Scenario 23: Vaccine research and testing

From International cyber law: interactive toolkit

A major State-run hospital serving as a virus testing and vaccine research facility falls victim to both research espionage and a two-day distributed denial of service (DDoS) attack during a pandemic. Several months of research and clinical trial data is exfiltrated to a neighbouring State. As a result of the DDoS attack, the victim State’s population cannot access information about virus testing availability and cannot obtain test results. The scenario considers attribution of the cyber operations and whether such incidents constitute a violation of sovereignty, a prohibited intervention, a use of force, or a violation of international human rights law.

1 Scenario

1.1 Keywords

Attribution, sovereignty, peacetime cyber espionage, prohibition of intervention, use of force, international human rights law, DDoS, hospitals

1.2 Facts

[F1] State A and State B are suffering from a pandemic caused by a highly communicable, previously unidentified respiratory virus. Common symptoms of the virus include high fever, cough, shortness of breath, and fatigue. Because some infected persons are symptomatic and others are contagious despite appearing asymptomatic, the virus is spreading virtually unchecked. Hospitals are rapidly becoming overwhelmed. The virus’ high mortality rate, if not treated promptly, means both States desperately want to develop an effective treatment for those infected and a vaccine to protect others from becoming ill.

[F2] Over the prior decade, the relationship between States A and B has deteriorated significantly. The recent rise to power of an ultra-nationalist prime minister in State B, unrestrained by a similarly disposed parliament, has worsened the decline in relations. In the last year, State B has frequently accused State A of mistreating its large ethnic minority.

[F3] The largest State-run hospital in State A, which also serves as a vaccine research facility and the primary national virus testing facility, was recently victimized by a pair of hostile cyber operations. Eight months of vaccine research and clinical trial data was copied and exfiltrated (incident 1). Forensic investigators in State A cannot definitively rule out the possibility that the perpetrator maintains persistent access to the hospital’s information systems. However, investigators conclude, with moderate certainty, that the integrity of the original data remains intact and unchanged. State A appears to still have full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. The operation appears to have been limited to exfiltration of data and, consequently, a loss of confidentiality.

[F4] A two-day distributed denial of service (DDoS) attack left the public unable to access the hospital’s website to obtain information about testing availability and unable to view test results (incident 2).

[F5] Both publicly and through diplomatic channels, State B denies any involvement in the incidents. Despite these denials, State A cybersecurity authorities conclude with a high degree of confidence, based on forensic analysis, that State B is the most probable actor responsible for both the exfiltration of the vaccine research and the DDoS attack. The vaccine research and clinical trial data obtained from State A were exfiltrated to the Ministry of Health in State B. Moreover, the techniques used for both the data theft and the DDoS attack are identical to those employed by State B’s intelligence service in previous cyber operations conducted against State C, an ally of State A.

1.3 Examples

2 Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario focuses on three main issues: 1) Whether the cyber operations conducted against State A are attributable to State B; 2) Whether the exfiltration of State A’s vaccine research is an internationally wrongful act; and 3) Whether the DDoS operation against State A is an internationally wrongful act.

2.1 Attribution

State organs and persons and entities in exercise of governmental authority
The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  1. The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[1]
  2. The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State;[2]
  3. The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance."[3]

Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[4]

[L2] Both the cyber espionage operation and the DDoS attack are attributable to State B. State A considered the possibility that this hostile cyber operation is, in fact, a “false flag” operation perpetrated by a third State in such a way as to make it appear State B is responsible. However, in light of its increasingly strained diplomatic relationship with State B, the fact that the vaccine research was exfiltrated to the Ministry of Health in State B, and because the techniques employed to conduct both operations comport with those previously used by State B’s intelligence service against State C, State A has a high degree of confidence State B is responsible. State B’s intelligence service is undeniably functioning as part of State B’s central government and is thus a State organ, the conduct of which is attributable to State B under Article 4 of the International Law Commission’s Draft Articles on the Responsibility of States for Internationally Wrongful Acts. Consequently, the balance of the analysis of this scenario considers whether State B breached international law either by exfiltrating vaccine research data or by conducting the DDoS operation against the hospital in its capacity as a vaccine research site and as State A’s principal virus testing facility.

2.2 Breach of an international obligation

[L3] This section considers whether the cyber espionage and the DDoS attack by State B breach an international obligation owed to State A—specifically, whether State B breached the international law rules prohibiting violations of State sovereignty and intervention into the domaine réservé of another State, perpetrated an unlawful use of force against State A, or violated the human rights of inhabitants of State A.

2.2.1 Obligation to respect the sovereignty of other States

Sovereignty
Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award,
[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[5]
Multiple declarations by the UN,[6] NATO,[7] OSCE,[8] the European Union,[9] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty. However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility.
  • For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[10] It has also been adopted by several States including Austria,[11] the Czech Republic,[12] Finland,[13] France,[14] Germany,[15] Iran,[16] and the Netherlands.[17]
  • By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[18] This view has now been adopted by one State, the United Kingdom,[19] and has been endorsed by the U.S. Department of Defense General Counsel.[20] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts.

The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention).

It is understood that sovereignty has both an internal and an external component.[21] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[22][23]

As a general rule, each State must respect the sovereignty of other States.[24] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[25]

The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations:

  1. A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State's territory violates the target State's sovereignty.[26] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[27]
  2. Causation of physical damage or injury by remote means;[28] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[29]
  3. Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as to the precise threshold for a loss of functionality (the necessity of reinstallation of operating system or other software was proposed but not universally accepted).[30] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[31]
  4. Interference with data or services that are necessary for the exercise of "inherently governmental functions";[32] although the Experts could not conclusively define the term "inherently governmental functions", they agreed that, for example, the conduct of elections would so qualify.[33]
  5. Usurpation of "inherently governmental functions", such as exercise of law enforcement functions in another State’s territory without justification.[34]

The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Germany[35] and the Netherlands.[36] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”.[37]

Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State's sovereignty.

Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[38]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of the Czech Republic (2020), National position of Estonia (2019), National position of Estonia (2021), National position of Finland (2020), National position of France (2019), National position of Germany (2021), National position of Iran (2020), National position of Israel (2020), National position of Japan (2021), National position of Kenya (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Romania (2021), National position of Singapore (2021), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2016), National position of the United States of America (2020).

[L4] State B’s DDoS attack (incident 2) violated State A’s sovereignty. Under one view, which is held by a number of states, as well as numerous scholars, a remotely conducted cyber operation breaches the sovereignty of another State if it causes concrete effects within the territory of the victim State.[39] A contrasting view, succinctly expressed by France, is that a cyber operation penetrating a State’s systems violates that State’s sovereignty even if the cyber operation does not cause concrete effects within victim State territory.[40] One can conclude with a high degree of certainty that, by interfering with the dissemination of virus testing information and test results, State B caused the virus to spread more rapidly among people in State A than it otherwise would have done. The inability of State A’s population to know how and when to schedule testing or to obtain the results of completed tests in a timely manner meant that people were unable to identify themselves as carriers of the virus, were unaware they posed a public health risk, and likely were slow to implement appropriate precautions. That lack of information means persons carrying the virus almost certainly unknowingly spread it to others. Likewise, State A more than likely experienced an increased mortality rate from the virus because the inability of the population to get tested and to obtain test results delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment.

[L5] For this prong of analysis of incident 2, the physical effects must be ascertained and causally linked to the cyber operation.[41] Mere rescheduling of planned surgeries or a minor delay in delivering the test results would be a less serious effect than directly interfering with the immediate delivery of medical care; likewise, the impossibility of testing at one location could simply result in people taking the test elsewhere, so it may be difficult to pinpoint the causal link between the cyber operation and the additional infections.

[L6] There exists some uncertainty whether interference in, or usurpation of, inherently governmental functions is a relevant test for determining the existence of a violation of sovereignty, even though several States have already made declarations in favour of this interpretation. Applying that analysis to incident 2, State B also breached State A’s sovereignty by interfering with its ability to carry out its inherently governmental function of managing the public health crisis ongoing within its territory.[42] By denying State A’s populace access to critical information about operations at the State’s primary virus testing facility, State B’s DDoS attack interfered with a vital aspect of State A’s plan for managing the health crisis. The act of interfering with State A’s inherently governmental function, wholly apart from whether that interference causes concrete effects to manifest in State A, results in a sovereignty violation.[43]

[L7] As for State B exfiltrating the vaccine research from State A (incident 1), under the facts of this scenario, this likely does not constitute a sovereignty violation.[44] First, State A suffered no damage or destruction to its cyber infrastructure. Second, State B did not, merely by exfiltrating vaccine research, necessarily cause increased spread of the virus or higher mortality rates among those infected with the virus in State A. If, however, State B accessing the clinical trial data caused the clinical trial to fail procedural protocols and need to be restarted, the resulting delay in State A’s vaccine development effort may shift the analysis in favour of a breach of sovereignty. Finally, State B did not impair the ability of State A to perform its inherently governmental functions, in particular its ability to manage the public health crisis within its borders.

2.2.2 Cyber espionage

Peacetime cyber espionage
Peacetime espionage has been traditionally considered as unregulated by international law. This is also reflected in the Tallinn Manual 2.0, which posits that ‘[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.’[45]

However, the methods of peacetime cyber espionage are varied and the legal consensus is almost non-existent with regard to cyber operations below the threshold of use of force or armed attack.

It must be noted that although cyber espionage operations are generally not illegal from the perspective of international law, they are usually prohibited according to the domestic law of the target State. Moreover, the acting State’s authorities will also typically be subject to specific domestic law prescriptions pertaining to the conduct of foreign intelligence operations.

Conversely, the mere fact that an operation is a cyber espionage operation does not make it legal in international law, according to a majority of the experts drafting Tallinn Manual 2.0.[46] According to a minority of the experts, espionage creates an exception for certain otherwise illegal cyber operations.[47]

Publicly available national positions that address this issue include: National position of the United States of America (2020).

[L8] State B’s cyber espionage efforts do not per se violate international law.[48] Under the analysis above, remotely-conducted cyber espionage only violates a State’s sovereignty when it either causes concrete effects in the territory of that State—including serious damage to or destruction of cyber systems—or, according to those who hold this view, interferes with that State’s performance of its inherently governmental functions, whether or not such effects result from the espionage activities.[49] Under the facts of this scenario, State B exfiltrating the vaccine research from State A likely does not constitute a sovereignty violation (see para L7).[50]

2.2.3 Economic espionage

Economic cyber espionage
Already in its 2011 International Strategy for Cyberspace, the United States declared that it “will take measures to identify and respond to [persistent theft of intellectual property, whether by criminals, foreign firms, or state actors working on their behalf,] to help build an international environment that recognizes such acts as unlawful and impermissible, and hold such actors accountable.”[51] The G20 countries reaffirmed in 2015 that “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”[52] In September 2015, the US and China agreed on a similar commitment on a bilateral basis.[53]

Therefore, there is a push to curb the practice by developing a prohibition of such practice as a matter of international law.

However, according to the prevailing opinion, no such prohibition has crystallised in customary international law. In this regard, it is noteworthy that the 2015 UN GGE report does not mention economic cyber espionage among the applicable norms, rules, and principles of responsible State behaviour in cyberspace.[54] Several authors,[55] including experts of the Tallinn Manual 2.0,[56] consider that there is no distinction between economic cyber espionage and other forms of cyber espionage in general international law.[57] Additionally, no international consensus exists that agreements such as the WTO TRIPS[58] protect trade secrets against espionage conducted by a foreign state, and it is unclear whether the affected company can challenge the spying State in a domestic court or pursuant to a bilateral investment treaty, if there is one.[59]

Accordingly, such conduct is not subject to any general prohibition under extant international law.

[L9] Exfiltrating eight months of vaccine research and clinical trial data from State A may fairly be considered economic cyber espionage of State A’s intellectual property. However, current international law does not prohibit economic cyber espionage. Therefore, attributing the data theft to State B and characterizing incident 1 as economic cyber espionage is insufficient to establish State B’s responsibility under international law. Absent a relevant treaty commitment between State B and State A, State B’s economic cyber espionage does not, itself, violate an international legal obligation binding upon it.

2.2.4 Non-intervention

Prohibition of intervention
The obligation of non-intervention, a norm of customary international law, prohibits States from intervening coercively in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 case Nicaragua v United States:
A prohibited intervention must … be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.[60]
In order for an act, including a cyber operation, to qualify as a prohibited intervention, it must fulfil the following conditions:
  1. The act must bear on those matters in which States may decide freely. The spectrum of such issues is particularly broad and it includes both internal affairs (such as the “choice of a political, economic, social, and cultural system”[60] or the conduct of national elections[61]), and external affairs (“formulation of foreign policy”;[60] “recognition of states and membership of international organisations”[62])—the so-called domaine réservé of States.[63] The content of the domaine réservé is determined by the scope and nature of the State's international legal obligations.
  2. The act must be coercive in nature. There is no generally accepted definition of “coercion” in international law. In this respect, two main approaches have emerged in the cyber context:[64]
    1. Under the first approach, an act is coercive if it is specifically designed to compel the victim State to change its behaviour with respect to a matter within its domaine réservé.[65] Under this approach, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”.[66]
    2. Under the second approach giving meaning to “coercion”, it is sufficient for an act to effectively deprive the target State of its ability to control or govern matters within its domaine réservé.[67] This latter approach distinguishes itself from the former by accepting that mere deprivation of the target State’s control over a protected matter, without actually or potentially compelling that State to change its behaviour, may constitute intervention.[68]
    Under both approaches, however, merely influencing the target State by persuasion or propaganda or causing a nuisance without any particular goal is insufficient to qualify as coercion.[69] The element of coercion also entails the requirement of intent.[70]
  3. Finally, there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.[71]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of Estonia (2021), National position of France (2019), National position of Germany (2021), National position of Iran (2020), National position of Israel (2020), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Romania (2021), National position of Singapore (2021), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United States of America (2016), National position of the United States of America (2020).

[L10] The exfiltration of vaccine research by State B (incident 1) lacks the coercive element necessary to qualify as a prohibited intervention. State A retains full, unrestricted access to the research data in its continuing effort to develop an effective vaccine. State A’s ability to continue to execute its crisis response plan, a matter within its domaine réservé,[72] is not adversely impacted by State B copying and appropriating the vaccine data to its own use.

[L11] In contrast, according to the more widely held position, the DDoS attack (incident 2) constitutes an unlawful intervention because it interfered with the crisis response plan developed by State A’s Ministry of Health by rendering the largest and principal virus testing centre in State A unable to perform its intended function as a key component of State A’s plan to manage the public health crisis ongoing in its territory.

2.2.5 Use of force

Use of force
Article 2(4) of the UN Charter requires States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”.[73] This prohibition is reflective of customary international law[74] and it is frequently described as a peremptory norm of international law.[75] However, the notion of “force” in this context is limited to armed force,[76] and to operations whose scale and effects are comparable to the use of armed force.[77]

At present, there is a debate as to whether cyber operations with no physical effects may amount to a prohibited use of force. It has been argued that disruptive cyber operations of this kind fall under the scope of Article 2(4) if the resulting disruption is “significant enough to affect state security”.[78] Undoubtedly, one of the purposes of the prohibition of force under international law is to safeguard the national security of the potentially affected States.[79] However, many forms of outside interference including various forms of political and economic coercion may affect the national security of the victim State. And yet, the drafters of the UN Charter had expressly rejected the proposal to extend the prohibition of force beyond the strict confines of military (or armed) force.[80] This is reflected also in the preamble, which explicitly stipulates that the drafters sought “to ensure, by the acceptance of principles and the institution of methods, that armed force shall not be used, save in the common interest”.[81]

In principle, it could be argued that the notion of “force”, like other generic terms in treaties of unlimited duration, should be presumed to have an evolving meaning.[82]

As of 2021, there is limited State practice supporting the claim that the meaning of “force” has evolved to include non-destructive cyber operations against critical national infrastructure[83] and no victim State of an operation of this kind has suggested that the operation would have amounted to a use of force.[84] However, States have begun addressing this question. In particular, France[85] and the Netherlands[86] allow for the possibility of cyber operations, which do not produce physical effects, to qualify as uses of force, if certain criteria are met. These criteria include the seriousness and reach of a given cyber operation’s consequences and its military nature,[87] as well as “the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target”.[88] Several of these criteria are also reflected in the Tallinn Manual 2.0.[89]

Even if an operation does not meet the threshold of the use of force, it may still be considered a violation of other rules of international law.[90] In this regard, the prohibition of intervention, the obligation to respect the sovereignty of other States, and the possible obligation to refrain from launching cyber operations against other States’ critical infrastructure are all of potential relevance.

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of France (2019), National position of Germany (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of Romania (2021), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2020).

[L12] Uses of force need neither be perpetrated by the armed forces of a State nor involve the use of kinetic weapons.[91] However, there is no consensus on the precise test or criteria by which to determine whether a particular cyber operation may properly be characterized as a use of force.[92] That said, it is generally accepted that a cyber operation causing injury or death to persons or significant physical damage or destruction of objects qualifies as a use of force.[93]

[L13] The DDoS attack by State B (incident 2) significantly lessened the ability of State A’s population to get tested and to obtain test results. Further, it almost certainly delayed at least some persons carrying the virus and manifesting symptoms from seeking necessary and proper treatment. State B’s conduct likely caused State A to experience higher rates of infection and mortality from the virus than would have been the case otherwise. Those increased rates of infection and mortality are reasonably foreseeable effects of State B’s cyber operation. If persons in State A in fact fell ill or died at any significant scale as a result of the DDoS attack (incident 2), then it may reasonably be characterized as an unlawful use of force against State A by State B.[94] Even if such effects were not manifest and the hostile cyber operation did not qualify as a use of force, similar cyber operations repeatedly demonstrating the capacity to significantly disrupt cyber systems in a way likely to produce concrete effects might cross the Article 2(4) threshold as a threat to use force.[95]

[L14] Even if the DDoS attack (incident 2) by State B qualifies as an unlawful use of force, State A and its allies may not respond in self-defence under UN Charter, Article 51, and its customary international law equivalent unless the DDoS attack is sufficiently grave to amount to an “armed attack.”[96] Even then, a response in self-defence is further limited by the requirements that it be necessary and proportionate.[97] State B was identified as the source of the DDoS attack (incident 2) only after the disruption. Indications that further cyber or kinetic attacks may follow are absent. Thus, it would be difficult for State A to reasonably claim that a use of force in self-defence was necessary to repel an ongoing or imminent attack by State B.[98] State A could, if it chose, call upon the UN Security Council to characterise State B’s conduct as a “threat to the peace” or a “breach of the peace” and prescribe measures under Chapter VII of the UN Charter.[99] Setting aside the prospect of UN Security Council action, it is at least arguably unnecessary to draw a conclusion regarding whether State B’s DDoS attack (incident 2) against State A crossed the threshold of violating Article 2(4) of the UN Charter because it breached other applicable international legal rules.[100] Even if international lawyers cannot agree on the precise rule(s) of international law violated by State B’s hostile cyber operations, there is a growing view that State cyber operations causing “significant adverse or harmful consequences for the research, trial, manufacture, and distribution” of vaccines, including “by means that damage the content or impair the use of sensitive research data, particularly trial results, or which impose significant costs on targeted facilities in the form of repair, shutdown, or related preventive activities” violate international law.[101]

[L15] The unilateral responses available to State A under international law for a prohibited use of force—acts of retorsion[102] and countermeasures[103]—are identical to those available in response to other violations of international law.

2.2.6 Due diligence

According to the traditional formulation by the ICJ in the Corfu Channel case, every State is under an “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”.[104] In the cyber context, the UN General Assembly urged States already in 2000 to “ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies”.[105]

It is a matter of some controversy whether the principle of due diligence reflects a binding obligation applicable to cyber operations.[106] It has also been proposed that in the cyber context, it is preferable to construe due diligence as a standard of attribution rather than as a standalone primary rule of international law.[107] Nevertheless, the present analysis proceeds on the basis that as a matter of lex lata, due diligence constitutes a general international obligation for every State not to knowingly allow its territory to be used for internationally wrongful acts using cyber means.[108] This view has also been endorsed by several States, including Australia,[109] Czech Republic,[110] Estonia,[111] Finland,[112] France,[113] and the Netherlands.[114]

Due diligence does not entail a duty of prevention,[115] but rather an obligation of conduct.[116] A State breaches its due diligence obligation in the presence of the following cumulative elements:

  1. The existence of acts (by a non-State actor or a third State) contrary to the rights of a victim State,[117]
  2. which are conducted from or through the territory of the potentially responsible State (or from or through the territory or cyber infrastructure under its control),[118]
  3. which would have been unlawful if conducted by the potentially responsible State,[119]
  4. which have serious adverse consequences for the victim State,[120]
  5. with respect to which the potentially responsible State has actual or constructive knowledge,[121] and
  6. upon which the potentially responsible State can act, but fails to take all feasible measures.[122]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of the Czech Republic (2020), National position of Estonia (2019), National position of Estonia (2021), National position of France (2019), National position of Germany (2021), National position of Israel (2020), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Romania (2021), National position of Singapore (2021), National position of Switzerland (2021), National position of the United Kingdom (2021).

[L16] In the event that State B denies responsibility or even goes so far as to proffer evidence suggesting that the hostile cyber operations are not, in fact, attributable to it, State B may still potentially be liable for failure to meet its due diligence obligation. Assuming arguendo that State B was not in fact responsible for the hostile cyber operations themselves, it was still under an international legal obligation not to allow its territory and cyber infrastructure under its control to be used to affect State A’s rights and produce serious adverse consequences for State A.[123] To be responsible for failing to meet its due diligence obligation, State B must have had actual knowledge that its territory or cyber infrastructure was being so used, or the facts must be such that State B “in the normal course of events would have become aware.”[124] Assuming it knew or should have known its territory or infrastructure was being used to harm State A, State B was obligated “to take all measures that are feasible in the circumstances to put an end to [the hostile cyber operations].”[125]

2.2.7 International human rights law

International human rights law applies in cyberspace; individuals enjoy the same human rights online as they enjoy offline.[126] States are therefore bound by their human rights obligations to both respect and ensure human rights in cyberspace. States also bear international responsibility for the violation of human rights obligations that are attributable to them.[127]

The source of these obligations is primarily treaty law. The two key global treaties are the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR);[128] many of these treaties’ provisions, along with the provisions of the Universal Declaration of Human Rights, are regarded as reflective of customary international human rights law, even though there is no universally accepted codification. Apart from the ICCPR and ICESCR, there exist important regional human rights treaty systems, especially for Europe (European Convention on Human Rights – ECHR)[129], the European Union (Charter of Fundamental Rights of the European Union – EUCFR),[130] and America (American Convention on Human Rights – ACHR)[131], which provide for adjudicatory mechanisms by which individuals can assert their human rights against States and which have generated a considerable amount of case-law as a result.

In order to determine whether a State has breached its human rights obligations, the following steps of analysis should be conducted:

  1. Since cyber operations often take place in the cyber infrastructure of multiple States, the issue of jurisdiction must be addressed. Each human rights treaty has its own bespoke jurisdictional requirements and scope. In this regard, every State party to the ICCPR has undertaken “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the [ICCPR]”.[132] The UN Human Rights Committee has understood this provision to mean that the human rights obligations recognized within the ICCPR apply not only to persons physically located within a State’s territory, but also to situations where the State exercises “power or effective control” either over the territory on which an individual is located (the spatial model of jurisdiction) or over the individual (the personal model of jurisdiction).[133] The International Court of Justice (ICJ) has gone even further by stating that the ICCPR “is applicable in respect of acts done by a State in the exercise of its jurisdiction outside its own territory”.[134] A few States (such as the US and Israel) have adopted the contrary view and maintain that human rights obligations do not apply extraterritorially. To date, however, these States remain in the minority.[135] As such, although the exact criteria for the applicability of human rights obligations to extraterritorial activities of States are not settled and are subject to ongoing academic and political debate,[136] the prevailing opinion at present is that human rights obligations do apply to some acts of a State outside its territory.
  2. If an international human rights regime is applicable, the second question is whether a cyber operation attributable to a State constitutes an interference with a particular human right. The human rights that are often implicated by cyber operations include the right to privacy[137] and the right to freedom of opinion and expression.[138]
  3. Not every State interference with a human right is also a violation of international human rights law. For an interference to be legal, it must be justified, namely:
    1. in accordance with an accessible and foreseeable domestic law (“legality”),
    2. pursuing a legitimate objective of public interest (such as national security, public order, public health, or morals) or for the protection of rights of others,
    3. necessary to achieve that objective, and
    4. proportionate in balancing the means and the end.[139]

Apart from the responsibility for human rights violations attributed to it, a State can also be held responsible for its failure to take all reasonable measures to protect the human rights of individuals in its territory and subject to its jurisdiction (for instance, if it unlawfully allows non-State actors to violate human rights).[140]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of the Czech Republic (2020), National position of Estonia (2021), National position of Finland (2020), National position of Japan (2021), National position of Kazakhstan (2021), National position of Kenya (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of Romania (2021), National position of Switzerland (2021), National position of the United Kingdom (2021), National position of the United States of America (2012), National position of the United States of America (2016).

[L17] International human rights law (IHRL) is an applicable, and more direct, legal mechanism for vindicating the rights of the individuals (vice the States) harmed by State B’s DDoS attack (incident 2).[141] Although there is no definitive listing of the international human rights regarded as customary, many human rights captured in treaties such as the ICCPR and the ICESCR are considered to reflect customary international law.[142] Numerous treaties, including both the ICCPR and the ICESCR, protect the individual rights to health and life,[143] as does customary international law.[144]

[L18] The international legal obligation to respect individuals’ rights to life and health means States must refrain from conduct that unjustifiably interferes with, or otherwise adversely affects, these rights.[145] The concept of State conduct resulting in an arbitrary deprivation of life arises most apparently in the contexts of domestic law enforcement operations and targeting during armed conflict.[146] However, there is no reason, in principle, why an unjustified State cyber operation adversely impacting the individual human rights to life and health should be beyond the reach of IHRL.[147]

[L19] A threshold issue with which one must grapple in determining the applicability of IHRL to State cyber operations conducted into another State which disrupt individuals’ access to health care services, interfere with the other State’s ability to preserve public health, and increase the rates of infection and mortality, is extraterritoriality.[148] Although the Human Rights Committee has offered a more expansive and controversial conception of extraterritorial jurisdiction based upon a State’s exercise of control over the enjoyment of the right to life,[149] the prevailing view is that human rights treaties apply where either (a) the State against which the IHRL obligation is to be levied controls the territory in which the victim’s rights are violated, or (b) an organ of the State against which the IHRL obligation is to be levied exercises power or control over the individual victim(s).[150] Neither of these circumstances necessarily limits the application of IHRL to within the territorial borders of the acting State.[151] Although not beyond reasonable debate as lex ferenda rather than lex lata,[152] the customary right to be free from arbitrary deprivations of life may likewise not be constrained in application to the territorial confines of the acting State.[153]

[L20] A State cyber operation conducted into the territory of another State that either directly injures or kills persons or increases the rates of infection and mortality by disrupting access to health care services or interfering with the other State’s ability to preserve public health likely violates the rights to life and health under customary IHRL and, for States Party to an applicable IHRL treaty, also under the relevant treaty or treaties.[154]

[L21] So far, the focus has been on the legality of State B’s activities, but consideration must also be given to whether State A has satisfied its human rights obligations. Article 2(1) of the International Covenant on Civil and Political Rights requires States “to respect and to ensure to all individuals within its territory and subject to its jurisdiction [the right to life].” Article 2(1) of the Convention for the Protection of Human Rights and Fundamental Freedoms also obligates State A to affirmatively take steps to protect the lives of those within its jurisdiction.[155] The latter positive obligation includes both “the duty to provide a regulatory framework; and the obligation to take preventive operational measures”[156] and it applies in various contexts, including that of public health.[157] It is unclear whether State A may bear some responsibility for failing to properly enact cybersecurity standards that could have prevented or minimized State B’s hostile cyber operations and the illness and death caused by them, but the possibility should not be overlooked.

3 Checklist

  • Sovereignty
    • What is the victim State’s position on whether sovereignty is a primary rule of international law, and if so, the content of this rule?
    • Was the operation: (a) conducted remotely; or (b) conducted from within the territory of the victim State and without its consent?
    • Did the operation cause physical damage, significant loss of functionality, or destruction of cyber infrastructure in the victim State?
    • Did the operation cause damage to or destruction of something other than cyber infrastructure in the victim State?
    • Did the operation, directly or indirectly, cause injury or death to individuals?
    • Did the operation interfere with the victim State performing its inherently governmental functions?
    • Did the operation usurp the performance of an inherently governmental function of the victim State?
    • If the facts support finding a violation of sovereignty, is there a circumstance precluding the wrongfulness of that violation?
  • Prohibition of intervention
    • Did the operation interfere with or usurp a matter unregulated by international law or left solely to the prerogative of the victim State under international law?
    • Did the operation amount to a coercive act, and if so, under what definition of “coercion”?
    • If the facts support finding a violation of the prohibition on intervention, is there a circumstance precluding the wrongfulness of that violation?
  • Use of force
    • Did the operation cause physical effects in the territory of the victim State?
    • If no physical effects manifested in the territory of the victim State, what is the victim State’s position on whether cyber operations not causing concrete effects can qualify as a use of force?
    • If physical effects resulted from the operation, were more than a de minimis number of persons in the victim State injured or killed? Did the operation result in significant physical damage or destruction of objects?
    • Did the effects generated in the victim State result immediately or near immediately from the operation?
    • Are the effects generated in the victim State directly traceable to the operation as the cause?
    • Is the perpetrator of the operation a State organ that might be expected to employ kinetic means typically characterised as a use of force (e.g., armed forces or intelligence agencies)?
    • Is the system targeted in the victim State public (governmental) or private (non-governmental)?
    • Is the scale of the effects generated in the victim State reasonably quantifiable?
  • International human rights
    • Did the operation interfere with an individual right recognized under a human rights treaty to which the States are party or that is recognized by customary international law?
    • Does the State perpetrating the operation control the territory in which the victim’s rights are violated, or does an organ of the perpetrating State exercise power or control over the victim?
    • If the organ of the State perpetrating the cyber operation does not exercise power or control over the victim in a physical sense, does that State organ exercise control over the victim’s ability to enjoy a human right recognized under a human rights treaty to which the States are party or recognized by customary international law?
    • If the operation interferes with an individual right recognized under an applicable human rights treaty or under customary international law, is that interference (a) authorized by a domestic law; (b) undertaken in the pursuit of a legitimate public interest (e.g., national security, public order, or public health) or to protect the rights of others; (c) necessary to achieve that public interest; and (d) conducted in a manner proportionate to the desired end?
    • Did the victim State fulfil its positive obligations under IHRL (e.g., protecting the right to life of those under its jurisdiction)?

4 Appendixes

4.1 See also

4.2 Notes and references

  1. ILC Articles on State Responsibility, Art 4(1).
  2. ILC Articles on State Responsibility, Art 6.
  3. ILC Articles on State Responsibility, Art 5.
  4. ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
  5. Island of Palmas (Neth. v. U.S.), 2 RIAA 829, 838 (Perm. Ct. Arb. 1928).
  6. UNGA Res 71/237 (30 December 2015) UN Doc A/RES/20/237.
  7. North Atlantic Treaty Organization, 'Wales Summit Declaration' (issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales) (5 September 2015) para 72.
  8. Organization for Security and Cooperation in Europe, Decision No. 1202, OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies (Permanent Council, 10 March 2016) PC.DEC/1202.
  9. Council of the European Union, "Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU" (Council conclusions, 20 November 2017).
  10. Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30, 40; Tallinn Manual 2.0, commentary to rule 4, para 2 (‘States shoulder an obligation to respect the sovereignty of other States as a matter of international law’).
  11. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility’.
  12. Czech Republic, Statement by Mr. Richard Kadlčák, Special Envoy for Cyberspace, 2nd substantive session of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (11 February 2020), stating that ‘[t]he Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.’
  13. Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3, stating that ‘Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace.’
  14. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, stating that ‘Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty’.
  15. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 3, noting that ‘Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law’.
  16. Iran, ‘Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace’ (July 2020), para 4 (‘Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.’).
  17. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘countries may not conduct cyber operations that violate the sovereignty of another country’.
  18. Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207, 208 (arguing that sovereignty is ‘a principle of international law that guides state interactions’).
  19. Jeremy Wright, ‘Cyber and International Law in the 21st Century’ (23 May 2018) (stating that he was ‘not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law’); see also Memorandum from JM O’Connor, General Counsel of the Department of Defense, ‘International Law Framework for Employing Cyber Capabilities in Military Operations’ (19 January 2017) (considering that sovereignty is not ‘a binding legal norm, proscribing cyber actions by one State that result in effects occurring on the infrastructure located in another State, or that are manifest in another State’), as cited by Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771, 829.
  20. Paul C. Ney, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March 2020, arguing that ‘the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory’.
  21. Cf. James Crawford, Brownlie's Principles of Public International Law (OUP 2012) 448.
  22. Tallinn Manual 2.0, rule 2.
  23. Sovereignty over cyber infrastructure derives from the traditional concept of sovereignty, independent of the use of cyberspace. See Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123 (noting that '[t]erritorial sovereignty [..] implies that, subject to applicable customary or conventional rules of international law, the State alone is entitled to exercise jurisdiction, especially by subjecting objects and persons within its territory to domestic legislation and to enforce these rules.')
  24. UN GA Res 2625 (XXV) (24 October 1970) (Friendly Relations Declaration), preamble (emphasizing “that the purposes of the United Nations can be implemented only if States enjoy sovereign equality and comply fully with the requirements of this principle in their international relations”); Tallinn Manual 2.0, rule 4.
  25. Tallinn Manual 2.0, commentary to rule 4, para 5 and 12.
  26. See, eg, Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Judgment) [2015] ICJ Rep 665, 704–05, paras 97–99 (holding that the presence of Nicaragua’s military personnel in the territory under Costa Rica’s sovereignty amounted to a violation of Costa Rica’s territorial sovereignty); see also Tallinn Manual 2.0, commentary to rule 4, para 6.
  27. Tallinn Manual 2.0, commentary to rule 4, para 7; commentary to rule 32, para 9.
  28. Tallinn Manual 2.0, commentary to rule 4, para 11.
  29. Tallinn Manual 2.0, commentary to rule 4, para 12.
  30. Tallinn Manual 2.0, commentary to rule 4, para 13.
  31. Tallinn Manual 2.0, commentary to rule 4, para 14.
  32. Tallinn Manual 2.0, commentary to rule 4, para 15.
  33. Tallinn Manual 2.0, commentary to rule 4, para 16.
  34. Tallinn Manual 2.0, commentary to rule 4, para 18.
  35. Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), p. 4.
  36. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), p. 3.
  37. French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p. 6.
  38. In favour: see, eg, Theodore Christakis, ‘The ICJ Advisory Opinion on Kosovo: Has International Law Something to Say about Secession?’ (2011) 24 LJIL 73, 84; Marcelo Kohen, ‘The Court’s Contribution to Determining the Content of Fundamental Principles of International Law’ in Giorgio Gaja and Jenny Grote Stoutenburg (eds), Enhancing the Rule of Law through the International Court of Justice (Brill 2012) 145. Against: see, eg, Tallinn Manual 2.0, commentary to rule 4, para 3.
  39. See Tallinn Manual 2.0, commentary to rule 4, paras 10–14; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 253.
  40. See French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p 7.
  41. Tallinn Manual 2.0, commentary to rule 4, paras 10–14; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 253 (effects), 258, 268 (causal nexus per analogiam).
  42. Tallinn Manual 2.0, commentary to rule 4, paras 15–16; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 255.
  43. Tallinn Manual 2.0, commentary to rule 4, para 19; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 255.
  44. See Tallinn Manual 2.0, rule 4 and commentary to rule 4, para 27; Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6. But see, French Ministry of the Armies, International Law Applied to Operations in Cyberspace, p 7; Iran, Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace.
  45. Tallinn Manual 2.0, rule 32.
  46. Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6.
  47. Id.; Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 Va. J. Int’l L. 291, 302-3.
  48. Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 254.
  49. Tallinn Manual 2.0, rule 4 and commentary to rule 4, paras. 10–16; Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’ (2020) 11 J. Nat’l Security L. & Pol’y 247, 254.
  50. See Tallinn Manual 2.0, rule 4 and commentary to rule 4, para 27; Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6.
  51. President of the United States, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011).
  52. G20 Leaders’ Communiqué (15–16 November 2015), para 26; see also G7 Principles and Actions on Cyber (Annex to the Ise-Shima Declaration from 27 May 2016).
  53. See US, ‘FACT SHEET: President Xi Jinping’s State Visit to the United States’ (25 September 2015).
  54. UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015), A/70/174.
  55. Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. INT'L L. & COM. REG. 443, 488-492; David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights; Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
  56. Tallinn Manual 2.0, rule 32, commentary 3.
  57. For an opposing view, see Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ (2016) in International Cyber Norms: Legal, Policy & Industry Perspectives, Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016.
  58. Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (signed on 15 April 1994 in Marrakesh), 1869 UNTS 299, 33 ILM 1197.
  59. Erika Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018), page 5: “Economic espionage, to the extent it qualifies as a violation of intellectual property rights, should arguably be treated as an act comparable to commercial activities, jure gestionis. A [S]tate would then not be able to claim state immunity for such acts and could thus instead face a normal trial in a domestic court.”
  60. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 205.
  61. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3; Finland, ‘International law and cyberspace: Finland’s national positions’ (15 October 2020), 3; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5.
  62. Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  63. See, for example, Katja Ziegler, “Domaine Réservé”, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008) (updated April 2013) (defining the domaine réservé as those “areas where States are free from international obligations and regulation”).
  64. See also Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 5 Journal of Cyber Policy __, ___ [10–12 in pre-print].
  65. See, eg, Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019) 3, defining coercion as ‘compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue’ and noting that ‘[t]he goal of the intervention must be to effect change in the behaviour of the target state’; Germany, ‘On the Application of International Law in Cyberspace: Position Paper’ (March 2021), 5, defining coercion as a situation in which a State’s ‘will is manifestly bent by the foreign State’s conduct’ and noting that ‘the acting State must intend to intervene in the internal affairs of the target State’; see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘The majority of Experts was of the view that the coercive effort must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target State.’).
  66. Tallinn Manual 2.0, commentary to rule 66, para 21. See also Dutch Minister of Foreign Affairs, ‘Letter to the President of the House of Representatives on the International Legal Order in Cyberspace – Appendix: International Law in Cyberspace’ (5 July 2019), 3.
  67. See, eg, Australia, ‘Supplement to Australia’s Position on the Application of International Law to State Conduct in Cyberspace’ (2019) 4 (‘A prohibited intervention is one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely.’); New Zealand, ‘The Application of International Law to State Activity in Cyberspace’ (1 December 2020), para 9(b) (stating that a State cyber activity is coercive if ‘there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions’); see also Tallinn Manual 2.0, commentary to rule 66, para 19 (‘A few Experts took the position that to be coercive it is enough that an act has the effect of depriving the State of control over the matter in question.’).
  68. Harriet Moynihan, ‘The Vital Role of International Law in the Framework for Responsible State Behaviour in Cyberspace’ (2020) 5 Journal of Cyber Policy __, ___ [11 in pre-print].
  69. Tallinn Manual 2.0, commentary to rule 66, para 21.
  70. Tallinn Manual 2.0, commentary to rule 66, paras 19 and 27.
  71. Tallinn Manual 2.0, commentary to rule 66, para 24 (the exact nature of the causal nexus was not agreed on).
  72. See Marko Milanovic & Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 255.
  73. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4).
  74. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136, para 87; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, paras 187–190.
  75. See, for example, The International Law Commission, 'Document A/6309/ Rev.1: Reports of the International Law Commission on the second part of its seventeenth and on its eighteenth session' Yearbook of the International Law Commission Vol. II (1966) 247 (“The law of the Charter concerning the prohibition of the use of force in itself constitutes a conspicuous example of a rule in international law having the character of jus cogens”); Christine Gray, International Law and the use of force (OUP 2018) 32; Olivier Corten, The Law against War (Hart Pub. 2010) 44; Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012), 231, para 67 (“the prohibition of the use of force laid down in Art. 2 (4) is usually acknowledged in State practice and legal doctrine to have a peremptory character, and thus to be part of the international ius cogens”).
  76. Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma et al (eds), The Charter of the United Nations: A Commentary Vol I (OUP 2012) 208 para 16 (“The term [‘force’] does not cover any possible kind of force, but is, according to the correct and prevailing view, limited to armed force.”).
  77. Cf. Ian Brownlie, International Law and the Use of Force by States (OUP 1963) 362 (“[Art 2(4)] applies to force other than armed force”); Tallinn Manual 2.0, rule 69 (“A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”).
  78. Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 55.
  79. Cf. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) art. 2(4) (expressly prohibiting the use of force against the “political independence” of any State).
  80. Documents of the United Nations Conference on International Organization (1945), vol VI, 334.
  81. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) preamble.
  82. Cf. Dispute regarding Navigational and Related Rights (Costa Rica v Nicaragua) Judgment [2009] ICJ Rep 213, para 66 (“[W]here the parties have used generic terms in a treaty, the parties necessarily having been aware that the meaning of the terms was likely to evolve over time, and where the treaty has been entered into for a very long period or is ‘of continuing duration’, the parties must be presumed, as a general rule, to have intended those terms to have an evolving meaning”).
  83. However, such claims are occasionally made in the scholarship: see, for example, Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 59; Nicholas Tsagourias 'Cyber Attacks, Self-Defence and the Problem of Attribution' (2012) 17 (2) Journal of Conflict and Security Law 23; Gary Brown and Keira Poellet, ‘The Customary International Law of Cyberspace’ (2012) Strategic Studies Quarterly 137.
  84. Dan Efrony and Yuval Shany, ‘A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice’ (2018) 112 AJIL 583, 638.
  85. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, at p. 7, stating that ‘France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force’.
  86. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4, stating that ‘in the view of the government, at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force’.
  87. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) at p. 4.
  88. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’, 9 September 2019, at p. 7.
  89. Tallinn Manual 2.0, commentary to rule 69, para 9.
  90. Cf. US, State Department Legal Advisor Brian Egan, International Law and Stability in Cyberspace, Speech at Berkeley Law School (10 November 2016), 13 (“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force.”) (emphasis original); UK, Attorney General Jeremy Wright QC MP, Cyber and International Law in the 21st Century, Speech (23 May 2018) (“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.”).
  91. Tallinn Manual 2.0, commentary to rule 68, para 4; Tallinn Manual 2.0, introduction to Chapter 14, para 1.
  92. See generally Michael N. Schmitt, The Use of Cyber Force and International Law, in Oxford Handbook on the Use of Force in International Law 1110 (Marc Weller ed. 2015).
  93. See, e.g., Harold Hongju Koh, Legal Adviser, U.S. Dep’t of State, International Law in Cyberspace: Remarks as Prepared for Delivery to the USCYBERCOM Inter-Agency Legal Conference (Sept. 18, 2012), reprinted in 54 Harv. Int’l L.J. Online 1, 4 (2012). Tallinn Manual 2.0, commentary to rule 69, para 8.
  94. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 258–59.
  95. See Duncan B. Hollis & Tsvetelina van Benthem, ‘What Would Happen If States Started Looking at Cyber Operations as a “Threat” to Use Force?’ Lawfare (March 30, 2021).
  96. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 51. A minority view should be acknowledged here, according to which the right of self-defense potentially applies against any illegal use of force, irrespective of its qualification as an “armed attack”. See, e.g., US DoD, Law of War Manual (December 2016), para 1.11.5.2.
  97. See, e.g., Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits) [1986] ICJ Rep 14, para 194; Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 41; Oil Platforms (Iran v US) [2003] ICJ Rep 161, para 43.
  98. Cf G Nolte and A Randelzhofer, ‘Article 51’ in B Simma et al (eds), The Charter of the United Nations: A Commentary (3rd edn, OUP 2012) vol II, 1426–27, para 60 (noting that the use of force in self-defence is limited to ending the attack so that the specific impulse from which the attack emerged is no longer present); but see David Kretzmer, ‘The Inherent Right to Self-Defence and Proportionality in Jus Ad Bellum’ (2013) 24 EJIL 235, 264–66 (arguing that states that have been the victims of an armed attack may under certain conditions use force to pre-empt future attacks).
  99. See Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16 (UN Charter) Art 39.
  100. See generally, Certain Activities Carried out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica along the San Juan River (Nicaragua v Costa Rica) (Merits) [2015] ICJ Rep 665, para. 97.
  101. Second Oxford Statement on International Law Protections of the Healthcare Sector During COVID-19: Safeguarding Vaccine Research (7 August 2020).
  102. See, e.g., James Crawford, State Responsibility: The General Part, 676 (CUP 2008) (describing acts of retorsion as “[t]he most common unilateral self-help measure in international practice” and “retaliation against another state in a manner that does not interfere with the target state’s rights under international law”).
  103. See, e.g., James Crawford, State Responsibility: The General Part, 685 (CUP 2008) (describing countermeasures as “non-compliance with an international obligation owed towards another state, adopted in response to a prior breach of international law by that other state and aimed at inducing it to comply with its obligations of cessation and reparation”).
  104. Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 22.
  105. UN GA Res 55/63 (4 December 2000), Doc A/RES/55/63, para 1(a).
  106. Cf. UN GGE 2015 report, paras 13(c) and 28(e) (using non-mandatory language to express the due diligence principle in the cyber context: “States should not knowingly allow their territory to be used for internationally wrongful acts using [cyber means]” and “States ... should seek to ensure that their territory is not used by non-State actors to commit such acts”, respectively) (emphases added).
  107. See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 ICLQ 643.
  108. See also Tallinn Manual 2.0, commentary to rule 6, para 4 (unanimously endorsing this view).
  109. Australia, ‘Australia’s International Cyber Engagement Strategy - Annex A: Australia’s Position on How International Law Applies to State Conduct in Cyberspace’ (October 2017) 91, stating that “if a state is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that state should take reasonable steps to do so consistent with international law”.
  110. Czech Republic, Comments submitted by the Czech Republic in reaction to the initial “pre-draft” report of the Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (undated), stating that “ICT-specific norms reflect a general principle of international law obliging States to ensure that territory and objects over which they enjoy sovereignty are not used to harm other States’ rights.”
  111. Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states.”
  112. Finland, ‘Statement by Ambassador Janne Taalas at the second session of the open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security’ (11 February 2020), stating that “States have an obligation not to knowingly allow their territory to be used for activities that cause serious harm to other States, whether using ICTs or otherwise.”
  113. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that “In compliance with the due diligence requirement, [France] ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors.”
  114. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019), stating that ‘The Netherlands ... does regard the principle [of due diligence] as an obligation in its own right, the violation of which may constitute an internationally wrongful act.’
  115. Tallinn Manual 2.0, commentary to rule 6, para 5.
  116. Cf. Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 430; see further James Crawford, State Responsibility: The General Part (CUP 2013) 226–32 (on the distinction between due diligence and obligations of prevention); Rudiger Wolfrum, ‘Obligation of Result Versus Obligation of Conduct: Some Thoughts About the Implementation of International Obligations’ in Mahnoush H Arsanjani et al, Looking to the Future: Essays on International Law in Honor of Michael Reisman (Brill 2010).
  117. Corfu Channel judgment, para 22; Tallinn Manual 2.0, commentary to rule 6, para 2 and 15.
  118. Tallinn Manual 2.0, rule 6.
  119. Tallinn Manual 2.0, commentary to rule 6, para 18-24.
  120. Tallinn Manual 2.0, rule 6.
  121. Tallinn Manual 2.0, commentary to rule 6, para 37-42.
  122. Tallinn Manual 2.0, commentary to rule 6, para 43; commentary to rule 7, para 2 and 18.
  123. See Tallinn Manual 2.0, rule 6; Second Oxford Statement on International Law Protections of the Healthcare Sector During COVID-19: Safeguarding Vaccine Research (7 August 2020) (“States must take all feasible measures to prevent, stop and mitigate malicious cyber operations against the data or technologies used for . . . vaccine research, trial, manufacture or distribution which they know or should have known emanate from their territory or jurisdiction.”).
  124. Tallinn Manual 2.0, commentary to rule 6, paras 37–39.
  125. Tallinn Manual 2.0, rule 7.
  126. See, for example, United Nations Human Rights Council, The promotion, protection and enjoyment of human rights on the Internet, Resolution A/HRC/RES/32/13 (1 July 2016), para 1; NATO, Warsaw Summit Communiqué (9 July 2016), para 70; G8 Summit of Deauville, Declaration: Renewed Commitment for Freedom and Democracy (27 May 2011), para II/11.
  127. See, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, para 170.
  128. International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR); International Covenant on Economic, Social and Cultural Rights (adopted 16 December 1966, entered into force 3 January 1976) 993 UNTS 3 (ICESCR).
  129. Formal title: Convention for the Protection of Human Rights and Fundamental Freedoms (opened to the signature in Rome on 4 November 1950, entered into force 3 September 1953), ETS 5 (ECHR); there are several protocols which significantly expand and amend the obligations of the original Convention.
  130. Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000 (EUCFR).
  131. American Convention on Human Rights (open for signature from 22 November 1969, entered into force 18 July 1978), 1144 UNTS 123 (ACHR).
  132. Article 2(1) ICCPR.
  133. UN HRC, ‘General Comment No. 31 (80): The Nature of the General Legal Obligation Imposed on States Parties to the Covenant’ (adopted on 29 March 2004, 2187th meeting), para 10.
  134. Cf, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ Rep 136, para 111.
  135. See, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territories (Advisory Opinion) [2004] ICJ Rep 136, para 110; UN HRC, Summary Record of the 1405th Meeting, CCPR/C/SR.1405 (31 March 1995) 6 [20].
  136. See, for example, Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56 Harvard International Law Journal 81.
  137. Article 17 ICCPR; Article 8 ECHR; Article 7 EUCFR; Article 11 ACHR. The exact titles and scopes of the provisions vary.
  138. Article 19 ICCPR; Article 10 ECHR; Article 11 EUCFR; Article 13 ACHR. The exact titles and scopes of the provisions vary.
  139. UN Human Rights Committee, ICCPR General Comment No. 34 (12 September 2011), paras 21-36; See also ICCPR General Comment No. 27 (1 November 1999), paras 14-16.
  140. See, Velásquez Rodríguez v. Honduras, (Merits) IACrtHR (Ser. C) No. 4 (29 July 1988) [177].
  141. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 261–66.
  142. Tallinn Manual 2.0, introduction to Chapter 6, para 2.
  143. See International Covenant on Civil and Political Rights art. 6, Dec. 16, 1966, 999 U.N.T.S. 171 (“Every human being has the inherent right to life. This right shall be protected by law. No one shall be arbitrarily deprived of his life.”); International Covenant on Economic, Social and Cultural Rights, art. 12(1), Dec. 16, 1966, 993 U.N.T.S. 3. (“The States Parties to the present Covenant recognize the right of everyone to the enjoyment of the highest attainable standard of physical and mental health.”).
  144. See, e.g., Human Rights Comm., General Comment No. 24, ¶8, U.N. Doc. CCPR/C/21/Rev.1/Add.6, P 17 (Nov. 4, 1994) (“. . . a State may not reserve the right to . . . arbitrarily deprive persons of their lives, . . .”); see also Christof Heyns, Dapo Akande, Lawrence Hill-Cawthorne, & Thompson Chengeta, The International Legal Framework Regulating Armed Drones, 65 Int’l Comp. L.Q. 791, 818–19 (2016) (“It is under IHRL that the right to life is most clearly protected, as set out in the various international and regional human rights treaties, and the rules of customary international law.”).
  145. See Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 262; Tallinn Manual 2.0, introduction to Chapter 6, para. 5; Tallinn Manual 2.0, rule 36.
  146. See Convention for the Protection of Human Rights and Fundamental Freedoms art. 2(2), Nov. 4, 1950, 213 U.N.T.S. 222 (recognizing that a killing does not contravene the right to life under the Convention when it results from the use of the minimum amount of force necessary to defend a person from unlawful violence, to effect a lawful arrest, to prevent a lawfully detained person from escaping, or to quell a riot or insurrection); Christof Heyns, Dapo Akande, Lawrence Hill-Cawthorne, & Thompson Chengeta, The International Legal Framework Regulating Armed Drones, 65 Int’l Comp. L.Q. 791, 821–22 (2016) (stating that a drone strike during an armed conflict “will be governed by both IHL and IHRL” and that “while the right not arbitrarily to be deprived of one's life continues to apply in situations of armed conflict, what is an arbitrary deprivation of life under the ICCPR . . . should be considered by reference to the IHL rules on the conduct of hostilities”).
  147. See Tallinn Manual 2.0, commentary to rule 34, para 1; Tallinn Manual 2.0, commentary to rule 35, para 1.
  148. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 262–63.
  149. Human Rights Comm. General Comment No. 36, ¶63, CCPR/C/GC/36 (Sep. 2, 2019) (adopting the position that “subject to its jurisdiction” under Art. 2 of the International Covenant on Civil and Political Rights refers not to the exercise of State power or control over the person but rather the exercise of State power and control over the enjoyment of the right to life and that the relevant consideration is direct and foreseeable impact on the right to life, wherever the victim may be located physically).
  150. Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 263. See also Tallinn Manual 2.0, commentary to rule 34, para 6. But see Tallinn Manual 2.0, commentary to rule 34, para 7 (acknowledging, but disagreeing with, the view that customary international human rights categorically do not apply outside a State’s territory even when the State at issue exercises power or effective control over territory or persons therein); Georgia v. Russia (II), No. 38263/08, Eur. Ct. H.R. ¶137 (concluding that neither the spatial model of jurisdiction nor the personal model of jurisdiction applies to alleged violations of Article 2 ECHR (right to life) committed during active hostilities in an armed conflict).
  151. See Tallinn Manual 2.0, commentary to rule 34, para 6 (discussing belligerent occupation and the leasing of territory in another State as situations of power and control abroad sufficient to potentially trigger the application of IHRL).
  152. Compare Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 264 (stating that “an expansive view of the extraterritorial application of human rights obligations is both desirable and sensible”) and Human Rights Comm. General Comment No. 36, ¶63, CCPR/C/GC/36 (Sep. 2, 2019) (adopting the position that “subject to its jurisdiction” under Art. 2 of the International Covenant on Civil and Political Rights refers not to the exercise of State power or control over the person but rather the exercise of State power and control over the enjoyment of the right to life and that the relevant consideration is direct and foreseeable impact on the right to life, wherever the victim may be located physically) with Bankovic v. Belgium, 2001-XII Eur. Ct. H.R. ¶¶74-82 (refusing to interpret “within their jurisdiction” under Art. 1 of the Convention for the Protection of Human Rights and Fundamental Freedoms to make the Art. 2 right to be free from arbitrary deprivations of life whenever anyone is killed by an act attributable to a State Party, regardless of where in the world the act was performed or its consequences felt) and Matthew Waxman, Principal Deputy Director of Policy Planning, U.S. Department of State, Opening Statement to the U.N. Human Rights Committee on the Report Concerning the International Covenant on Civil and Political Rights (Jul. 17, 2006) (asserting that “it is the long-standing view of the United States that the Covenant by its very terms does not apply outside of the territory of a State Party” and that although the United States is “aware of the views of members of this Committee regarding the extraterritorial application of the Covenant, including the Committee’s General Comment No. 31” the United States “has a principled and long-held view that the Covenant applies only to a State Party’s territory. It is the long-standing view of [the United States] that applying the basic rules for the interpretation of treaties described in the Vienna Convention on the Law of Treaties leads to the conclusion that the language in Article 2, Pargraph [sic.] 1, establishes that States Parties are required to respect and ensure the rights in the Covenant only to individuals who are BOTH within the territory of a State Party and subject to its jurisdiction.”).
  153. See Christof Heyns, Dapo Akande, Lawrence Hill-Cawthorne, & Thompson Chengeta, The International Legal Framework Regulating Armed Drones, 65 Int’l Comp. L.Q. 791, 823 (2016) (“In its customary form, at least the negative obligation not arbitrarily to deprive someone of their life appears not to be limited to application within a State’s territory. Indeed, the Universal Declaration of Human Rights does not contain a limitation clause on its geographical application and simply states that '[e]veryone has the right to life'.”).
  154. See Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic’, (2020) 11 J. Nat’l Security L. & Pol’y 247, 265.
  155. Centre for Legal Resources on behalf of Valentin Câmpeanu v. Romania, No. 47848/08, Eur. Ct. H.R. ¶130 (2014).
  156. European Court of Human Rights, ‘Guide on Article 2 of the European Convention on Human Rights’ ¶9 (2021).
  157. See Case of Calvelli and Ciglio v. Italy, No. 32967/96, Eur. Ct. H.R. ¶49 (2002) (finding that the positive obligations under Article 2(1) “require States to make regulations compelling hospitals, . . . to adopt appropriate measures for the protection of their patients' lives” and that “[t]hey also require an effective independent judicial system to be set up” to hold those responsible for patient deaths accountable).

4.3 Bibliography and further reading

4.4 Contributions
