Scenario 20: Cyber operations against medical facilities

From International cyber law: interactive toolkit
Jump to navigation Jump to search
© Ismail Sadiron Pictures. Licensed from Shutterstock.

Public hospitals in a State fall victim to a hostile cyber operation, encrypting hospital computers. As a result, patient data becomes unavailable and a number of patients have to be diverted to private hospitals. The victim State’s forensic investigation indicates that the operation was conducted by a State actor but cannot immediately determine which State was responsible. Two possible culprits emerge: a State that is a political adversary of the victim State; and a State engaged in an armed conflict with the victim State. Therefore, this scenario analyses the incident first from the perspective of peacetime international law (primarily the principles of sovereignty and non-intervention, the prohibition against the use of force, and international human rights law) and then under international humanitarian law applicable during armed conflict (notably the obligation to respect and protect medical units).

Scenario[edit | edit source]

Keywords[edit | edit source]

International humanitarian law, international human rights law, medical facilities, hospitals, ransomware, prohibition of intervention, sovereignty, use of force

Facts[edit | edit source]

[F1] State A is located in a region rattled by conflict and rivalry among regional powers. The tensions between States A and B run high and their governments have been constantly exchanging insults and political threats. However, neither State has ever used physical force against the other. By contrast, State A is locked into an ongoing international armed conflict with State C. For several years, the conflict has been continuing at low intensity with frequent shelling across the frontline.

[F2] Recently, public hospitals of State A, which account for 30% of all its hospitals, fell victim to a ransomware attack. All public hospitals use the same administration software and are connected to each other. The operation encrypted computers used in the hospitals and doctors became unable to access patient data stored digitally. This included data containing test results from hundreds of patients tested for a highly infectious disease. The inaccessibility of patient data meant the hospitals became unable to admit some patients or to treat others. As a result, the affected public hospitals had to transfer urgent cases to private hospitals.

[F3] After three days, cyber security specialists from State A found the key needed to decrypt the computers. Still, as a result of the incident, medical care at the hospitals was disrupted by delays and unavailability of important data on patient treatment. Two of the patients diverted to private hospitals died while in transit, although investigations were inconclusive as to whether their lives could have been saved if they had been admitted on time. Moreover, due to test results being unavailable, public authorities were unable to track and inform individuals who had been infected. State A’s Ministry of Health stated that the inability to track positive cases undermined the State’s strategy to combat the infectious disease.

[F4] State A’s forensic experts quickly determine that the operation was conducted by an advanced persistent threat actor, likely linked to a State. However, at the early stages they are unable to attribute the operation to a specific State. While waiting for further clarity from forensic experts, on the basis of the evidence available, State A’s intelligence service considers it is highly probable that the operation was either the work of State B, or of State C.

[F5] All States involved in this scenario are parties to the four Geneva Conventions, their Additional Protocol I, the Rome Statute of the International Criminal Court, the International Covenant on Civil and Political Rights (ICCPR), and the International Covenant on Economic, Social, and Cultural Rights (ICESCR).

Examples[edit | edit source]

Legal analysis[edit | edit source]

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] Attribution of the cyber operation against State A’s public hospitals is unclear. With available evidence suggesting that it was conducted either by State B or by State C, the legal analysis discusses the two possibilities in two separate sections below.

What if it was State B: Focus on peacetime international law[edit | edit source]

[L2] If the operation was attributed to State B, it would have taken place in time of peace. Thus, the legal analysis in this section focusses on whether the operation would have violated State A’s sovereignty, amounted to a prohibited intervention into the internal affairs of State A, and/or amounted to a use of force against State A. The analysis also examines whether State B would have violated its obligations under international human rights law.

Obligation to respect the sovereignty of other States[edit | edit source]

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,
[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[1]
Multiple declarations by the UN,[2] the African Union,[3] the European Union,[4] NATO,[5] OSCE,[6] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty.[7] However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[8] It has also been adopted by several States including Austria,[9] Brazil, [10] Canada,[11] the Czech Republic,[12] Estonia,[13] Finland,[14] France,[15] Germany,[16] Iran,[17] Italy,[18] Japan,[19] the Netherlands,[20] New Zealand,[21] Norway,[22] Romania[23] and Sweden.[24]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[25] This view has been adopted by one State, the United Kingdom,[26] and has been partially endorsed by the U.S. Department of Defense General Counsel.[27] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention or use of force).

It is understood that sovereignty has both an internal and an external component.[28] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[29][30] This encompasses both private and public infrastructure.[31] The external component entails that States are “free to conduct cyber activities in [their] international relations”, subject to their international law obligations.[32]

As a general rule, each State must respect the sovereignty of other States.[33]However, within the cyber realm – and particularly regarding remote cyber operations – there is still no agreement on the criteria[34] and the required threshold[35] to qualify an operation as a sovereignty violation.[36] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[37] Accordingly, the assessment needs to be done on a case-by-case basis.[38]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[39] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[40]
  2. Causation of physical damage or injury by remote means;[41] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[42]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as on the precise threshold for a loss of functionality (the necessity of reinstallation of the operating system or other software was proposed but not universally accepted);[43] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[44]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[45] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[46]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[47]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Canada,[48] Germany[49] and the Netherlands;[50] and followed to some extent by other States, such as the Czech Republic,[51] Norway,[52] Sweden[53] and Switzerland.[54] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”;[55]similarly, Iran has argued that “unlawful intrusion to the (public or private) cyber structures” abroad may qualify as a breach of sovereignty.[56]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[57]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of the People's Republic of China (2021) (2021), National position of Costa Rica (2023) (2023), National position of the Czech Republic (2020) (2020), National position of Denmark (2023) (2023), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Iran (2020) (2020), National position of Ireland (2023) (2023), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of Kenya (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Pakistan (2023) (2023), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of Singapore (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2012) (2012), National position of the United States of America (2016) (2016), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

[L3] This analysis proceeds on the basis that the obligation to respect the sovereignty of another State is a rule of international law applicable to cyberspace. The operation interrupted and slowed down the delivery of medical services in another State. The fact that this was done through an unauthorized penetration of State A’s systems would suffice for the qualification of the operation as a breach of sovereignty under the test proposed by France.[58]

[L4] The ransomware operation also resulted in a widespread loss of functionality, given that the affected systems in State A’s public hospitals ceased to operate properly until the encryption key was found.[59] In addition, the operation prevented State A from tracking and informing patients who were tested positive for a highly infectious disease, thereby undermining its capacity to contain that disease. Taking measures to curb an epidemic is a governmental responsibility of any State (i.e., public health[60]) and thus the tracking and informing of patients can be considered as an inherently governmental function of State A.[61] Accordingly, State B’s cyber operation could also be characterized as a violation of State A’s sovereignty due to it having caused a loss of functionality of cyber infrastructure in State A (option 3 in the box above) and interfered with State A’s inherently governmental functions (option 4).

Prohibition of intervention[edit | edit source]

Prohibition of intervention
The obligation of non-intervention, a norm of customary international law,[62] prohibits States from intervening coercively in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 Nicaragua v United States case:
A prohibited intervention must […] be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.[63]
In order for an act, including a cyber operation,[64] to qualify as a prohibited intervention, it must fulfil the following conditions:[65]
  1. The act must bear on those matters in which States may decide freely.[66] The spectrum of such issues is particularly broad and it includes both internal affairs (such as the “choice of a political, economic, social, and cultural system”[63] or the conduct of national elections[67]), and external affairs (“formulation of foreign policy”;[63] or “recognition of states and membership of international organisations”[68])—the so-called domaine réservé of States.[69] The content of the domaine réservé is determined by the scope and nature of the State's international legal obligations.
  2. The act must be coercive in nature. There is no generally accepted definition of “coercion” in international law. In this respect, two main approaches have emerged in the cyber context:[70]
    1. Under the first approach, an act is coercive if it is specifically designed to compel the victim State to change its behaviour with respect to a matter within its domaine reservé.[71] Under this approach, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”.[72]
    2. Under the second approach giving meaning to “coercion”, it is sufficient for an act to effectively deprive the target State of its ability to control or govern matters within its domaine reservé.[73] This latter approach distinguishes itself from the former by accepting that mere deprivation of the target State’s control over a protected matter, without actually or potentially compelling that State to change its behaviour, may constitute intervention.[74]
    Under both approaches, however, merely influencing the target State by persuasion or propaganda or causing a nuisance without any particular goal is insufficient to qualify as coercion.[75] The element of coercion also entails the requirement of intent.[76]

    While coercion is evident in the case of an intervention involving the use of force, ‘either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State’, as affirmed by the ICJ,[77] it is less clear with respect to non-forcible forms of interference.[78] Some States support the approach that intervention may take various forms, such as economic and political coercion.[79] One example that has been reiterated in several States’ positions, including Australia,[80] Brazil,[81] Canada,[82] Germany,[83] Israel,[84] New Zealand,[85] Norway,[86] Singapore,[87] the United Kingdom[88] and the United States,[89] is the case of cyber operations by a State interfering with another state’s ability to hold an election or manipulating the election results. Many States have affirmed that the assessment has to be done on a case-by-case basis.[90]

    Both potential and actual effects are considered to be relevant when assessing the coercion element.[91]

  3. Finally, there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.[92]
  4. The prohibition of intervention applies between States, and thus it is not applicable to the activities of non-State groups, unless their conduct can be attributed to a State under the rules on attribution under international law.[93]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Costa Rica (2023) (2023), National position of the People's Republic of China (2021) (2021), National position of Denmark (2023) (2023), National position of Estonia (2021) (2021), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Iran (2020) (2020), National position of Ireland (2023) (2023), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Pakistan (2023) (2023), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of Singapore (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2016) (2016), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

[L5] With regard to the first element of prohibited intervention, the ransomware incidents related to matters of public policy including the operation of public hospitals and the development of a strategy to contain an infectious disease, i.e. public health.[94] Although some aspects of these matters are now subject to international regulation – for example, the World Health Organization’s International Health Regulations codify certain international obligations in handling public health emergencies[95] – the overall management of a public health crisis at a national level is still widely considered to remain a sovereign prerogative falling within each State’s domaine réservé.[96] Accordingly, the incidents related to matters upon which State A had the right to decide freely.

[L6] With respect to the second element, the two approaches to the meaning of “coercion” defined above lead to different results in the present scenario. On the first approach, an intent to compel State A to change its behaviour cannot be discerned from the facts. The cyber operation interfered with the functioning of the hospitals and the implementation of State A’s public health strategy, but there is insufficient information to conclude that the State of origin had the goal of effecting any particular change in the behaviour of State A.

[L7] By contrast, on the second approach, the interference with the hospitals would be considered coercive because it prevented State A from operating those hospitals according to its own will. As such, it effectively deprived that State of its ability to control or govern matters within its domaine réservé and, accordingly, it qualified as a violation of the prohibition of intervention.

Use of force[edit | edit source]

Use of force
Article 2(4) of the UN Charter prescribes States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”.[97] This prohibition is reflective of customary international law[98] and it is frequently described as a peremptory norm of international law.[99]

This rule applies between States; therefore the conduct needs to be attributable to a State and against another State ‘in their international relations’, thus excluding non-State actors unless their conduct is attributable to a State.[100]

As stated by the International Court of Justice, the prohibition applies to any use of force, regardless of the means employed.[101] However, the notion of “force” in this context is limited to armed force[102], and to operations whose scale and effects are comparable to the use of armed force.[103] As stressed by several States, each situation has to be analysed on a case-by-case basis.[104]

Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States.[105] However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force.[106] This is reflected also in the preamble, which explicitly stipulates that the drafters sought “to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest”.[107]

In principle, it could be argued that the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.[108] Regarding its application to cyber operations, an “effects-based approach” has been mostly followed.[109] In this sense, there is emerging consensus that “a cyber attack that causes or is reasonably likely to cause physical damage to property, loss of life or injury to persons would fall under the prohibition contained in Article 2(4) of the UN Charter”,[110] including both direct and indirect consequences. At present, there is a debate as to whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”.[111]

As of 2022, there is limited State practice supporting the claim that the meaning of “force” has evolved to include non-destructive cyber operations against critical national infrastructure[112] and no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force.[113] However, States have begun addressing this question. In particular, France,[114] the Netherlands[115] and Norway[116] allow for the possibility of cyber operations, which do not produce physical effects, to qualify as uses of force, if certain criteria are met. These qualitative and quantitative non-exhaustive criteria include the seriousness and reach of a given cyber operation’s consequences and its military nature,[117] as well as “the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target”.[118] Several of these criteria are also reflected in the Tallinn Manual 2.0.[119] Other States, such as Italy, did not rule out the possibility of considering operations causing the interruption of essential services without physical damage within the scope of the prohibition of the use of force.[120]

A use of force is unlawful under international law, unless it is authorized by the UN Security Council under Chapter VII of the UN Charter,[121] conducted in the exercise of the inherent right to self-defence,[122] or consented to by the territorial State.[123]

Even if an operation does not meet the threshold of the use of force, it may still be considered a violation of other rules of international law.[124] In this regard, the prohibition of intervention, the obligation to respect the sovereignty of other States, and the possible obligation to refrain from launching cyber operations against other States’ critical infrastructure are all of potential relevance.

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Costa Rica (2023) (2023), National position of Denmark (2023) (2023), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Ireland (2023) (2023), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of Norway (2021) (2021), National position of Pakistan (2023) (2023), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of the United Kingdom (2021) (2021), National position of the United States of America (2012) (2012), National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

[L8] It is unlikely that the ransomware operations amounted to a use of force. There is no evidence of direct physical damage and it is doubtful that the operations can be considered comparable to the use of kinetic force on the basis of the criteria mentioned above. The consequences of the operations – in particular, the disruption to the functioning of public hospitals – would arguably not be considered serious or severe enough to equate the operation with a physical use of force against those targets.[125] Even if a causal link between the cyber operations and the two patient deaths could be established, these effects might still fall below a de minimis threshold suggested in legal doctrine[126] as well as in international practice.[127] The indirect nature of any such effects would also militate against the qualification of the underlying operation as a use of force.[128] Finally, the target of the operations and the circumstances prevailing at the time when the operations were launched did not suggest that the operations had a military character.[129]

Applicability of international humanitarian law[edit | edit source]

[L9] Provided that the operation is attributed to State B, a separate legal question is whether the cyber operation conducted by State B would bring into existence an international armed conflict between State B and State A. [130]

International armed conflict
The law of international armed conflict (IAC) applies to any armed confrontation between two or more States,[131] even if one, several, or all of them deny the existence of an armed conflict.[132] Some scholars have suggested that the fighting must be of a certain intensity before international humanitarian law (IHL) comes into effect,[133] but the prevailing view is that any “resort to armed force between States”,[134] however brief or intense, triggers the application of IHL.[135] Furthermore, the law does not prescribe any specific form for the resort to force,[136] so hostilities between the belligerent States may involve any combination of kinetic and cyber operations, or cyber operations alone.[137]

It is unclear what effect cyber operations unaccompanied by any use of kinetic force would have to have in order for IHL to apply. Although it seems generally accepted that if cyber operations have similar effects to classic kinetic operations and two or more States are involved, the resulting situation would qualify as an IAC,[138] the law is unsettled on whether cyber operations that merely disrupt the operation of military or civilian infrastructure amount to a resort to armed force for the purposes of IHL.[139][140]

In the cyber context, States often act through non-State intermediaries and proxies. In such situations at the outset of an armed confrontation, the relevant State must exercise a sufficient degree of control over the non-State entity that commences hostilities against another State for the situation to qualify as an IAC. However, the correct legal test to use in this regard is the subject of an ongoing controversy.[141] The prevailing standard for the characterization of an international armed conflict is that of “overall control”, which requires that the State provides some support and that it participates in the organization, co-ordination, or planning of the relevant operations.[142] A separate standard, the “effective control” test, requires that the State must exercise control over the entire course of the operations in question.[143] While there is still disagreement as to whether the “effective control” test is the controlling test for the purposes of attribution under the law of State responsibility, there is consensus that the “overall control” test is the correct one for conflict qualification under IHL.[144] The latter is also confirmed by decades of consistent practice by international criminal tribunals including the ICTY, the ECCC, and the ICC.[145]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Costa Rica (2023) (2023), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Ireland (2023) (2023), National position of Japan (2021) (2021).

[L10] In the present scenario, the effect of the cyber operation is difficult to compare to a classic kinetic operation because there is no physical damage comparable to that resulting from armed hostilities between States. At the same time, if computer systems in a significant number of hospitals are targeted and disrupted, it is reasonably foreseeable that injury or death will result. In line with the prevailing view that there is no requirement of a specific level of intensity of violence to trigger an international armed conflict (see in the box above), it could thus be argued that such operations would bring into existence an international armed conflict and have to comply with the limits imposed by IHL (on which see section 2.2.1 below). For the time being, however, it is unclear whether States would classify such cyber operations as bringing IHL into application.[146]

International human rights law[edit | edit source]

[L11] The scenario also raises the question of whether the cyber operation is in violation of State B’s obligation (1) to respect the right to life of those patients who died following the operation (Article 6 ICCPR) and (2) the right to health of persons whose health was negatively affected by the operation (Article 12 ICESCR).


International human rights law
International human rights law applies in cyberspace; individuals enjoy the same human rights online as they enjoy offline.[147] States are therefore bound by their human rights obligations to respect, protect and fulfil human rights in cyberspace. States also bear international responsibility for the violation of human rights obligations that are attributable to them.[148]

The source of these obligations is primarily treaty law. The two key global treaties are the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR);[149] many of these treaties’ provisions, along with the provisions of the Universal Declaration of Human Rights, are regarded as reflective of customary international human rights law, even though there is no universally accepted codification. Apart from the ICCPR and ICESCR, there are important regional human rights treaty systems, especially for Europe (based on the European Convention on Human Rights – ECHR),[150] the European Union (Charter of Fundamental Rights of the European Union – EUCFR),[151] America (American Convention on Human Rights – ACHR),[152] and Africa (African Charter on Human and Peoples’ Rights – ACHPR),[153] which provide for adjudicatory mechanisms by which individuals can assert their human rights against States and which have generated a considerable amount of case-law as a result.

In order to determine whether a State has breached its human rights obligations, the following steps of analysis should be conducted:

  1. Since cyber operations often take place in the cyber infrastructure of multiple States, the issue of jurisdiction must be addressed. Each human rights treaty has its own bespoke jurisdictional requirements and scope. In this regard, every State party to the ICCPR has undertaken “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the [ICCPR]”.[154] The UN Human Rights Committee (UN HRC) has understood this provision to mean that the human rights obligations recognized within the ICCPR apply not only to persons physically located within a State’s territory, but also to situations where the State exercises “power or effective control” either over the territory on which an individual is located (the spatial model of jurisdiction) or over the individual (the personal model of jurisdiction).[155] Likewise, the International Court of Justice (ICJ) has stated that the ICCPR “is applicable in respect of acts done by a State in the exercise of its jurisdiction outside its own territory”.[156] A few States (such as the US and Israel) have adopted the contrary view and maintain that human rights obligations do not apply extraterritorially. To date, however, these States remain in the minority.[157] As such, although the exact criteria for the applicability of human rights obligations to extraterritorial activities of States are not settled and are subject to ongoing academic and political debate,[158] the prevailing opinion at present is that human rights obligations do apply to some acts of a State outside its territory.[159]
  2. If an international human rights regime is applicable, the second question is whether a cyber operation attributable to a State constitutes an interference with a particular human right. The human rights that are often implicated by cyber operations include the right to privacy[160] and the right to freedom of opinion and expression.[161] Other rights such as the freedom of association,[162] the prohibition of discrimination, the right to life, to health or other social and economic rights may be also affected by cyber operations or cyber-related measures.[163] If the right in question is absolute – such as the right to be free from torture or slavery – then no interference with it is allowed.[164]
  3. For an interference with a qualified right – such as the right to privacy or to freedom of expression – to be legal under human rights law, it must fulfil certain conditions, namely:
    1. be in accordance with an accessible and foreseeable domestic law (“legality”),
    2. pursue a legitimate aim of public interest (such as national security, public order, public health, or morals) or for the protection of rights of others,
    3. be necessary to achieve that aim, and
    4. be proportionate in balancing the means and the end.[165]

Apart from the responsibility for human rights violations attributed to it, a State can also be held responsible for its failure to take all reasonable measures to protect the human rights of individuals in its territory and subject to its jurisdiction (for instance, if it unlawfully allows non-State actors to violate human rights).[166]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Australia (2020) (2020), National position of Canada (2022) (2022), National position of Costa Rica (2023) (2023), National position of the Czech Republic (2020) (2020), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of Ireland (2023) (2023), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of Kazakhstan (2021) (2021), National position of Kenya (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2021) (2021), National position of the United States of America (2012) (2012), National position of the United States of America (2016) (2016), National position of the United States of America (2021) (2021).

[L12] In the present scenario, it must first be determined whether the patients are within State B’s jurisdiction, meaning whether State B owes human rights obligations to them.

[L13] There are at least three possible approaches to determining whether a State owes human rights obligations to persons abroad who are affected by its cyber activities.

[L14] First, a few States take the view that human rights treaties, such as the ICCPR, do not apply extraterritorially.[167] On this view, State B would not owe human rights obligations to anyone outside of its territory, including the affected patients in State A. However, it should be noted that this view has been contradicted by the International Court of Justice[168] and it has gained minimal traction outside of the limited number of its supporters.[169]

[L15] Second, in line with the well-established understanding of jurisdiction under human rights law, a State only owes obligations under the ICCPR or the ICESCR to persons abroad if it exercises effective control over the territory in which the effects of the operation manifest,[170] or if it has physical control over the victims;[171] referred to in the literature as, respectively, the spatial and personal models of jurisdiction.[172] However, neither of these conditions is met in the present scenario. As a result, a cyber operation by State B that affects victims in State A would not violate State B’s human rights obligations because the victims do not come within State B’s jurisdiction.

[L16] Third, and without specifically referring to cyber operations, human rights treaty bodies have presented more extensive views on the scope of States’ extraterritorial jurisdiction under the ICCPR and the ICESCR. With regard to the right to life under the ICCPR, the UN Human Rights Committee opined that a State’s obligations to respect and to ensure this right extend to “persons located outside any territory effectively controlled by the State, whose right to life is nonetheless impacted by its military or other activities in a direct and reasonably foreseeable manner”.[173] More broadly, the UN Committee on Economic, Social, and Cultural Rights has argued that under the ICESCR “States parties have to respect the enjoyment of the right to health in other countries”.[174] Under this approach, State B would owe human rights obligations to those affected by its cyber operations. It is unclear, however, whether such broad interpretations of the notion of jurisdiction reflect the current state of international law.[175]

[L17] If the view suggested by the UN treaty bodies was followed, it would still need to be analysed whether State B acted in violation of its obligation under the right to life by using ransomware against public hospitals. Following the UN Human Rights Committee’s interpretation of the right to life, this would be the case if an act of the State – in this case the cyber operation that likely resulted in the death of two patients – impacted the right to life in an “in a direct and reasonably foreseeable manner”.[176] In the present case, it could be argued that a cyber operation against a significant number of hospitals affects the right to life of patients in a direct and reasonably foreseeable manner, even if the cyber operation is not the immediate cause of death.[177]

[L18] Similarly, if the more extensive approach to jurisdiction was taken, it would follow that State B also violated its obligations under the right to health. This is because, as noted by the Committee on Economic, Social, and Cultural Rights, the obligation to respect that right requires States not to interfere “directly or indirectly with the enjoyment of the right to health”.[178] State B’s cyber operations which prevented patients from receiving treatment and which negatively affected State A’s ability to respond to a public health crisis would have violated that obligation.[179]

What if it was State C: Focus on the law applicable during armed conflict[edit | edit source]

International humanitarian law[edit | edit source]

[L19] If the operation is attributed to State C, it takes place in the context of an existing international armed conflict. As a consequence, all acts of the parties to the conflict with a sufficient nexus to that conflict are governed by IHL.[180] Based on the evidence available, it is unclear whether such nexus existed, which would be assessed by reference to whether State C “acted in furtherance of or under the guise of the armed conflict”.[181] The remainder of the analysis in this subsection proceeds on the assumption that this requirement was met.


Protection of medical units during armed conflict
Under treaty and customary IHL, “medical units” – a term that includes military and civilian hospitals (the latter if belonging to a party to the conflict and recognized and authorized by the competent authority of one of the Parties to the conflict) – must be “respected and protected” by the parties to the conflict at all times and “shall not be the object of attack”.[182] Intentionally directing attacks against medical units and facilities may constitute a war crime.[183]

The obligation to “respect” medical facilities is broader than just protecting them against operations that amount to attacks as defined in IHL, meaning it is also prohibited to interfere with the functioning of medical services in ways that do not necessarily result in death, injury, or damage.[184] As the ICRC Commentary explains, under the relevant IHL provisions it is prohibited to “harm [medical facilities] in any way. This also means that there should be no interference with their work (for example, by preventing supplies from getting through) or preventing the possibility of continuing to give treatment to the wounded and sick who are in their care”.[185]

In light of the comprehensive protection for medical facilities under IHL, the obligation to respect medical facilities encompasses a prohibition against deleting, altering or otherwise negatively affecting medical data.[186] Relevant data in the medical context include “data necessary for the proper use of medical equipment and for tracking the inventory of medical supplies” as well as “personal medical data required for the treatment of patients”.[187]

Publicly available national positions that address this issue include: National position of Costa Rica (2023) (2023), National position of Switzerland (2021) (2021).

[L20] In the present scenario, the malware encrypted computers used in the hospital and made medical data of hospital patients temporarily unavailable. The operation thereby interfered with the hospital’s medical work and prevented medical staff from treating those in need of care. Therefore, the operation would have constituted a violation of State C’s obligations to respect and to protect medical units.


The notion of ‘attack’ under international humanitarian law
The question of whether an operation amounts to an ‘attack’ as defined in international humanitarian law (IHL) is essential for the application of many of the rules deriving from the principles of distinction, proportionality and precaution. While some IHL rules impose limits on any military (cyber) operation, the rules specifically applicable to ‘attacks’ afford significant protection to civilians and civilian objects in times of armed conflict.[188]

Article 49 of Additional Protocol I defines ‘attacks’ as ‘acts of violence against the adversary, whether in offence or in defence’. Viewed as ‘combat action’,[189] they are understood to denote violence directed against military forces of an opposing party.[190] Arguments that a subjective element of purpose or motive to cause harm are inherent in the notion of attack[191] have not found wide support.[192]

The notion of violence in this definition can refer to either the means of warfare or their effects, meaning that an operation causing violent effects can qualify as an attack even if the means used to bring about those effects are not violent as such.[193] Accordingly, it is widely accepted that cyber operations that can be reasonably expected to cause injury or death to persons or damage or destruction to objects constitute attacks under IHL.[194]

There has been limited discussion over the contours of the reasonable foreseeability of harm standard for the purposes of defining attacks.[195] In the assessment of what constitutes the ‘reasonably expected’ effects of an operation that have to be considered, some States, including Denmark, Finland, New Zealand, Norway, Switzerland, or the United States, have clarified that this includes harm due to the foreseeable direct and indirect (or reverberating) effects of an attack.[196] An indirect or reverberating effect would include, for example, the death of patients in intensive-care units caused by a cyber operation on an electricity network that results in cutting off a hospital’s electricity supply – a view shared by the ICRC.[197] Care must be exercised in considering the extent to which understandings of reasonable foreseeability for the purposes of other rules of IHL can be deemed relevant in the interpretation of ‘attack’.

At present, different views exist on the interpretation of what constitutes ‘damage’ for assessing whether an operations amounts to an ‘attack’. One view, taken by some States including Denmark, Israel, and Peru, is that only physical damage is relevant in the assessment of what constitutes an attack under IHL.[198] Other States have interpreted the notion of ‘attack’ wider. States including Bolivia, Ecuador, France, Germany, Guatemala, Japan, and New Zealand consider that cyber operations may qualify as an ‘attack’ without causing physical damage if they disable the functionality of the target.[199] For its part, the ICRC interprets the notion of ‘attack’ as including a loss of functionality. In its view, ‘an operation designed to disable a computer or a computer network constitutes an attack under IHL, whether the object is disabled through kinetic or cyber means’.[200]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Costa Rica (2023) (2023), National position of Denmark (2023) (2023), National position of France (2019) (2019), National position of Germany (2021) (2021), National position of Ireland (2023) (2023), National position of Israel (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Pakistan (2023) (2023), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2021) (2021), National position of the United States of America (2016) (2016), National position of the United States of America (2021) (2021).

[L21] It must further be inquired whether the operation amounts to an attack against a medical unit, which could amount to a war crime.[201] This would be the case if the operation can reasonably be expected to cause injury or death to persons or damage or destruction to objects (see box above). If the view is taken that the notion of damage includes a loss of functionality, the present operation amounts to an attack because it effectively disabled the hospital computers. This conclusion will also be reached if the focus is not on the damage caused but on the reasonably foreseeable injury or death. This is because conducting a cyber operation that is expected to disrupt computers in 30% of a State’s hospitals can be “reasonably expected to cause injury or death to persons”.[202] On the basis of the foregoing, the operation would thus qualify as a prohibited attack against a medical unit.

International human rights law[edit | edit source]

[L22] Finally, it should be noted that it is generally – though not universally – accepted that international human rights law continues to apply during armed conflicts.[203] If the more extensive view on the notion of jurisdiction is taken, the conduct attributed to State C might also implicate its human rights obligations, in particular those under the rights to life and health (see paras L16–L18 above). In that case, the precise interplay between the relevant IHL and human rights obligations would require further analysis, which is beyond the scope of the present scenario.[204]

Checklist[edit | edit source]

  • Who is responsible for the operation and can the act be attributed to a State?
  • Does the operation take place in time of peace or in the context of an armed conflict?
  • If the operation takes place in time of peace, does it
    • Violate the principle of sovereignty, the principle of non-intervention, or the prohibition against the use of force?
    • Violate the acting State’s human rights obligations? Does the acting State owe human rights obligations to the victims?
    • Could it bring into existence an international armed conflict to which IHL applies?
  • If the operation takes place in times of armed conflict, does it violate relevant rules of IHL, notably the obligation to respect and protect medical facilities and the prohibition against attacks against medical units?

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  2. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  3. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024).
  4. Council of the European Union,"Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  5. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  6. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  7. See UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information andTelecommunications in the Context of International Security, UN Doc A/68/98 (24 June 2013) para 20; UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015) paras 27, 28(b); UNGA, Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 70, 71(b).
  8. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, rule 4 (‘A State must not conduct cyber operations that violate the sovereignty of another State’), and commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  9. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  10. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 18.
  11. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  12. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  13. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 25.
  14. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  15. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  16. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  17. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  18. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’ (2021) 4.
  19. Ministry of Foreign Affairs of Japan, ‘Basic Position of the Government of Japan on International Law Applicable to Cyber Operations’ (16 June 2021) 3.
  20. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  21. New Zealand Foreign Affairs and Trade, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020) 2.
  22. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 67.
  23. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 76.
  24. Government Offices of Sweden, ‘Position Paper on the Application of International Law in Cyberspace’ (July 2022) 2.
  25. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  26. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’). The approach has been maintained in UK’s 2021 and 2022 national positions.
  27. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  28. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  29. Tallinn Manual 2.0, rule 2.
  30. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules'). This has been endorsed by several States, including China, the Czech Republic, Estonia, Finland, France, Germany, Israel, Italy, the Netherlands, Norway, Sweden, Switzerland and the United States.
  31. Tallinn Manual 2.0., commentary to rule 4, para 5. See also the national positions of Norway, Sweden and Switzerland.
  32. Tallinn Manual 2.0., rule 3; see also the national positions of the Czech Republic, the Netherlands and Norway.
  33. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  34. Some States have referred to the nature of the operation, its consequences, and/or the scale or severity of the effects, as the relevant factors that should be assessed. See e.g. the national positions of Canada, Finland, Germany, New Zealand, Norway, Sweden and Switzerland. New Zealand also highlighted the nature of the target in this regard.
  35. Some States have highlighted the requirement of certain level beyond “negligible” or “de minimis” effects, such as Canada and Germany. See similarly, New Zealand’s national position. For further discussion on the required threshold, see Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Texas Law Review 1639; Harriet Moynihan, ‘The Application of International Law to State Cyberattacks. Sovereignty and Non-Intervention’, Chatham House (2 December 2019) paras 60 and ff.
  36. Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549.
  37. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  38. See e.g. the national position of Canada, Finland, New Zealand, Norway, Sweden and Switzerland.
  39. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  40. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9. See also, the national positions of Canada and New Zealand.
  41. Tallinn Manual 2.0, commentary to rule 4, para 11.
  42. Tallinn Manual 2.0, commentary to rule 4, para 12.
  43. Tallinn Manual 2.0, commentary to rule 4, para 13. Additionally, there was agreement between the experts that ‘a cyber operation necessitating repair or replacement of physical components of cyber infrastructure amounts to a violation because such consequences are akin to physical damage or injury’. See also in this respect Canada’s national position.
  44. Tallinn Manual 2.0, commentary to rule 4, para 14.
  45. Tallinn Manual 2.0, commentary to rule 4, para 15.
  46. Tallinn Manual 2.0, commentary to rule 4, para 16. Other examples may include law enforcement, taxation, foreign relations and national defense. See e.g. the national positions of Canada, Germany and Norway. See also Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549, 557.
  47. Tallinn Manual 2.0, commentary to rule 4, para 18.
  48. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  49. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  50. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  51. Richard Kadlčák, Statement of the Special Envoy for Cyberspace and Director of Cybersecurity Department of the Czech Republic (11 February 2020) 3.
  52. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 68.
  53. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 2
  54. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 3.
  55. Ministry of Defense of France, 'International Law Applied to Operations in Cyberspace' (9 September 2019) 6.
  56. Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace (August 2020) para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state’).
  57. In favour: see, e.g., Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3; Romania’s national position (‘If there is not a State or State endorsed operation one can speak of a criminal act, which should be investigated and punished in accordance with the criminal law of the State concerned’).
  58. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019), 6.
  59. In this regard, see Tallinn Manual 2.0., commentary to rule 4, para. 14 (noting that some of the experts considered that ‘a temporary, but significant, loss of functionality’ could qualify as a violation of the victim State’s sovereignty).
  60. Some States have referred to health care services as within the notion of ‘inherently governmental functions’, such as Canada.
  61. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 255 (‘[C]risis management during an epidemic or a pandemic is a governmental responsibility in every state and accordingly an inherently governmental function.’).
  62. The customary nature has been highlighted by several States, including Australia, Brazil, Germany, Iran, Norway, Sweden, the United Kingdom and the United States.
  63. 63.0 63.1 63.2 Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14 [205].
  64. Many States, including Australia, Brazil, Canada, Estonia, Israel, Italy, Japan, New Zealand, Norway, Singapore, Sweden, Switzerland, the United Kingdom and the United States, have acknowledged that the prohibition of intervention applies to cyber operations. This has been also highlighted by the UN Group of Governmental Experts. See UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22 July 2015) A/70/174, para 28(b); UNGA, Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (14 July 2021) A/76/135, para 71(c).
  65. Many States agree that intervention ‘involves “coercion” in relation to a State’s domaine réservé’. See Ori Pomson, 'The Prohibition on Intervention Under International Law and Cyber Operations' (2022) 99 International Law Studies 180, 217. In this regard, see the national positions of Australia, Brazil, Canada, Estonia, Germany, Israel, Italy, The Netherlands, New Zealand, Norway, Romania, Singapore, Sweden, Switzerland, the United Kingdom and the United States.
  66. Militarv and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) Merits, Judgment. I.C.J. Reports 1986, 14 [241].
  67. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3; Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5.
  68. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  69. See, for example, Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated April 2013) (defining the domaine réservé as those “areas where States are free from international obligations and regulation”); Nationality Decrees Issued in Tunis and Morocco (French Zone) on November 8th, 1921 (Great Britain v France) Advisory Opinion, (1923) PCIJ Series B no 4, 7th February 1923 [24].
  70. See also Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 6(3) Journal of Cyber Policy 394, 400-1.
  71. See, e.g., Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019) 3, defining coercion as ‘compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue’ and noting that ‘[t]he goal of the intervention must be to effect change in the behaviour of the target state’; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5, defining coercion as a situation in which a State’s ‘will is manifestly bent by the foreign State’s conduct’ and noting that ‘the acting State must intend to intervene in the internal affairs of the target State’; see further, the national positions of Italy, Switzerland, Estonia, Norway and Romania; see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘The majority of Experts was of the view that the coercive effort must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target State.’).
  72. Tallinn Manual 2.0, commentary to rule 66, para 21. See also Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019) 3.
  73. See, e.g., Australia, ‘Supplement to Australia’s Position on the Application of International Law to State Conduct in Cyberspace’ (2019) 4 (‘A prohibited intervention is one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely.’); New Zealand, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020), para 9(b) (stating that a State cyber activity is coercive if ‘there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions’); United Kingdom Attorney General’s Office Suella Braverman: ‘International Law in Future Frontiers’ (19 May 2022). See also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘A few Experts took the position that to be coercive it is enough that an act has the effect of depriving the State of control over the matter in question.’).
  74. Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 6(3) Journal of Cyber Policy 394, 403; see also Sean Watts, ‘Low-Intensity Cyber Operations and the Principle of Non-Intervention’ in Jens D Ohlin, Kevin Govern and Claire Finkelstein, Cyber War: Law and Ethics for Virtual Conflicts (Oxford University Press 2015) 256 and ff.
  75. Tallinn Manual 2.0, commentary to rule 66, para 21. See also the national positions of Canada, Germany and Norway.
  76. Tallinn Manual 2.0, commentary to rule 66, paras 19 and 27. See also the national positions of Germany, New Zealand and Sweden.
  77. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) Merits, Judgment. I.C.J. Reports 1986, 14 [205]. See also national position of Canada, Germany and The Netherlands.
  78. See Harriet Moynihan, The Application of International Law to State Cyberattacks Sovereignty and Non-Intervention (Chatham House, 2 December 2019) para 82.
  79. See Ori Pomson, 'The Prohibition on Intervention Under International Law and Cyber Operations' (2022) 99 International Law Studies 180, 212. While some States have stressed that economic coercion can still be sufficient for a breach of the rule of non-intervention, others remained ambiguous in their positions. States have referred to different examples that could be classified, depending on the circumstances of the case, under the prohibition of intervention. See the national positions of Australia (‘intervention in the fundamental operation of Parliament, or in the stability of States’ financial systems’), Canada (‘a malicious cyber activity that disrupts the functioning of a major gas pipeline, compelling the affected State to change its position in bilateral negotiations surrounding an international energy accord’), Italy (‘influence activities aimed, for instance, at undermining a State’s ability to safeguard public health during a pandemic’), New Zealand (‘a prolonged and coordinated cyber disinformation operation that significantly undermines a state’s public health efforts during a pandemic; and cyber activity deliberately causing significant damage to, or loss of functionality in, a state’s critical infrastructure, including – for example – its healthcare system, financial system, or its electricity or telecommunications network’), Norway (‘a cyber operation deliberately causing a temporary shutdown of the target State’s critical infrastructure, such as the power supply or TV, radio, Internet or other telecommunications infrastructure in order to compel that State to take a course of action’), Singapore (‘cyber-attacks against our infrastructure in an attempt to coerce our government to take or forbear a certain course of action on a matter ordinarily within its sovereign prerogative’), Switzerland (‘This is particularly true of economic coercion, which could be the case if a company that is systemically relevant was paralysed through a cyber operation’), the United Kingdom (‘intervention in the fundamental operation of Parliament, or in the stability of our financial system’; ‘to undermine the stability of another State’s financial system or to target the essential medical services of another State’; ‘Covert cyber operations by a foreign State which coercively restrict or prevent the provision of essential medical services or essential energy supplies […]disruption of systems controlling emergency medical transport (e.g., telephone dispatchers); causing hospital computer systems to cease functioning; disruption of supply chains for essential medicines and vaccines; preventing the supply of power to housing, healthcare, education, civil administration and banking facilities and infrastructure; causing the energy supply chain to stop functioning at national level through damage or prevention of access to pipelines, interchanges, and depots; or *preventing the operation of power generation infrastructure. Turning to economic stability, covert cyber operations by a foreign State that coercively interfere with a State’s freedom to manage its domestic economy, or to ensure provision of domestic financial services crucial to the State’s financial system, would breach the rule on non-intervention […] disruption to the networks controlling a State’s fundamental ability to conduct monetary policy or to raise and distribute revenue, for instance through taxation. Or disruption to systems which support lending, saving and insurance across the economy’), and the United States (‘a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population –for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic’).
  80. Australian Government, Australia's position on how international law applies to State conduct in cyberspace (2020).
  81. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, (August 2021) 19.
  82. Government of Canada, International Law applicable in cyberspace (April 2022)
  83. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 5-6.
  84. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020).
  85. New Zealand Foreign Affairs and Trade, The Application of International Law to State Activity in Cyberspace (1 December 2020) 2.
  86. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 68-69.
  87. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 83.
  88. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century (23 May 2018); United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement (3 June 2021); Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022.
  89. Brian J Egan, International Law and Stability in Cyberspace (10 November 2016) 13-14; Hon Paul C Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference (2 March, 2020); Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 140.
  90. See the national positions of Canada, Romania, Sweden and Switzerland.
  91. Harriet Moynihan, The Application of International Law to State Cyberattacks Sovereignty and Non-Intervention (Chatham House, 2 December 2019) para 101. Further, the international group of experts involved in the Tallinn Manual 2.0. considered that ‘the fact that a coercive cyber operation fails to produce the desired outcome has no bearing on whether [the prohibition of intervention] has been breached’. Tallinn Manual 2.0., commentary to rule 66, para 29.
  92. Tallinn Manual 2.0, commentary to rule 66, para 24 (the exact nature of the causal nexus was not agreed on).
  93. Harriet Moynihan, The Application of International Law to State Cyberattacks Sovereignty and Non-Intervention (Chatham House, 2 December 2019) para 79. See also the national positions of The Netherlands (‘The non-intervention principle, like the sovereignty principle from which it stems, applies only between states’), Sweden (‘The prohibition of intervention is applicable between States and does not apply directly to non-state actors’), and the 2022 position of the United Kingdom (‘To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility’).
  94. See in this regard for essential medical services, the national positions of Italy, Japan, New Zealand and the United Kingdom.
  95. International Health Regulations (signed 23 May 2005, entered into force 15 June 2007) 2509 UNTS 79.
  96. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 257 (‘It is unquestionably within the domaine réservé of a state to determine how it will handle a health crisis, as is the actual handling of that crisis.’); Gary P. Corn, ‘Covert Deception, Strategic Fraud, and the Rule of Prohibited Intervention’, Hoover Working Group on National Security, Technology, and Law, Aegis Series Paper No. 2005 (18 September 2020) 9 (‘the adoption and implementation of public-health policies and measures, especially in the face of a global pandemic, are widely recognized as legitimate matters of governance within a state’s internal sovereign jurisdiction’).
  97. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4).
  98. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136, para 87; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, paras 187–190. See also, the national positions of Brazil, Israel, Sweden, and the United States.
  99. See, for example,The International Law Commission, 'Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session' Yearbook of the International Law Commission Vol. II (1966) 247 (“The law of the Charter concerning the prohibition of the use of force in itself constitutes a conspicuous example of a rule in international law having the character of jus cogens”); Christine Gray, International Law and the use of force (OUP 2018) 32; Oliver Corten, The Law against War. The Prohibition on the Use of Force in Contemporary International Law (Hart Pub. 2021) 44; Oliver Dörr and Albrecgr Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012), 231, para 67 (“the prohibition of the use of force laid down in Art. 2 (4) is usually acknowledged in State practice and legal doctrine to have a peremptory character, and thus to be part of the international ius cogens”).
  100. Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 44.
  101. Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1. C.J. Reports 1996, 226; see also the national positions of Brazil, Germany, France, the Netherlands and Sweden.
  102. Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012) 208 para 16 (“The term [‘force’] does not cover any possible kind of force, but is, according to the correct and prevailing view, limited to armed force.”).
  103. Cf. Ian Brownlie, International Law and the Use of Force by States (OUP 1963) 362 (“[Art 2(4)] applies to force other than armed force”); Tallinn Manual 2.0, rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”). This is also embodied in the national positions of several States, including Australia, Canada, Germany, Italy, the Netherlands, Romania and Sweden.
  104. See the national positions of Canada, Germany, Italy, the Netherlands, Romania, Sweden and the United States.
  105. Cf. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4) (expressly prohibiting the use of force against the “political independence” of any State).
  106. Documents of the United Nations Conference on International Organization (1945), vol VI, 334. See also the national position of the Netherlands.
  107. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) preamble.
  108. Cf. Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment, 2009 ICJ Rep 213 [66] (“[W]here the parties have used generic terms in a treaty, the parties necessarily having been aware that the meaning of the terms was likely to evolve over time, and where the treaty has been entered into for a very long period or is ‘of continuing duration’, the parties must be presumed, as a general rule, to have intended those terms to have an evolving meaning”).
  109. Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 46-47. See the national positions of Australia, Germany, France, the Netherlands, Sweden, the United Kingdom and the United States. As highlighted by Roscini, other analytic approaches include an ‘instrument-based approach’ which focuses on the means used, and the ‘target-based approach’ which ‘argues that cyber operations reach the threshold of the use of armed force when they are conducted against national critical infrastructure’. On the latter, see for example Estonia’s national position, combining the target and the effects-based approaches in its assessment.
  110. Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 53. See also the national positions of Australia, Brazil, Estonia, Italy, Israel and the United States. Further, it has been argued that there is a minimum threshold of intensity or gravity in the use of force, for it to fall under Article 2(4) of the UN Charter. See Roscini, 53-54. See also in this regard, Tallinn Manual 2.0., commentary to rule 69, para 9(a).
  111. Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 55. See also ibid, 48 (noting that ‘the dependency of modern societies on computers, computer systems, and networks has made it possible to achieve analogous prejudicial results through other, non-destructive means’)
  112. However, such claims are occasionally made in the scholarship: see, for example, Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 59; Nicholas Tsagourias 'Cyber Attacks, Self-Defence and the Problem of Attribution' (2012) 17 (2) Journal of Conflict and Security Law 23; Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
  113. Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583, 638.
  114. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 7, stating that ‘France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force’.
  115. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 4, stating that ‘in the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force’.
  116. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 69-70, stating that ‘Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4)’.
  117. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4.
  118. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 7.
  119. Tallinn Manual 2.0, commentary to rule 69, para 9. The indicative factors highlighted by the Manual are: (i) severity; (ii) immediacy; (iii) directness; (iv) invasiveness; (v) measurability of effects; (vi) military character; (vii) State involvement; and (viii) presumptive legality.
  120. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’ (2021) 8. See also the national position of Israel, stating that ‘As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force’.
  121. See Articles 39–42 of the UN Charter.
  122. See Article 51 of the UN Charter.
  123. See in this regard the national positions of Australia, the Netherlands and Romania.
  124. Cf. US, State Department Legal Advisor Brian Egan, International Law and Stability in Cyberspace, Speech at Berkeley Law School (10 November 2016), 13 (“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force.”) (emphasis original); UK, Attorney General Jeremy Wright QC MP, Cyber and International Law in the 21st Century, Speech (23 May 2018) (“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.”); Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 4; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 77.
  125. See also Tallinn Manual 2.0, commentary to rule 69, para 9(a) (‘Severity is the most significant factor in the analysis.’).
  126. See, eg, Robert Kolb, Ius contra bellum: Le droit international relatif au maintien de la paix (2nd edn, Bruylant 2009) 247; Olivier Corten, The Law Against War: The Prohibition on the Use of Force in Contemporary International Law (Hart Pub 2021) 55; Mary Ellen O’Connell, ‘The Prohibition on the Use of Force’, in Nigel D. White & Christian Henderson (eds), Research Handbook on International Conflict and Security Law (OUP 2013) 102; see also Tallinn Manual 2.0, commentary to rule 69, para 9(a); but see, eg, Tom Ruys, ‘The Meaning of “Force” and the Boundaries of the Jus ad Bellum: Are “Minimal” Uses of Force Excluded from UN Charter Article 2(4)?’ (2014) 108 AJIL 159.
  127. IIFFMCG, Independent International Fact-Finding Mission on the Conflict in Georgia: Report (September 2009) vol 2, at 242 (‘The prohibition of the use of force covers all physical force which surpasses a minimum threshold of intensity. … Only very small incidents lie below this threshold, for instance the targeted killing of single individuals, forcible abductions of individual persons, or the interception of a single aircraft.’) (emphasis added).
  128. Tallinn Manual 2.0, commentary to rule 69, para 9(c) (‘Cyber operations in which cause and effect are clearly linked are more likely to be characterised as uses of force than those in which they are highly attenuated.’).
  129. See French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, 7 (‘In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target’) (emphasis added).
  130. On the difference in the cyber context between the relevant thresholds under the law on the use of force and IHL, see Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 302–310.
  131. Common Article 2 GC I (stipulating that the Conventions “shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties”).
  132. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 246 (‘Even if none of the Parties recognize the existence of a state of war or of an armed conflict, humanitarian law would still apply provided that an armed conflict is in fact in existence.’).
  133. See, eg, Jan K Kleffner, ‘Scope of Application of Humanitarian Law’ in D Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; ILA Use of Force Committee, Final Report on the Meaning of Armed Conflict in International Law (2010) 32; Gary D. Solis, The Law of Armed Conflict: International Humanitarian Law in War (2nd edn, CUP 2016) 162.
  134. Prosecutor v Tadić (Decision on Jurisdiction) IT-94-1-AR72 (2 October 1995) para 70.
  135. See, eg, Jean S. Pictet (ed) Geneva Convention IV relative to the Protection of Civilian Persons in Time of War: Commentary (ICRC 1958) 20–21; Yves Sandoz, Christophe Swinarski, and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987) 40; René Provost, International Human Rights and Humanitarian Law (CUP 2002) 250; Jann K Kleffner, ‘Scope of Application of International Humanitarian Law’ in Dieter Fleck (ed), The Handbook of International Humanitarian Law (3rd edn, OUP 2013) 45; Andrew Clapham, ‘Concept of International Armed Conflict’ in Andrew Clapham, Paola Gaeta, and Marco Sassòli (eds), The 1949 Geneva Conventions: A Commentary (OUP 2015) 16 para 38; ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 251; Noam Zamir, Classification of Conflicts in International Humanitarian Law: The Legal Impact of Foreign Intervention in Civil Wars (Edward Elgar 2017) 53–55; Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 15–16.
  136. Cf. Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 89 (holding that the relevant rules of IHL apply “to all international armed conflict, whatever type of weapons might be used”) (emphasis added).
  137. Tallinn Manual 2.0, commentary to rule 82, para 11.
  138. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 288.
  139. ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 289.
  140. For State views on this matter, see, eg, Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 7 (‘International humanitarian law only applies to cyber operations when such operations are part of, or amount to, an armed conflict. Most so far known cyberattacks have not been launched in the context of an armed conflict or have met the threshold of armed conflict.’); French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, 12 (‘Cyberoperations that constitute hostilities between two or more States may characterise the existence of international armed conflict (IAC)’); Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 7 (‘An international armed conflict – a main prerequisite for the applicability of IHL in a concrete case – is characterized by armed hostilities between States. This may also encompass hostilities that are partially or totally conducted by using cyber means.’); Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021), 7 (‘If the effects of cyber operations are taken into consideration, the conduct of cyber operations alone may reach the threshold of an "armed conflict."’).
  141. See further Kubo Mačák, Internationalized Armed Conflicts in International Law (OUP 2018) 39–47.
  142. Prosecutor v Prlić et al (Trial Judgment) IT-04-74-T (29 May 2013), vol 1, para 86(a).
  143. See Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, paras 112–15; see further Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 421.
  144. Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 405; but see ICRC (ed), Commentary on the Third Geneva Convention (CUP 2021), commentary on common Article 2, para 304 (arguing that overall control is the controlling test in both contexts).
  145. See Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (15 July 1999) paras 120–121; Prosecutor v Lubanga (Pre-Trial Chamber 1) ICC-01/04-01/06 (29 January 2007) paras 209–211; Case No 001/18-07-2007/ECCC/TC (26 July 2010) para 540.
  146. For instance, Germany states broadly that ‘armed hostilities’ that are ‘totally conducted by using cyber means’ can amount to an international armed conflict. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 7. France considers that ‘while an armed conflict consisting exclusively of digital activities cannot be ruled out in principle, it is based on the capacity of autonomous cyberoperations to reach the threshold of violence required to be categorised as such’ (emphasis added). French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019), 12. While Japan considers that the effects of a cyber operation ‘alone may reach the threshold of an "armed conflict”’, it also argues that this ‘needs to be decided on a case-by-case basis, taking into account a number of elements, such as the manner of the actual attack and the intent of each party to the incident, in a comprehensive manner’. Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (28 May 2021), 7.
  147. See, for example, United Nations Human Rights Council, The promotion, protection and enjoyment of human rights on the Internet, Resolution A/HRC/RES/32/13 (1 July 2016), para 1; NATO, Warsaw Summit Communiqué (9 July 2016), para 70; G8 Summit of Deauville, Declaration: Renewed Commitment for Freedom and Democracy (27 May 2011), para II/11; UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015) A/70/174, paras 13(e) and 28(b); UNGA, ‘Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security’ (14 July 2021) A/76/135, paras 36 and ff. This has been reaffirmed by most States in their national positions, such as Australia, Canada, Czech Republic, Estonia, Finland, Italy, Japan, the Netherlands, New Zealand, Norway, Romania, Sweden, Switzerland, the United Kingdom and the United States.
  148. See, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43 [170].
  149. International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR); International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) 993 UNTS 3 (ICESCR).
  150. Formal title: Convention for the Protection of Human Rights and Fundamental Freedoms (opened to the signature in Rome on 4 November 1950, entered into force 3 September 1953), ETS 5 (ECHR); there are several protocols which significantly expand and amend the obligations of the original Convention.
  151. Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000 (EUCFR).
  152. American Convention on Human Rights (open for signature from 22 November 1969, entered into force 18 July 1978), 1144 UNTS 123 (ACHR).
  153. African Charter on Human and Peoples’ Rights (‘Banjul Charter’) (adopted 27 June 1981, entered into force 21 October 1986), CAB/LEG/67/3 rev. 5, 21 I.L.M. 58 (1982) (ACHPR).
  154. Article 2(1) ICCPR.
  155. UN HRC, ‘General Comment No. 31 (80): The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’ (adopted on 29 March 2004, 2187th meeting), para 10.
  156. Cf, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ Rep 136 [111]. See further, UN HRC, General comment No. 36, Article 6, Right to life (3 September 2019) CCPR/C/GC/36, para 63. See also the approach adopted by the European Court of Human Rights in Al-Skeini and others v. the United Kingdom, App no 55721/07 (ECtHR, 7 July 2011) [131] and ff; Loizidou v. Turkey, App no 15318/89 (ECtHR, 23 March 1995) [62], and recently in Carter v. Russia, App no. 20914/07 (ECtHR, 21 September 2021) [161]. For the position within the Inter-American System see Saldano v. Argentina, Report No 38/99 (Inter-American Commission of Human Rights, 11 March 1999) [17] and in particular the wide interpretation adopted by the Inter-Amercian Court of Human Rights in its Advisory Opinion 23/17 on the Environment and Human Rights, Series a 23 (IACtHR, 15 November 2017) para 104(h).
  157. See, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ 136, para 110; UN HRC, Summary Record of the 1405th Meeting, CCPR/C/SR.1405 (31 March 1995) 6 [20].
  158. See, for example, Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56 Harvard International Law Journal 81.
  159. Switzerland has expressly stated in its national position that ‘Human rights obligations are equally binding upon states operating in cyberspace as in physical space. This also applies when the cyber operation in question is being carried out extraterritorially, to the extent that the States exercise their sovereign authority in doing so’. See Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 8.
  160. Article 17 ICCPR; Article 8 ECHR; Article 7 EUCFR; Article 11 ACHR. The exact titles and scopes of the provisions vary. For example, this can be triggered be the practice of surveillance. See Helen McDermott, ‘Application of the International Human Rights Law Framework in Cyber Space’ in Dapo Akande and others (eds), Human Rights and 21st Century Challenges. Poverty, Conflict, and the Environment (Oxford University Press 2020) 194. See also Szabo and Vissy v Hungary, App no 37138/ 14 (ECtHR, 12 January 2016); Liberty and Others v United Kingdom, App No 58243/00 (ECtHR, 2008).
  161. Article 19 ICCPR; Article 10 ECHR; Article 11 EUCFR; Article 13 ACHR. The exact titles and scopes of the provisions vary, and include its counterpart, the right to access to information, as highlighted in the national positions of Estonia, Finland, Italy, Sweden, Switzerland and the United States. A violation of this right may be, for example by ‘a DDoS attack that inhibits access to the Internet or the voicing of views, and is attributable to a state’. See Helen McDermott, ‘Application of the International Human Rights Law Framework in Cyber Space’ in Dapo Akande and others (eds), Human Rights and 21st Century Challenges. Poverty, Conflict, and the Environment (Oxford University Press 2020) 194.
  162. As highlighted by many States in their national positions, including Australia, Canada, the Czech Republic, Estonia, the Netherlands and Sweden.
  163. See Helen McDermott, ‘Application of the International Human Rights Law Framework in Cyber Space’ in Dapo Akande and others (eds), Human Rights and 21st Century Challenges. Poverty, Conflict, and the Environment (Oxford University Press 2020) 195–197.
  164. See Soering v. the United Kingdom, App no 14038/88 (ECtHR, 07 July 1989) [88]; Ireland v. the United Kingdom, App no 5310/71 (ECtHR, 18 January 1978) [163]; Hurri Laws v. Nigeria, Communication No 225/98 (AComHPR, 6 November 2000) [41]; UN HRC, General Comment 20, Article 7 (Prohibition of Torture, or Other Cruel, Inhuman or Degrading Treatment or Punishment) (10 March 1992) para 3; CAT, General Comment 2 on the implementation of article 2 by States parties (24 January 2008) CAT/C/GC/2, paras 1 and 5.
  165. UN Human Rights Committee, ICCPR General Comment No. 34 (12 September 2011), paras 21-36; See also ICCPR General Comment No. 27 (1 November 1999), paras 14-16; UN HRC, General Comment No. 31 [80] The Nature of the General Legal Obligation Imposed on States Parties to the Covenant (26 May 2004) CCPR/C/21/Rev.1/Add. 13, para 6.
  166. See, Velásquez Rodríguez v. Honduras, (Merits) IACrtHR (Ser. C) No. 4 (29 July 1988) [177]. See also UN HRC, General Comment No. 31 [80] The Nature of the General Legal Obligation Imposed on States Parties to the Covenant (26 May 2004) CCPR/C/21/Rev.1/Add. 13, para 8; UN HRC, General comment No. 36, Article 6, Right to life (3 September 2019) CCPR/C/GC/36, para 7. See also the national positions of Finland and Switzerland.
  167. Human Rights Committee, Concluding observations of the Human Rights Committee, United States of America, 18 December 2006, CCPR/C/USA/CO/3/Rev.1, para 10; Committee on Economic, Social and Cultural Rights, Concluding observations of the Committee on Economic, Social and Cultural Rights, Israel, 26 June 2003, E/C.12/1/Add.90, para. 11. See also Israel’s position as reflected in Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, I.C.J. Reports 2004, 136 [110].
  168. See International Court of Justice, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 9 July 2004, paras 111 and 112.
  169. See Nicola Wenzel, ‘Human Rights, Treaties, Extraterritorial Application and Effects’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated May 2008) paras 4 and 21; see also Human Rights Committee, General Comment No. 31 on ‘The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’, 26 May 2004, CCPR/C/21/Rev.1/Add.13, para. 10.
  170. See Human Rights Committee, Concluding Observations, Israel, UN Doc CCPR/C/79/Add.93 (18 August 1998), para 10 (‘the Covenant must be held applicable to the occupied territories and those areas…where Israel exercises effective control’); Committee on Economic, Social and Cultural Rights, Concluding observations, Israel, UN Doc E/C.12/1/Add.90 (26 June 2003), para 31 (‘the Committee reaffirms its view that the State party’s obligations under the Covenant apply to all territories and populations under its effective control’).
  171. See Human Rights Committee, General Comment No. 31 on ‘The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’, 26 May 2004, CCPR/C/21/Rev.1/Add.13, para. 10 (‘a State Party must respect and ensure the rights laid down in the Covenant to anyone within the power or effective control of that State Party, even if not situated within the territory of the State Party’); Committee on Economic, Social and Cultural Rights, Concluding observations, Israel, UN Doc E/C.12/1/Add.90 (26 June 2003), para 31 (‘the Committee reaffirms its view that the State party’s obligations under the Covenant apply to all territories and populations under its effective control’).
  172. See generally Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (OUP 2011) 118–228.
  173. See Human Rights Committee, General comment No. 36 (2018) on article 6 of the International Covenant on Civil and Political Rights, on the right to life, 30 October 2018, CCPR/C/GC/36, para. 63. See also Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (OUP 2011) 209 ff.
  174. CESCR General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12), 11 August 2000, E/C.12/2000/4, para. 39; see also Committee on Economic, Social and Cultural Rights, General comment No. 24 (2017) on State obligations under the International Covenant on Economic, Social and Cultural Rights in the context of business activities, 10 August 2017, E/C.12/GC/24, para. 29, in which the Committee states: “The extraterritorial obligation to respect requires States parties to refrain from interfering directly or indirectly with the enjoyment of the Covenant rights by persons outside their territories.”
  175. Several States have rejected such interpretations in non-cyber contexts explicitly. See, for instance, the reactions of Austria, Canada, France, Germany, Norway, Netherlands, United States to draft General Comment No. 36 of the UN Human Rights Committee, available here: https://www.ohchr.org/en/hrbodies/ccpr/pages/gc36-article6righttolife.aspx
  176. See Human Rights Committee, General Comment No. 36 (2018) on article 6 of the International Covenant on Civil and Political Rights, on the right to life, 30 October 2018, CCPR/C/GC/36, para. 63. See also Marko Milanovic, Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy (OUP 2011) 209 ff. On another occasion, the Committee defines the relevant standard as an impact on the right to life in an “intentional or otherwise foreseeable and preventable” manner. Human Rights Committee, General Comment No. 36 (2018) on article 6 of the International Covenant on Civil and Political Rights, on the right to life, 30 October 2018, CCPR/C/GC/36, para. 6.
  177. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 262 (arguing that a State would violate the right to life if it, ‘through a hostile cyber operation, knowingly and intentionally increased the risk that a population would be exposed to infection, or denied them effective treatment’) (emphasis added).
  178. CESCR General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12), para. 33.
  179. See Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations During a Pandemic’ (2020) 11 Journal of National Security Law & Policy 247, 262 (arguing that ‘[h]ostile cyber operations that disrupt individuals’ access to health care, or more generally a state’s ability to mitigate the effects of a pandemic, would easily run afoul of [the obligation to respect the right to health], which contains no threshold criterion’).
  180. See, eg, Marco Sassòli, International Humanitarian Law: Rules, Controversies, and Solutions to Problems Arising in Warfare (Edward Elgar 2019) 201 (“IHL only governs conduct that has a sufficient nexus to the armed conflict”); Gloria Gaggioli (ed), The Use of Force in Armed Conflicts (ICRC 2013) 4 (“In order to be covered by IHL, the use of force must take place in an armed conflict situation and must have a nexus with the armed conflict.”); Tallinn Manual 2.0, commentary to rule 80, para 5 (“there must be a nexus between the cyber activity in question and the conflict for the law of armed conflict [i.e., IHL] to apply to that activity”).
  181. Prosecutor v Kunarac et al (Appeal Judgement) IT-96-23 & IT-96-23/1-A (12 June 2002) [58]; see also Tallinn Manual 2.0, commentary to rule 80, para 6 (noting a difference of views among the experts: “According to one view, [IHL] governs any cyber activity conducted by a party to an armed conflict against its opponent … By a second view, the cyber activity must have been undertaken in furtherance of the hostilities, that is, in order to contribute to the originator’s military effort.”)
  182. See, in particular, Article 19 First Geneva Convention, Article 18 Fourth Geneva Convention, Article 12 Additional Protocol I, Article 11(1) Additional Protocol I. See also Rule 28 ICRC CIHL Study. On the requirement of recognition and authorization, see Article 12(2) Additional Protocol I. Unauthorized civilian medical units are protected according to the rules on the protection of civilian objects. See ICRC CIHL Study, commentary on rule 28, at 95.
  183. See Articles 8(2)(b)(xxiv) and 8(2)(e)(ii) Rome Statute of the International Criminal Court. See also Article 85(2) Additional Protocol I.
  184. See Article 49 AP I, which defines attacks as “acts of violence against the adversary, whether in offence or in defence”. The Tallinn Manual 2.0 defines a cyber attack for the purposes of IHL as a cyber operation, “that is reasonably expected to cause injury or death to persons or damage or destruction to objects”. (Rule 92)
  185. ICRC Commentary on the APs, para 517. See also ICRC Commentary on GC I, para 1799; Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector (21 May 2020), point 5 (“During armed conflict, international humanitarian law requires that medical units, transport and personnel must be respected and protected at all times. Accordingly, parties to armed conflicts: must not disrupt the functioning of health-care facilities through cyber operations; must take all feasible precautions to avoid incidental harm caused by cyber operations, and; must take all feasible measures to facilitate the functioning of health-care facilities and to prevent their being harmed, including by cyber operations”); Tallinn Manual 2.0, para 5 of the commentary on Rule 131.
  186. See ICRC, “International humanitarian law and the challenges of contemporary armed conflicts” (2015) 43; Tallinn Manual 2.0, commentary to rule 132, para 3; French Ministry of the Armies, “International Law Applied to Operations in Cyberspace” (9 September 2019) 14–15.
  187. Tallinn Manual 2.0, commentary to rule 132, para 3.
  188. Concretely, rules such as the prohibition of attacks against civilians and civilian objects, the prohibition of indiscriminate and disproportionate attacks, and the obligation to take all feasible precautions to avoid or at least reduce incidental harm to civilians and damage to civilian objects when carrying out an attack apply to those operations that qualify as ‘attacks’ as defined in IHL. The notion of attack under IHL, defined in Article 49 of AP I, is different from and should not be confused with the notion of ‘armed attack’ under Article 51 of the UN Charter, which belongs to the realm of the law on the use of force (jus ad bellum). To determine that a specific cyber operation, or a type of cyber operations, amounts to an attack under IHL does not necessarily mean that it would qualify as an armed attack under the UN Charter.
  189. Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols, ICRC, Geneva, para. 1879 (‘Commentary of Additional Protocol I’).
  190. International Criminal Court (ICC), Situation in the Democratic Republic of the Congo in the case of the Prosecutor v Bosco Ntaganda, Roger O’Keefe, Observations by Professor Roger O’Keefe, pursuant to rule 103 of the Rules of Procedure and Evidence, No. ICC-01/04-02/06 A2, 17 September 2020, p. 3.
  191. ICC, Situation in the Democratic Republic of the Congo in the case of the Prosecutor v Bosco Ntaganda, Submission of Observations to the Appeals Chamber Pursuant to Rule 103 by Geoffrey Corn et al, No.: ICC-01/04-02/06 A2, 18 September 2020, paras. 14 – 15.
  192. ICC, Prosecutor v Bosco Ntaganda, ICC-01/04-02/06, Judgment (Appeals Chamber), 30 March 2021, Partly Concurring Opinion of Judge Eboe-Osuji, para. 110; Yoram Dinstein and Arne Willy Dahl, Oslo Manual on Select Topics of the Law of Armed Conflict (Springer 2020), rule 8 and the discussion of reasonable foreseeability of harm.
  193. Cordula Droege, “Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians”, (2012) 94(886) International Review of the Red Cross 533, 557; William H. Boothby, The Law of Targeting (OUP 2012) 384; Laurent Gisel, Tilman Rodenhäuser, and Knut Dörmann, ‘Twenty years on: International humanitarian law and the protection of civilians against the effects of cyber operations during armed conflicts’, (2020) 102(913) International Review of the Red Cross 287, 312.
  194. ICRC, “International humanitarian law and the challenges of contemporary armed conflicts” (2015) 41–42; Tallinn Manual 2.0, rule 92. This view is also held by States including Australia, Australia’s submission on international law to be annexed to the report of the 2021 Group of Governmental Experts on Cyber, at 4; and Switzerland, Switzerland's position paper on the application of international law in cyberspace, Annex UN GGE 2019/2021, at 10.
  195. See, for instance, the commentary to the relevant rules in the Tallinn and Oslo Manuals: Tallinn Manual 2.0, rule 92 and accompanying commentary; Yoram Dinstein and Arne Willy Dahl, Oslo Manual on Select Topics of the Law of Armed Conflict (Springer 2020), rule 8 and accompanying commentary.
  196. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 677 (when discussing computer network attacks); Finland, International law and cyberspace: Finland’s national positions (2020) 7; New Zealand, Manual of Armed Forces Law (2nd edn, 2017) vol 4, para 8.10.22; Norway, Manual i krigens folkerett (2013) para 9.54; Switzerland, “Switzerland’s position paper on the application of international law in cyberspace: Annex UN GGE 2019/2021” (27 May 2021) 10; United States, “United States Submission to the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2014–15)”, at 6, and from a practical perspective Joint Publication 3-12 (R) ‘Cyberspace operations’ (5 February 2013), at IV-4.
  197. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7. Israel has further argued that an operation may amount to an attack if ‘a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft—that operation may constitute an attack’. Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400.
  198. Denmark, Military Manual on International Law Relevant to Danish Armed Forces in International Operations (2016) 290–291; Roy Schöndorf, ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, (2021) 97 International Law Studies 395, 400; Peru, Response Submitted by Peru to the Questionnaire on the Application of International Law in OAS Member States in the Cyber Context (June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 31.
  199. Bolivia, Note from the Plurilateral State of Bolivia, Ministry of Foreign Affairs, OAS Permanent Mission to the OAS Inter-American Juridical Committee, MPB-OEA-NV104-19 (17 July 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para 33; Ecuador, Verbal Note 4-2 186/2019 from the Permanent Mission of Ecuador to the OAS (28 June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para. 32; France, Ministry of the Armies, International Law Applied to Operations in Cyberspace, 2019, p. 13; Germany, On the Application of International Law in Cyberspace Position Paper, March 2021, p. 9; Guatemala, Note Of. 4VM.200-2019/GJL/lr/bm, from Mr. Gabriel Juárez Lucas, Fourth Vice Minister of the Interior Ministry of the Republic of Guatemala to Luis Toro Utillano, Technical Secretariat, Inter-American Juridical Committee (14 June 2019), cited in OAS, Improving Transparency: International Law and State Cyber Operations: Fifth Report, OAS Doc. CJI/doc. 615/20 rev.1 (7 August 2020) para. 32; Italy, Italian Position Paper on ‘International Law and Cyberspace’, 2021, pp. 9–10; Japan, Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 2021, p. 7; New Zealand, The Application of International Law to State Activity in Cyberspace (1 December 2020), para. 25.
  200. ICRC, International Humanitarian Law and Cyber Operations during Armed Conflicts: ICRC position paper (November 2019) 7–8. The ICRC bases this interpretation on a contextual and teleological interpretation of the notion of ‘attack’ in Additional Protocol I. See ICRC, International humanitarian law and the challenges of contemporary armed conflicts (2015) 41.
  201. Article 8(2)(b)(xxiv) Rome Statute of the International Criminal Court.
  202. Tallinn Manual 2.0, Rule 92.
  203. See Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) (1996) ICJ Rep 226, para 25; Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) (2004) ICJ Rep 136, para 106; Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, I.C.J. Reports 2005, 168 [216]; see also Human Rights Committee, General Comment No. 31: Nature of the General Legal Obligation on States Parties to the Covenant, UN Doc. CCPR/C/21/Rev.1/Add. 13, 26 May 2004, para. 11; General Comment No. 35 – Article 9: Liberty and Security of person, UN Doc. CCPR/C/GC/35, 16 December 2014, para. 64; General Comment No. 36 – Article 6: Right to life, UN Doc. CCPR/C/GC/36, 3 September 2019, para. 64; but see e.g. M. J. Dennis, ‘Application of Human Rights Treaties Extraterritorially in Times of Armed Conflict and Military Occupation’ (2005) 99 American Journal of International Law 119.
  204. See generally René Provost, International Human Rights and Humanitarian Law (CUP 2002); Cordula Droege, ‘Elective Affinities? Human Rights and Humanitarian Law’ (2008) 90 IRRC 501; Iain Scobbie, ‘Principle or Pragmatics? The Relationship between Human Rights Law and the Laws of Armed Conflict’ (2009) 14 JCSL 449; Orna Ben-Naftali (ed), International Humanitarian Law and International Human Rights Law (OUP 2011); Daniel Bethlehem, ‘The Relationship between International Humanitarian Law and International Human Rights Law in Situations of Armed Conflict’ (2013) 2 Cambridge J Int’l & Comp L 180; Andrew Clapham, ‘The Complex Relationship Between the Geneva Conventions and International Human Rights Law’ in Andrew Clapham, Paola Gaeta, and Marco Sassòli (eds), The 1949 Geneva Conventions: A Commentary (OUP 2015); Marco Sassòli, International Humanitarian Law: Rules, Controversies, and Solutions to Problems Arising in Warfare (Edward Elgar 2019) 423–443.

Bibliography and further reading[edit | edit source]

Contributions[edit | edit source]

Previous: Scenario 19: Hate speech Next: Scenario 21: Misattribution caused by deception