Scenario 23: Vaccine research and testing

From International cyber law: interactive toolkit

A major State-run hospital serving as a virus testing and vaccine research facility falls victim to both research espionage and a two-day distributed denial of service (DDoS) attack during a pandemic. Several months of research and clinical trial data is exfiltrated to a neighbouring State. As a result of the DDoS attack, the victim State’s population cannot access information about virus testing availability and cannot obtain test results. The scenario considers attribution of the cyber operations and whether such incidents constitute a violation of sovereignty, a prohibited intervention, a use of force, or a violation of international human rights law.

Scenario

Keywords

Attribution, sovereignty, peacetime cyber espionage, prohibition of intervention, use of force, international human rights law, DDoS, hospitals

Facts

[F1] State A and State B are suffering from a pandemic caused by a highly communicable, previously unidentified respiratory virus. Common symptoms of the virus include high fever, cough, shortness of breath, and fatigue. Because some infected persons are symptomatic and others are contagious despite appearing asymptomatic, the virus is spreading virtually unchecked. Hospitals are rapidly becoming overwhelmed. Because the virus has a high mortality rate if not treated promptly, both States desperately want to develop an effective treatment for those infected and a vaccine to protect others from becoming ill.

[F2] Over the prior decade, the relationship between States A and B has deteriorated significantly. The recent rise to power of an ultra-nationalist prime minister in State B, unrestrained by a similarly disposed parliament, has worsened the decline in relations. In the last year, State B has frequently accused State A of mistreating its large ethnic minority.

[F3] The largest State-run hospital in State A, which also serves as a vaccine research facility and the primary national virus testing facility, was recently victimized by a pair of hostile cyber operations. Eight months of vaccine research and clinical trial data was copied and exfiltrated (incident 1). Forensic investigators in State A cannot definitively rule out the possibility that the perpetrator maintains persistent access to the hospital’s information systems. However, investigators conclude, with moderate certainty, that the integrity of the original data remains intact and unchanged. State A appears to still have full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. The operation appears to have been limited to exfiltration of data and, consequently, a loss of confidentiality.

[F4] A two-day distributed denial of service (DDoS) attack left the public unable to access the hospital’s website to obtain information about testing availability and unable to view test results (incident 2).

[F5] Both publicly and through diplomatic channels, State B denies any involvement in the incidents. Despite these denials, State A cybersecurity authorities conclude with a high degree of confidence, based on forensic analysis, that State B is the most probable actor responsible for both the exfiltration of the vaccine research and the DDoS attack. The vaccine research and clinical trial data obtained from State A were exfiltrated to the Ministry of Health in State B. Moreover, the techniques used for both the data theft and the DDoS attack are identical to those employed by State B’s intelligence service in previous cyber operations conducted against State C, an ally of State A.

Examples

Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario focuses on three main issues: 1) Whether the cyber operations conducted against State A are attributable to State B; 2) Whether the exfiltration of State A’s vaccine research is an internationally wrongful act; and 3) Whether the DDoS operation against State A is an internationally wrongful act.

Attribution

State organs and persons and entities in exercise of governmental authority
The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  1. The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[1]
  2. The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance";[2]
  3. The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State.[3]

Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[4]

[L2] Both the cyber espionage operation and the DDoS attack are likely attributable to State B. Admittedly, there is a possibility that this hostile cyber operation was, in fact, a “false flag” operation perpetrated by a third State in such a way as to make it appear State B was responsible. However, in light of the increasingly strained diplomatic relationship between States A and B, the fact that the vaccine research was exfiltrated to the Ministry of Health in State B, and because the techniques employed to conduct both operations comport with those previously used by State B’s intelligence service against State C, State A has a high degree of confidence that State B was responsible. State B’s intelligence service is undeniably functioning as part of State B’s central government and is thus a State organ, the conduct of which is attributable to State B under Article 4 of the International Law Commission’s Articles on State Responsibility. Consequently, the balance of the analysis of this scenario considers whether State B breached its international law obligations either by exfiltrating vaccine research data or by conducting the DDoS operation against the hospital in its capacity as a vaccine research site and as State A’s principal virus testing facility.

Breach of an international obligation

[L3] This section considers whether the cyber espionage and the DDoS attack by State B breach an international obligation owed to State A—specifically, whether State B breached the international law rules prohibiting violations of State sovereignty and intervention into the domaine réservé of another State, perpetrated an unlawful use of force against State A, or violated the human rights of inhabitants of State A.

Obligation to respect the sovereignty of other States

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[5]

Multiple declarations by the UN,[6] the African Union,[7] the European Union,[8] NATO,[9] OSCE,[10] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty.[11] However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[12] It has also been adopted by several States including Austria,[13] Brazil,[14] Canada,[15] the Czech Republic,[16] Estonia,[17] Finland,[18] France,[19] Germany,[20] Iran,[21] Italy,[22] Japan,[23] the Netherlands,[24] New Zealand,[25] Norway,[26] Romania[27] and Sweden.[28]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[29] This view has been adopted by one State, the United Kingdom,[30] and has been partially endorsed by the U.S. Department of Defense General Counsel.[31] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention or use of force).

It is understood that sovereignty has both an internal and an external component.[32] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[33][34] This encompasses both private and public infrastructure.[35] The external component entails that States are “free to conduct cyber activities in [their] international relations”, subject to their international law obligations.[36]

As a general rule, each State must respect the sovereignty of other States.[37] However, within the cyber realm – and particularly regarding remote cyber operations – there is still no agreement on the criteria[38] and the required threshold[39] to qualify an operation as a sovereignty violation.[40] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[41] Accordingly, the assessment needs to be done on a case-by-case basis.[42]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[43] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[44]
  2. Causation of physical damage or injury by remote means;[45] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[46]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as to the precise threshold for a loss of functionality (the necessity of reinstallation of the operating system or other software was proposed but not universally accepted).[47] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[48]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[49] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[50]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[51]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Canada,[52] Germany[53] and the Netherlands;[54] and followed to some extent by other States, such as the Czech Republic,[55] Norway,[56] Sweden[57] and Switzerland.[58] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”;[59] similarly, Iran has argued that “unlawful intrusion to the (public or private) cyber structures” abroad may qualify as a breach of sovereignty.[60]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[61]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Brazil (2021), National position of Canada (2022), National position of the People's Republic of China (2021), National position of Costa Rica (2023), National position of the Czech Republic (2020), National position of Denmark (2023), National position of Estonia (2019), National position of Estonia (2021), National position of Finland (2020), National position of France (2019), National position of Germany (2021), National position of Iran (2020), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of Kenya (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Pakistan (2023), National position of the Republic of Poland (2022), National position of Romania (2021), National position of Singapore (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United Kingdom (2022), National position of the United States of America (2012), National position of the United States of America (2016), National position of the United States of America (2020), National position of the United States of America (2021).

[L4] State B’s DDoS attack (incident 2) violated State A’s sovereignty. Under one view, which is held by a number of states, as well as numerous scholars, a remotely conducted cyber operation breaches the sovereignty of another State if it causes concrete effects within the territory of the victim State.[62] A contrasting view, succinctly expressed by France, is that an unauthorized cyber operation penetrating a State’s systems violates that State’s sovereignty even if the cyber operation does not cause concrete effects within victim State territory.[63] One can conclude with a high degree of certainty that, by interfering with the dissemination of virus testing information and test results, State B caused the virus to spread more rapidly among people in State A than it otherwise would have done. The inability of State A’s population to know how and when to schedule testing or to obtain the results of completed tests in a timely manner meant that people were unable to identify themselves as carriers of the virus, were unaware they posed a public health risk, and likely were slow to implement appropriate precautions. That lack of information means persons carrying the virus almost certainly unknowingly spread it to others. Likewise, State A likely experienced an increased mortality rate from the virus because the inability of the population to get tested and to obtain test results delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment.

[L5] However, for this prong of analysis of incident 2, the physical effects must be ascertained and causally linked to the cyber operation.[64] Mere rescheduling of planned surgeries or a minor delay in delivering the test results would be a less serious effect than directly interfering with the immediate delivery of medical care; likewise, the impossibility of testing at one location could simply result in people taking the test elsewhere, so it may be difficult to pinpoint the causal link between the cyber operation and the additional infections.

[L6] Further, following the approach of the Tallinn Manual, also adopted by several States, interference with, or usurpation of, inherently governmental functions could be considered as a relevant test for determining the existence of a violation of sovereignty (see options 4 and 5 above). Applying that analysis to incident 2, State B also breached State A’s sovereignty by interfering with its ability to carry out its inherently governmental function of managing the public health crisis ongoing within its territory.[65] By denying State A’s population access to critical information about operations at the State’s primary virus testing facility, State B’s DDoS attack interfered with a vital aspect of State A’s plan for managing the health crisis. The act of interfering with State A’s inherently governmental function, wholly apart from whether that interference causes concrete effects that manifest in State A, results in a sovereignty violation.[66]

[L7] As for State B exfiltrating the vaccine research from State A (incident 1), under the facts of this scenario, this likely does not constitute a sovereignty violation.[67] First, State A suffered no damage or destruction to its cyber infrastructure. Second, State B did not, merely by exfiltrating vaccine research, necessarily cause increased spread of the virus or higher mortality rates among those infected with the virus in State A. If, however, State B accessing the clinical trial data caused the clinical trial to fail procedural protocols and need to be restarted, the resulting delay in State A’s vaccine development effort may shift the analysis in favour of a breach of sovereignty. Finally, State B did not impair the ability of State A to perform its inherently governmental functions, in particular its ability to manage the public health crisis within its borders, since neither the integrity of the vaccine research data itself nor access to it was affected by incident 1.

Cyber espionage

Peacetime cyber espionage
Peacetime espionage has been traditionally considered as unregulated by international law. This is also reflected in the Tallinn Manual 2.0, which posits that ‘[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.’[68]

However, the methods of peacetime cyber espionage are varied and the legal consensus is almost non-existent with regard to cyber operations below the threshold of use of force or armed attack.

It must be noted that although cyber espionage operations are generally not illegal from the perspective of international law, they are usually prohibited according to the domestic law of the target State. Moreover, the acting State’s authorities will also typically be subject to specific domestic law prescriptions pertaining to the conduct of foreign intelligence operations.

Conversely, the mere fact that an operation is a cyber espionage operation does not make it legal in international law, according to a majority of the experts drafting Tallinn Manual 2.0.[69] According to a minority of the experts, espionage creates an exception for certain otherwise illegal cyber operations.[70]

Publicly available national positions that address this issue include: National position of the United States of America (2020), National position of the United States of America (2021).

[L8] State B’s cyber espionage efforts do not per se violate international law.[71] Under the analysis above, remotely conducted cyber espionage only violates a State’s sovereignty when it either causes concrete effects in the territory of that State—including serious damage to or destruction of cyber systems—or, according to those who hold this view, interferes with that State’s performance of its inherently governmental functions, whether or not such effects result from the espionage activities.[72] Under the facts of this scenario, State B exfiltrating the vaccine research from State A likely does not constitute a sovereignty violation (see para L7).[73]

Economic espionage

Economic cyber espionage
As early as its 2011 International Strategy for Cyberspace, the United States declared that it “will take measures to identify and respond to [persistent theft of intellectual property, whether by criminals, foreign firms, or state actors working on their behalf,] to help build an international environment that recognizes such acts as unlawful and impermissible, and hold such actors accountable.”[74] The G20 countries reaffirmed in 2015 that “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”[75] In September 2015, the US and China agreed on a similar commitment on a bilateral basis.[76]

There is therefore a push to curb the practice by developing a prohibition on it as a matter of international law.

However, according to the prevailing opinion, no such prohibition has crystallised in customary international law. In this regard, it is noteworthy that the 2015 UN GGE report does not mention economic cyber espionage among the applicable norms, rules, and principles of responsible State behaviour in cyberspace.[77] Several authors,[78] including experts of the Tallinn Manual 2.0,[79] consider that there is no distinction between economic cyber espionage and other forms of cyber espionage in general international law.[80] Additionally, no international consensus exists that agreements such as the WTO TRIPS[81] protect trade secrets against espionage conducted by a foreign state, and it is unclear whether the affected company can challenge the spying State in a domestic court or pursuant to a bilateral investment treaty, if there is one.[82]

Accordingly, such conduct is not subject to any general prohibition under extant international law.

[L9] Exfiltrating eight months of vaccine research and clinical trial data from State A may fairly be considered economic cyber espionage of State A’s intellectual property. However, current international law does not prohibit economic cyber espionage. Therefore, attributing the data theft to State B and characterizing incident 1 as economic cyber espionage is insufficient to establish State B’s responsibility under international law. Absent a relevant treaty commitment between State B and State A, State B’s economic cyber espionage does not, itself, violate an international legal obligation binding upon it.

Non-intervention

Prohibition of intervention
The obligation of non-intervention, a norm of customary international law,[83] prohibits States from intervening coercively in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 Nicaragua v United States case:

A prohibited intervention must […] be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.[84]

In order for an act, including a cyber operation,[85] to qualify as a prohibited intervention, it must fulfil the following conditions:[86]
  1. The act must bear on those matters in which States may decide freely.[87] The spectrum of such issues is particularly broad and it includes both internal affairs (such as the “choice of a political, economic, social, and cultural system”[84] or the conduct of national elections[88]), and external affairs (“formulation of foreign policy”;[84] or “recognition of states and membership of international organisations”[89])—the so-called domaine réservé of States.[90] The content of the domaine réservé is determined by the scope and nature of the State's international legal obligations.
  2. The act must be coercive in nature. There is no generally accepted definition of “coercion” in international law. In this respect, two main approaches have emerged in the cyber context:[91]
    1. Under the first approach, an act is coercive if it is specifically designed to compel the victim State to change its behaviour with respect to a matter within its domaine réservé.[92] Under this approach, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”.[93]
    2. Under the second approach giving meaning to “coercion”, it is sufficient for an act to effectively deprive the target State of its ability to control or govern matters within its domaine réservé.[94] This latter approach distinguishes itself from the former by accepting that mere deprivation of the target State’s control over a protected matter, without actually or potentially compelling that State to change its behaviour, may constitute intervention.[95]
    Under both approaches, however, merely influencing the target State by persuasion or propaganda or causing a nuisance without any particular goal is insufficient to qualify as coercion.[96] The element of coercion also entails the requirement of intent.[97]

    While coercion is evident in the case of an intervention involving the use of force, ‘either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State’, as affirmed by the ICJ,[98] it is less clear with respect to non-forcible forms of interference.[99] Some States support the approach that intervention may take various forms, such as economic and political coercion.[100] One example that has been reiterated in several States’ positions, including Australia,[101] Brazil,[102] Canada,[103] Germany,[104] Israel,[105] New Zealand,[106] Norway,[107] Singapore,[108] the United Kingdom[109] and the United States,[110] is the case of cyber operations by a State interfering with another state’s ability to hold an election or manipulating the election results. Many States have affirmed that the assessment has to be done on a case-by-case basis.[111]

    Both potential and actual effects are considered to be relevant when assessing the coercion element.[112]

  3. Finally, there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.[113]
  4. The prohibition of intervention applies between States, and thus it is not applicable to the activities of non-State groups, unless their conduct can be attributed to a State under the rules on attribution under international law.[114]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Brazil (2021), National position of Canada (2022), National position of Costa Rica (2023), National position of the People's Republic of China (2021), National position of Denmark (2023), National position of Estonia (2021), National position of France (2019), National position of Germany (2021), National position of Iran (2020), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Pakistan (2023), National position of the Republic of Poland (2022), National position of Romania (2021), National position of Singapore (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United Kingdom (2022), National position of the United States of America (2016), National position of the United States of America (2020), National position of the United States of America (2021).

[L10] The exfiltration of vaccine research by State B (incident 1) lacks the coercive element necessary to qualify as a prohibited intervention. State A retains full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. State A’s ability to continue to execute its crisis response plan, a matter within its domaine réservé,[115] is thus not adversely impacted by State B copying and appropriating the vaccine data to its own use.

[L11] In contrast, according to the more widely held position, the DDoS attack (incident 2) constitutes an unlawful intervention because it interfered with the crisis response plan developed by State A’s Ministry of Health by rendering the largest and principal virus testing centre in State A unable to perform its intended function as a key component of State A’s plan to manage the public health crisis ongoing in its territory.[116]

Use of force

Use of force
Article 2(4) of the UN Charter requires States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”.[117] This prohibition is reflective of customary international law[118] and it is frequently described as a peremptory norm of international law.[119]

This rule applies between States; therefore the conduct needs to be attributable to a State and against another State ‘in their international relations’, thus excluding non-State actors unless their conduct is attributable to a State.[120]

As stated by the International Court of Justice, the prohibition applies to any use of force, regardless of the means employed.[121] However, the notion of “force” in this context is limited to armed force,[122] and to operations whose scale and effects are comparable to the use of armed force.[123] As stressed by several States, each situation has to be analysed on a case-by-case basis.[124]

Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States.[125] However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force.[126] This is reflected also in the preamble, which explicitly stipulates that the drafters sought “to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest”.[127]

In principle, it could be argued that the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.[128] Regarding its application to cyber operations, an “effects-based approach” has been mostly followed.[129] In this sense, there is emerging consensus that “a cyber attack that causes or is reasonably likely to cause physical damage to property, loss of life or injury to persons would fall under the prohibition contained in Article 2(4) of the UN Charter”,[130] including both direct and indirect consequences. At present, there is a debate as to whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”.[131]

As of 2022, there is limited State practice supporting the claim that the meaning of “force” has evolved to include non-destructive cyber operations against critical national infrastructure[132] and no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force.[133] However, States have begun addressing this question. In particular, France,[134] the Netherlands[135] and Norway[136] allow for the possibility of cyber operations, which do not produce physical effects, to qualify as uses of force, if certain criteria are met. These qualitative and quantitative non-exhaustive criteria include the seriousness and reach of a given cyber operation’s consequences and its military nature,[137] as well as “the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target”.[138] Several of these criteria are also reflected in the Tallinn Manual 2.0.[139] Other States, such as Italy, did not rule out the possibility of considering operations causing the interruption of essential services without physical damage within the scope of the prohibition of the use of force.[140]

A use of force is unlawful under international law, unless it is authorized by the UN Security Council under Chapter VII of the UN Charter,[141] conducted in the exercise of the inherent right to self-defence,[142] or consented to by the territorial State.[143]

Even if an operation does not meet the threshold of the use of force, it may still be considered a violation of other rules of international law.[144] In this regard, the prohibition of intervention, the obligation to respect the sovereignty of other States, and the possible obligation to refrain from launching cyber operations against other States’ critical infrastructure are all of potential relevance.

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Brazil (2021), National position of Canada (2022), National position of Costa Rica (2023), National position of Denmark (2023), National position of Finland (2020), National position of France (2019), National position of Germany (2021), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of Norway (2021), National position of Pakistan (2023), National position of the Republic of Poland (2022), National position of Romania (2021), National position of the Kingdom of Sweden (2022), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2020), National position of the United States of America (2021).

[L12] Uses of force need neither be perpetrated by the armed forces of a State nor involve the use of kinetic weapons.[145] However, there is no consensus on the precise test or criteria by which to determine whether a particular cyber operation may properly be characterized as a use of force.[146] That said, it is generally accepted that a cyber operation causing injury or death to persons or significant physical damage or destruction of objects qualifies as a use of force.[147]

[L13] The DDoS attack by State B (incident 2) significantly lessened the ability of State A’s population to get tested and to obtain test results. Further, it almost certainly delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment. State B’s conduct likely caused State A to experience higher rates of infection and mortality from the virus than would have been the case otherwise. Those increased rates of infection and mortality are reasonably foreseeable effects of State B’s cyber operation. If persons in State A in fact fell ill or died at any significant scale as a result of the DDoS attack (incident 2), then it may reasonably be characterized as an unlawful use of force against State A by State B.[148] Even if such effects were not manifest and the hostile cyber operation did not qualify as a use of force, similar cyber operations repeatedly demonstrating the capacity to significantly disrupt cyber systems in a way likely to produce concrete effects might cross the Article 2(4) threshold as a threat to use force.[149]

[L14] Even if the DDoS attack (incident 2) by State B qualifies as an unlawful use of force, State A and its allies may not respond in self-defence under Article 51 of the UN Charter and its customary international law equivalent unless the DDoS attack is sufficiently grave to amount to an “armed attack”.[150] Even then, a response in self-defence is further limited by the requirements that it be necessary and proportionate.[151] State B was identified as the source of the DDoS attack (incident 2) only after the disruption. Indications that further cyber or kinetic attacks may follow are absent. Thus, it would be difficult for State A to reasonably claim that a use of force in self-defence was necessary to repel an ongoing or imminent attack by State B.[152] State A could, if it chose to, call upon the UN Security Council to characterise State B’s conduct as a “threat to the peace” or a “breach of the peace” and prescribe measures under Chapter VII of the UN Charter.[153] Setting aside the prospect of UN Security Council action, it is at least arguably unnecessary to draw a conclusion regarding whether State B’s DDoS attack (incident 2) against State A crossed the threshold of violating Article 2(4) of the UN Charter, because it breached other applicable international legal rules.[154] Even if international lawyers cannot agree on the precise rule(s) of international law violated by State B’s hostile cyber operations, there is a growing view that State cyber operations causing “significant adverse or harmful consequences for the research, trial, manufacture, and distribution” of vaccines, including “by means that damage the content or impair the use of sensitive research data, particularly trial results, or which impose significant costs on targeted facilities in the form of repair, shutdown, or related preventive activities” violate international law.[155]

[L15] The unilateral responses available to State A under international law for a prohibited use of force — acts of retorsion[156] and countermeasures[157] — are identical to those available in response to other violations of international law.

Due diligence

According to the traditional formulation by the ICJ in the Corfu Channel case, every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.[158] In the cyber context, the UN General Assembly urged States already in 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.[159]

It is a matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations.[160] Some States have framed it within their national positions as one of the "voluntary, non-binding norms of responsible State behaviour"[161] in cyberspace, including Israel,[162] New Zealand,[163] the United Kingdom[164] and Canada.[165]

It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law.[166] Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means.[167] This view has also been endorsed by a growing number of States, including Australia,[168] Czech Republic,[169] Estonia,[170] Finland,[171] France,[172] Germany,[173] Italy,[174] Japan,[175] the Netherlands,[176] Norway,[177] Switzerland,[178] and Sweden.[179]

Due diligence does not entail a duty of prevention,[180] but rather an obligation of conduct.[181] A State breaches its due diligence obligation in the presence of the following cumulative elements:

  1. The existence of acts (by a non-State actor or a third State[182]) contrary to the rights of a victim State,[183]
  2. which are conducted from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control),[184]
  3. which would have been unlawful if conducted by the potentially responsible State,[185]
  4. which have serious adverse consequences for the victim State,[186]
  5. with respect to which the potentially responsible State has actual or constructive knowledge,[187] and
  6. upon which the potentially responsible State can act, but fails to take all feasible measures.[188]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Canada (2022), National position of the People's Republic of China (2021), National position of Costa Rica (2023), National position of the Czech Republic (2020), National position of Denmark (2023), National position of Estonia (2019), National position of Estonia (2021), National position of France (2019), National position of Germany (2021), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of the Republic of Poland (2022), National position of Romania (2021), National position of Singapore (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2021), National position of the United States of America (2021).

[L16] In the event that State B denies responsibility or even goes so far as to proffer evidence suggesting that the hostile cyber operations are not, in fact, attributable to it, State B may still be liable for failure to meet its due diligence obligation. Assuming arguendo that State B was not in fact responsible for the hostile cyber operations themselves, it was still under an international legal obligation not to allow its territory and cyber infrastructure under its control to be used to affect State A’s rights and produce serious adverse consequences for State A.[189] To be responsible for failing to meet its due diligence obligation, State B must have had actual knowledge that its territory or cyber infrastructure was being so used, or the facts must be such that State B “in the normal course of events would have become aware.”[190] Assuming it knew or should have known its territory or infrastructure was being used to harm State A, State B was obligated “to take all measures that are feasible in the circumstances to put an end to [the hostile cyber operations].”[191]

International human rights law

International human rights law applies in cyberspace; individuals enjoy the same human rights online as they enjoy offline.[192] States are therefore bound by their human rights obligations to respect, protect and fulfil human rights in cyberspace. States also bear international responsibility for the violation of human rights obligations that are attributable to them.[193]

The source of these obligations is primarily treaty law. The two key global treaties are the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR);[194] many of these treaties’ provisions, along with the provisions of the Universal Declaration of Human Rights, are regarded as reflective of customary international human rights law, even though there is no universally accepted codification. Apart from the ICCPR and ICESCR, there are important regional human rights treaty systems, especially for Europe (based on the European Convention on Human Rights – ECHR),[195] the European Union (Charter of Fundamental Rights of the European Union – EUCFR),[196] America (American Convention on Human Rights – ACHR),[197] and Africa (African Charter on Human and Peoples’ Rights – ACHPR),[198] which provide for adjudicatory mechanisms by which individuals can assert their human rights against States and which have generated a considerable amount of case-law as a result.

In order to determine whether a State has breached its human rights obligations, the following steps of analysis should be conducted:

  1. Since cyber operations often take place in the cyber infrastructure of multiple States, the issue of jurisdiction must be addressed. Each human rights treaty has its own bespoke jurisdictional requirements and scope. In this regard, every State party to the ICCPR has undertaken “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the [ICCPR]”.[199] The UN Human Rights Committee (UN HRC) has understood this provision to mean that the human rights obligations recognized within the ICCPR apply not only to persons physically located within a State’s territory, but also to situations where the State exercises “power or effective control” either over the territory on which an individual is located (the spatial model of jurisdiction) or over the individual (the personal model of jurisdiction).[200] Likewise, the International Court of Justice (ICJ) has stated that the ICCPR “is applicable in respect of acts done by a State in the exercise of its jurisdiction outside its own territory”.[201] A few States (such as the US and Israel) have adopted the contrary view and maintain that human rights obligations do not apply extraterritorially. To date, however, these States remain in the minority.[202] As such, although the exact criteria for the applicability of human rights obligations to extraterritorial activities of States are not settled and are subject to ongoing academic and political debate,[203] the prevailing opinion at present is that human rights obligations do apply to some acts of a State outside its territory.[204]
  2. If an international human rights regime is applicable, the second question is whether a cyber operation attributable to a State constitutes an interference with a particular human right. The human rights that are often implicated by cyber operations include the right to privacy[205] and the right to freedom of opinion and expression.[206] Other rights such as the freedom of association,[207] the prohibition of discrimination, the right to life, to health or other social and economic rights may be also affected by cyber operations or cyber-related measures.[208] If the right in question is absolute – such as the right to be free from torture or slavery – then no interference with it is allowed.[209]
  3. For an interference with a qualified right – such as the right to privacy or to freedom of expression – to be legal under human rights law, it must fulfil certain conditions, namely:
    1. be in accordance with an accessible and foreseeable domestic law (“legality”),
    2. pursue a legitimate aim of public interest (such as national security, public order, public health, or morals) or for the protection of rights of others,
    3. be necessary to achieve that aim, and
    4. be proportionate in balancing the means and the end.[210]

Apart from the responsibility for human rights violations attributed to it, a State can also be held responsible for its failure to take all reasonable measures to protect the human rights of individuals in its territory and subject to its jurisdiction (for instance, if it unlawfully allows non-State actors to violate human rights).[211]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Canada (2022), National position of Costa Rica (2023), National position of the Czech Republic (2020), National position of Estonia (2021), National position of Finland (2020), National position of Ireland (2023), National position of the Italian Republic (2021), National position of Japan (2021), National position of Kazakhstan (2021), National position of Kenya (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of the Republic of Poland (2022), National position of Romania (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2016), National position of the United States of America (2021).

[L17] International human rights law (IHRL) is an applicable, and more direct, legal mechanism for vindicating the rights of the individuals (vice the States) harmed by State B’s DDoS attack (incident 2).[212] Although there is no definitive listing of the international human rights regarded as customary, many human rights enshrined in treaties such as the ICCPR and the ICESCR are considered to reflect customary international law.[213] Numerous treaties, including both the ICCPR and the ICESCR, protect the individual rights to health and life,[214] as does customary international law.[215]

[L18] The international legal obligation to respect individuals’ rights to life and health means States must refrain from conduct that unjustifiably interferes with, or otherwise adversely affects, these rights.[216] The concept of State conduct resulting in an arbitrary deprivation of life arises most apparently in the contexts of domestic law enforcement operations and targeting during armed conflict.[217] However, there is no reason, in principle, why an unjustified State cyber operation adversely impacting the individual human rights to life and health should be beyond the reach of IHRL.[218]

[L19] A jurisdictional threshold issue with which one must first grapple in determining the applicability of IHRL to State cyber operations conducted into another State which disrupt individuals’ access to health care services, interfere with the other State’s ability to preserve public health, and increase the rates of infection and mortality, is extraterritoriality.[219] Although the Human Rights Committee has offered a more expansive and controversial conception of extraterritorial jurisdiction based upon a State’s exercise of control over the enjoyment of the right to life,[220] the prevailing view is that human rights treaties apply where either (a) the State against which the IHRL obligation is to be levied controls the territory in which the victim’s rights are violated, or (b) an organ of the State against which the IHRL obligation is to be levied exercises power or control over the individual victim(s).[221] Neither of these circumstances necessarily limits the application of IHRL to within the territorial borders of the acting State.[222] Although not beyond reasonable debate as lex ferenda rather than lex lata,[223] the customary right to be free from arbitrary deprivations of life may likewise not be constrained in application to the territorial confines of the acting State.[224]

[L20] A State cyber operation conducted into the territory of another State that either directly injures or kills persons or increases the rates of infection and mortality by disrupting access to health care services or interfering with the other State’s ability to preserve public health, likely violates the rights to life and health under customary IHRL and, for States Party to an applicable IHRL treaty, also under the relevant treaty or treaties.[225]

[L21] So far, the focus has been on the legality of State B’s activities, but consideration must also be given to whether State A has satisfied its human rights obligations. Article 2(1) of the International Covenant on Civil and Political Rights requires States “to respect and to ensure to all individuals within its territory and subject to its jurisdiction [the right to life].” Article 2(1) of the European Convention on Human Rights also obliges State A to affirmatively take steps to protect the lives of those within its jurisdiction.[226] The latter positive obligation includes both “the duty to provide a regulatory framework; and the obligation to take preventive operational measures”,[227] and it applies in various contexts, including that of public health.[228] It is unclear whether State A may bear some responsibility for failing to properly enact cybersecurity standards that could have prevented or minimized State B’s hostile cyber operations and the illness and death caused by them, but the possibility should not be overlooked.

Checklist

  • Sovereignty
    • What is the victim State’s position on whether sovereignty is a primary rule of international law, and if so, the content of this rule?
    • Was the operation: (a) conducted remotely; or (b) conducted from within the territory of the victim State and without its consent?
    • Did the operation cause physical damage, significant loss of functionality, or destruction of cyber infrastructure in the victim State?
    • Did the operation cause damage to or destruction of something other than cyber infrastructure in the victim State?
    • Did the operation, directly or indirectly, cause injury or death to individuals?
    • Did the operation interfere with the victim State performing its inherently governmental functions?
    • Did the operation usurp the performance of an inherently governmental function of the victim State?
    • If the facts support finding a violation of sovereignty, is there a circumstance precluding the wrongfulness of that violation?
  • Prohibition of intervention
    • Did the operation interfere with or usurp a matter unregulated by international law or left solely to the prerogative of the victim State under international law?
    • Did the operation amount to a coercive act, and if so, under what definition of “coercion”?
    • If the facts support finding a violation of the prohibition on intervention, is there a circumstance precluding the wrongfulness of that violation?
  • Use of force
    • Did the operation cause physical effects in the territory of the victim State?
    • If no physical effects manifested in the territory of the victim State, what is the victim State’s position on whether cyber operations not causing concrete effects can qualify as a use of force?
    • If physical effects resulted from the operation, were more than a de minimis number of persons in the victim State injured or killed? Did the operation result in significant physical damage or destruction of objects?
    • Did the effects generated in the victim State result immediately or near immediately from the operation?
    • Are the effects generated in the victim State directly traceable to the operation as the cause?
    • Is the perpetrator of the operation a State organ that might be expected to employ kinetic means typically characterised as a use of force (e.g., armed forces or intelligence agencies)?
    • Is the system targeted in the victim State public (governmental) or private (non-governmental)?
    • Is the scale of the effects generated in the victim State reasonably quantifiable?
  • International human rights
    • Did the operation interfere with an individual right recognized under a human rights treaty to which the States are party or that is recognized by customary international law?
    • Does the State perpetrating the operation control the territory in which the victim’s rights are violated, or does an organ of the perpetrating State exercise power or control over the victim?
    • If the organ of the State perpetrating the cyber operation does not exercise power or control over the victim in a physical sense, does that State organ exercise control over the victim’s ability to enjoy a human right recognized under a human rights treaty to which the States are party or recognized by customary international law?
    • If the operation interferes with an individual right recognized under an applicable human rights treaty or under customary international law, is that interference (a) authorized by a domestic law; (b) undertaken in the pursuit of a legitimate public interest (e.g., national security, public order, or public health) or to protect the rights of others; (c) necessary to achieve that public interest; and (d) conducted in a manner proportionate to the desired end?
    • Did the victim State fulfil its positive obligations under IHRL (e.g., protecting the right to life of those under its jurisdiction)?

Appendixes

See also

Notes and references

  1. ILC Articles on State Responsibility, Art 4(1).
  2. ILC Articles on State Responsibility, Art 5.
  3. ILC Articles on State Responsibility, Art 6.
  4. ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
  5. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  6. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  7. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024).
  8. Council of the European Union, "Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  9. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Head of State and Government participating in the meeting of the North Atlantic Council in Wales (5 September 2015) para 72.
  10. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  11. See UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc A/68/98 (24 June 2013) para 20; UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015) paras 27, 28(b); UNGA, Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 70, 71(b).
  12. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30,40; Tallinn Manual 2.0, rule 4 (‘A State must not conduct cyber operations that violate the sovereignty of another State’), and commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  13. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  14. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 18.
  15. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  16. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  17. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 25.
  18. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  19. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  20. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  21. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  22. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’ (2021) 4.
  23. Ministry of Foreign Affairs of Japan, ‘Basic Position of the Government of Japan on International Law Applicable to Cyber Operations’ (16 June 2021) 3.
  24. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  25. New Zealand Foreign Affairs and Trade, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020) 2.
  26. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 67.
  27. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 76.
  28. Government Offices of Sweden, ‘Position Paper on the Application of International Law in Cyberspace’ (July 2022) 2.
  29. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  30. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’). The approach has been maintained in UK’s 2021 and 2022 national positions.
  31. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  32. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  33. Tallinn Manual 2.0, rule 2.
  34. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules'). This has been endorsed by several States, including China, the Czech Republic, Estonia, Finland, France, Germany, Israel, Italy, the Netherlands, Norway, Sweden, Switzerland and the United States.
  35. Tallinn Manual 2.0, commentary to rule 4, para 5. See also the national positions of Norway, Sweden and Switzerland.
  36. Tallinn Manual 2.0, rule 3; see also the national positions of the Czech Republic, the Netherlands and Norway.
  37. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  38. Some States have referred to the nature of the operation, its consequences, and/or the scale or severity of the effects, as the relevant factors that should be assessed. See e.g. the national positions of Canada, Finland, Germany, New Zealand, Norway, Sweden and Switzerland. New Zealand also highlighted the nature of the target in this regard.
  39. Some States have highlighted the requirement of a certain level beyond “negligible” or “de minimis” effects, such as Canada and Germany. See similarly, New Zealand’s national position. For further discussion on the required threshold, see Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Texas Law Review 1639; Harriet Moynihan, ‘The Application of International Law to State Cyberattacks. Sovereignty and Non-Intervention’, Chatham House (2 December 2019) paras 60 and ff.
  40. Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549.
  41. Tallinn Manual 2.0, commentary to rule 4, paras 5 and 12.
  42. See e.g. the national positions of Canada, Finland, New Zealand, Norway, Sweden and Switzerland.
  43. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  44. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9. See also, the national positions of Canada and New Zealand.
  45. Tallinn Manual 2.0, commentary to rule 4, para 11.
  46. Tallinn Manual 2.0, commentary to rule 4, para 12.
  47. Tallinn Manual 2.0, commentary to rule 4, para 13. Additionally, there was agreement between the experts that ‘a cyber operation necessitating repair or replacement of physical components of cyber infrastructure amounts to a violation because such consequences are akin to physical damage or injury’. See also in this respect Canada’s national position.
  48. Tallinn Manual 2.0, commentary to rule 4, para 14.
  49. Tallinn Manual 2.0, commentary to rule 4, para 15.
  50. Tallinn Manual 2.0, commentary to rule 4, para 16. Other examples may include law enforcement, taxation, foreign relations and national defense. See e.g. the national positions of Canada, Germany and Norway. See also Michael Schmitt, ‘Sovereignty, Intervention, and Autonomous Cyber Capabilities’ (2020) 96 International Law Studies 549, 557.
  51. Tallinn Manual 2.0, commentary to rule 4, para 18.
  52. Government of Canada, International Law applicable in cyberspace (April 2022) para 13.
  53. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  54. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  55. Richard Kadlčák, Statement of the Special Envoy for Cyberspace and Director of Cybersecurity Department of the Czech Republic (11 February 2020) 3.
  56. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 68.
  57. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 2.
  58. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 3.
  59. Ministry of Defense of France, 'International Law Applied to Operations in Cyberspace' (9 September 2019) 6.
  60. Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace (August 2020) para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state’).
  61. In favour: see, e.g., Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3; Romania’s national position (‘If there is not a State or State endorsed operation one can speak of a criminal act, which should be investigated and punished in accordance with the criminal law of the State concerned’).
  62. See Tallinn Manual 2.0, commentary to rule 4, paras 10–14; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 253.
  63. See French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p 7.
  64. Tallinn Manual 2.0, commentary to rule 4, paras 10–14; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 253 (effects), 258, 268 (causal nexus per analogiam).
  65. Tallinn Manual 2.0, commentary to rule 4, paras 15–16; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 255. Some States have referred to health care services as within the notion of “inherently governmental functions”, such as Canada.
  66. Tallinn Manual 2.0, commentary to rule 4, para 19; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 255.
  67. See Tallinn Manual 2.0, rule 4 and commentary to rule 4, para 27; Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6. But see, French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p 7; Iran, Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace.
  68. Tallinn Manual 2.0, rule 32.
  69. Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6.
  70. Id.; Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 Va. J. Int’l L. 291, 302-3.
  71. Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 254.
  72. Tallinn Manual 2.0, rule 4 and commentary to rule 4, paras. 10–16; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 254.
  73. See Tallinn Manual 2.0, rule 4 and commentary to rule 4, para 27; Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6.
  74. President of the United States, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011).
  75. G20 Leaders’ Communiqué (15–16 November 2015), para 26; see also G7 Principles and Actions on Cyber (Annex to the Ise-Shima Declaration from 27 May 2016).
  76. See US, ‘FACT SHEET: President Xi Jinping’s State Visit to the United States’ (25 September 2015).
  77. UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015), A/70/174.
  78. Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. INT'L L. & COM. REG. 443, 488-492; David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights; Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
  79. Tallinn Manual 2.0, rule 32, commentary 3.
  80. For an opposing view, see Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ (2016) in International Cyber Norms: Legal, Policy & Industry Perspectives, Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016.
  81. Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (signed on 15 April 1994 in Marrakesh), 1869 UNTS 299, 33 ILM 1197.
  82. Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018), page 5: “Economic espionage, to the extent it qualifies as a violation of intellectual property rights, should arguably be treated as an act comparable to commercial activities, jure gestionis. A [S]tate would then not be able to claim state immunity for such acts and could thus instead face a normal trial in a domestic court.”
  83. The customary nature has been highlighted by several States, including Australia, Brazil, Germany, Iran, Norway, Sweden, the United Kingdom and the United States.
  84. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14 [205].
  85. Many States, including Australia, Brazil, Canada, Estonia, Israel, Italy, Japan, New Zealand, Norway, Singapore, Sweden, Switzerland, the United Kingdom and the United States, have acknowledged that the prohibition of intervention applies to cyber operations. This has been also highlighted by the UN Group of Governmental Experts. See UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22 July 2015) A/70/174, para 28(b); UNGA, Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (14 July 2021) A/76/135, para 71(c).
  86. Many States agree that intervention ‘involves “coercion” in relation to a State’s domaine réservé’. See Ori Pomson, 'The Prohibition on Intervention Under International Law and Cyber Operations' (2022) 99 International Law Studies 180, 217. In this regard, see the national positions of Australia, Brazil, Canada, Estonia, Germany, Israel, Italy, The Netherlands, New Zealand, Norway, Romania, Singapore, Sweden, Switzerland, the United Kingdom and the United States.
  87. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) Merits, Judgment. I.C.J. Reports 1986, 14 [241].
  88. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3; Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5.
  89. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  90. See, for example, Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated April 2013) (defining the domaine réservé as those “areas where States are free from international obligations and regulation”); Nationality Decrees Issued in Tunis and Morocco (French Zone) on November 8th, 1921 (Great Britain v France) Advisory Opinion, (1923) PCIJ Series B no 4, 7th February 1923 [24].
  91. See also Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 6(3) Journal of Cyber Policy 394, 400-1.
  92. See, e.g., Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019) 3, defining coercion as ‘compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue’ and noting that ‘[t]he goal of the intervention must be to effect change in the behaviour of the target state’; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5, defining coercion as a situation in which a State’s ‘will is manifestly bent by the foreign State’s conduct’ and noting that ‘the acting State must intend to intervene in the internal affairs of the target State’; see further, the national positions of Italy, Switzerland, Estonia, Norway and Romania; see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘The majority of Experts was of the view that the coercive effort must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target State.’).
  93. Tallinn Manual 2.0, commentary to rule 66, para 21. See also Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019) 3.
  94. See, e.g., Australia, ‘Supplement to Australia’s Position on the Application of International Law to State Conduct in Cyberspace’ (2019) 4 (‘A prohibited intervention is one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely.’); New Zealand, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020), para 9(b) (stating that a State cyber activity is coercive if ‘there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions’); United Kingdom Attorney General’s Office Suella Braverman: ‘International Law in Future Frontiers’ (19 May 2022). See also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘A few Experts took the position that to be coercive it is enough that an act has the effect of depriving the State of control over the matter in question.’).
  95. Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 6(3) Journal of Cyber Policy 394, 403; see also Sean Watts, ‘Low-Intensity Cyber Operations and the Principle of Non-Intervention’ in Jens D Ohlin, Kevin Govern and Claire Finkelstein, Cyber War: Law and Ethics for Virtual Conflicts (Oxford University Press 2015) 256 and ff.
  96. Tallinn Manual 2.0, commentary to rule 66, para 21. See also the national positions of Canada, Germany and Norway.
  97. Tallinn Manual 2.0, commentary to rule 66, paras 19 and 27. See also the national positions of Germany, New Zealand and Sweden.
  98. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) Merits, Judgment. I.C.J. Reports 1986, 14 [205]. See also the national positions of Canada, Germany and The Netherlands.
  99. See Harriet Moynihan, The Application of International Law to State Cyberattacks Sovereignty and Non-Intervention (Chatham House, 2 December 2019) para 82.
  100. See Ori Pomson, 'The Prohibition on Intervention Under International Law and Cyber Operations' (2022) 99 International Law Studies 180, 212. While some States have stressed that economic coercion can still be sufficient for a breach of the rule of non-intervention, others remained ambiguous in their positions. States have referred to different examples that could be classified, depending on the circumstances of the case, under the prohibition of intervention. See the national positions of Australia (‘intervention in the fundamental operation of Parliament, or in the stability of States’ financial systems’), Canada (‘a malicious cyber activity that disrupts the functioning of a major gas pipeline, compelling the affected State to change its position in bilateral negotiations surrounding an international energy accord’), Italy (‘influence activities aimed, for instance, at undermining a State’s ability to safeguard public health during a pandemic’), New Zealand (‘a prolonged and coordinated cyber disinformation operation that significantly undermines a state’s public health efforts during a pandemic; and cyber activity deliberately causing significant damage to, or loss of functionality in, a state’s critical infrastructure, including – for example – its healthcare system, financial system, or its electricity or telecommunications network’), Norway (‘a cyber operation deliberately causing a temporary shutdown of the target State’s critical infrastructure, such as the power supply or TV, radio, Internet or other telecommunications infrastructure in order to compel that State to take a course of action’), Singapore (‘cyber-attacks against our infrastructure in an attempt to coerce our government to take or forbear a certain course of action on a matter ordinarily within its sovereign prerogative’), Switzerland (‘This is particularly true of economic coercion, which could be the case if a company that is systemically relevant was paralysed through a cyber operation’), the United Kingdom (‘intervention in the fundamental operation of Parliament, or in the stability of our financial system’; ‘to undermine the stability of another State’s financial system or to target the essential medical services of another State’; ‘Covert cyber operations by a foreign State which coercively restrict or prevent the provision of essential medical services or essential energy supplies […] disruption of systems controlling emergency medical transport (e.g., telephone dispatchers); causing hospital computer systems to cease functioning; disruption of supply chains for essential medicines and vaccines; preventing the supply of power to housing, healthcare, education, civil administration and banking facilities and infrastructure; causing the energy supply chain to stop functioning at national level through damage or prevention of access to pipelines, interchanges, and depots; or preventing the operation of power generation infrastructure. Turning to economic stability, covert cyber operations by a foreign State that coercively interfere with a State’s freedom to manage its domestic economy, or to ensure provision of domestic financial services crucial to the State’s financial system, would breach the rule on non-intervention […] disruption to the networks controlling a State’s fundamental ability to conduct monetary policy or to raise and distribute revenue, for instance through taxation. Or disruption to systems which support lending, saving and insurance across the economy’), and the United States (‘a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population – for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic’).
  101. Australian Government, Australia's position on how international law applies to State conduct in cyberspace (2020).
  102. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, (August 2021) 19.
  103. Government of Canada, International Law applicable in cyberspace (April 2022).
  104. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 5-6.
  105. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020).
  106. New Zealand Foreign Affairs and Trade, The Application of International Law to State Activity in Cyberspace (1 December 2020) 2.
  107. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 68-69.
  108. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 83.
  109. Attorney General Jeremy Wright: Cyber and International Law in the 21st Century (23 May 2018); United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement (3 June 2021); Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022.
  110. Brian J Egan, International Law and Stability in Cyberspace (10 November 2016) 13-14; Hon Paul C Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference (2 March, 2020); Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 140.
  111. See the national positions of Canada, Romania, Sweden and Switzerland.
  112. Harriet Moynihan, The Application of International Law to State Cyberattacks Sovereignty and Non-Intervention (Chatham House, 2 December 2019) para 101. Further, the international group of experts involved in the Tallinn Manual 2.0 considered that ‘the fact that a coercive cyber operation fails to produce the desired outcome has no bearing on whether [the prohibition of intervention] has been breached’. Tallinn Manual 2.0, commentary to rule 66, para 29.
  113. Tallinn Manual 2.0, commentary to rule 66, para 24 (the exact nature of the causal nexus was not agreed on).
  114. Harriet Moynihan, The Application of International Law to State Cyberattacks Sovereignty and Non-Intervention (Chatham House, 2 December 2019) para 79. See also the national positions of The Netherlands (‘The non-intervention principle, like the sovereignty principle from which it stems, applies only between states’), Sweden (‘The prohibition of intervention is applicable between States and does not apply directly to non-state actors’), and the 2022 position of the United Kingdom (‘To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility’).
  115. See Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 255.
  116. See in particular, the national positions of Italy (‘Italy sees merit in continuing to deepen the study of possible violations of the principle of non-intervention in cyberspace. That is particularly the case with regard to influence activities aimed, for instance, at undermining a State’s ability to safeguard public health during a pandemic’) and the United States (‘Further, a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population - for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic- could be considered a violation of the rule of non-intervention’).
  117. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4).
  118. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136, para 87; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, paras 187–190. See also, the national positions of Brazil, Israel, Sweden, and the United States.
  119. See, for example, The International Law Commission, 'Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session' Yearbook of the International Law Commission Vol. II (1966) 247 (“The law of the Charter concerning the prohibition of the use of force in itself constitutes a conspicuous example of a rule in international law having the character of jus cogens”); Christine Gray, International Law and the use of force (OUP 2018) 32; Oliver Corten, The Law against War. The Prohibition on the Use of Force in Contemporary International Law (Hart Pub. 2021) 44; Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012), 231, para 67 (“the prohibition of the use of force laid down in Art. 2 (4) is usually acknowledged in State practice and legal doctrine to have a peremptory character, and thus to be part of the international ius cogens”).
  120. Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 44.
  121. Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, I.C.J. Reports 1996, 226; see also the national positions of Brazil, Germany, France, the Netherlands and Sweden.
  122. Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012) 208 para 16 (“The term [‘force’] does not cover any possible kind of force, but is, according to the correct and prevailing view, limited to armed force.”).
  123. Cf. Ian Brownlie, International Law and the Use of Force by States (OUP 1963) 362 (“[Art 2(4)] applies to force other than armed force”); Tallinn Manual 2.0, rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”). This is also embodied in the national positions of several States, including Australia, Canada, Germany, Italy, the Netherlands, Romania and Sweden.
  124. See the national positions of Canada, Germany, Italy, the Netherlands, Romania, Sweden and the United States.
  125. Cf. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4) (expressly prohibiting the use of force against the “political independence” of any State).
  126. Documents of the United Nations Conference on International Organization (1945), vol VI, 334. See also the national position of the Netherlands.
  127. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) preamble.
  128. Cf. Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment, 2009 ICJ Rep 213 [66] (“[W]here the parties have used generic terms in a treaty, the parties necessarily having been aware that the meaning of the terms was likely to evolve over time, and where the treaty has been entered into for a very long period or is ‘of continuing duration’, the parties must be presumed, as a general rule, to have intended those terms to have an evolving meaning”).
  129. Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 46-47. See the national positions of Australia, Germany, France, the Netherlands, Sweden, the United Kingdom and the United States. As highlighted by Roscini, other analytic approaches include an ‘instrument-based approach’ which focuses on the means used, and the ‘target-based approach’ which ‘argues that cyber operations reach the threshold of the use of armed force when they are conducted against national critical infrastructure’. On the latter, see for example Estonia’s national position, combining the target and the effects-based approaches in its assessment.
  130. Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 53. See also the national positions of Australia, Brazil, Estonia, Italy, Israel and the United States. Further, it has been argued that there is a minimum threshold of intensity or gravity in the use of force, for it to fall under Article 2(4) of the UN Charter. See Roscini, 53-54. See also in this regard, Tallinn Manual 2.0, commentary to rule 69, para 9(a).
  131. Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 55. See also ibid, 48 (noting that ‘the dependency of modern societies on computers, computer systems, and networks has made it possible to achieve analogous prejudicial results through other, non-destructive means’).
  132. However, such claims are occasionally made in the scholarship: see, for example, Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 59; Nicholas Tsagourias 'Cyber Attacks, Self-Defence and the Problem of Attribution' (2012) 17 (2) Journal of Conflict and Security Law 23; Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
  133. Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583, 638.
  134. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 7, stating that ‘France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force’.
  135. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 4, stating that ‘in the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force’.
  136. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 69-70, stating that ‘Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4)’.
  137. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4.
  138. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 7.
  139. Tallinn Manual 2.0, commentary to rule 69, para 9. The indicative factors highlighted by the Manual are: (i) severity; (ii) immediacy; (iii) directness; (iv) invasiveness; (v) measurability of effects; (vi) military character; (vii) State involvement; and (viii) presumptive legality.
  140. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on “International law and cyberspace”’ (2021) 8. See also the national position of Israel, stating that ‘As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force’.
  141. See Articles 39–42 of the UN Charter.
  142. See Article 51 of the UN Charter.
  143. See in this regard the national positions of Australia, the Netherlands and Romania.
  144. Cf. US, State Department Legal Advisor Brian Egan, International Law and Stability in Cyberspace, Speech at Berkeley Law School (10 November 2016), 13 (“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force.”) (emphasis original); UK, Attorney General Jeremy Wright QC MP, Cyber and International Law in the 21st Century, Speech (23 May 2018) (“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.”); Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 4; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 77.
  145. Tallinn Manual 2.0, commentary to rule 68, para 4; Tallinn Manual 2.0, introduction to Chapter 14, para 1.
  146. See generally Michael N. Schmitt, The Use of Cyber Force and International Law, in Oxford Handbook on the Use of Force in International Law 1110 (Marc Weller ed. 2015).
  147. See, e.g., Harold Hongju Koh, Legal Adviser, U.S. Dep’t of State, International Law in Cyberspace: Remarks as Prepared for Delivery to the USCYBERCOM Inter-Agency Legal Conference (Sept. 18, 2012), reprinted in 54 Harv. Int’l L.J. Online 1, 4 (2012). Tallinn Manual 2.0, commentary to rule 69, para 8.
  148. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 258–59.
  149. See Duncan B. Hollis & Tsvetelina van Benthem, ‘What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?’ Lawfare (March 30, 2021).
  150. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 51. A minority view should be acknowledged here, according to which the right of self-defense potentially applies against any illegal use of force, irrespective of its qualification as an “armed attack”. See, e.g., US DoD, Law of War Manual (December 2016), para 1.11.5.2.
  151. See, e.g., Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 194; Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 41; Oil Platforms (Iran v US) [2003] ICJ Rep 161, para 43.
  152. Cf G Nolte and A Randelzhofer, ‘Article 51’ in B Simma et al (eds), The Charter of the United Nations: A Commentary (3rd edn, OUP 2012) vol II, 1426–27, para 60 (noting that the use of force in self-defence is limited to ending the attack so that the specific impulse from which the attack emerged is no longer present); but see David Kretzmer, ‘The Inherent Right to Self-Defence and Proportionality in Jus Ad Bellum’ (2013) 24 EJIL 235, 264–66 (arguing that states that have been the victims of an armed attack may under certain conditions use force to pre-empt future attacks).
  153. See Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 39.
  154. See generally, Certain Activities Carried out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Merits) [2015] ICJ Rep 665, para. 97.
  155. Second Oxford Statement on International Law Protections of the Healthcare Sector During COVID-19: Safeguarding Vaccine Research (7 August 2020).
  156. See, e.g., James Crawford, State Responsibility: The General Part, 676 (CUP 2008) (describing acts of retorsion as “[t]he most common unilateral self-help measure in international practice” and “retaliation against another state in a manner that does not interfere with the target state’s rights under international law”).
  157. See, e.g., James Crawford, State Responsibility: The General Part, 685 (CUP 2008) (describing countermeasures as “non-compliance with an international obligation owed towards another state, adopted in response to a prior breach of international law by that other state and aimed at inducing it to comply with its obligations of cessation and reparation”).
  158. Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 22.
  159. UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
  160. Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added); See also UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 29-30.
  161. Dapo Akande, Antonio Coco and Talita de Souza Dias, ‘Old Habits Die Hard: Applying Existing International Law in Cyberspace and Beyond’, EJIL Talk! (5 January 2021).
  162. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020) 403-4. The position states that "we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form".
  163. New Zealand Foreign Affairs and Trade, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020) 3. According to the position, "An agreed norm of responsible state behaviour provides that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. Whether this norm also reflects a binding legal obligation is not settled".
  164. United Kingdom Foreign, Commonwealth & Development Office, ‘Application of international law to states’ conduct in cyberspace: UK statement’ (3 June 2021) para 12. According to the position: "the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace".
  165. Government of Canada, International Law applicable in cyberspace (April 2022) para. 26. According to the position, this does not "precludes the recognition of a binding legal rule of due diligence under customary international law. Canada continues to study this matter".
  166. See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
  167. See also Tallinn Manual 2.0, commentary to rule 6, para 4 (unanimously endorsing this view).
  168. Australia, ‘Australia’s International Cyber Engagement Strategy - Annex A: Australia’s Position on How International Law Applies to State Conduct in Cyberspace’ (October 2017) 91, stating that “if a state is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that state should take reasonable steps to do so consistent with international law”.
  169. Czech Republic, Comments submitted by the Czech Republic in reaction to the initial “pre-draft” report of the Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (undated), stating that “ICT-specific norms reflect a general principle of international law obliging States to ensure that territory and objects over which they enjoy sovereignty are not used to harm other States’ rights.”
  170. Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states.”
  171. Finland, ‘Statement by Ambassador Janne Taalas at the second session of the open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security’ (11 February 2020), stating that “States have an obligation not to knowingly allow their territory to be used for activities that cause serious harm to other States, whether using ICTs or otherwise.”
  172. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that “In compliance with the due diligence requirement, [France] ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors.”
  173. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 3.
  174. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on International law and cyberspace’ (2021) 6-7.
  175. Ministry of Foreign Affairs of Japan, ‘Basic Position of the Government of Japan on International Law Applicable to Cyber Operations’ (28 May 2021) 5.
  176. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘The Netherlands ... does regard the principle [of due diligence] as an obligation in its own right, the violation of which may constitute an internationally wrongful act.’
  177. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 71-2.
  178. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 7.
  179. Government Offices of Sweden, ‘Position Paper on the Application of International Law in Cyberspace’ (July 2022) 4.
  180. Tallinn Manual 2.0, commentary to rule 6, para 5.
  181. Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgement) [2007] ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rudiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
  182. While, in general, it is States, not individuals or private entities, which are able to violate international law, cyber operations carried out by individuals or private entities that nevertheless result in serious adverse consequences fall within a State’s due diligence obligation. See Tallinn Manual 2.0, commentary to rule 6, para 21.
  183. Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, para 2 and 15.
  184. Tallinn Manual 2.0, rule 6.
  185. Tallinn Manual 2.0, commentary to rule 6, para 18-24.
  186. Tallinn Manual 2.0, rule 6.
  187. Tallinn Manual 2.0, commentary to rule 6, para 37-42.
  188. Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, para 2 and 18.
  189. See Tallinn Manual 2.0, rule 6; Second Oxford Statement on International Law Protections of the Healthcare Sector During COVID-19: Safeguarding Vaccine Research (7 August 2020) (“States must take all feasible measures to prevent, stop and mitigate malicious cyber operations against the data or technologies used for  . . . vaccine research, trial, manufacture or distribution which they know or should have known emanate from their territory or jurisdiction.”).
  190. Tallinn Manual 2.0, commentary to rule 6, paras 37–39.
  191. Tallinn Manual 2.0, rule 7.
  192. See, for example, United Nations Human Rights Council, The promotion, protection and enjoyment of human rights on the Internet, Resolution A/HRC/RES/32/13 (1 July 2016), para 1; NATO, Warsaw Summit Communiqué (9 July 2016), para 70; G8 Summit of Deauville, Declaration: Renewed Commitment for Freedom and Democracy (27 May 2011), para II/11; UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015) A/70/174, paras 13(e) and 28(b); UNGA, ‘Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security’ (14 July 2021) A/76/135, paras 36 and ff. This has been reaffirmed by most States in their national positions, such as Australia, Canada, Czech Republic, Estonia, Finland, Italy, Japan, the Netherlands, New Zealand, Norway, Romania, Sweden, Switzerland, the United Kingdom and the United States.
  193. See, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43 [170].
  194. International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR); International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) 993 UNTS 3 (ICESCR).
  195. Formal title: Convention for the Protection of Human Rights and Fundamental Freedoms (opened to the signature in Rome on 4 November 1950, entered into force 3 September 1953), ETS 5 (ECHR); there are several protocols which significantly expand and amend the obligations of the original Convention.
  196. Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000 (EUCFR).
  197. American Convention on Human Rights (open for signature from 22 November 1969, entered into force 18 July 1978), 1144 UNTS 123 (ACHR).
  198. African Charter on Human and Peoples’ Rights (‘Banjul Charter’) (adopted 27 June 1981, entered into force 21 October 1986), CAB/LEG/67/3 rev. 5, 21 I.L.M. 58 (1982) (ACHPR).
  199. Article 2(1) ICCPR.
  200. UN HRC, ‘General Comment No. 31 (80): The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’ (adopted on 29 March 2004, 2187th meeting), para 10.
  201. Cf, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ Rep 136 [111]. See further, UN HRC, General comment No. 36, Article 6, Right to life (3 September 2019) CCPR/C/GC/36, para 63. See also the approach adopted by the European Court of Human Rights in Al-Skeini and others v. the United Kingdom, App no 55721/07 (ECtHR, 7 July 2011) [131] and ff; Loizidou v. Turkey, App no 15318/89 (ECtHR, 23 March 1995) [62], and recently in Carter v. Russia, App no. 20914/07 (ECtHR, 21 September 2021) [161]. For the position within the Inter-American System see Saldano v. Argentina, Report No 38/99 (Inter-American Commission of Human Rights, 11 March 1999) [17] and in particular the wide interpretation adopted by the Inter-American Court of Human Rights in its Advisory Opinion 23/17 on the Environment and Human Rights, Series a 23 (IACtHR, 15 November 2017) para 104(h).
  202. See, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ 136, para 110; UN HRC, Summary Record of the 1405th Meeting, CCPR/C/SR.1405 (31 March 1995) 6 [20].
  203. See, for example, Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56 Harvard International Law Journal 81.
  204. Switzerland has expressly stated in its national position that ‘Human rights obligations are equally binding upon states operating in cyberspace as in physical space. This also applies when the cyber operation in question is being carried out extraterritorially, to the extent that the States exercise their sovereign authority in doing so’. See Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 8.
  205. Article 17 ICCPR; Article 8 ECHR; Article 7 EUCFR; Article 11 ACHR. The exact titles and scopes of the provisions vary. For example, this can be triggered by the practice of surveillance. See Helen McDermott, ‘Application of the International Human Rights Law Framework in Cyber Space’ in Dapo Akande and others (eds), Human Rights and 21st Century Challenges. Poverty, Conflict, and the Environment (Oxford University Press 2020) 194. See also Szabo and Vissy v Hungary, App no 37138/14 (ECtHR, 12 January 2016); Liberty and Others v United Kingdom, App No 58243/00 (ECtHR, 2008).
  206. Article 19 ICCPR; Article 10 ECHR; Article 11 EUCFR; Article 13 ACHR. The exact titles and scopes of the provisions vary, and include its counterpart, the right to access to information, as highlighted in the national positions of Estonia, Finland, Italy, Sweden, Switzerland and the United States. A violation of this right may be caused, for example, by ‘a DDoS attack that inhibits access to the Internet or the voicing of views, and is attributable to a state’. See Helen McDermott, ‘Application of the International Human Rights Law Framework in Cyber Space’ in Dapo Akande and others (eds), Human Rights and 21st Century Challenges. Poverty, Conflict, and the Environment (Oxford University Press 2020) 194.
  207. As highlighted by many States in their national positions, including Australia, Canada, the Czech Republic, Estonia, the Netherlands and Sweden.
  208. See Helen McDermott, ‘Application of the International Human Rights Law Framework in Cyber Space’ in Dapo Akande and others (eds), Human Rights and 21st Century Challenges. Poverty, Conflict, and the Environment (Oxford University Press 2020) 195–197.
  209. See Soering v. the United Kingdom, App no 14038/88 (ECtHR, 07 July 1989) [88]; Ireland v. the United Kingdom, App no 5310/71 (ECtHR, 18 January 1978) [163]; Hurri Laws v. Nigeria, Communication No 225/98 (AComHPR, 6 November 2000) [41]; UN HRC, General Comment 20, Article 7 (Prohibition of Torture, or Other Cruel, Inhuman or Degrading Treatment or Punishment) (10 March 1992) para 3; CAT, General Comment 2 on the implementation of article 2 by States parties (24 January 2008) CAT/C/GC/2, paras 1 and 5.
  210. UN Human Rights Committee, ICCPR General Comment No. 34 (12 September 2011), paras 21-36; See also ICCPR General Comment No. 27 (1 November 1999), paras 14-16; UN HRC, General Comment No. 31 [80] The Nature of the General Legal Obligation Imposed on States Parties to the Covenant (26 May 2004) CCPR/C/21/Rev.1/Add. 13, para 6.
  211. See, Velásquez Rodríguez v. Honduras, (Merits) IACrtHR (Ser. C) No. 4 (29 July 1988) [177]. See also UN HRC, General Comment No. 31 [80] The Nature of the General Legal Obligation Imposed on States Parties to the Covenant (26 May 2004) CCPR/C/21/Rev.1/Add. 13, para 8; UN HRC, General comment No. 36, Article 6, Right to life (3 September 2019) CCPR/C/GC/36, para 7. See also the national positions of Finland and Switzerland.
  212. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 261–66.
  213. Tallinn Manual 2.0, introduction to Chapter 6, para 2.
  214. See International Covenant on Civil and Political Rights art. 6, Dec. 16, 1966, 999 U.N.T.S. 171 (“Every human being has the inherent right to life. This right shall be protected by law. No one shall be arbitrarily deprived of his life.”); International Covenant on Economic, Social and Cultural Rights, art. 12(1), Dec. 16, 1966, 993 U.N.T.S. 3. (“The States Parties to the present Covenant recognize the right of everyone to the enjoyment of the highest attainable standard of physical and mental health.”).
  215. See, e.g., Human Rights Comm., General Comment No. 24, ¶8, U.N. Doc. CCPR/C/21/Rev.1/Add.6, P 17 (Nov. 4, 1994) (“. . . a State may not reserve the right to . . . arbitrarily deprive persons of their lives, . . .”); see also Christof Heyns, Dapo Akande, Lawrence Hill-Cawthorne, & Thompson Chengeta, The International Legal Framework Regulating Armed Drones, 65 Int’l Comp. L.Q. 791, 818–19 (2016) (“It is under IHRL that the right to life is most clearly protected, as set out in the various international and regional human rights treaties, and the rules of customary international law.”).
  216. See Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 262; Tallinn Manual 2.0, introduction to Chapter 6, para. 5; Tallinn Manual 2.0, rule 36.
  217. See Convention for the Protection of Human Rights and Fundamental Freedoms art. 2(2), Nov. 4, 1950, 213 U.N.T.S. 222 (recognizing that a killing does not contravene the right to life under the Convention when it results from the use of the minimum amount of force necessary to defend a person from unlawful violence, to effect a lawful arrest, to prevent a lawfully detained person from escaping, or to quell a riot or insurrection); Christof Heyns, Dapo Akande, Lawrence Hill-Cawthorne, & Thompson Chengeta, The International Legal Framework Regulating Armed Drones, 65 Int’l Comp. L.Q. 791, 821–22 (2016) (stating that a drone strike during an armed conflict “will be governed by both IHL and IHRL” and that “while the right not arbitrarily to be deprived of one's life continues to apply in situations of armed conflict, what is an arbitrary deprivation of life under the ICCPR . . . should be considered by reference to the IHL rules on the conduct of hostilities”).
  218. See Tallinn Manual 2.0, commentary to rule 34, para 1; Tallinn Manual 2.0, commentary to rule 35, para 1.
  219. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 262–63.
  220. Human Rights Comm. General Comment No. 36, ¶63, CCPR/C/GC/36 (Sep. 2, 2019) (adopting the position that “subject to its jurisdiction” under Art. 2 of the International Covenant on Civil and Political Rights refers not to the exercise of State power or control over the person but rather the exercise of State power and control over the enjoyment of the right to life and that the relevant consideration is direct and foreseeable impact on the right to life, wherever the victim may be located physically).
  221. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 263. See also Tallinn Manual 2.0, commentary to rule 34, para 6. But see Tallinn Manual 2.0, commentary to rule 34, para 7 (acknowledging, but disagreeing with, the view that customary international human rights categorically do not apply outside a State’s territory even when the State at issue exercises power or effective control over territory or persons therein); Georgia v. Russia (II), No. 38263/08, Eur. Ct. H.R. ¶137 (concluding that neither the spatial model of jurisdiction nor the personal model of jurisdiction applies to alleged violations of Article 2 ECHR (right to life) committed during active hostilities in an armed conflict).
  222. See Tallinn Manual 2.0, commentary to rule 34, para 6 (discussing belligerent occupation and the leasing of territory in another State as situations of power and control abroad sufficient to potentially trigger the application of IHRL).
  223. Compare Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 264 (stating that “an expansive view of the extraterritorial application of human rights obligations is both desirable and sensible”) and Human Rights Comm. General Comment No. 36, ¶63, CCPR/C/GC/36 (Sep. 2, 2019) (adopting the position that “subject to its jurisdiction” under Art. 2 of the International Covenant on Civil and Political Rights refers not to the exercise of State power or control over the person but rather the exercise of State power and control over the enjoyment of the right to life and that the relevant consideration is direct and foreseeable impact on the right to life, wherever the victim may be located physically) with Bankovic v. Belgium, 2001-XII Eur. Ct. H.R. ¶¶74-82 (refusing to interpret “within their jurisdiction” under Art. 1 of the Convention for the Protection of Human Rights and Fundamental Freedoms to make the Art. 2 right to be free from arbitrary deprivations of life whenever anyone is killed by an act attributable to a State Party, regardless of where in the world the act was performed or its consequences felt) and Matthew Waxman, Principal Deputy Director of Policy Planning, U.S. Department of State, Opening Statement to the U.N. Human Rights Committee on the Report Concerning the International Covenant on Civil and Political Rights (Jul. 17, 2006) (asserting that “it is the long-standing view of the United States that the Covenant by its very terms does not apply outside of the territory of a State Party” and that although the United States is “aware of the views of members of this Committee regarding the extraterritorial application of the Covenant, including the Committee’s General Comment No. 31” the United States “has a principled and long-held view that the Covenant applies only to a State Party’s territory. It is the long-standing view of [the United States] that applying the basic rules for the interpretation of treaties described in the Vienna Convention on the Law of Treaties leads to the conclusion that the language in Article 2, Pargraph [sic.] 1, establishes that States Parties are required to respect and ensure the rights in the Covenant only to individuals who are BOTH within the territory of a State Party and subject to its jurisdiction.”).
  224. See Christof Heyns, Dapo Akande, Lawrence Hill-Cawthorne, & Thompson Chengeta, The International Legal Framework Regulating Armed Drones, 65 Int’l Comp. L.Q. 791, 823 (2016) (“In its customary form, at least the negative obligation not arbitrarily to deprive someone of their life appears not to be limited to application within a State’s territory. Indeed, the Universal Declaration of Human Rights does not contain a limitation clause on its geographical application and simply states that '[e]veryone has the right to life'.”).
  225. See Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 265.
  226. Centre for Legal Resources on behalf of Valentin Câmpeanu v. Romania, No. 47848/08, Eur. Ct. H.R. ¶130 (2014).
  227. European Court of Human Rights, ‘Guide on Article 2 of the European Convention on Human Rights’ ¶9 (2021).
  228. See Case of Calvelli and Ciglio v. Italy, No. 32967/96, Eur. Ct. H.R. ¶49 (2002) (finding that the positive obligations under Article 2(1) “require States to make regulations compelling hospitals, [...] to adopt appropriate measures for the protection of their patients' lives” and that “[t]hey also require an effective independent judicial system to be set up” to hold those responsible for patient deaths accountable).

Bibliography and further reading

Contributions
