course, every case needs to be assessed on its facts, but prohibited cyber activity in the energy and medical sectors could include:

disruption of systems controlling emergency medical transport (e.g., telephone dispatchers); causing hospital computer systems to cease functioning; disruption of supply chains for essential medicines and vaccines; preventing the supply of power to housing, healthcare, education, civil administration and banking facilities and infrastructure; causing the energy supply chain to stop functioning at national level through damage or prevention of access to pipelines, interchanges, and depots; or *preventing the operation of power generation infrastructure. Turning to economic stability, covert cyber operations by a foreign State that coercively interfere with a State’s freedom to manage its domestic economy, or to ensure provision of domestic financial services crucial to the State’s financial system, would breach the rule on non-intervention.

Such cyber operations could include disruption to the networks controlling a State’s fundamental ability to conduct monetary policy or to raise and distribute revenue, for instance through taxation. Or disruption to systems which support lending, saving and insurance across the economy.

Lastly, democratic processes. Free and open elections, using processes in which a population has confidence, are an essential part of the political system in democratic States. All States have the freedom to make their views known about processes in other countries – delivering hard, sometimes unwelcome messages, and drawing attention to concerns. This is part and parcel of international relations. However, covert cyber operations by a foreign State which coercively interfere with free and fair electoral processes would constitute a prohibited intervention.

Again, every activity needs to be assessed on its facts, but such activities could include:

operations that disrupt the systems which control electoral counts to change the outcome of an election; or operations to disrupt another State’s ability to hold an election at all, for example by causing systems to malfunction with the effect of preventing voter registration. I hope that these illustrative examples will assist in the future when considering what is unlawful in cyberspace.

I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation."[36]

United States (2016)[edit | edit source]

In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force. This is a challenging area of the law that raises difficult questions. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions. Precisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris of States.

Relatedly, consider the challenges we face in clarifying the international law prohibition on unlawful intervention. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. For increased transparency, States need to do more work to clarify how the international law on non-intervention applies to States’ activities in cyberspace."[37]

United States (2020)[edit | edit source]

"[...] the international law prohibition on coercively intervening in the core functions of another State (such as the choice of political, economic, or cultural system) applies to State conduct in cyberspace. For example, “a cyber operation by a State that interferes with another country’s ability to hold an election” or that tampers with “another country’s election results would be a clear violation of the rule of non-intervention.” Other States have indicated that they would view operations that disrupt the fundamental operation of a legislative body or that would destabilize their financial system as prohibited interventions.

There is no international consensus among States on the precise scope or reach of the non-intervention principle, even outside the context of cyber operations. Because States take different views on this question, DoD lawyers examining any proposed cyber operations must tread carefully, even if only a few States have taken the position publicly that the proposed activities would amount to a prohibited intervention.

Some situations compel us to take into consideration whether the States involved have consented to the proposed operation. Because the principle of non-intervention prohibits “actions designed to coerce a State … in contravention of its rights,” it does not prohibit actions to which a State voluntarily consents, provided the conduct remains within the limits of the consent given."[38]

United States (2021)[edit | edit source]

"Among other international legal principles, the 2015 GGE report acknowledges the principle of non-intervention in the internal affairs of other States. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. Other States have made similar observations.290 Further, a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population--for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic--could be considered a violation of the rule of non-intervention."[39]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. 1.0 1.1 1.2 Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 205.
  2. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3; Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5.
  3. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  4. See, for example, Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated April 2013) (defining the domaine réservé as those “areas where States are free from international obligations and regulation”).
  5. See also Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 5 Journal of Cyber Policy __, ___ [10–12 in pre-print].
  6. See, eg, Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019) 3, defining coercion as ‘compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue’ and noting that ‘[t]he goal of the intervention must be to effect change in the behaviour of the target state’; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5, defining coercion as a situation in which a State’s ‘will is manifestly bent by the foreign State’s conduct’ and noting that ‘the acting State must intend to intervene in the internal affairs of the target State’; see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘The majority of Experts was of the view that the coercive effort must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target State.’).
  7. Tallinn Manual 2.0, commentary to rule 66, para 21. See also Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  8. See, eg, Australia, ‘Supplement to Australia’s Position on the Application of International Law to State Conduct in Cyberspace’ (2019) 4 (‘A prohibited intervention is one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely.’); New Zealand, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020), para 9(b) (stating that a State cyber activity is coercive if ‘there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions’); see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘A few Experts took the position that to be coercive it is enough that an act has the effect of depriving the State of control over the matter in question.’).
  9. Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 5 Journal of Cyber Policy __, ___ [11 in pre-print].
  10. Tallinn Manual 2.0, commentary to rule 66, para 21.
  11. Tallinn Manual 2.0, commentary to rule 66, paras 19 and 27.
  12. Tallinn Manual 2.0, commentary to rule 66, para 24 (the exact nature of the causal nexus was not agreed on).
  13. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  14. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 18-19.
  15. Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote [18], Inherently sovereign functions (also known as domaine réservé) include those matters in which a State may decide freely, such as political, economic, social, and cultural systems, as well as the formation of foreign policy.
  16. Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote [19], Tallinn Manual 2.0 supra note 15, Rule 66 and accompanying commentary at 318 para 19, provides that “mere coercion does not suffice to establish a breach of the prohibition of intervention…[it] must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target State.”
  17. Government of Canada, International Law applicable in cyberspace, April 2022
  18. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 25.
  19. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 6.
  20. Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 7.
  21. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 4-6.
  22. Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace, August 2020
  23. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
  24. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,4-5.
  25. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 2
  26. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 3
  27. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 3.
  28. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 2.
  29. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 68-69.
  30. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 77.
  31. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 83.
  32. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,3
  33. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 3.
  34. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
  35. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  36. Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
  37. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 13-14.
  38. Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
  39. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 139-140.

Bibliography and further reading[edit | edit source]