Scenario 02: Cyber espionage against government departments

From International cyber law: interactive toolkit
Revision as of 09:01, 18 September 2018 by Uncleistvan1BBB (talk | contribs)
Jump to navigation Jump to search

A military unit of State B conducts a cyber espionage operation against State A’s Ministry of Foreign Affairs and its subordinate organizations. The data obtained in this operation is later published on the Internet.

The analysis considers whether State B’s operation violated diplomatic and consular law, sovereignty, and the prohibition of intervention.


Scenario

Keywords

Cyber espionage, diplomatic and consular law, State responsibility, sovereignty, prohibited intervention

Facts

State A discovers that a mail server and several other servers belonging to its Ministry of Foreign Affairs (MFA) have been infiltrated. Investigation shows that the intruders gained access to the mail server by obtaining passwords of several consular officers at State A’s missions abroad through spear phishing and fake log-on websites (incident 1).

After gaining access, the intruders escalated their privileges and moved laterally through the network. Within a few days, they gained access to other servers and services. They had access to data of various MFA personnel including senior officials for several months (incident 2).

A vast amount (over 10 GB) of unclassified data was exfiltrated, even though it is not immediately clear what precise data was affected by the incident (incident 3). No data was destroyed or encrypted.

Nobody claims responsibility for the attack immediately after the discovery of the incident. However, a few days later, emails, procurement documents, and internal memos purportedly belonging to the MFA of State A are published on the Internet. (incident 4).

Judging by the nature of the compromised data and by persons that were apparently of particular interest to the attackers, the attackers seem to have been located in or related to State B. Technical investigation suggests that the malware tools used were in the past employed by an entity affiliated with a military unit of State B. Following requests for information addressed to various CERTs around the world, State A’s authorities establish that similar attacks have been executed against central government institutions in several other countries. Earlier on, head of an allied intelligence service in State C had publicly accused State B of a cyber espionage campaign conducted by the above military unit against that State C’s MFA.

Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR)[1] and the Vienna Convention on Consular Relations (VCCR).[2]

Similar real-world incidents

NB: Links in this section will go to separate pages for each of these incidents within the toolkit (for demonstration purposes only, they now link to Wikipedia pages on those topics).

  • APT-29 attacks on ministries in 2016-2017
  • OPM hack

Legal analysis

See also Note on the structure of articles. [NB this separate article will explain the basics of the general law of State responsibility and how each article discusses Attribution, then Breach, and other issues only if necessary.]

The legal analysis focuses on the law of State responsibility, taking into account the sovereignty of State A, prohibition of intervention, and diplomatic and consular law as the applicable lex specialis.

International humanitarian law is not analysed in detail. There is no ongoing armed conflict, nor do the incidents trigger the application of international humanitarian law. They do not amount to a use of force or an armed attack, because they are not severe enough to be comparable to a ‘physical’ use of force.

Definition

State responsibility
Responsibility of States for internationally wrongful acts is a well-established concept in international law, resulting from the fact that each State has a legal personality and can bear legal obligations.[3] The law of State responsibility is largely customary in nature; its codification is provided by the International Law Commission's Articles on State Responsibility.[4] While some of the Articles are more controversial, they are generally accepted as reflective of customary law.[5] The law of State responsibility also applies to cyber operations and other cyber activities.[6]

Every internationally wrongful act of a State – entailing both acts and omissions –, has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.[7]Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.[8]

An internationally wrongful act entails the State’s international responsibility and gives rise to legal consequences, including the obligation to cease the conduct (if applicable) and the obligation to make full reparation for the injury caused.[9]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Australia (2020) (2020), National position of Austria (2024) (2024), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Costa Rica (2023) (2023), National position of the Czech Republic (2024) (2024), National position of Denmark (2023) (2023), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of the Russian Federation (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2021) (2021).

National positions

African Union (2024)

"61. Subject to the emergence of specific rules of attribution, the African Union affirms that the customary rules on State responsibility, as reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts provide the applicable rules of the attribution to States of conduct undertaken through ICTs in cyberspace.

62. The African Union is of the view that, in conformity with the relevant rules of international law, the burden to substantiate a claim that a State has committed an internationally wrongful act through ICTs in cyberspace is on the State making such a claim. The African Union also underscores the importance of cooperation, including between national authorities, such as Computer Emergency Response Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs), to detect, investigate, prevent, and halt internationally wrongful acts undertaken through ICTs in cyberspace.

63. The African Union underscores that responses to internationally wrongful acts committed through ICTs in cyberspace should be in accordance with its obligations under the UN Charter, especially the obligations relating to the peaceful settlement of disputes, and the other applicable rules of international law, including the obligation to respect the territorial sovereignty of States."[10]

Australia (2020)

"The customary international law on State responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations."[11]

Austria (2024)

Key Positions
"The customary international law rules on state responsibility also apply to cyber activities by states.

A state incurs international responsibility for acts or omissions related to a cyber activity that are attributable to that state and that constitute a breach of an international legal obligation of that state. The attribution of cyber activities to a state must be made in accordance with the customary international law rules on state responsibility. Internationally wrongful acts attributable to a state, including acts in the cyber context, may be answered by countermeasures, including through cyber means. The same limitations to countermeasures apply as in non-cyber-related contexts."[12]

"The customary international law rules of state responsibility, largely codified in the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), apply to cyber activities that are attributable to states. According to the law of state responsibility, every internationally wrongful act – i.e. an act or omission that is attributable to a state under international law and constitutes a breach of an international obligation of the state – entails the international responsibility of that state (cf. Art. 1 and 2 ARSIWA).

A cyber activity is attributable to a state if it is conducted by a de jure or de facto state organ, a person or entity exercising elements of governmental authority, an organ placed at the disposal of a state by another state, or by a non-state actor acting on the instructions of, or under the direction or effective control of a state (Art. 4, 5, 6 and 8 ARSIWA). Ultra vires acts by state organs are generally also attributable to the state, as well as conduct which was acknowledged and adopted by a state as its own (Art. 7 and 11 ARSIWA).

The responsible state must cease a continuing act or offer assurances and guarantees of nonrepetition under certain circumstances, as well as make full reparation for the injury caused by the wrongful act (Art. 30 and 31 ARSIWA).

The wrongfulness of a cyber activity may, under some circumstances, be precluded if it was taken in self-defence, or by way of a non-forcible countermeasure, or in situations of force majeure, distress or necessity (Art. 21 to 25 ARSIWA). A state may also respond with lawful retorsions, which themselves are unfriendly, but lawful acts."[13]

Brazil (2021)

"Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.

While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status."[14]

Canada (2022)

"28. The international law of State responsibility applies across the whole spectrum of substantive areas of international law, including in cyberspace. It governs such issues as the attribution of internationally wrongful acts to States. It also addresses circumstances precluding wrongfulness, including countermeasures, and possible remedies. The law of State responsibility is not concerned with the legality of the use of force, including in self-defence, which is a separate area of international law.

29. In Canada’s view, this well-established body of international law is not only applicable, but highly relevant in relation to contemporary cyber activities. To date, all publicly known malicious cyber activities have been widely interpreted by States as falling below the threshold (or thresholds) of the threat or use of force or armed attacks."[15]

"30. An internationally wrongful act in the cyber context is a cyber-related action or omission that: constitutes a breach of an international legal obligation, whether to another State or the entire international community; and is attributable to a State under international law.

31. International law recognises exceptions to what would otherwise be internationally wrongful acts. Examples include cases of self-defence and countermeasures."[16]

Costa Rica (2023)

"10. Costa Rica believes that, under customary international law, as codified in Articles 1 and 2 of the International Law Commission (ILC)’s Articles on Responsibility of States for Internationally Wrongful Acts (‘the ILC Articles’), cyber operations may amount to internationally wrongful acts engaging the responsibility of a State when they can be attributed to it and involve a breach of its international obligation(s)."[17]

Czech Republic (2024)

"52. The customary international law on State responsibility, as reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA), applies to State behaviour in cyberspace.

53. An internationally wrongful act is an act or omission that constitutes a breach of an international obligation of a State and is attributable to it under international law."[18]

Denmark (2023)

"Denmark is of the view that the general rules of State responsibility apply in cyberspace. A State bears international responsibility if it breaches an international obligation owed to another State. A State may be responsible under international law for acts undertaken by an organ of the State or by actors exercising government authority on behalf of that State. Acts by a non-State actor may be attributable to a State where the non-State actor carries out a cyber operation under the instruction of, or under the direction or control of that State, or where the State actor acknowledges and adopts the operations carried out by the non-State actor as its own.

Each State may decide whether to publicly attribute cyber acts to other States or not. There is no obligation under international law for States to share documentation or other evidence supporting an attribution. The application of international law and State responsibility does not depend on public attribution."[19]

Estonia (2019)

"[...] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out."[20]

Estonia (2021)

The law of state responsibility is a cornerstone for responsible state behaviour in cyberspace when it comes to assessing the unlawfulness of cyber operations below the threshold of use of force.

"The law of state responsibility includes key principles that govern when and how a state is held responsible for cyber operations that constitute a breach of international obligation, by either an act or an omission. A cyber operation can constitute an internationally wrongful act if it is attributable under international law and it constitutes a breach of international obligation under the law of state responsibility. States must comply with customary international law mirrored in the Articles for Responsibility of States for Internationally Wrongful Acts.

States are responsible for their activities in cyberspace. States are accountable for their internationally wrongful cyber operations just as they would be responsible for any other activity according to international treaties or customary international law. State responsibility applies regardless of whether such acts are carried out by a state or non-state actors instructed, directed or controlled by a state.

States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors and proxies. For example, if a hacker group launches cyber operations which have been tailored according to instructions from a state, or the cyber operations are directed or controlled by that state, state responsibility can be established."[21]

"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."

[...]

"According to Article 2(a) of ARSIWA, an internationally wrongful act of a state has taken place when the conduct consisting of an action or omission is attributable to a state and the action or omission is wrongful under international law."[22]

Finland (2020)

"The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged."[23]

Italy (2021)

"Italy concurs with the view that attribution of cyber wrongful acts from one State to another is governed by the general rules of international law on the attribution of State conduct as codified by the International Law Commission (ILC) Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA). Still, Italy acknowledges the difficulties of applying the ARSIWA in a peculiar environment such as cyberspace."[24]

Japan (2021)

"Internationally wrongful acts committed by a State in cyberspace entail State responsibility. An internationally wrongful act occurs when the conduct of a State consisting of an action or omission violates an obligation prescribed by primary rules of international law. In the case of cyber operations as well, there is an internationally wrongful act when a State violates primary rules, including the principles of sovereignty, non-intervention, prohibition of the use of force, as well as various principles of international humanitarian law such as the principle of prohibition of attacks on civilian objects, and respect for basic human rights."[25]

"Regarding cyber operations as well, a State responsible for an internationally wrongful act is under the following obligations. First, the State shall cease the act if it is continuing. In addition, the State shall offer appropriate assurances and guarantees of non-repetition, if circumstances so require. Besides, the responsible State is under an obligation to make full reparation for the injury caused by the internationally wrongful act."

[...]

"There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law."[26]

New Zealand (2020)

"Where a state is subject to cyber activity that amounts to an internationally wrongful act, it may also invoke the international legal responsibility of the responsible state. States are responsible for internationally wrongful acts that can be attributed to them, including wrongful cyber activities."[27]

Norway (2021)

Key message
In order for a State to be held internationally responsible for a cyber operation, the operation has to be attributable to the State under international law.

A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.

"The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.

In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory."[28]

Poland (2022)

6. A state is responsible for actions in cyberspace that violate international law

"Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”)."[29]

Romania (2021)

"There is an internationally wrongful act of a State when conduct consisting of an action or omission is:

  • attributable to the State under international law; and
  • constitutes a breach of an international obligation of the State

Therefore, from the perspective of state responsibility under international law, attribution is one of the components".[30]

[...]

"Once attributed to a State and determined that the conduct constitutes a breach of an international obligation (the 2nd component), the international responsibility of that State is entailed and can be invoked by the injured State either individually (if the obligation breached is owed to that State or if that State was otherwise affected by the conduct) or collectively with other States if the obligation breached was owed to a group of States (including that State) or to the international community as a whole; the invocation of the responsibility of a State is a matter of political choice; however, the responsibility of a State for an international wrongful act is an objective circumstance from the legal standpoint, which exists independent of its invocation by the injured State(s); nevertheless, under draft articles of State responsibility there is a certain procedure to be followed by the injured State invoking the responsibility of another State (therefore a pubic invocation may not suffice)."[31]

Russia (2021)

"The possibility of attributing responsibility for particular actions in information space to States demands further study on the basis of the existing international law. The international responsibility of a State is conditioned to the commission of an internationally wrongful act by this State. According to the Articles on Responsibility of States for Internationally Wrongful Acts (elaborated by the UN International Law Commission in 2001, taken note in the UNGA resolution A/RES/56/83), there is an internationally wrongful act of a State when conduct consisting of an action or omission: 1) is attributable to the State under international law; 2) constitutes a breach of an international legal obligation of the State. The characterization of an act of a State as internationally wrongful is governed by international law. Such characterization is not affected by the characterization of the same act as lawful by internal law (article 3)."[32]

[...]

"Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence."[33]

Sweden (2022)

"An internationally wrongful act by a State entails the responsibility of that State under international law. The articles on State responsibility drafted by the International Law Commission constitute secondary norms of international law, identifying conditions when a State is internationally responsible for wrongful acts and the effects thereof. The general norms on State responsibility apply also in relation to wrongful acts in the cyber context.

Technical difficulties pose new challenges in identifying those responsible for cyber operations, compared with kinetic operations, but the rules on attribution under the law of State responsibility also apply in a cyber context."[34]

Switzerland (2021)

"The customary international rules on state responsibility are largely reflected in the draft articles issued by International Law Commission. They are also applicable to cyber incidents. They provide that any state action in violation of international law shall entail the international responsibility of that state, upon which a claim for full reparation may be made. This only applies if the action can be legally attributed to the state and is deemed to constitute an internationally wrongful act, i.e. in violation of international law."[35]

United Kingdom (2018)

"There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.

The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commissions Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control."[36]

United Kingdom (2021)

"A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility."[37]

United Kingdom (2022)

"I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation."[38]

United States (2021)

"Both the 2013 and 2015 GGE reports concluded that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. In addition, they must not use proxies to commit internationally wrongful acts using ICTs.

Under the law of State responsibility, a State is responsible for an internationally wrongful act when there is an act or omission that is attributable to it under international law that constitutes a breach of an international obligation of the State. Cyber activities may therefore constitute internationally wrongful acts under the law of State responsibility if they are inconsistent with an international obligation of the State and are attributable to it."[39]

Appendixes

See also

Notes and references

  1. Vienna Convention on Diplomatic Relations (adopted 18 April 1961, entered into force 24 April 1964), 500 UNTS 95.
  2. Vienna Convention on Consular Relations (adopted 24 April 1963, entered into force 19 March 1967), 596 UNTS 261.
  3. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 1.
  4. Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
  5. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 65.
  6. UN GGE 2015 'Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report' (22 July 2015) UN Doc A/70/174, para 28(f); Tallinn Manual 2.0, commentary to rule 14, para 1. See also, e.g., Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated) (‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’); Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 1 (‘Any violation of [obligations under international law that apply to states in cyberspace] that is attributable to a state constitutes an internationally wrongful act, unless there is a ground for precluding the wrongfulness of an act recognised in international law’); United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017) (‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime’).
  7. ILC Articles on State Responsibility, Art 2.
  8. ILC Articles on State Responsibility, Arts 20-26.
  9. ILC Articles on State Responsibility, Arts 28, 30 and 31.
  10. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024) 10.
  11. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  12. Austrian Position on Cyber Activities and International Law (April 2024) p. 8.
  13. Austrian Position on Cyber Activities and International Law (April 2024) p. 8-9.
  14. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 20-21.
  15. Government of Canada, International Law applicable in cyberspace, April 2022
  16. Government of Canada, International Law applicable in cyberspace, April 2022
  17. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 3 (footnotes omitted).
  18. Ministry of Foreign Affairs of the Czech Republic, "Czech Republic - Position paper on the application of international law in cyberspace" (27 February 2024) 13-14 (footnotes omitted).
  19. Government of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace"(4 July 2023) 7.
  20. President of Estonia: international law applies also in cyber space, 29 May 2019
  21. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 27-28.
  22. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, (August 2021) 28.
  23. International law and cyberspace - Finland's national position
  24. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,5-6.
  25. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 3-4
  26. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 4.
  27. The Application of International Law to State Activity in Cyberspace (1 December 2020) 3.
  28. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 70.
  29. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 6.
  30. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 78.
  31. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 79.
  32. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  33. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  34. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,5
  35. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 5.
  36. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
  37. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  38. Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
  39. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141.

Bibliography and further reading

Attribution

transclude as necessary

The military unit of State B qualifies as an organ of that State.[1] As such, its relevant conduct is directly attributable to State B.[2] The following analysis proceeds on the assumption that all incidents described in the scenario (incidents 1–4) were conducted by the said State B’s military unit.

Breach of international obligation

Definition

Breach of an international obligation
The second element of an internationally wrongful act is conduct amounting to a breach of an international obligation owed by the relevant entity.[3] In this regard, it is undisputed that a cyber-related action or omission by a State may constitute a breach of its international obligations.[4] International obligations arise from primary rules of international law:[5] international treaties, customary international law, and general principles of law.[6] Fault, such as intent or negligence on part of the wrongdoing State, is not a necessary element of a breach of an international obligation, unless there exists such a requirement in the relevant primary rule.[7] Similarly, there is no general requirement for the injured party to have suffered any damage—again, unless such a requirement forms part of the primary obligation in question.[8]

It is impossible to provide a list of all international obligations that may be violated by resort to cyber means. However, certain rules appear with higher frequency than others. These include the prohibition on the use of force; the prohibition of intervention; the obligation to respect the sovereignty of other States; the obligation to respect the right to privacy; the obligation of due diligence; and a few others (such as, for instance, the rule of distinction in the context of the law of armed conflict).

Appendixes

See also

Notes and references

  1. See, for example, ICRC Customary IHL Study, vol 1, 530–531 (“The armed forces are considered to be a State organ, like any other entity of the executive, legislative or judicial branch of government.”).
  2. Articles on State Responsibility, Art. 4(1); Tallinn Manual 2.0, commentary to rule 15, para. 1.
  3. Cf. ILC Articles on State Responsibility, Art. 2(b).
  4. For a detailed discussion of a breach of an international obligation by a cyber-related act, see rule 14 of Tallinn Manual 2.0 and commentary 2–11 thereto.
  5. ILC Articles on State Responsibility, General commentary, para 1.
  6. Statute of the International Court of Justice, of 26 June 1945, annexed to the UN Charter, Art 38(1)(a)–(c).
  7. ILC Articles on State Responsibility, Art. 2, para 10.
  8. ILC Articles on State Responsibility, Art. 2, para 9.

Bibliography and further reading

The following obligations based on treaty law and customary international law are considered:

Diplomatic and consular law

The Vienna Convention on Diplomatic Relations and the Vienna Convention on Consular Relations are considered to be broadly reflective of customary international law.[1] Therefore, even if State A or State B had not ratified these Conventions, the rules analysed below would still apply to their diplomatic and consular relations.

International law protects the inviolability of documents and archives of diplomatic missions and consular posts.[2] This includes any official correspondence, whether in electronic or paper form.[3] The international legal obligation to respect inviolability is unaffected by the frequent practice of States to conduct cyber espionage operations that violate this duty. This is because any such practice is regularly condemned by the victim States, whereas the offending States refrain from putting forward any corresponding legal justification of such operations.[4]

In incident 1, by gaining access to an official email account of a consular officer, State B ran afoul of the inviolability of official correspondence. The lateral movement (incident 2) and exfiltration of data (incident 3) are just further steps in the illegal activity of State B, at least to the extent that the hacked accounts and servers contained data pertaining to State A’s diplomatic missions and consular posts, irrespective of their location.[5]

Incident 4, wherein the data was published on the Internet, raises the question whether the published materials are still protected by international law. This issue is unsettled in the present state of the law. One view, endorsed by a majority of the experts drafting the Tallinn Manual, is that inviolability no longer applies to data that has been made public, as it is “not confidential as a matter of fact”.[6] By contrast, others believe that the duty to respect the inviolability of the materials in question continues to apply in such cases.[7] The primary reason for this view is that the duty of inviolability covers the protected materials “wherever they may be”,[8] which therefore includes even the public domain.[9]

Sovereignty

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[10]

Multiple declarations by the UN,[11] the African Union,[12] the European Union,[13] NATO,[14] OSCE,[15] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty.[16] However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[17] It has also been adopted by several States including Austria,[18] Brazil, [19] Canada,[20] the Czech Republic,[21] Estonia,[22] Finland,[23] France,[24] Germany,[25] Iran,[26] Italy,[27] Japan,[28] the Netherlands,[29] New Zealand,[30] Norway,[31] Romania[32] and Sweden.[33]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[34] This view has been adopted by one State, the United Kingdom,[35] and has been partially endorsed by the U.S. Department of Defense General Counsel.[36] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention or use of force).

It is understood that sovereignty has both an internal and an external component.[37] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[38][39] This encompasses both private and public infrastructure.[40] The external component entails that States are “free to conduct cyber activities in [their] international relations”, subject to their international law obligations.[41]

As a general rule, each State must respect the sovereignty of other States.[42]However, within the cyber realm – and particularly regarding remote cyber operations – there is still no agreement on the criteria[43] and the required threshold[44] to qualify an operation as a sovereignty violation.[45] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[46] Accordingly, the assessment needs to be done on a case-by-case basis.[47]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[48] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[49]
  2. Causation of physical damage or injury by remote means;[50] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[51]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as on the precise threshold for a loss of functionality (the necessity of reinstallation of the operating system or other software was proposed but not universally accepted);[52] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[53]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[54] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[55]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[56]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Canada,[57] Germany[58] and the Netherlands;[59] and followed to some extent by other States, such as the Czech Republic,[60] Norway,[61] Sweden[62] and Switzerland.[63] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”;[64]similarly, Iran has argued that “unlawful intrusion to the (public or private) cyber structures” abroad may qualify as a breach of sovereignty.[65]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[66]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Australia (2020) (2020), National position of Austria (2024) (2024), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of the People's Republic of China (2021) (2021), National position of Costa Rica (2023) (2023), National position of the Czech Republic (2020) (2020), National position of the Czech Republic (2024) (2024), National position of Denmark (2023) (2023), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Iran (2020) (2020), National position of Ireland (2023) (2023), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of Kenya (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Pakistan (2023) (2023), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of Singapore (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2012) (2012), National position of the United States of America (2016) (2016), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

With regard to incidents 1–3, the answer depends on whether the espionage operation was fully conducted from outside of State A’s territory, or whether a part of it was conducted by operators physically located in State A’s territory. In the latter case, the operation could be considered a violation of sovereignty, and hence State B’s breach of its corresponding international obligation (option 1 above).[67]

Taken separately, the publication of the acquired data (incident 4) would not violate the sovereignty of State A. Had the published information been classified in State A, then the publication is likely illegal according to State A’s domestic law; State A can also be party to international agreements which regulate the transfer of its classified information to third parties, which may create obligations for third States with regard to this information.[68]

Prohibited intervention

Prohibition of intervention (conditions)

In the present scenario, prohibited intervention could also be a relevant qualification. The incidents encroach on State A’s external affairs which are the sole prerogative of State A. However, incidents 1–3 do not contain the element of coercion, because they are conducted merely with the aim to gather information, which does not compel State A to adapt the conduct of its external affairs.[69]

As for incident 4, if it can be attributed to State B, it is coercive in the sense that it has the potential to cause State A to adapt its external affairs based on the published information and to contain the relevant political damage. It may be harder for State A to ascertain the intent of State B, which might have had no particular outcome in mind, apart from causing mischief. This might also pose an issue for establishing the causal nexus between State B’s activity and the resulting reaction by State A: the causality might not be deemed direct enough.

Espionage

In general

Peacetime cyber espionage
Peacetime espionage has been traditionally considered as unregulated by international law. This is also reflected in the Tallinn Manual 2.0, which posits that ‘[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.’[70]

However, the methods of peacetime cyber espionage are varied and the legal consensus is almost non-existent with regard to cyber operations below the threshold of use of force or armed attack.

It must be noted that although cyber espionage operations are generally not illegal from the perspective of international law, they are usually prohibited according to the domestic law of the target State. Moreover, the acting State’s authorities will also typically be subject to specific domestic law prescriptions pertaining to the conduct of foreign intelligence operations.

Conversely, the mere fact that an operation is a cyber espionage operation does not make it legal in international law, according to a majority of the experts drafting Tallinn Manual 2.0.[71] According to a minority of the experts, espionage creates an exception for certain otherwise illegal cyber operations.[72]

Publicly available national positions that address this issue include: National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

Economic cyber espionage

Economic cyber espionage
The United States has, already in its 2011 International Strategy for Cyberspace, declared that it “will take measures to identify and respond to [persistent theft of intellectual property, whether by criminals, foreign firms, or state actors working on their behalf,] to help build an international environment that recognizes such acts as unlawful and impermissible, and hold such actors accountable.”[73] The G20 countries reaffirmed in 2015 that “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”[74] In September 2015, the US and China agreed on a similar commitment on a bilateral basis.[75]

Therefore, there is a push to curb the practice by developing a prohibition of such practice as a matter of international law.

However, according to the prevailing opinion, no such prohibition has crystallised in customary international law. In this regard, it is noteworthy that the 2015 UN GGE report does not mention economic cyber espionage among the applicable norms, rules, and principles of responsible State behaviour in cyberspace.[76] Several authors,[77] including experts of the Tallinn Manual 2.0,[78] consider that there is no distinction between economic cyber espionage and other forms of cyber espionage in general international law.[79] Additionally, no international consensus exists that agreements such as the WTO TRIPS[80] protect trade secrets against espionage conducted by a foreign state, and it is unclear whether the affected company can challenge the spying State in a domestic court or pursuant to a bilateral investment treaty, if there is one.[81]

Accordingly, such conduct is not subject to any general prohibition under extant international law.

National positions

United States (2020)

"For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory. This proposition is recognized in the Department’s adoption of the “defend forward” strategy: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The Department’s commitment to defend forward including to counter foreign cyber activity targeting the United States—comports with our obligations under international law and our commitment to the rules-based international order.

The DoD OGC view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018. We recognize that there are differences of opinion among States, which suggests that State practice and opinio juris are presently not settled on this issue. Indeed, many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).

Traditional espionage may also be a useful analogue to consider. Many of the techniques and even the objectives of intelligence and counterintelligence operations are similar to those used in cyber operations. Of course, most countries, including the United States, have domestic laws against espionage, but international law, in our view, does not prohibit espionage per se even when it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States practicing it, indicating the absence of a customary international law norm against it. In examining a proposed military cyber operation, we may therefore consider the extent to which the operation resembles or amounts to the type of intelligence or counterintelligence activity for which there is no per se international legal prohibition.

Of course, as with domestic law considerations, establishing that a proposed cyber operation does not violate the prohibitions on the use of force and coercive intervention does not end the inquiry. These cyber operations are subject to a number of other legal and normative considerations."[82]

United States (2021)

"In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per see violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimise effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions."[83]

Appendixes

See also

Notes and references

  1. See, for example, J Wouters, S Duquet, and K Meuwissen, “The Vienna Conventions on Diplomatic and Consular Relations” in AF Cooper, J Heine, and R Thakur (eds), The Oxford Handbook of Modern Diplomacy (OUP 2013) 510 (noting that VCDR’s and VCCR’s main provisions have acquired customary status); ICJ, United States Diplomatic and Consular Staff in Tehran [1980] ICJ Rep 3, 31–32 [62] (noting that the relevant obligations under the two treaties are “also obligations under general international law”).
  2. Art. 24 VCDR; Art. 33 VCCR.
  3. Tallinn Manual 2.0, commentary to rule 41, para. 3.
  4. Tallinn Manual 2.0, commentary to rule 41, para. 11.
  5. See Tallinn Manual 2.0, commentary to rule 41, para. 6 (noting that archives and documents of a diplomatic mission or a consular post remain inviolable even if they are stored outside of the receiving State, including on a server belonging to the sending State’s ministry of foreign affairs).
  6. Tallinn Manual 2.0, commentary to rule 41, para. 14.
  7. Tallinn Manual 2.0, commentary to rule 41, para. 15.
  8. Art. 24 VCDR and Art. 33 VCCR.
  9. Tallinn Manual 2.0, commentary to rule 41, para. 15.
  10. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  11. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  12. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024).
  13. Council of the European Union,"Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  14. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  15. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  16. See UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information andTelecommunications in the Context of International Security, UN Doc A/68/98 (24 June 2013) para 20; UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015) paras 27, 28(b); UNGA, Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 70, 71(b).
  17. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, rule 4 (‘A State must not conduct cyber operations that violate the sovereignty of another State’), and commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  18. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  19. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 18.
  20. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  21. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  22. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 25.
  23. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  24. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  25. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  26. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  27. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’ (2021) 4.
  28. Ministry of Foreign Affairs of Japan, ‘Basic Position of the Government of Japan on International Law Applicable to Cyber Operations’ (16 June 2021) 3.
  29. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  30. New Zealand Foreign Affairs and Trade, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020) 2.
  31. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 67.
  32. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 76.
  33. Government Offices of Sweden, ‘Position Paper on the Application of International Law in Cyberspace’ (July 2022) 2.
  34. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  35. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’). The approach has been maintained in UK’s 2021 and 2022 national positions.
  36. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  37. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  38. Tallinn Manual 2.0, rule 2.
  39. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules'). This has been endorsed by several States, including China, the Czech Republic, Estonia, Finland, France, Germany, Israel, Italy, the Netherlands, Norway, Sweden, Switzerland and the United States.
  40. Tallinn Manual 2.0., commentary to rule 4, para 5. See also the national positions of Norway, Sweden and Switzerland.
  41. Tallinn Manual 2.0., rule 3; see also the national positions of the Czech Republic, the Netherlands and Norway.
  42. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  43. Some States have referred to the nature of the operation, its consequences, and/or the scale or severity of the effects, as the relevant factors that should be assessed. See e.g. the national positions of Canada, Finland, Germany, New Zealand, Norway, Sweden and Switzerland. New Zealand also highlighted the nature of the target in this regard.
  44. Some States have highlighted the requirement of certain level beyond “negligible” or “de minimis” effects, such as Canada and Germany. See similarly, New Zealand’s national position. For further discussion on the required threshold, see Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Texas Law Review 1639; Harriet Moynihan, ‘The Application of International Law to State Cyberattacks. Sovereignty and Non-Intervention’, Chatham House (2 December 2019) paras 60 and ff.
  45. Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549.
  46. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  47. See e.g. the national position of Canada, Finland, New Zealand, Norway, Sweden and Switzerland.
  48. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  49. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9. See also, the national positions of Canada and New Zealand.
  50. Tallinn Manual 2.0, commentary to rule 4, para 11.
  51. Tallinn Manual 2.0, commentary to rule 4, para 12.
  52. Tallinn Manual 2.0, commentary to rule 4, para 13. Additionally, there was agreement between the experts that ‘a cyber operation necessitating repair or replacement of physical components of cyber infrastructure amounts to a violation because such consequences are akin to physical damage or injury’. See also in this respect Canada’s national position.
  53. Tallinn Manual 2.0, commentary to rule 4, para 14.
  54. Tallinn Manual 2.0, commentary to rule 4, para 15.
  55. Tallinn Manual 2.0, commentary to rule 4, para 16. Other examples may include law enforcement, taxation, foreign relations and national defense. See e.g. the national positions of Canada, Germany and Norway. See also Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549, 557.
  56. Tallinn Manual 2.0, commentary to rule 4, para 18.
  57. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  58. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  59. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  60. Richard Kadlčák, Statement of the Special Envoy for Cyberspace and Director of Cybersecurity Department of the Czech Republic (11 February 2020) 3.
  61. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 68.
  62. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 2
  63. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 3.
  64. Ministry of Defense of France, 'International Law Applied to Operations in Cyberspace' (9 September 2019) 6.
  65. Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace (August 2020) para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state’).
  66. In favour: see, e.g., Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3; Romania’s national position (‘If there is not a State or State endorsed operation one can speak of a criminal act, which should be investigated and punished in accordance with the criminal law of the State concerned’).
  67. Tallinn Manual 2.0, commentary to rule 4, para. 6-7; commentary to rule 32, para. 9.
  68. See, for example, Agreement between the government of the United Kingdom of Great Britain and Northern Ireland and the government of the French Republic concerning the mutual protection of classified information (signed on 27 March 2008 in London, entered into force 1 December 2008, France No. 1 (2008), Cm. 7425, available at [1].
  69. Tallinn Manual 2.0, commentary to rule 66, para. 33.
  70. Tallinn Manual 2.0, rule 32.
  71. Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6.
  72. Id.; Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 VA.J.INT’LL. 291, 302-3.
  73. President of the United States, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011).
  74. G20 Leaders’ Communiqué (15–16 November 2015), para 26; see also G7 Principles and Actions on Cyber (Annex to the Ise-Shima Declaration from 27 May 2016).
  75. See US, ‘FACT SHEET: President Xi Jinping’s State Visit to the United States’ (25 September 2015).
  76. UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015), A/70/174.
  77. Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. INT'L L. & COM. REG. 443, 488-492; David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights; Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
  78. Tallinn Manual 2.0, rule 32, commentary 3.
  79. For an opposing view, see Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ (2016) in International Cyber Norms: Legal, Policy & Industry Perspectives, Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016.
  80. Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (signed on 15 April 1994 in Marrakesh), 1869 UNTS 299, 33 ILM 1197.
  81. Erika Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018), page 5: “Economic espionage, to the extent it qualifies as a violation of intellectual property rights, should arguably be treated as an act comparable to commercial activities, jure gestionis. A [S]tate would then not be able to claim state immunity for such acts and could thus instead face a normal trial in a domestic court.“
  82. Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
  83. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 140.

Bibliography and further reading

As this overview demonstrates, the mere characterization of a cyber operation as amounting to cyber espionage is not conclusive as to the question of its lawfulness under international law.[1] Reference must be had to specific rules of international law, which may be breached by the operation in question in its specific circumstances (see especially Sovereignty and Prohibited intervention above). It may be noted that there is a view that acts of espionage represent a customary exception to the relevant prohibitions.[2] However, this interpretation would amount to the establishment of a novel circumstance precluding wrongfulness, for which there is no evidence in international law. Accordingly, the lawfulness of incidents 1–4 therefore must be assessed with reference to other applicable international legal rules.

Due diligence

The due diligence obligation of State B for the abovementioned incidents is superseded by its direct responsibility for the activities of its governmental organs. On State B’s part, there is no omission, but rather a commission of an internationally wrongful act.[3]

Checklist

  • Do the affected materials come under the duty of inviolability?
  • Does the exfiltration and publication of data violate the sovereignty of the victim State?
  • Does the exfiltration and publication of data amount to a prohibited intervention?
  • Is the fact that part of the operation is cyber espionage an important circumstance for the il/legality of the operation?

Appendixes

See also

Notes and references

  1. See also Tallinn Manual 2.0, commentary to rule 32, para. 6 (“By styling a cyber operation as a ‘cyber espionage operation’, a State cannot ... claim that it is by definition lawful under international law; its lawfulness depends on whether the way in which the operation is carried out violates any international law obligations that bind the State.”).
  2. See, for example, Tallinn Manual 2.0, commentary to rule 32, para. 9; A Deeks, “An International Legal Framework for Surveillance”, (2015) 55 Va J Int’l L 291, 302.
  3. Tallinn Manual 2.0, commentary to rule 6, para. 43.

Bibliography and further reading

  • MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
  • Etc.

External links

  • (...)


Original text by: Tomáš Minárik

Reviewed by: [TBC]

Retrieved from "https://cyberlaw.ccdcoe.org/wiki/Scenario_02:_Cyber_espionage_against_government_departments?oldid=119"