Scenario 17: Collective responses to cyber operations
A State falls victim to a wide range of cyber operations and asks its allies for help. Specifically, the State wants its allies to collectively and publicly attribute the cyber operations to the perpetrator State, to implement travel bans and asset freezes against the individual perpetrators and to undertake collective countermeasures against the responsible State to induce it to cease the cyber operations. The scenario explores the legality of these collective responses to cyber operations from the perspective of international law.
1 Scenario
1.1 Keywords
Countermeasures, collective countermeasures, targeted restrictive measures, retorsion, erga omnes obligations, prohibition of intervention, sovereignty, attribution
1.2 Facts
[F1] State A is a middle-income developed country in the western hemisphere. It has a growing technology sector and its “Digital Agenda 2030” development plan foresees, among other objectives, the digitalization of public services, investment in the digital economy and setting up of a cyber defence force by 2030. However, the cyber defence force is not yet operational and State A’s abilities to detect, attribute and respond to cyber operations remain limited. In this regard, State A relies on the assistance of its allies from the intergovernmental organization Union of States (“UoS”). The founding treaty of the UoS includes mutual assistance and defence obligations.
[F2] State A suffers a prolonged series of cyber operations against its critical infrastructure. A ransomware campaign affects the functioning of public hospitals, public transport (including municipal and long-distance trains) and various governmental services, such as the functioning of court electronic filing systems (incident 1). The ransomware makes it necessary to postpone planned operations in some hospitals and delays the running of suburban trains in the capital.
[F3] On the first day of the cyber operations, State A acquires the services of a private cyber security company. The forensic analysis conducted by the company suggests a high likelihood that the cyber operation has been conducted by an APT which is commonly identified with a unit of State B’s armed forces specialized in cyber warfare. This is corroborated by State A’s intelligence service as well as the intelligence services of several UoS Member States. State B is not a member of the UoS.
[F4] In an emergency meeting of the UoS Council, State A asks the UoS Member States for assistance. In particular, it asks its allies to:
- publicly and collectively attribute the cyber operations to State B (response 1);
- introduce targeted restrictive measures (asset freezes and travel bans) against the identified perpetrators of the cyber operations (response 2); and
- conduct offensive cyber operations against State B’s cyber infrastructure used in the attacks against State A in order to degrade and destroy State B’s offensive cyber capabilities and induce State B to cease its actions (response 3).
1.3 Examples
- Texas Municipality ransomware attack (2019)
- SamSam ransomware attack (2018)
- NotPetya (2017)
- WannaCry (2017)
- Sony Pictures Entertainment attack (2014)
- Cyber attacks against Estonia (2007)
2 Legal analysis
[L1] The analysis in this scenario focuses on the legal qualification of State responses to cyber operations from the perspective of international law. It reflects already existing examples and scenarios to examine how to qualify responses 1-3 and whether such responses may be taken by States other than the State that is the primary target of the relevant conduct. The analysis is restricted to general international law and does not take into account mutual defense and/or assistance obligations that may exist between the UoS Member States and could influence their legal obligations and standing to take action in a real-world scenario.
[L2] The type of response which States are entitled to undertake under international law will depend on four key factors:
- the legal qualification of the hostile cyber operation which gave rise to the decision to respond;
- the legal qualification of the response action; and
- whether the responding State is entitled to invoke the international responsibility of the State from whose territory the initial cyber operation was launched.
2.1 Attribution
State organs and persons and entities in exercise of governmental authority
Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).
[L3] As the APT is a military unit of State B and the military is an organ of the State, the hackers’ conduct is attributable to State B under the customary rules on State responsibility, as reflected in Article 4 of the Articles on State Responsibility.
2.2 Breach of an international obligation
[L4] This section considers whether the cyber operations are a breach of an international obligation—specifically, the prohibition on the use of force, the prohibition on intervention and the obligation to respect the sovereignty of other States.
2.2.1 Use of force
Use of force
This prohibition is reflective of customary international law and it is frequently described as a peremptory norm of international law. However, the notion of “force” in this context is limited to armed force, and to operations whose scale and effects are comparable to the use of armed force.
At present, there is a debate as to whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”. Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States. However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force. This is reflected also in the preamble, which explicitly stipulates that the drafters sought “to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest”.
In principle, it could be argued that the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.
As of 2020, there is limited State practice supporting the claim that the meaning of “force” has evolved to include non-destructive cyber operations against critical national infrastructure and no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force. However, States have begun addressing this question. In particular, France and the Netherlands allow for the possibility that cyber operations which do not produce physical effects may qualify as uses of force, if certain criteria are met. These criteria include the seriousness and reach of a given cyber operation’s consequences and its military nature, as well as “the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target”. Several of these criteria are also reflected in the Tallinn Manual 2.0.
Even if an operation does not meet the threshold of the use of force, it may still be considered a violation of other rules of international law. In this regard, the prohibition of intervention, the obligation to respect the sovereignty of other States, and the possible obligation to refrain from launching cyber operations against other States’ critical infrastructure are all of potential relevance.
[L5] It is unlikely that the ransomware attacks (incident 1) constitute a use of force. Given the absence of direct physical damage, the ransomware attacks would arguably need to fulfil the criteria listed above to be considered comparable to the use of kinetic force. This is not the case here. The effects of the ransomware attack – the postponement of operations in hospitals, delays in public transport and the inability to electronically file court cases – would most likely not be severe enough to equate with a physical use of force against these targets, given that the malware affects the availability and integrity of a system, but typically does not leave lasting physical damage to the affected computer systems. Furthermore, the direct consequences of the ransomware are economic in nature – leading to system outages and the need to spend resources to clean the affected systems – rather than physical. Moreover, neither the intended target, nor the circumstances prevailing at the time of the attacks, nor the actual or intended effects point to a military character of the cyber operation.
2.2.2 Prohibition of intervention
Prohibition of intervention
Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 case Nicaragua v United States:
In order for an act, including a cyber operation, to qualify as a prohibited intervention, it must fulfil the following conditions:
[L6] There is no suggestion in the scenario that the cyber operations in any way involved the external affairs of State A. However, certain effects of the ransomware implicate the domaine réservé of State A, in particular the capability to offer governmental services to the citizens of State A.
[L7] Nevertheless, the cyber operations were not sufficiently coercive in nature in the sense of having the potential to impermissibly interfere with the free exercise of the sovereign will of State A. Firstly, there is no indication in the available evidence that the ransomware attacks were conducted with the intent to force State A to take – or abstain from taking – a particular decision. Secondly, while the cyber operations affected governmental services offered to citizens and had a negative impact on the functioning of those services through the encryption of computer systems on which the services run, they did not compel State A to refrain from taking certain actions or to adopt certain positions against its will. Moreover, although it seems possible that a large-scale cyber operation against critical infrastructure abroad could have the potential to compel the victim State to take (or refrain from taking) a particular course of action against its will, the ransomware attacks described in incident 1 arguably do not show this potential due to their fragmentary and localized character.
[L8] In consequence, there was no prohibited intervention into the internal affairs of State A.
2.2.3 Obligation to respect the sovereignty of other States
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,
Multiple declarations by the UN, NATO, OSCE, the European Union, and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty. However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention).
It is understood that sovereignty has both an internal and an external component. In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”
As a general rule, each State must respect the sovereignty of other States. It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.
The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:
The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by one State: the Netherlands. An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”.
Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.
Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.
[L9] This analysis proceeds on the basis that the obligation to respect the sovereignty of another State is a rule of international law applicable to cyberspace. Accordingly, under the test proposed by the Tallinn Manual, sovereignty is breached when a cyber operation either causes a loss of functionality of cyber infrastructure or interferes with or usurps inherently governmental functions. The ransomware attacks (incident 1) resulted in severe losses of functionality of the targeted systems. Public hospitals, transportation and governmental services were not able to function properly, which resulted in further financial losses. Moreover, the functioning of the courts is an inherently governmental function. Therefore, the effects on governmental services amounted to an interference with inherently governmental functions of State A.
[L10] In conclusion, on the “sovereignty-as-rule” approach, State B’s actions would have violated the obligation to respect State A’s sovereignty in cyberspace.
2.3 Permissible responses
[L11] To conform with the law of State responsibility, measures taken by States in response to cyber operations must either not violate any applicable international legal rule (and therefore qualify as retorsions) or, if they do violate a rule of international law, such as the principle of non-intervention or the prohibition of the use of force, they must be justifiable on one of the grounds precluding wrongfulness, such as countermeasures.
2.3.1 Act of retorsion
Retorsion is “an unfriendly but nevertheless lawful act by the aggrieved party against the wrongdoer”. Such acts may include the prohibition of or limitations upon normal diplomatic relations, the imposition of trade embargoes or the withdrawal of voluntary aid programmes. Cyber-specific retorsions may include sending warnings to cyber operatives belonging to another State, observing the adversary’s cyber activities on one’s own network using tools such as “honeypots”, or slowing down malicious cyber operations conducted by other States.
2.3.1.1 Collective attributions
[L12] It is necessary to distinguish attribution in the legal sense, signifying attribution of a specific act or omission to a State for the purposes of inducing international responsibility, from the political act of attribution, which is a policy consideration whereby the decision is made to attribute a specific cyber operation to an actor without necessarily attaching legal consequences to the decision. Such political attributions by individual States can take many forms, for instance criminal indictments, economic sanctions, technical alerts or official statements.
[L13] States can – but are not obliged to – take the decision to collectively attribute actions to another State. They may be regarded by the State to which a cyber operation has been attributed as an unfriendly act, but as they are of a political nature, such statements in principle do not violate any international legal obligations and therefore can be qualified as retorsions. As such, international law does not impose any restrictions on States wishing to act individually or collectively to react by way of retorsion against a wrongdoing State.
[L14] In consequence, the collective political attributions contemplated by the UoS Council (response 1) would not breach any international obligation and would therefore be permissible as acts of retorsion against State B.
2.3.1.2 Targeted restrictive measures
Targeted restrictive measures
The term “targeted restrictive measures” denotes sanctions taken by States outside of the framework of the United Nations, against individuals or companies which are being held responsible for conducting – or being otherwise involved in the conduct of – a cyber operation. Typically, restrictive measures take the form of travel bans or asset freezes for individuals and companies, but may also include other measures.
Targeted restrictive measures are measures typically taken within the domestic legal framework of a State or a group of States and operate territorially within the jurisdiction of that State or group of States. By virtue of their internal sovereignty, States are in principle free to adopt any measures they consider necessary or appropriate with regard to persons engaged in cyber activities.
To assess the legality of such restrictive measures taken within the domestic legal framework, it is necessary to inquire whether they violate any applicable international legal obligations of the acting State. This may be the case, for instance, if the targeted persons or entities enjoy jurisdictional immunities or if the measures in question affect rights granted by an international agreement between the acting State and the State where such persons or entities are based (such as a bilateral trade agreement). In this case, the acting State would need to be able to invoke circumstances precluding the wrongfulness of such measures, in order for their imposition to be justified. If no international legal obligations are breached, the restrictive measures are permissible under international law and may be qualified at most as acts of retorsion. Provided that these conditions are met, States may also impose such restrictive measures collectively.
[L15] In the present scenario, the travel bans and asset freezes contemplated by the UoS Council (response 2) would constitute targeted restrictive measures. Since such measures interfere with the subjects’ property rights, they have to conform with the implementing States’ obligations under human rights and other treaties (for instance bilateral investment treaties). However, without further information, nothing in this scenario indicates that rights granted to individuals by virtue of a treaty or customary international law would be affected. Therefore, they are permissible under international law and may be taken either by State A individually or by a group of UoS Member States collectively.
2.3.2 Offensive cyber operations as collective countermeasures
Several States, including Austria, Estonia, France, Germany, Japan, the Netherlands, the United Kingdom, and the United States, have expressly confirmed the applicability of the law of countermeasures to cyber operations. Others, including Brazil, China, and Cuba, have expressed caution in this regard. Countermeasures should be distinguished from retorsions, which are unfriendly but lawful acts by the aggrieved party against the wrongdoer.
As a matter of general international law, an injured State may only take countermeasures against the responsible State if the following conditions are met:
Additionally, the countermeasures must fulfil the following requirements:
Countermeasures that have been taken must be suspended if the internationally wrongful act has ceased or if “the dispute is pending before a court or tribunal which has the authority to make decisions binding on the parties”, and they must be terminated as soon as the responsible State has complied with its (secondary) obligations.
There is a debate as to whether States that have not themselves been directly injured by an unlawful cyber operation may engage in countermeasures in support of the injured State (sometimes referred to as collective countermeasures). In particular, one State has recently put forward the view that non-injured States “may apply countermeasures to support the state directly affected by the malicious cyber operation”. This would apply where diplomatic action is insufficient, but no lawful recourse to use of force exists. This interpretation would allow States to offer active assistance to States that may not possess sufficient cyber capabilities themselves to counter an ongoing unlawful cyber operation. This view has found some support in scholarship, but has since been rejected by at least one other State, with other parts of scholarship reluctant to endorse it. Therefore, it has to be regarded as a call for progressive development of international law, rather than a statement of the current state of international law.
Whether a particular measure fulfils these conditions is an objective question, while the burden of proof that the relevant conditions have been fulfilled falls on the injured State. The exact standard of proof required is unsettled in international law and it will depend on the relevant forum. However, relevant international jurisprudence tends to rely in this regard on the standard of “clear and convincing evidence”. This standard translates in practice into a duty to “convince the arbiter in question that it is substantially more likely than not that the factual claims that have been made are true.” Importantly, if a State does resort to countermeasures on the basis of an unfounded assessment that a breach has occurred, it may incur responsibility for its own wrongful conduct.
[L16] Offensive cyber operations which degrade and destroy another State’s offensive cyber capabilities may constitute a violation of sovereignty and thus an internationally wrongful act, as they lead to a loss of functionality of that State’s cyber infrastructure (see also paras L8–L9 above). In consequence, they are only permissible if they can be qualified as countermeasures and comply with the requisite conditions under the law of State responsibility (including necessity, proportionality, not amounting to a breach of an erga omnes obligation, etc.).
[L17] It is debatable whether international law currently permits States other than an injured State to take countermeasures in order to induce a responsible State to comply with its obligations. While it might be argued that international law has indeed evolved to permit such collective countermeasures, it is widely understood that non-injured States may take action only to induce compliance with obligations that are owed to a group of States and established to protect a collective interest or erga omnes, i.e. owed to the international community as a whole. Apart from that, collective countermeasures against breaches of obligations owed to the injured State individually are not permitted and this applies also in the cyber context.
[L18] In consequence, any offensive cyber operations taken by UoS States against State B (response 3) would only be justified as (collective) countermeasures if the prior internationally wrongful act breached an international obligation established for the protection of a community interest and not merely for the protection of an individual interest of a State.
[L19] Examples of protected community interests include common goods in international environmental law, standards of protection for a group of people, especially within human rights law, or international common spaces such as the moon or other celestial bodies. Furthermore, obligations owed to the international community as a whole include the prohibition of aggression and of genocide, protection of basic rights of the human person, including protection from slavery and racial discrimination, the right of peoples to self-determination and fundamental rules of international humanitarian law.
[L20] While incident 1 may have breached the obligation to respect the sovereignty of State A (see para. L9 above), this rule protects individual rights of the affected State, and not community interests. Therefore, offensive cyber operations as contemplated in response 3 would also not serve to enforce community interests; consequently, their wrongfulness would not be precluded as lawful (collective) countermeasures. In consequence, the UoS Member States may not lawfully take measures as contemplated in response 3.
3 Checklist
- Can the cyber operation in question be attributed to a State?
  - Are the authors of the cyber operation State organs?
- Did the cyber operation constitute a violation of an international obligation?
  - Use of force:
    - What was the severity of the cyber operation?
    - Were the effects of the cyber operation directly connected to the underlying cyber activity?
    - Did the cyber operation have a military character?
  - Prohibition of intervention:
    - Did the cyber operation interfere with the internal or external affairs of State A?
    - Was the cyber operation coercive, i.e., did it have the potential to deprive State A of its freedom of choice concerning its internal or external affairs?
  - What is the position of the analyst / interlocutor on whether sovereignty is a standalone primary rule of international law?
  - Did the cyber operation result in physical damage or injury on State A’s territory?
  - Did the cyber operation cause a loss of functionality of State A’s computer systems?
  - Did the cyber operation interfere with State A’s inherently governmental functions?
- What responses are permissible to be undertaken collectively?
  - Are the response measures political acts, such as public attributions?
  - Do the response measures violate any international obligation owed by the responding State(s) to the responsible State?
  - Are the countermeasures aimed at inducing compliance and proportionate?
  - Have the responding States called upon the responsible State to cease the cyber operation in question and given notice of their intent to undertake countermeasures? Or are they acting with urgency to preserve the injured rights?
  - Are the responding States directly affected by the breach of an international obligation by the responsible State or are they acting in support of an injured State?
  - Are the responding States acting collectively and in the community interest to protect an erga omnes norm?
4 Appendixes
4.1 See also
- Use of force
- Prohibition of intervention
- Scenario 03: Cyber operation against the power grid
- Scenario 06: Cyber countermeasures against an enabling State
- Scenario 14: Ransomware campaign
- Tallinn Manual 2.0, commentary to rule 66, para 21; see also Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
- Tallinn Manual 2.0, commentary to rule 66, para 21.
- Tallinn Manual 2.0, commentary to rule 66, paras 19, 27.
- Tallinn Manual 2.0, commentary to rule 66, para 24 (The exact nature of the causal nexus was not agreed on).
- See Tallinn Manual 2.0, commentary to rule 66, para 21; cf. also Q Wright, ‘The Legality of Intervention under the United Nations Charter’ (1957) 51 American Society of International Law Proceedings 79, 79 (defining intervention as “dictatorial interference by a state in the internal affairs of another state or in the relations between others”).
- Tallinn Manual 2.0, commentary to rule 66, para 24.
- Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
- UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
- North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales) (5 September 2015) para 72.
- Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
- Council of the European Union, "Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
- Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30, 40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
- See Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex L Rev. 1639, 1649 (noting that States ‘voiced no meaningful objection to Rule 4’ and that ‘it appeared to be received knowledge that a primary rule on territorial-sovereignty violations existed and applied to cyber operations.’).
- Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
- Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
- French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
- Norbert Riedel, ‘Cyber Security as a Dimension of Security Policy’ (18 May 2015), arguing that ‘[e]ven in cases where one cannot speak of a use of force, the use of cyber capabilities might constitute a violation of sovereignty, if the attack can be attributed to a state, which then in turn could lead to consequences within the confines of public international law’.
- Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para. 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
- Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
- Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
- Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’); see also Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017) (considering that sovereignty is not ‘a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State’), as cited by Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
- Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
- Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
- Tallinn Manual 2.0, rule 2.
- Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')
- UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
- Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
- See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment)  ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
- Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
- Tallinn Manual 2.0, commentary to rule 4, para 11.
- Tallinn Manual 2.0, commentary to rule 4, para 12.
- Tallinn Manual 2.0, commentary to rule 4, para 13.
- Tallinn Manual 2.0, commentary to rule 4, para 14.
- Tallinn Manual 2.0, commentary to rule 4, para 15.
- Tallinn Manual 2.0, commentary to rule 4, para 16.
- Tallinn Manual 2.0, commentary to rule 4, para 18.
- Dutch Ministry of Foreign Affairs, Letter to the parliament on the international legal order in cyberspace, Letter of 5 July 2019 from the Minister of Foreign Affairs to the President of the House of Representatives on the international legal order in cyberspace, p. 3.
- French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 6.
- In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3.
- Tallinn Manual 2.0, commentary to rule 4, paras 15-18.
- Tallinn Manual 2.0, commentary to rule 4, paras 15-18.
- E Zoller, Peacetime Unilateral Remedies: An Analysis of Countermeasures (Transnational 1984) 5.
- Articles on State Responsibility, commentary to Part Three, Chapter II, para. 3.
- Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 17–22.
- Dutch Ministry of Foreign Affairs, Letter to the parliament on the international legal order in cyberspace, Letter of 5 July 2019 from the Minister of Foreign Affairs to the President of the House of Representatives on the international legal order in cyberspace, p. 6; French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 10.
- Kristen E Eichensehr, ‘The Law & Politics of Cyberattack Attribution’ (2019) UCLA School of Law Public Law Research Paper No. 19–36, 10.
- Cf. Dutch Ministry of Foreign Affairs, Letter to the parliament on the international legal order in cyberspace, Letter of 5 July 2019 from the Minister of Foreign Affairs to the President of the House of Representatives on the international legal order in cyberspace, p. 6.
- See e.g. Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, ST/7299/2019/INIT, OJ L 129I, 17.5.2019, p. 13–19, Art. 1.
- Tallinn Manual 2.0, commentary to rule 2, paras 1-2.
- See, e.g., Jurisdictional Immunities of the State (Germany v. Italy: Greece intervening) (Judgment)  ICJ Rep. 99, para 136; but cf. Tom Ruys, ‘Non-UN Financial Sanctions against Central Banks and Heads of State: in breach of international immunity law?’ EJILTalk!, 12 May 2017 (arguing that State immunity is only recognized in judicial proceedings, not against administrative or executive actions).
- ILC Articles on State Responsibility, Art 22.
- See, eg, Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 17 (“Unlike countermeasures, international law does not restrict nations from collaborating on retorsion. For instance, if a state has repeatedly acted maliciously in cyberspace with targets in multiple states, all of those states could collectively engage in sanctions or release a joint public statement condemning the bad actor.”).
- See, eg, Good Luck Shipping LLC v. Council of the European Union, General Court, Judgment of 24 May 2016, joined Cases T‑423/13 and T‑64/14; for further information on this topic see Elena Chachko, ‘Foreign Affairs in Court: Lessons from CJEU Targeted Sanctions Jurisprudence’ (2019) 44 Yale Journal of International Law 1.
- ILC Articles on State Responsibility, Commentary, part 3 ch 2 at para 1.
- Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility. A target State may also react through proportionate countermeasures.’ (emphasis added).
- Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures”.
- French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that ‘In response to a cyberattack, France may consider diplomatic responses to certain incidents, countermeasures, or even coercive action by the armed forces if an attack constitutes armed aggression.’
- Germany, ‘Statement by Ambassador Dr Thomas Fitschen, Director for the United Nations, Cyber Foreign Policy and Counter-Terrorism, Federal Foreign Office of Germany’ (November 2018) 3, stating that ‘in case of a cyber operation that is in breach of an international legal obligation below the level of the use or threat of force prohibited by Art. 2 (IV) [of the UN Charter] States are also entitled to take countermeasures as allowed by international law.’
- Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated), stating that ‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’
- Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 7.
- United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017), stating that ‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime, including the availability of the doctrine of countermeasures in response to internationally wrongful acts.’
- Brian J. Egan, ‘Remarks on International Law and Stability in Cyberspace’ (10 November 2016), stating that countermeasures are available ‘to address malicious cyber activity’ if that activity amounts to a prior internationally wrongful act attributable to another State.
- Brazil, ‘Open-ended Working Group on developments in the field of information and telecommunications in the context of international security: Second Substantive Session - New York, 11 February 2020: Statement by the Delegation of Brazil’ (11 February 2020), stating that ‘In the case of malicious acts in cyberspace, it is often difficult to attribute responsibility to a particular State or actor with unqualified certainty. A decision to resort to countermeasures in response to such acts carries a high risk of targeting innocent actors, and of triggering escalation.’
- China, ‘Statement by the Chinese Delegation at the Thematic Debate of the First Committee of the 72th UNGA’ (October 2017), stating that ‘Countries should discuss application of international law in the manner conducive to maintain peace, avoid introducing force, deterrence and countermeasures into cyberspace, so as to prevent arms race in cyberspace and reduce risks of confrontation and conflicts.’
- Cuba, ‘Declaration by Miguel Rodríguez, Representative of Cuba, at the Final Session of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (23 June 2017), registering ‘serious concern over the pretension of some, reflected in paragraph 34 of the draft final report, to convert cyberspace into a theater of military operations and to legitimize, in that context, unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs.’ (emphasis added).
- ILC Articles on State Responsibility, Art 49(1); Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment)  ICJ Rep 7, para 83.
- ILC Articles on State Responsibility, Art 52(3) – 52(4).
- ILC Articles on State Responsibility, Art 52(1)(a). According to the UK Attorney General, the UK does not feel legally obliged, when taking countermeasures in response to a covert cyber intrusion, to “give prior notification to the hostile state”. UK Attorney General, Jeremy Wright QC MP, ‘Cyber and International Law in the 21st Century’.
- ILC Articles on State Responsibility, Art 28-41; the list of consequences includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
- ILC Articles on State Responsibility, Art 52(1)(b) – 52(2).
- ILC Articles on State Responsibility, Art 49(1); Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment)  ICJ Rep 7, para 87. The list of consequences in Art 28-41 includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
- ILC Articles on State Responsibility, Art 49(3).
- Such as the obligation to refrain from the threat or use of force as embodied in the UN Charter, obligations for the protection of fundamental human rights, and obligations of a humanitarian character prohibiting reprisals. ILC Articles on State Responsibility, Art 50(1).
- ILC Articles on State Responsibility, Art 50(2).
- Articles on State Responsibility, Art 51; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment)  ICJ Rep 7, para 85.
- ILC Articles on State Responsibility, Art 54.
- President of Estonia, Kersti Kaljulaid, ‘President of the Republic at the opening of CyCon 2019’ (29.05.2019).
- Michael N Schmitt, ‘Estonia Speaks Out on Key Rules for Cyberspace’ Just Security (10.06.2019), considering the Estonian interpretation to be “an advantageous development in the catalogue of response options that international law provides to deal with unlawful acts”.
- French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 10, arguing that collective countermeasures are not authorised under international law.
- Jeff Kosseff, ‘Collective Countermeasures in Cyberspace,’ (2020) Notre Dame Journal of International & Comparative Law Vol. 10, Iss. 1, 34; François Delerue, Cyber Operations and International Law (CUP 2020), 457.
- ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49, para 3.
- ILC Articles on State Responsibility, Commentary to Part One, Chapter 5, para 8 (noting that “[i]n a bilateral dispute over State responsibility, the onus of establishing responsibility lies in principle on the claimant State”).
- See, eg, Trail Smelter case (United States v Canada) (Award) (1941) 3 RIAA 1905, 1965; see also Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013) 624 (noting that in cases where State responsibility is involved, the required threshold tends to shift towards ‘clear and convincing’).
- James Green, ‘Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice’ (2009) 58 ICLQ 163, 167 (emphasis original).
- ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49, para 3.
- Cf. ILC Articles on State Responsibility, Art 42 (a) and (b) (defining an “injured State” as a State to which the obligation breached was owed individually or as a member of a group of States).
- ILC Articles on State Responsibility, Commentary to Art. 54 para 6 (leaving the resolution of the matter to the further development of international law).
- ILC Articles on State Responsibility, Art. 48 (1) (a).
- ILC Articles on State Responsibility, Art. 48 (1) (b); see also Martin Dawidowicz, Third-Party Countermeasures in International Law, 253–254.
- French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 10; Jeff Kosseff, ‘Collective Countermeasures in Cyberspace,’ (2020) Notre Dame Journal of International & Comparative Law Vol. 10, Iss. 1, 34; François Delerue, Cyber Operations and International Law, 457; Przemysław Roguski, ‘Collective Countermeasures in Cyberspace – Lex Lata, Progressive Development or a Bad Idea?’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 36.
- See further Przemysław Roguski, ‘Collective Countermeasures in Cyberspace – Lex Lata, Progressive Development or a Bad Idea?’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 36–40.
- Isabel Feichtner, ‘Community Interest’, Max Planck Encyclopaedia of Public International Law (Oxford University Press 2007) paras 15-17.
- Barcelona Traction, Light and Power Company Limited (Belgium v Spain), Judgment,  ICJ Rep 3, para 34.
- East Timor (Portugal v Australia)  ICJ Rep 90, para 29.
- Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion,  ICJ Rep 136, paras 155-159.
- Przemysław Roguski, ‘Collective Countermeasures in Cyberspace: Lex lata, Progressive Development or a Bad Idea?’, in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 37.
4.3 Bibliography and further reading
- Dennis Broeders, The Public Core of the Internet (Amsterdam University Press 2015);
- Elena Chachko, ‘Foreign Affairs in Court: Lessons from CJEU Targeted Sanctions Jurisprudence’ (2019) 44 Yale Journal of International Law 1;
- Martin Dawidowicz, ‘Third-Party Countermeasures: A Progressive Development of International Law? - QIL QDI’ (2016) 29 Questions of International Law 3;
- Martin Dawidowicz, Third-Party Countermeasures in International Law (CUP 2017);
- François Delerue, Cyber Operations and International Law (CUP 2020);
- Carlo Focarelli, ‘International Law and Third-Party Countermeasures in the Age of Global Instant Communication’ (2016) 29 Questions of International Law 17;
- Eleni Katselli Proukaki, The Problem of Enforcement in International Law (Routledge 2010);
- Jeff Kosseff, ‘Collective Countermeasures in Cyberspace,’ (2020) Notre Dame Journal of International & Comparative Law Vol. 10, Iss. 1, 18-34;
- Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020);
- Przemysław Roguski, ‘Collective Countermeasures in Cyberspace: Lex lata, Progressive Development or a Bad Idea?’, in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020);
- Barrie Sander, ‘Democracy under the Influence: Paradigms of State Responsibility for Cyber Influence Operations on Elections’ (2019) 18 Chinese Journal of International Law 1;
- Michael N Schmitt, ‘Estonia Speaks Out on Key Rules for Cyberspace’ Just Security (10.06.2019);
- Michael N Schmitt, ‘France’s Major Statement on International Law and Cyber: An Assessment’, Just Security (16 September 2019).
4.4 Contributions
- Scenario by: Przemysław Roguski
- Analysis by: Przemysław Roguski
- Reviewed by: François Delerue, Steven Hill, Jeff Kosseff, Mark Norris