State responsibility

From International cyber law: interactive toolkit
Revision as of 13:59, 22 June 2022 by Ccdcoe630 (talk | contribs)
Jump to navigation Jump to search

Definition

State responsibility
Responsibility of States for internationally wrongful acts is a well-established concept in international law, resulting from the fact that each State has a legal personality and can bear legal obligations.[1] The law of State responsibility is largely customary in nature; its codification is provided by the Draft Articles on the Responsibility of States for Internationally Wrongful Acts.[2] While some of the Articles are more controversial, they are generally accepted as reflective of customary law.[3] The law of State responsibility also applies to cyber operations and other cyber activities.[4]

Every internationally wrongful act of a State has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.[5]Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.[6]

Publicly available national positions that address this issue include: National position of Australia (2020) (2020), National position of Brazil (2021) (2021), National position of Canada (2022) (2022), National position of Estonia (2019) (2019), National position of Estonia (2021) (2021), National position of Finland (2020) (2020), National position of France (2019) (2019), National position of the Italian Republic (2021) (2021), National position of Japan (2021) (2021), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Romania (2021) (2021), National position of the Russian Federation (2021) (2021), National position of Switzerland (2021) (2021), National position of the United Kingdom (2018) (2018), National position of the United Kingdom (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2012) (2012), National position of the United States of America (2016) (2016), National position of the United States of America (2021) (2021).

National positions

Australia (2020)

"The customary international law on State responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations."[7]

Brazil (2021)

"Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.

While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status."[8]

Canada (2022)

"28. The international law of State responsibility applies across the whole spectrum of substantive areas of international law, including in cyberspace. It governs such issues as the attribution of internationally wrongful acts to States. It also addresses circumstances precluding wrongfulness, including countermeasures, and possible remedies. The law of State responsibility is not concerned with the legality of the use of force, including in self-defence, which is a separate area of international law.

29. In Canada’s view, this well-established body of international law is not only applicable, but highly relevant in relation to contemporary cyber activities. To date, all publicly known malicious cyber activities have been widely interpreted by States as falling below the threshold (or thresholds) of the threat or use of force or armed attacks."[9]

"30. An internationally wrongful act in the cyber context is a cyber-related action or omission that: constitutes a breach of an international legal obligation, whether to another State or the entire international community; and is attributable to a State under international law.

31. International law recognises exceptions to what would otherwise be internationally wrongful acts. Examples include cases of self-defence and countermeasures."[10]

Estonia (2019)

"[...] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out."[11]

Estonia (2021)

The law of state responsibility is a cornerstone for responsible state behaviour in cyberspace when it comes to assessing the unlawfulness of cyber operations below the threshold of use of force.

"The law of state responsibility includes key principles that govern when and how a state is held responsible for cyber operations that constitute a breach of international obligation, by either an act or an omission. A cyber operation can constitute an internationally wrongful act if it is attributable under international law and it constitutes a breach of international obligation under the law of state responsibility. States must comply with customary international law mirrored in the Articles for Responsibility of States for Internationally Wrongful Acts.

States are responsible for their activities in cyberspace. States are accountable for their internationally wrongful cyber operations just as they would be responsible for any other activity according to international treaties or customary international law. State responsibility applies regardless of whether such acts are carried out by a state or non-state actors instructed, directed or controlled by a state.

States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors and proxies. For example, if a hacker group launches cyber operations which have been tailored according to instructions from a state, or the cyber operations are directed or controlled by that state, state responsibility can be established."[12]

"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."

[...]

"According to Article 2(a) of ARSIWA, an internationally wrongful act of a state has taken place when the conduct consisting of an action or omission is attributable to a state and the action or omission is wrongful under international law."[13]

Finland (2020)

"The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged."[14]

France (2019)

Italy (2021)

"Italy concurs with the view that attribution of cyber wrongful acts from one State to another is governed by the general rules of international law on the attribution of State conduct as codified by the International Law Commission (ILC) Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA). Still, Italy acknowledges the difficulties of applying the ARSIWA in a peculiar environment such as cyberspace."[15]

Japan (2021)

"Internationally wrongful acts committed by a State in cyberspace entail State responsibility. An internationally wrongful act occurs when the conduct of a State consisting of an action or omission violates an obligation prescribed by primary rules of international law. In the case of cyber operations as well, there is an internationally wrongful act when a State violates primary rules, including the principles of sovereignty, non-intervention, prohibition of the use of force, as well as various principles of international humanitarian law such as the principle of prohibition of attacks on civilian objects, and respect for basic human rights."[16]

"Regarding cyber operations as well, a State responsible for an internationally wrongful act is under the following obligations. First, the State shall cease the act if it is continuing. In addition, the State shall offer appropriate assurances and guarantees of non-repetition, if circumstances so require. Besides, the responsible State is under an obligation to make full reparation for the injury caused by the internationally wrongful act."

[...]

"There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law."[17]

New Zealand (2020)

"Where a state is subject to cyber activity that amounts to an internationally wrongful act, it may also invoke the international legal responsibility of the responsible state. States are responsible for internationally wrongful acts that can be attributed to them, including wrongful cyber activities."[18]

Norway (2021)

Key message
In order for a State to be held internationally responsible for a cyber operation, the operation has to be attributable to the State under international law.

A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.

"The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.

In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory."[19]

Romania (2021)

"There is an internationally wrongful act of a State when conduct consisting of an action or omission is:

  • attributable to the State under international law; and
  • constitutes a breach of an international obligation of the State

Therefore, from the perspective of state responsibility under international law, attribution is one of the components".[20]

[...]

"Once attributed to a State and determined that the conduct constitutes a breach of an international obligation (the 2nd component), the international responsibility of that State is entailed and can be invoked by the injured State either individually (if the obligation breached is owed to that State or if that State was otherwise affected by the conduct) or collectively with other States if the obligation breached was owed to a group of States (including that State) or to the international community as a whole; the invocation of the responsibility of a State is a matter of political choice; however, the responsibility of a State for an international wrongful act is an objective circumstance from the legal standpoint, which exists independent of its invocation by the injured State(s); nevertheless, under draft articles of State responsibility there is a certain procedure to be followed by the injured State invoking the responsibility of another State (therefore a pubic invocation may not suffice)."[21]

Russia (2021)

"The possibility of attributing responsibility for particular actions in information space to States demands further study on the basis of the existing international law. The international responsibility of a State is conditioned to the commission of an internationally wrongful act by this State. According to the Articles on Responsibility of States for Internationally Wrongful Acts (elaborated by the UN International Law Commission in 2001, taken note in the UNGA resolution A/RES/56/83), there is an internationally wrongful act of a State when conduct consisting of an action or omission: 1) is attributable to the State under international law; 2) constitutes a breach of an international legal obligation of the State. The characterization of an act of a State as internationally wrongful is governed by international law. Such characterization is not affected by the characterization of the same act as lawful by internal law (article 3)."[22]

[...]

"Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence."[23]

Switzerland (2021)

"The customary international rules on state responsibility are largely reflected in the draft articles issued by International Law Commission. They are also applicable to cyber incidents. They provide that any state action in violation of international law shall entail the international responsibility of that state, upon which a claim for full reparation may be made. This only applies if the action can be legally attributed to the state and is deemed to constitute an internationally wrongful act, i.e. in violation of international law."[24]

United Kingdom (2018)

"There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.

The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commissions Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control."[25]

United Kingdom (2021)

"A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility."[26]

United Kingdom (2022)

"I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation."[27]

United States (2012)

United States (2016)

"From a legal perspective, the customary international law of state responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise governmental authority are attributable to that State, if such organs, persons, or entities are acting in that capacity.

Additionally, cyber operations conducted by non-State actors are attributable to a State under the law of state responsibility when such actors engage in operations pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own.

Thus, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies. When there is information — whether obtained through technical means or all-source intelligence — that permits a cyber act engaged in by a non-State actor to be attributed legally to a State under one of the standards set forth in the law of state responsibility, the victim State has all of the rights and remedies against the responsible State allowed under international law.

The law of state responsibility does not set forth explicit burdens or standards of proof for making a determination about legal attribution. In this context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not—and cannot be—required. Instead, international law generally requires that States act reasonably under the circumstances when they gather information and draw conclusions based on that information.

I also want to note that, despite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law."[28]

United States (2021)

"Both the 2013 and 2015 GGE reports concluded that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. In addition, they must not use proxies to commit internationally wrongful acts using ICTs.

Under the law of State responsibility, a State is responsible for an internationally wrongful act when there is an act or omission that is attributable to it under international law that constitutes a breach of an international obligation of the State. Cyber activities may therefore constitute internationally wrongful acts under the law of State responsibility if they are inconsistent with an international obligation of the State and are attributable to it."[29]

Appendixes

See also

Notes and references

  1. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 1.
  2. Draft Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
  3. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 65.
  4. UN GGE 2015 'Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report' (22 July 2015) UN Doc A/70/174, para 28(f); Tallinn Manual 2.0, commentary to rule 14, para 1. See also, e.g., Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated) (‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’); Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 1 (‘Any violation of [obligations under international law that apply to states in cyberspace] that is attributable to a state constitutes an internationally wrongful act, unless there is a ground for precluding the wrongfulness of an act recognised in international law’); United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017) (‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime’).
  5. Articles on State Responsibility, Art 2.
  6. Articles on State Responsibility, Arts 20-26.
  7. Australian Government, Australia's position on how international law applies to State conduct in cyberspace
  8. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 20-21.
  9. Government of Canada, International Law applicable in cyberspace, April 2022
  10. Government of Canada, International Law applicable in cyberspace, April 2022
  11. President of Estonia: international law applies also in cyber space, 29 May 2019
  12. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 27-28.
  13. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, (August 2021) 28.
  14. International law and cyberspace - Finland's national position
  15. Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,5-6.
  16. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 3-4
  17. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 4.
  18. The Application of International Law to State Activity in Cyberspace (1 December 2020) 3.
  19. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 70.
  20. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 78.
  21. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 79.
  22. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  23. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  24. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 5.
  25. Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
  26. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  27. Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
  28. Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 17-20.
  29. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141.

Bibliography and further reading

Retrieved from "https://cyberlaw.ccdcoe.org/wiki/State_responsibility?oldid=3456"