Targeted restrictive measures

From International cyber law: interactive toolkit
Jump to navigation Jump to search

Definition[edit | edit source]

Targeted restrictive measures

The term “targeted restrictive measures” denotes sanctions taken by States outside of the framework of the United Nations, against individuals or companies which are being held responsible for conducting – or being otherwise involved in the conduct of – a cyber operation. Typically, restrictive measures take the form of travel bans or asset freezes for individuals and companies, but may also include other measures.[1]

Targeted restrictive measures are measures typically taken within the domestic legal framework of a State or a group of States and operate territorially within the jurisdiction of that State or group of States. By virtue of their internal sovereignty, States are in principle free to adopt any measures they consider necessary or appropriate with regard to persons engaged in cyber activities.[2]

To assess the legality of such restrictive measures taken within the domestic legal framework, it is necessary to inquire whether they violate any applicable international legal obligations of the acting State. This may be the case, for instance, if the targeted persons or entities enjoy jurisdictional immunities[3] or if the measures in question affect rights granted by an international agreement between the acting State and the State where such persons or entities are based (such as a bilateral trade agreement). In this case, the acting State would need to be able to invoke circumstances precluding the wrongfulness of such measures, in order for their imposition to be justified.[4] If no international legal obligations are breached, the restrictive measures are permissible under international law and may be qualified at most as acts of retorsion. Provided that these conditions are met, States may also impose such restrictive measures collectively.[5]

Publicly available national positions that address this issue include: National position of Estonia (2019) (2019), National position of the Netherlands (2019) (2019).

National positions[edit | edit source]

Estonia (2019)[edit | edit source]

"More than simply attributing, we must take a stance that harmful cyber operations cannot be carried out without consequences. One good example would be EU’s Cyber Diplomacy Toolbox, which foresees a framework for joint EU diplomatic response to malicious cyber activities. Two weeks ago, EU Member States agreed on a horizontal framework which will allow to impose restrictive measures, or sanctions, against malicious cyber operations in similar manner as it is possible for terrorist acts or use of chemical weapons. Several allies have already taken diplomatic steps or set in place economic restrictive measures against adversarial states, or individuals responsible for harmful cyber operations."[6]

Netherlands (2019)[edit | edit source]

"As the international debate on the application and scope of international law in cyberspace proceeds, some countries continue to engage in harmful activities. Diplomatic measures against undesirable state-led cyber operations, ideally coordinated at international level or in coalition with like-minded countries, can be an effective way to strengthen the international legal order and protect security interests at home and abroad. The government is therefore working to strengthen our capacity to mount a diplomatic and political response to cyber operations that undermine our interests. The international response after the foiled cyber operation targeting the OPCW is a good example of this. The efforts of the mission network are essential in this respect, so as to ensure coordinated action. When assessing the options for responding, the focus above all must be on carefully and comprehensively weighing up the Netherlands’ interests, including those in the realm of security.

In order to provide further structure to international cooperation at EU level, an EU cyber diplomacy 'toolbox’ has been developed, at the Netherlands’ initiative.6 The toolbox is a framework which allows various instruments of the Common Foreign and Security Policy to be used to hold parties conducting harmful cyber activities to account. In this connection, on 17 May 2019 an EU cyber sanctions regime was introduced at the Netherlands’ initiative, making it possible to freeze assets and impose entry bans."[7]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. See e.g. Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, ST/7299/2019/INIT, OJ L 129I, 17.5.2019, p. 13–19, Art. 1.
  2. Tallinn Manual 2.0, commentary to rule 2, paras 1-2.
  3. See, e.g., Jurisdictional Immunities of the State (Germany v. Italy: Greece intervening) (Judgment) [2012] ICJ Rep. 99, para 136; but cf. Tom Ruys, ‘Non-UN Financial Sanctions against Central Banks and Heads of State: in breach of international immunity law?’ EJILTalk!, 12 May 2017 (arguing that State immunity is only recognized in judicial proceedings, not against administrative or executive actions).
  4. ILC Articles on State Responsibility, Art 22.
  5. See, eg, Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 17 (“Unlike countermeasures, international law does not restrict nations from collaborating on retorsion. For instance, if a state has repeatedly acted maliciously in cyberspace with targets in multiple states, all of those states could collectively engage in sanctions or release a joint public statement condemning the bad actor.”).
  6. President of Estonia: international law applies also in cyber space, 29 May 2019
  7. Dutch Minister of Foreign Affairs, Letter to the parliament on the international legal order in cyberspace, 5 July 2019., 2-3.

Bibliography and further reading[edit | edit source]