Sovereignty

Definition

Sovereignty is a core principle of international law. According to a widely accepted definition in the Island of Palmas arbitral award of 1928,

[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.^[1]

According to multiple declarations by the UN,^[2] NATO,^[3] OSCE,^[4] and individual States, international law applies in cyberspace, and hence also the principle of sovereignty applies in cyberspace. It is the subject of some debate to what extent this principle operates as a standalone rule of international law.

• For the proponents of this view, the prohibition on violation of sovereignty is a substantive primary rule of international law. This view is at the basis of the analysis in the Tallinn Manual^[5] and it has reportedly not been challenged by any of over fifty States that had participated in the process of consultations of the Manual in 2017.^[6]
• By contrast, the opposing view considers that sovereignty is ‘a principle of international law that guides state interactions, but is not itself a binding rule‘.^[7] It was originally formulated by two high-level US government legal advisors writing in their private capacity^[8] and it has since been endorsed at least by the UK attorney general.^[9]

The remainder of this section proceeds on the basis of the former ‘sovereignty-as-rule’ approach. Those espousing the latter ‘sovereignty-as-principle’ approach should refer to the prohibition of intervention.

The ‘internal’ facet of sovereignty entails that ‘[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.’^[10]

Each State’s sovereignty is protected by international law from violation by other States.^[11] It is clear that a cyber operation with severe destructive effects, comparable to a ‘non-cyber’ armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.

The following options have been proposed in the Tallinn Manual 2.0:

1. A State organ conducting cyber operations against State A while physically present in State A’s territory violates the State’s sovereignty.^[12]  This was agreed by all Experts drafting the Manual; however, ‘a few’ of the Experts thought that the extensive State practice carved out an exception for espionage operations.^[13]
2. Causation of physical consequences by remote means;^[14] again, ‘a few’ Experts took the position that this is not a determinative factor by itself;^[15]
3. Causation of a loss of functionality of cyber infrastructure: no consensus could be achieved as to the precise threshold (the necessity of reinstallation of operating system or other software was proposed but not universally accepted); ^[16]
4. Interference with data or services that are necessary for the exercise of ‘inherently governmental functions’;^[17] although the Experts could not definitively define the term ‘inherently governmental functions’, they agreed that the conduct of elections would so qualify;^[18]
5. Usurpation of ‘inherently governmental functions’, such as exercise of law enforcement functions in another State’s territory without justification. ^[19]

Attributing the conduct to a State different from State A is a necessary prerequisite for qualifying it as a violation of sovereignty. Non-State actors cannot violate sovereignty on their own.

Appendixes

See also

• General matters 001: Attribution
• General matters 002: Countermeasures

Notes and references

Bibliography and further reading

• MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
• Etc.

External links

• (...)