State responsibility

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

State responsibility
Responsibility of States for internationally wrongful acts is a well-established concept in international law, resulting from the fact that each State has a legal personality and can bear legal obligations.[1] The law of State responsibility is largely customary in nature; its codification is provided by the International Law Commission's Articles on State Responsibility.[2] While some of the Articles are more controversial, they are generally accepted as reflective of customary law.[3] The law of State responsibility also applies to cyber operations and other cyber activities.[4]

Every internationally wrongful act of a State – entailing both acts and omissions –, has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.[5]Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.[6]

An internationally wrongful act entails the State’s international responsibility and gives rise to legal consequences, including the obligation to cease the conduct (if applicable) and the obligation to make full reparation for the injury caused.[7]

Publicly available national positions that address this issue include: Common position of the African Union (2024) (2024), National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Costa Rica (2023) (2023), National position of Denmark (2023) (2023), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of the Republic of Poland (2022) (2022), National position of Romania (2021) (2021), National position of the Russian Federation (2021) (2021), National position of the Kingdom of Sweden (2022) (2022), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2021) (2021).

National positions[edit | edit source]

African Union (2024)[edit | edit source]

"61. Subject to the emergence of specific rules of attribution, the African Union affirms that the customary rules on State responsibility, as reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts provide the applicable rules of the attribution to States of conduct undertaken through ICTs in cyberspace.

62. The African Union is of the view that, in conformity with the relevant rules of international law, the burden to substantiate a claim that a State has committed an internationally wrongful act through ICTs in cyberspace is on the State making such a claim. The African Union also underscores the importance of cooperation, including between national authorities, such as Computer Emergency Response Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs), to detect, investigate, prevent, and halt internationally wrongful acts undertaken through ICTs in cyberspace.

63. The African Union underscores that responses to internationally wrongful acts committed through ICTs in cyberspace should be in accordance with its obligations under the UN Charter, especially the obligations relating to the peaceful settlement of disputes, and the other applicable rules of international law, including the obligation to respect the territorial sovereignty of States."[8]

Australia (2020)[edit | edit source]

"The customary international law on State responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations."[9]

Brazil (2021)[edit | edit source]

"Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.

While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status."[10]

Canada (2022)[edit | edit source]

"28. The international law of State responsibility applies across the whole spectrum of substantive areas of international law, including in cyberspace. It governs such issues as the attribution of internationally wrongful acts to States. It also addresses circumstances precluding wrongfulness, including countermeasures, and possible remedies. The law of State responsibility is not concerned with the legality of the use of force, including in self-defence, which is a separate area of international law.

29. In Canada’s view, this well-established body of international law is not only applicable, but highly relevant in relation to contemporary cyber activities. To date, all publicly known malicious cyber activities have been widely interpreted by States as falling below the threshold (or thresholds) of the threat or use of force or armed attacks."[11]

"30. An internationally wrongful act in the cyber context is a cyber-related action or omission that: constitutes a breach of an international legal obligation, whether to another State or the entire international community; and is attributable to a State under international law.

31. International law recognises exceptions to what would otherwise be internationally wrongful acts. Examples include cases of self-defence and countermeasures."[12]

Costa Rica (2023)[edit | edit source]

"10. Costa Rica believes that, under customary international law, as codified in Articles 1 and 2 of the International Law Commission (ILC)’s Articles on Responsibility of States for Internationally Wrongful Acts (‘the ILC Articles’), cyber operations may amount to internationally wrongful acts engaging the responsibility of a State when they can be attributed to it and involve a breach of its international obligation(s)."[13]

Denmark (2023)[edit | edit source]

"Denmark is of the view that the general rules of State responsibility apply in cyberspace. A State bears international responsibility if it breaches an international obligation owed to another State. A State may be responsible under international law for acts undertaken by an organ of the State or by actors exercising government authority on behalf of that State. Acts by a non-State actor may be attributable to a State where the non-State actor carries out a cyber operation under the instruction of, or under the direction or control of that State, or where the State actor acknowledges and adopts the operations carried out by the non-State actor as its own.

Each State may decide whether to publicly attribute cyber acts to other States or not. There is no obligation under international law for States to share documentation or other evidence supporting an attribution. The application of international law and State responsibility does not depend on public attribution."[14]

Estonia (2019)[edit | edit source]

"[...] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out."[15]

Estonia (2021)[edit | edit source]

The law of state responsibility is a cornerstone for responsible state behaviour in cyberspace when it comes to assessing the unlawfulness of cyber operations below the threshold of use of force.

"The law of state responsibility includes key principles that govern when and how a state is held responsible for cyber operations that constitute a breach of international obligation, by either an act or an omission. A cyber operation can constitute an internationally wrongful act if it is attributable under international law and it constitutes a breach of international obligation under the law of state responsibility. States must comply with customary international law mirrored in the Articles for Responsibility of States for Internationally Wrongful Acts.

States are responsible for their activities in cyberspace. States are accountable for their internationally wrongful cyber operations just as they would be responsible for any other activity according to international treaties or customary international law. State responsibility applies regardless of whether such acts are carried out by a state or non-state actors instructed, directed or controlled by a state.

States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors and proxies. For example, if a hacker group launches cyber operations which have been tailored according to instructions from a state, or the cyber operations are directed or controlled by that state, state responsibility can be established."[16]

"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."

[...]

"According to Article 2(a) of ARSIWA, an internationally wrongful act of a state has taken place when the conduct consisting of an action or omission is attributable to a state and the action or omission is wrongful under international law."[17]

Finland (2020)[edit | edit source]

"The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged."[18]

Italy (2021)[edit | edit source]

"Italy concurs with the view that attribution of cyber wrongful acts from one State to another is governed by the general rules of international law on the attribution of State conduct as codified by the International Law Commission (ILC) Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA). Still, Italy acknowledges the difficulties of applying the ARSIWA in a peculiar environment such as cyberspace."[19]

Japan (2021)[edit | edit source]

"Internationally wrongful acts committed by a State in cyberspace entail State responsibility. An internationally wrongful act occurs when the conduct of a State consisting of an action or omission violates an obligation prescribed by primary rules of international law. In the case of cyber operations as well, there is an internationally wrongful act when a State violates primary rules, including the principles of sovereignty, non-intervention, prohibition of the use of force, as well as various principles of international humanitarian law such as the principle of prohibition of attacks on civilian objects, and respect for basic human rights."[20]

"Regarding cyber operations as well, a State responsible for an internationally wrongful act is under the following obligations. First, the State shall cease the act if it is continuing. In addition, the State shall offer appropriate assurances and guarantees of non-repetition, if circumstances so require. Besides, the responsible State is under an obligation to make full reparation for the injury caused by the internationally wrongful act."

[...]

"There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law."[21]

New Zealand (2020)[edit | edit source]

"Where a state is subject to cyber activity that amounts to an internationally wrongful act, it may also invoke the international legal responsibility of the responsible state. States are responsible for internationally wrongful acts that can be attributed to them, including wrongful cyber activities."[22]

Norway (2021)[edit | edit source]

Key message
In order for a State to be held internationally responsible for a cyber operation, the operation has to be attributable to the State under international law.

A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.

"The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.

In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory."[23]

Poland (2022)[edit | edit source]

6. A state is responsible for actions in cyberspace that violate international law

"Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”)."[24]

Romania (2021)[edit | edit source]

"There is an internationally wrongful act of a State when conduct consisting of an action or omission is:

  • attributable to the State under international law; and
  • constitutes a breach of an international obligation of the State

Therefore, from the perspective of state responsibility under international law, attribution is one of the components".[25]

[...]

"Once attributed to a State and determined that the conduct constitutes a breach of an international obligation (the 2nd component), the international responsibility of that State is entailed and can be invoked by the injured State either individually (if the obligation breached is owed to that State or if that State was otherwise affected by the conduct) or collectively with other States if the obligation breached was owed to a group of States (including that State) or to the international community as a whole; the invocation of the responsibility of a State is a matter of political choice; however, the responsibility of a State for an international wrongful act is an objective circumstance from the legal standpoint, which exists independent of its invocation by the injured State(s); nevertheless, under draft articles of State responsibility there is a certain procedure to be followed by the injured State invoking the responsibility of another State (therefore a pubic invocation may not suffice)."[26]

Russia (2021)[edit | edit source]

"The possibility of attributing responsibility for particular actions in information space to States demands further study on the basis of the existing international law. The international responsibility of a State is conditioned to the commission of an internationally wrongful act by this State. According to the Articles on Responsibility of States for Internationally Wrongful Acts (elaborated by the UN International Law Commission in 2001, taken note in the UNGA resolution A/RES/56/83), there is an internationally wrongful act of a State when conduct consisting of an action or omission: 1) is attributable to the State under international law; 2) constitutes a breach of an international legal obligation of the State. The characterization of an act of a State as internationally wrongful is governed by international law. Such characterization is not affected by the characterization of the same act as lawful by internal law (article 3)."[27]

[...]

"Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence."[28]

Sweden (2022)[edit | edit source]

"An internationally wrongful act by a State entails the responsibility of that State under international law. The articles on State responsibility drafted by the International Law Commission constitute secondary norms of international law, identifying conditions when a State is internationally responsible for wrongful acts and the effects thereof. The general norms on State responsibility apply also in relation to wrongful acts in the cyber context.

Technical difficulties pose new challenges in identifying those responsible for cyber operations, compared with kinetic operations, but the rules on attribution under the law of State responsibility also apply in a cyber context."[29]

Switzerland (2021)[edit | edit source]

"The customary international rules on state responsibility are largely reflected in the draft articles issued by International Law Commission. They are also applicable to cyber incidents. They provide that any state action in violation of international law shall entail the international responsibility of that state, upon which a claim for full reparation may be made. This only applies if the action can be legally attributed to the state and is deemed to constitute an internationally wrongful act, i.e. in violation of international law."[30]

United Kingdom (2018)[edit | edit source]

"There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.

The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commissions Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control."[31]

United Kingdom (2021)[edit | edit source]

"A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility."[32]

United Kingdom (2022)[edit | edit source]

"I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation."[33]

United States (2021)[edit | edit source]

"Both the 2013 and 2015 GGE reports concluded that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. In addition, they must not use proxies to commit internationally wrongful acts using ICTs.

Under the law of State responsibility, a State is responsible for an internationally wrongful act when there is an act or omission that is attributable to it under international law that constitutes a breach of an international obligation of the State. Cyber activities may therefore constitute internationally wrongful acts under the law of State responsibility if they are inconsistent with an international obligation of the State and are attributable to it."[34]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 1.
  2. Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
  3. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 65.
  4. UN GGE 2015 'Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report' (22 July 2015) UN Doc A/70/174, para 28(f); Tallinn Manual 2.0, commentary to rule 14, para 1. See also, e.g., Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated) (‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’); Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 1 (‘Any violation of [obligations under international law that apply to states in cyberspace] that is attributable to a state constitutes an internationally wrongful act, unless there is a ground for precluding the wrongfulness of an act recognised in international law’); United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017) (‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime’).
  5. ILC Articles on State Responsibility, Art 2.
  6. ILC Articles on State Responsibility, Arts 20-26.
  7. ILC Articles on State Responsibility, Arts 28, 30 and 31.
  8. African Union Peace and Security Council, "Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace" (29 January 2024) 10.
  9. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  10. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 20-21.
  11. Government of Canada, International Law applicable in cyberspace, April 2022
  12. Government of Canada, International Law applicable in cyberspace, April 2022
  13. Ministry of Foreign Affairs of Costa Rica, "Costa Rica's Position on the Application of International Law in Cyberspace" (21 July 2023) 3 (footnotes omitted).
  14. Government of Denmark, "Denmark’s Position Paper on the Application of International Law in Cyberspace"(4 July 2023) 7.
  15. President of Estonia: international law applies also in cyber space, 29 May 2019
  16. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 27-28.
  17. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, (August 2021) 28.
  18. International law and cyberspace - Finland's national position
  19. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,5-6.
  20. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 3-4
  21. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 4.
  22. The Application of International Law to State Activity in Cyberspace (1 December 2020) 3.
  23. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 70.
  24. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 6.
  25. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 78.
  26. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 79.
  27. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  28. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  29. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,5
  30. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 5.
  31. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
  32. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  33. Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
  34. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141.

Bibliography and further reading[edit | edit source]