Retorsion

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Retorsion
An act of retorsion is “an unfriendly but nevertheless lawful act by the aggrieved party against the wrongdoer”.[1] Such acts may include the prohibition of or limitations upon normal diplomatic relations, the imposition of trade embargoes or the withdrawal of voluntary aid programmes.[2] Cyber-specific retorsions may include sending warnings to cyber operatives belonging to another State, observing the adversary’s cyber activities on one’s own network using tools such as “honeypots”, or slowing down malicious cyber operations conducted by other States.[3]

Publicly available national positions that address this issue include: National position of Costa Rica (2023) (2023), National position of Estonia (2021) (2021), National position of Germany (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of the Republic of Poland (2022) (2022), National position of Singapore (2021) (2021), National position of Switzerland (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2016) (2016), National position of the United States of America (2021) (2021).

National positions[edit | edit source]

Costa Rica (2023)[edit | edit source]

"15. [...] Countermeasures must be distinguished from acts of retorsion, i.e., unfriendly acts taken in response to lawful but equally unfriendly acts by another State, such as the suspension of diplomatic relations. Measures of retorsion are also available in cyberspace, including in response to wrongful or unfriendly cyber operations".[4]

Czech Republic (2024)[edit | edit source]

"59. Retorsion is a lawful, albeit unfriendly, act of an aggrieved State towards a wrongdoing State or an international organisation. Due to its lawfulness, retorsion is a readily available response to a harmful cyber activity that does not qualify as a breach of international law. However, it is also available in response to an internationally wrongful act. Response by retorsion can be combined with other types of response, such as countermeasures, if the legal conditions for such measures are met.

60. The Czech Republic is of the view that retorsion can be of both cyber and non-cyber nature. Examples include imposing visa restrictions, suspension of treaty negotiations, recalling a head of diplomatic mission, severance of diplomatic relations or economic measures such as import or export restrictions (unless the State has a specific obligation prohibiting it from doing so). Retorsion can be taken jointly by several States if none of the participating States has a legal obligation to refrain from that particular response."[5]

Estonia (2021)[edit | edit source]

"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."[6]

Retorsions may be taken as a response to malicious cyber operations as long as they are not in violation with international law.

"Retorsions will remain as measures for a state to respond to unfriendly acts or violations of international law, which by themselves do not constitute a countermeasure. States have the right to apply these measures as long as they do not violate obligations under international law.

These measures could, for example include the expulsion of diplomats or applying restrictive measures to officials of a third country such as asset freezes or travel bans. One example of such a mechanism would be the European Union’s cyber sanctions regime and cyber diplomacy toolbox, which offer an array of measures that could be taken as a response to malicious cyber operations."[7]

Germany (2021)[edit | edit source]

"A State may engage in measures of retorsion to counter a cyber operation carried out against it. Retorsions are unfriendly acts directed against the interests of another State without amounting to an infraction of obligations owed to that State under international law. Since retorsions are predominantly rooted in the political sphere, they are not subject to such stringent legal limitations as other types of response such as countermeasures.

Measures of retorsion may be adopted to counter (merely) unfriendly cyber operations perpetrated by another State. They may likewise be enacted in reaction to an unlawful cyber operation if more intensive types of response (countermeasures, self-defence) are unavailable for legal reasons (for example, in cases in which counter-measures would be disproportionate) or politically unfeasible. Moreover, they may be adopted as a reaction to an unlawful cyber operation in combination with other types of response, such as countermeasures, as part of a State’s comprehensive, multi-pronged response to malicious cyber activities directed against it."[8]

Netherlands (2019)[edit | edit source]

"Retorsion relates to acts that, while unfriendly, are not in violation of international law. This option is therefore always available to states that wish to respond to undesirable conduct by another state, because it is a lawful exercise of a state’s sovereign powers. States are free to take these kinds of measures as long they remain within the bounds of their obligations under international law.

A state may respond to a cyber operation by another state, for example, by declaring diplomats ‘persona non grata’, or by taking economic or other measures against individuals or entities involved in the operation. Another retorsion measure a state may consider is limiting or cutting off the other state’s access to servers or other digital infrastructure in its territory, provided the countries in question have not concluded a treaty on mutual access to digital infrastructure in each other’s territory."[9]

New Zealand (2020)[edit | edit source]

"Regardless of whether the activity amounts to an internationally wrongful act, a state may always attribute political responsibility for malicious state cyber activity and may always respond with retorsion (i.e. unfriendly acts not inconsistent with international law)."[10]

Norway (2021)[edit | edit source]

"A State may respond to any form of cyber operation by retorsion. Retorsion refers to the taking of measures that are lawful but unfriendly, directed against another State. Retorsion may therefore be used regardless of whether international law has been violated and regardless of whether State responsibility applies. Examples of acts of retorsion are breaking off or limiting diplomatic relations, for instance by declaring a diplomat persona non grata, or the imposition of sanctions. Publicly declaring that another State is responsible for a cyber operation is in itself an act of retorsion."[11]

Poland (2022)[edit | edit source]

"In accordance with international law, a state has a right to take measures in response to hostile actions in cyberspace that do not reach the threshold of an armed attack.

International practice shows that states may use a range of measures to ensure that law is respected by other actors subject to international law. In particular the state which is the target of an cyberattack may respond to hostile actions by using retorsion or countermeasures.

Retorsion is a response of the state to actions contrary to its interest or hostile actions of another state. Measures taken as a retorsion may be in reaction to both legal and illegal actions of another subject of international law, but in itself they must be in compliance with international law."[12]

Singapore (2021)[edit | edit source]

"Apart from counter-measures, a victim State that is subject to malicious cyber activity short of an internationally wrongful act may also respond with acts of retorsion."[13]

Switzerland (2021)[edit | edit source]

"Retorsion allows states to respond to such activities regardless of whether international law has been violated or not. It refers to unfriendly but lawful measures in response to unwelcome acts by another state. Typical examples of retorsion include refraining from signing a trade agreement that would benefit both parties, recalling an ambassador, or breaking off diplomatic relations as a last resort."[14]

United Kingdom (2022)[edit | edit source]

"If a State carries out irresponsible, hostile, or unlawful cyber activity, what then are the options available to the victim State?

There are a wide range of effective response options available to impose a cost on States carrying out irresponsible or hostile cyber activity, regardless of whether the cyber activity constitutes an internationally unlawful act. These kinds of measures, referred to as acts of retorsion in international law, could include economic sanctions, restrictions on freedom of movement, exclusion from international groupings and wider diplomatic measures. So, there are always options available to stand up to unacceptable behaviour. And you do not have to look far to see how the impact of taking these kinds of measures is amplified when acting alongside other like-minded States.

Let me be clear. This means that when states like Russia or China carry out irresponsible or hostile cyber activity, the UK and our allies are always able to take action, whether or not the activity was itself unlawful. Today that might be in response to hostile cyber activity occurring in Ukraine, tomorrow it could be a response to hostile activity in Taiwan."[15]

United States (2016)[edit | edit source]

"[..]a State can always undertake unfriendly acts that are not inconsistent with any of its international obligations in order to influence the behavior of other States. Such acts—which are known as acts of retorsion—may include, for example, the imposition of sanctions or the declaration that a diplomat is persona non grata."[16]

United States (2021)[edit | edit source]

"Acts of retorsion may include the imposition of sanctions or the declaration that a diplomat is persona non grata. A State can always undertake such responsive measures that are not inconsistent with any of its international obligations in order to influence the behavior of other States, including in response to destabilizing cyber activities."[17]


Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. E Zoller, Peacetime Unilateral Remedies: An Analysis of Countermeasures (Transnational 1984) 5.
  2. Articles on State Responsibility, commentary to Part Three, Chapter II, para. 3.
  3. Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 17–22.
  4. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 5 (footnotes omitted).
  5. Ministry of Foreign Affairs of the Czech Republic, "Czech Republic - Position paper on the application of international law in cyberspace" (27 February 2024) 14-15 (footnotes omitted).
  6. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 28.
  7. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 29.
  8. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 13.
  9. Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 7.
  10. The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
  11. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 72.
  12. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 7-8.
  13. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 84.
  14. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6.
  15. Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
  16. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 20.
  17. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 142.

Bibliography and further reading[edit | edit source]

Retrieved from "https://cyberlaw.ccdcoe.org/wiki/Retorsion?oldid=4069"