Countries – Cyber Justice Watch Institute

National position of the United States of America (2021)
http://cjwi.org/fa/en/national-position-of-the-united-states-of-america-2021/
Mon, 21 Aug 2023 12:17:46 +0000

Introduction

This is the national position of the United States of America on international law applicable to cyberspace. The position[1] was submitted by the United States of America and included in the official UNGGE compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States.[2] The compendium was publicly released in August 2021.[3]

Applicability of international law

“The United States believes that fostering discussion on how States understand their existing rights and obligations under international law, including with respect to self-defense, use of force, and armed conflict, apply in cyberspace actually promotes greater predictability and reduces the risk of unintended conflict.”[4]

“There are two related bodies of international law that are relevant to the question of how existing international law applies to ICTs and the use of force in and through cyberspace: jus ad bellum (the body of law that addresses, inter alia, uses of force triggering a State’s right to use force in self-defense) and jus in bello (the body of law governing the conduct of hostilities in the context of armed conflict).”[5]

Use of force

“Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In determining whether a cyber activity constitutes a use of force prohibited by Article 2(4) of the UN Charter and customary international law or an armed attack sufficient to trigger a State’s inherent right of self defense, States should consider the nature and extent of injury or death to persons and the destruction of, or damage to, property. Although this is necessarily a case-by-case, fact-specific inquiry, cyber activities that proximately result in death, injury, or significant destruction, or represent an imminent threat thereof, would likely be viewed as a use of force / armed attack. If the physical consequences of a cyber activity result in the kind of damage that dropping a bomb or firing a missile would, that cyber activity should equally be considered a use of force / armed attack.

Some of the factors States should evaluate in assessing whether an event constitutes an actual or imminent use of force / armed attack in or through cyberspace include the context of the event, the actor perpetrating the action (recognizing the challenge of attribution in cyberspace, including the ability of an attacker to masquerade as another person/entity or manipulate transmission data to make it appear as if the cyber activity was launched from a different location or by a different person), the target and its location, the effects of the cyber activity, and the intent of the actor (recognizing that intent, like the identity of the attacker, may be difficult to discern, but that hostile intent may be inferred from the particular circumstances of a cyber activity), among other factors.”[6]

Self-defence and armed attack

“A State’s inherent right of self-defense, recognized in Article 51 of the UN Charter, may in certain circumstances be triggered by cyber activities that amount to an actual or imminent armed attack. This inherent right of self-defense against an actual or imminent armed attack in or through cyberspace applies whether the attacker is a State actor or a non-State actor. There is no requirement that a State defend itself using the same capabilities with which it is being attacked. States may employ cyber capabilities that rise to the level of a use of force as a means of self-defense against a kinetic armed attack (i.e., one that was not launched in or through cyberspace). Additionally, States may in certain circumstances use kinetic military force in self-defense against an armed attack in or through cyberspace.

The use of force in self-defense must be limited to what is necessary and proportionate to address the imminent or actual armed attack in or through cyberspace. Before resorting to forcible measures in self-defense against an actual or imminent armed attack in or through cyberspace, States should consider whether passive cyber defenses or active defenses below the threshold of the use of force would be sufficient to neutralize the armed attack or imminent threat thereof.”[7]

International humanitarian law (jus in bello)

“The 2015 GGE report recognized the applicability of the established jus in bello principles of humanity, necessity, proportionality, and distinction in cyberspace. The applicability of the jus in bello more broadly to States’ use of ICTs has been reaffirmed by a large number of Member States.

[…]

The United States has also elaborated on how these principles would apply to cyber capabilities under an armed conflict. For example, the principle of distinction requires that only legitimate military objectives be made the object of attack. In the context of cyber capabilities used in armed conflict, the principle of distinction requires that only legitimate military objectives be made the object of attack.

The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects which would be excessive in relation to the concrete and direct military advantage anticipated. In the cyber context, this rule would require parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians. In addition to the potential physical damage that a cyber activity may cause, such as death or injury that may result from effects on critical infrastructure, parties must assess the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance but may be networked to military objectives.

In addition, when using cyber capabilities in armed conflict, States must comply with their obligations under international humanitarian law related to the protection of medical personnel and facilities. For example, medical personnel and facilities must not be knowingly attacked or unnecessarily prevented from discharging their proper functions, and parties to a conflict must take feasible precautions to reduce the risk of incidental harm to the civilian population and other protected persons and objects, including medical personnel and facilities.

The United States has specifically addressed how its international humanitarian law obligations apply to cyberspace operations in the context of armed conflict in the Department of Defense’s Law of War Manual, reflecting a commitment to ensure that U.S. legal obligations are understood and respected by its military. Several other States have taken similar steps to share their views on how international humanitarian law applies and / or address cyber specifically in their military manuals.”[8]

Principle of precautions

“In addition, when using cyber capabilities in armed conflict, States must comply with their obligations under international humanitarian law related to the protection of medical personnel and facilities. For example, medical personnel and facilities must not be knowingly attacked or unnecessarily prevented from discharging their proper functions, and parties to a conflict must take feasible precautions to reduce the risk of incidental harm to the civilian population and other protected persons and objects, including medical personnel and facilities.

The United States has specifically addressed how its international humanitarian law obligations apply to cyberspace operations in the context of armed conflict in the Department of Defense’s Law of War Manual, reflecting a commitment to ensure that U.S. legal obligations are understood and respected by its military. Several other States have taken similar steps to share their views on how international humanitarian law applies and / or address cyber specifically in their military manuals.”[9]

Attack (international humanitarian law)

“The United States recognizes that cyber activities in the context of an armed conflict may in certain circumstances constitute an “attack” for purposes of the application of the jus in bello rules that govern the conduct of hostilities, including the principles of humanity, necessity, proportionality, and distinction recognized in the 2015 GGE report”.[10]

Sovereignty

“As recognized in the 2013 and 2015 GGE reports, State sovereignty and the international principles that flow from sovereignty apply to States’ ICT-related activities and to their jurisdiction over ICT infrastructure within their territory.

The United States believes that State sovereignty, among other long-standing international legal principles, must be taken into account in the conduct of activities in cyberspace. Whenever a State contemplates conducting activities in cyberspace, the equal sovereignty of other States needs to be considered.

The implications of sovereignty for cyber activities are complex, but we can start by noting two important implications of sovereignty for ICT-related activities. First, we acknowledge the continuing relevance of territorial jurisdiction, even to cyber activities, and second, we acknowledge the exercise of jurisdiction by the territorial State is not unlimited; it must also be consistent with applicable international law, including international human rights obligations.”[11]

“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions.”[12]

Prohibition of intervention

“Among other international legal principles, the 2015 GGE report acknowledges the principle of non-intervention in the internal affairs of other States. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. Other States have made similar observations. Further, a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population–for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic–could be considered a violation of the rule of non-intervention.”[13]

Peacetime cyber espionage

“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions.”[14]

International human rights law

“Finally, while the physical infrastructure that supports the Internet and cyber activities is generally located in sovereign territory and is subject to the jurisdiction of the territorial State, the exercise of jurisdiction by the territorial State is not unlimited. It must be consistent with applicable international law, including international human rights obligations. The 1948 Universal Declaration of Human Rights (UDHR) says: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” All human beings hold certain rights, whether they choose to exercise them in a city square or an Internet chat room. The right to freedom of expression is well-established internationally in both the UDHR and the International Covenant on Civil and Political Rights. Both of these instruments clearly state that this right can be exercised through any media and regardless of frontiers. Both of these instruments set forth the right of individuals to publish, to create art, to practice their religions, and to gather together and discuss issues of the day. Regardless of whether these activities occur online or offline, they are governed by the same principles.”[15]

Due diligence

“In recent public statements on how international law applies in cyberspace, a few States have referenced the concept of “due diligence”: that States have a general international law obligation to take steps to address activity emanating from their territory that is harmful to other States, and that such a general obligation applies more specifically, as a matter of international law, to cyber activities. The United States has not identified the State practice and opinio juris that would support a claim that due diligence currently constitutes a general obligation under international law. We do believe, however, that if a State is notified of harmful activity emanating from its territory it must take reasonable steps to address such activity.”[16]

State responsibility

“Both the 2013 and 2015 GGE reports concluded that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. In addition, they must not use proxies to commit internationally wrongful acts using ICTs.

Under the law of State responsibility, a State is responsible for an internationally wrongful act when there is an act or omission that is attributable to it under international law that constitutes a breach of an international obligation of the State. Cyber activities may therefore constitute internationally wrongful acts under the law of State responsibility if they are inconsistent with an international obligation of the State and are attributable to it.”[17]

Attribution

“The law of State responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise elements of governmental authority are attributable to that State. As important, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies; cyber operations conducted by non-State actors are attributable to a State under the law of State responsibility when such operations are engaged in pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own. Thus, when there is information – whether obtained through technical means or all-source intelligence – that permits attribution of a cyber act of an ostensibly non-State actor to a State under the international law of State responsibility, the victim State has all of the rights and remedies against the responsible State permitted to it under international law.

The law of State responsibility does not set forth burdens or standards of proof for attribution. Such questions may be relevant for judicial or other types of proceedings, but they do not apply as an international legal matter to a State’s determination about attribution of internationally wrongful cyber acts for purposes of its response to such acts, including by taking unilateral, self-help measures permissible under international law, such as countermeasures. In that context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not required. Instead, international law generally requires that States act reasonably under the circumstances. Similarly, there is no international legal obligation to reveal evidence on which attribution is based. But to facilitate global understanding of emerging state practice in this rapidly developing area, public attributions should, wherever feasible, include sufficient evidence to allow corroboration or cross-checking of allegations.

Attribution plays an important role in States’ responses to malicious cyber activities as a matter of international law. It is crucial, however, to distinguish legal attribution from attribution in the technical and political senses. States and commentators often express concerns about the challenge of attribution in a technical sense – that is, the challenge in light of certain characteristics of cyberspace of obtaining facts, whether through technical indicators or all-source intelligence, that would inform a State’s policy and legal determinations about a particular cyber incident. Others have raised issues related to political decisions about attribution – that is, considerations that might be relevant to a State’s decision to go public and identify another State as the actor responsible for a particular cyber incident and to condemn a particular cyber act as unacceptable. As norms emerge to clarify how international law addresses the issue of attribution, it would be useful, wherever possible, for law-abiding states to share information regarding both technical knowhow and state practice.”[18]

Countermeasures

“In certain circumstances, a State injured by cyber activities that are attributable to another State and that constitute an internationally wrongful act, but do not amount to an armed attack, may respond with non-forcible countermeasures. Such countermeasures must be directed only at the State responsible for the wrongful act, must meet the requirements of necessity and proportionality, must be designed to induce the State to return to compliance with its international obligations, and, under the customary international law of State responsibility, must be suspended without undue delay if the internationally wrongful act has ceased.

Before an injured State can undertake countermeasures in response to a cyber-based internationally wrongful act attributable to a State, it generally must call upon the responsible State to cease its wrongful conduct, unless urgent countermeasures are necessary to preserve the injured State’s rights. The sufficiency of this prior demand on the responsible State should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.

Countermeasures taken in response to cyber activities attributable to States that constitute internationally wrongful acts may take the form of cyber-based countermeasures or non-cyber-based countermeasures. Countermeasures are distinct from acts of retorsion, which are unfriendly acts that are not inconsistent with any international obligations”.[19]

Retorsion

“Acts of retorsion may include the imposition of sanctions or the declaration that a diplomat is persona non grata. A State can always undertake such responsive measures that are not inconsistent with any of its international obligations in order to influence the behavior of other States, including in response to destabilizing cyber activities.”[20]


Notes and references

  1. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021.
  2. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021.
  3. UNODA, Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security
  4. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 136.
  5. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 136.
  6. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 137.
  7. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 137.
  8. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 138.
  9. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 138.
  10. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 138.
  11. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 139.
  12. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 140.
  13. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 139-140.
  14. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 140.
  15. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 140.
  16. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141.
  17. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141.
  18. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141-142.
  19. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 142.
  20. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 142.

National position of the United States of America (2020)
http://cjwi.org/fa/en/national-position-of-the-united-states-of-america-2020/
Mon, 21 Aug 2023 12:17:20 +0000

Introduction

This is the national position of the United States of America on international law applicable to cyberspace. The position[1] was presented by Hon. Paul C. Ney, Jr., General Counsel of the US Department of Defense, during the US Cyber Command Legal Conference on 2 March 2020.

Applicability of international law

“We recognize that State practice in cyberspace is evolving. As lawyers operating in this area, we pay close attention to States’ explanations of their own practice, how they are applying treaty rules and customary international law to State activities in cyberspace, and how States address matters where the law is unsettled.”[2]

“It continues to be the view of the United States that existing international law applies to State conduct in cyberspace. Particularly relevant for military operations are the Charter of the United Nations, the law of State responsibility, and the law of war. To determine whether a rule of customary international law has emerged with respect to certain State activities in cyberspace, we look for sufficient State practice over time, coupled with opinio juris—evidence or indications that the practice was undertaken out of a sense that it was legally compelled, not out of a sense of policy prudence or moral obligation.”[3]

Use of force

“Article 2(4) of the Charter of the United Nations provides that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” At the same time, international law recognizes that there are exceptions to this rule. For example, in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context.

Depending on the circumstances, a military cyber operation may constitute a use of force within the meaning of Article 2(4) of the U.N. Charter and customary international law. In assessing whether a particular cyber operation—conducted by or against the United States—constitutes a use of force, DoD lawyers consider whether the operation causes physical injury or damage that would be considered a use of force if caused solely by traditional means like a missile or a mine. Even if a particular cyber operation does not constitute a use of force, it is important to keep in mind that the State or States targeted by the operation may disagree, or at least have a different perception of what the operation entailed.”[4]

Prohibition of intervention

“[…] the international law prohibition on coercively intervening in the core functions of another State (such as the choice of political, economic, or cultural system) applies to State conduct in cyberspace. For example, “a cyber operation by a State that interferes with another country’s ability to hold an election” or that tampers with “another country’s election results would be a clear violation of the rule of non-intervention.” Other States have indicated that they would view operations that disrupt the fundamental operation of a legislative body or that would destabilize their financial system as prohibited interventions.

There is no international consensus among States on the precise scope or reach of the non-intervention principle, even outside the context of cyber operations. Because States take different views on this question, DoD lawyers examining any proposed cyber operations must tread carefully, even if only a few States have taken the position publicly that the proposed activities would amount to a prohibited intervention.

Some situations compel us to take into consideration whether the States involved have consented to the proposed operation. Because the principle of non-intervention prohibits “actions designed to coerce a State … in contravention of its rights,” it does not prohibit actions to which a State voluntarily consents, provided the conduct remains within the limits of the consent given.”[5]

Self-defence and armed attack

“[..] in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context.”[6]

Countermeasures

“Depending on the circumstances, DoD lawyers may also consider whether an operation that does not constitute a use of force could be conducted as a countermeasure. In general, countermeasures are available in response to an internationally wrongful act attributed to a State. In the traditional view, the use of countermeasures must be preceded by notice to the offending State, though we note that there are varying State views on whether notice would be necessary in all cases in the cyber context because of secrecy or urgency. In a particular case it may be unclear whether a particular malicious cyber activity violates international law. And, in other circumstances, it may not be apparent that the act is internationally wrongful and attributable to a State within the timeframe in which the DoD must respond to mitigate the threat. In these circumstances, which we believe are common, countermeasures would not be available.”[7]

Peacetime cyber espionage

“For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory. This proposition is recognized in the Department’s adoption of the “defend forward” strategy: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The Department’s commitment to defend forward—including to counter foreign cyber activity targeting the United States—comports with our obligations under international law and our commitment to the rules-based international order.

The DoD OGC view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018. We recognize that there are differences of opinion among States, which suggests that State practice and opinio juris are presently not settled on this issue. Indeed, many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).

Traditional espionage may also be a useful analogue to consider. Many of the techniques and even the objectives of intelligence and counterintelligence operations are similar to those used in cyber operations. Of course, most countries, including the United States, have domestic laws against espionage, but international law, in our view, does not prohibit espionage per se even when it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States practicing it, indicating the absence of a customary international law norm against it. In examining a proposed military cyber operation, we may therefore consider the extent to which the operation resembles or amounts to the type of intelligence or counterintelligence activity for which there is no per se international legal prohibition.

Of course, as with domestic law considerations, establishing that a proposed cyber operation does not violate the prohibitions on the use of force and coercive intervention does not end the inquiry. These cyber operations are subject to a number of other legal and normative considerations.”[8]

Sovereignty

“As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty. States have sovereignty over the information and communications technology infrastructure within their territory. The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law.”[9]

International humanitarian law (jus in bello)

“It is also longstanding DoD policy that U.S. forces will comply with the law of war “during all armed conflicts however such conflicts are characterized and in all other military operations.” Even if the law of war does not technically apply because the proposed military cyber operation would not take place in the context of armed conflict, DoD nonetheless applies law-of-war principles. This means that the jus in bello principles, such as military necessity, proportionality, and distinction, continue to guide the planning and execution of military cyber operations, even outside the context of armed conflict.”[10]

Voluntary, non-binding norms of responsible state behavior

“DoD lawyers also advise on how a proposed cyber operation may implicate U.S. efforts to promote certain policy norms for responsible State behavior in cyberspace, such as the norm relating to activities targeting critical infrastructure. These norms are non-binding and identifying the best methods for integrating them into tactical-level operations remains a work in progress. But, they are important political commitments by States that can help to prevent miscalculation and conflict escalation in cyberspace. DoD OGC, along with other DoD leaders, actively supports U.S. State Department-led initiatives to build and promote this framework for responsible State behavior in cyberspace. This includes participation in the UN Group of Governmental Experts and an Open-Ended Working Group on information and communications technologies in the context of international peace and security. These diplomatic engagements are an important part of the United States’ overall effort to protect U.S. national interests by promoting stability in cyberspace.”[11]

National position of the United States of America (2016)

http://cjwi.org/fa/en/national-position-of-the-united-states-of-america-2016/ (Mon, 21 Aug 2023 12:16:18 +0000)

Introduction

This is the national position of the United States of America on international law applicable to cyber operations. The position[1] was presented by Brian J. Egan, Legal Advisor of the US Department of State, in a speech at Berkeley Law School on 10 November 2016.

Applicability of international law

“Existing principles of international law form a cornerstone of the United States’ strategic framework of international cyber stability during peacetime and during armed conflict. The U.S. strategic framework is designed to achieve and maintain a stable cyberspace environment where all States and individuals are able to realize its benefits fully, where there are advantages to cooperating against common threats and avoiding conflict, and where there is little incentive for States to engage in disruptive behavior or to attack one another.

There are three pillars to the U.S. strategic framework, each of which can help to ensure stability in cyberspace by reducing the risks of misperception and escalation. The first is global affirmation of the applicability of existing international law to State activity in cyberspace in both peacetime and during armed conflict. The second is the development of international consensus on certain additional voluntary, non-binding norms of responsible State behavior in cyberspace during peacetime, which is of course the predominant context in which States interact. And the third is the development and implementation of practical confidence-building measures to facilitate inter-State cooperation on cyber-related matters.”[2]

Sovereignty

“[..] remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects.

Most States, including the United States, engage in intelligence collection abroad. As President Obama said, the collection of intelligence overseas is “not unique to America.” As the President has also affirmed, the United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decisionmakers have access to timely, accurate, and insightful information. Indeed, the President issued a directive in 2014 to clarify the principles that would be followed by the United States in undertaking the collection of signals intelligence abroad.

Such widespread and perhaps nearly universal practice by States of intelligence collection abroad indicates that there is no per se prohibition on such activities under customary international law. I would caution, however, that because “intelligence collection” is not a defined term, the absence of a per se prohibition on these activities does not settle the question of whether a specific intelligence collection activity might nonetheless violate a provision of international law.

Although certain activities—including cyber operations—may violate another State’s domestic law, that is a separate question from whether such activities violate international law. The United States is deeply respectful of other States’ sovereign authority to prescribe laws governing activities in their territory. Disrespecting another State’s domestic laws can have serious legal and foreign policy consequences. As a legal matter, such an action could result in the criminal prosecution and punishment of a State’s agents in the United States or abroad, for example, for offenses such as espionage or for violations of foreign analogs to provisions such as the U.S. Computer Fraud and Abuse Act. From a foreign policy perspective, one can look to the consequences that flow from disclosures related to such programs. But such domestic law and foreign policy issues do not resolve the independent question of whether the activity violates international law.”[3]

Prohibition of intervention

“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force. This is a challenging area of the law that raises difficult questions. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions. Precisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris of States.

Relatedly, consider the challenges we face in clarifying the international law prohibition on unlawful intervention. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. For increased transparency, States need to do more work to clarify how the international law on non-intervention applies to States’ activities in cyberspace.”[4]

International human rights law

“The Internet must remain open to the free flow of information and ideas. Restricting the flow of ideas also inhibits spreading the values of understanding and mutual respect that offer one of the most powerful antidotes to the hateful and violent narratives propagated by terrorist groups.

That is why the United States holds the view that use of the Internet, including social media, in furtherance of terrorism and other criminal activity must be addressed through lawful means that respect each State’s international obligations and commitments regarding human rights, including the freedom of expression, and that serve the objectives of the free flow of information and a free and open Internet. To be sure, the incitement of imminent terrorist violence may be restricted. However, certain censorship and content control, including blocking websites simply because they contain content that criticizes a leader, a government policy, or an ideology, or because the content espouses particular religious beliefs, violates international human rights law and must not be engaged in by States.”[5]

Attribution

“From a legal perspective, the customary international law of state responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise governmental authority are attributable to that State, if such organs, persons, or entities are acting in that capacity.

Additionally, cyber operations conducted by non-State actors are attributable to a State under the law of state responsibility when such actors engage in operations pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own.

Thus, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies. When there is information — whether obtained through technical means or all-source intelligence — that permits a cyber act engaged in by a non-State actor to be attributed legally to a State under one of the standards set forth in the law of state responsibility, the victim State has all of the rights and remedies against the responsible State allowed under international law.

The law of state responsibility does not set forth explicit burdens or standards of proof for making a determination about legal attribution. In this context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not—and cannot be—required. Instead, international law generally requires that States act reasonably under the circumstances when they gather information and draw conclusions based on that information.

I also want to note that, despite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law.”[6]

Retorsion

“[..] a State can always undertake unfriendly acts that are not inconsistent with any of its international obligations in order to influence the behavior of other States. Such acts—which are known as acts of retorsion—may include, for example, the imposition of sanctions or the declaration that a diplomat is persona non grata.”[7]

Countermeasures

“The customary international law doctrine of countermeasures permits a State that is the victim of an internationally wrongful act of another State to take otherwise unlawful measures against the responsible State in order to cause that State to comply with its international obligations, for example, the obligation to cease its internationally wrongful act. Therefore, as a threshold matter, the availability of countermeasures to address malicious cyber activity requires a prior internationally wrongful act that is attributable to another State. As with all countermeasures, this puts the responding State in the position of potentially being held responsible for violating international law if it turns out that there wasn’t actually an internationally wrongful act that triggered the right to take countermeasures, or if the responding State made an inaccurate attribution determination. That is one reason why countermeasures should not be engaged in lightly.

Additionally, under the law of countermeasures, measures undertaken in response to an internationally wrongful act performed in or through cyberspace that is attributable to a State must be directed only at the State responsible for the wrongful act and must meet the principles of necessity and proportionality, including the requirements that a countermeasure must be designed to cause the State to comply with its international obligations—for example, the obligation to cease its internationally wrongful act—and must cease as soon as the offending State begins complying with the obligations in question.

The doctrine of countermeasures also generally requires the injured State to call upon the responsible State to comply with its international obligations before a countermeasure may be taken—in other words, the doctrine generally requires what I will call a “prior demand.” The sufficiency of a prior demand should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond.

I also should note that countermeasures taken in response to internationally wrongful cyber activities attributable to a State generally may take the form of cyber-based countermeasures or non-cyber-based countermeasures. That is a decision typically within the discretion of the responding State and will depend on the circumstances.”[8]

International humanitarian law (jus in bello)

“Turning to cyber operations in armed conflict, I would like to start with the U.S. military’s cyber operations in the context of the ongoing armed conflict with the Islamic State of Iraq and the Levant (ISIL). As U.S. Defense Secretary Ashton Carter informed Congress in April 2016, U.S. Cyber Command has been asked “to take on the war against ISIL as essentially [its] first major combat operation […] The objectives there are to interrupt ISIL command-and-control, interrupt its ability to move money around, interrupt its ability to tyrannize and control population[s], [and] interrupt its ability to recruit externally.”

The U.S. military must comply with the United States’ obligations under the law of armed conflict and other applicable international law when conducting cyber operations against ISIL, just as it does when conducting other types of military operations during armed conflict. To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations. For example, such operations must only be directed against military objectives, such as computers, other networked devices, or possibly specific data that, by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage. Such operations also must comport with the requirements of the principles of distinction and proportionality. Feasible precautions must be taken to reduce the risk of incidental harm to civilian infrastructure and users. In the cyber context, this requires parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users.”[9]

Attack (international humanitarian law)

“[..]To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations […] Not all cyber operations, however, rise to the level of an “attack” as a legal matter under the law of armed conflict. When determining whether a cyber activity constitutes an “attack” for purposes of the law of armed conflict, States should consider, among other things, whether a cyber activity results in kinetic or non-kinetic effects, and the nature and scope of those effects, as well as the nature of the connection, if any, between the cyber activity and the particular armed conflict in question. Even if they do not rise to the level of an “attack” under the law of armed conflict, cyber operations during armed conflict must nonetheless be consistent with the principle of military necessity. For example, a cyber operation that would not constitute an “attack,” but would nonetheless seize or destroy enemy property, would have to be imperatively demanded by the necessities of war. Additionally, even if a cyber operation does not rise to the level of an “attack” or does not cause injury or damage that would need to be considered under the principle of proportionality in conducting attacks, that cyber operation still should comport with the general principles of the law of war.”[10]

Principle of precautions

“To the extent that such cyber operations constitute “attacks” under the law of armed conflict, the rules on conducting attacks must be applied to those cyber operations. For example, such operations must only be directed against military objectives, such as computers, other networked devices, or possibly specific data that, by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage. Such operations also must comport with the requirements of the principles of distinction and proportionality. Feasible precautions must be taken to reduce the risk of incidental harm to civilian infrastructure and users. In the cyber context, this requires parties to a conflict to assess the potential effects of cyber activities on both military and civilian infrastructure and users.”[11]

“Even if they do not rise to the level of an “attack” under the law of armed conflict, cyber operations during armed conflict must nonetheless be consistent with the principle of military necessity. For example, a cyber operation that would not constitute an “attack,” but would nonetheless seize or destroy enemy property, would have to be imperatively demanded by the necessities of war. Additionally, even if a cyber operation does not rise to the level of an “attack” or does not cause injury or damage that would need to be considered under the principle of proportionality in conducting attacks, that cyber operation still should comport with the general principles of the law of war.”[12]

Voluntary, non-binding norms of responsible state behavior in peacetime

“[..] another element of the United States’ strategic framework for international cyber stability: the development of international consensus on certain additional voluntary, non-binding norms of responsible State behaviour in cyberspace that apply during peacetime.

Internationally, the United States has identified and promoted four such norms:

  • First, a State should not conduct or knowingly support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information with the intent of providing competitive advantages to its companies or commercial sectors.
  • Second, a State should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide service to the public.
  • Third, a State should not conduct or knowingly support activity intended to prevent national computer security incident response teams (CSIRTs) from responding to cyber incidents. A State also should not use CSIRTs to enable online activity that is intended to do harm.
  • Fourth, a State should cooperate, in a manner consistent with its domestic and international obligations, with requests for assistance from other States in investigating cyber crimes, collecting electronic evidence, and mitigating malicious cyber activity emanating from its territory.

These four U.S.-promoted norms seek to address specific areas of risk that are of national and/or economic security concern to all States. Although voluntary and non-binding in nature, these norms can serve to define an international standard of behavior to be observed by responsible, like-minded States with the goal of preventing bad actors from engaging in malicious cyber activity. If observed, these measures—which can include measures of self-restraint—can contribute substantially to conflict prevention and stability. Over time, these norms can potentially provide common standards for responsible States to use to identify and respond to behavior that deviates from these norms. As more States commit to observing these norms, they will be increasingly willing to condemn the malicious activities of bad actors and to join together to ensure that there are consequences for those activities.

It is important, however, to distinguish clearly between international law, on the one hand, and voluntary, non-binding norms on the other. These four norms identified by the United States, or the other peacetime cyber norms recommended in the 2015 UN GGE report, fall squarely in the voluntary, non-binding category. These voluntary, non-binding norms set out standards of expected State behavior that may, in certain circumstances, overlap with standards of behavior that are required as a matter of international law. Such norms are intended to supplement existing international law. They are designed to address certain cyber activities by States that occur outside of the context of armed conflict that are potentially destabilizing. That said, it is possible that if States begin to accept the standards set out in such non-binding norms as legally required and act in conformity with them, such norms could, over time, crystallize into binding customary international law. As a result, States should approach the process of identifying and committing to such non-binding norms with care.”[13]

National position of the United States of America (2012)

http://cjwi.org/fa/en/national-position-of-the-united-states-of-america-2012/ (Mon, 21 Aug 2023 12:15:43 +0000)

Introduction

This is the national position of the United States of America on international law applicable to cyber operations. The position[1] was presented by Harold Hongju Koh, Legal Advisor of the US Department of State, at the USCYBERCOM Inter-Agency Legal Conference at Ft. Meade, Maryland on 18 September 2012.

Applicability of international law

“[…]international law principles do apply in cyberspace. Everyone here knows how cyberspace opens up a host of novel and extremely difficult legal issues. But on this key question, this answer has been apparent, at least as far as the U.S. Government has been concerned. Significantly, this view has not necessarily been universal in the international community. At least one country has questioned whether existing bodies of international law apply to the cutting edge issues presented by the internet. Some have also said that existing international law is not up to the task, and that we need entirely new treaties to impose a unique set of rules on cyberspace. But the United States has made clear our view that established principles of international law do apply in cyberspace.”[2]

Use of force

“Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. For example, cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues. Commonly cited examples of cyber activity that would constitute a use of force include, for example, (1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control resulting in airplane crashes. Only a moment’s reflection makes you realize that this is common sense: if the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force.”[3]

Self-defence and armed attack

“A state’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, “[w]hen warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.””[4]

“[…]the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response—such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack”—triggering the right to self-defense—as a subset of uses of force, which passes a higher threshold of gravity.”[5]

International humanitarian law (jus in bello)

“In the context of an armed conflict, the law of armed conflict applies to regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit uses of force in self-defense, and would regulate what may constitute a lawful response under the circumstances. There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.”[6]

Military objectives

“The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be, and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained. In the cyber context, this rule requires parties to a conflict to assess (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyber attack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are military objectives.”[7]

“As you all know, information and communications infrastructure is often shared between state militaries and private, civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. But how, exactly, are the jus in bello rules to be implemented in cyberspace? Parties to an armed conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation.”[8]

Legal review of cyber weapons

“States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would be inherently indiscriminate, i.e., that it could not be used consistent with the principles of distinction and proportionality. The U.S. Government undertakes at least two stages of legal review of the use of weapons in the context of armed conflict: first, an evaluation of new weapons to determine whether their use would be per se prohibited by the law of war; and second, specific operations employing weapons are always reviewed to ensure that each particular operation is also compliant with the law of war.”[9]

Sovereignty

“States conducting activities in cyberspace must take into account the sovereignty of other states, including outside the context of armed conflict. The physical infrastructure that supports the Internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial state. Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a state contemplates conducting activities in cyberspace, the sovereignty of other states needs to be considered.”[10]

Attribution

“States are legally responsible for activities undertaken through “proxy actors,” who act on the state’s instructions or under its direction or control. The ability to mask one’s identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for states in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the state’s instructions or under its direction or control. If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it. These rules are designed to ensure that states cannot hide behind putatively private actors to engage in conduct that is internationally wrongful.”[11]

[…]

“[..]cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. I noted that legal tools exist to ensure that states are held accountable for those acts. What I want to highlight here is that many of these challenges — in particular, those concerning attribution — are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones.”[12]

National position of the United Kingdom (2022)

http://cjwi.org/fa/en/national-position-of-the-united-kingdom-2022/ (Mon, 21 Aug 2023 12:15:08 +0000)

Introduction

This is the national position of the United Kingdom on international law applicable to cyberspace. The position was delivered on 19 May 2022 by UK Attorney General Suella Braverman during a speech at Chatham House titled “International Law in Future Frontiers”.[1]

Applicability of international law

“Commentators often talk in hushed tones of cyber weapons, with little understanding of what they are, or of the rules which govern how they are used. This misunderstanding means we can see every cyber incident as an act of warfare which threatens to bring down the modern world around us and it’s not uncommon for even seasoned observers to think in this way, as they speak of cyber as a new battlespace where no rules apply. But cyberspace is not a lawless ‘grey zone’. International law governs and plays a fundamental role in regulating cyberspace.

Which is why today I would like to set out how the UK considers international law applies in cyberspace during peacetime, against the backdrop of the Prime Minister’s Integrated Review and the Government’s National Cyber Strategy. With particular focus on the rule on non-intervention, its application to key sectors, and avenues for response.

I’m focusing on the law applicable in peacetime because the UK has already set out that cyber operations are capable of breaching the prohibition on the threat or use of force, and that the law applicable in armed conflict applies just the same to the use of cyber means as other means of waging war. And I want to be clear that in the same way that a country can lawfully respond when attacked militarily, there is also a basis to respond, and options available, in the face of hostile cyber operations in peacetime.”[2]

Sovereignty

“States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention.”[3]

State responsibility

“I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation.”[4]

Attribution

“Coordination between States, in a more general sense, is also crucial in responding to hostile State activity in cyberspace and imposing a cost on those who seek to abuse the freedom and opportunity that technological progress has provided them. States are developing more sophisticated and coordinated diplomatic and economic responses. This can be seen in the response to the recent operation targeting Microsoft Exchange servers, where 39 partners including NATO, the EU and Japan coordinated in attributing hostile cyber activity to China. It can also be seen in the response to the Russian SolarWinds hack which saw coordinated US, UK and allied sanctions and other measures.”[5]

Countermeasures

“[..] [U]nder the international law doctrine of countermeasures, a State may respond to a prior unlawful act, in ways which would under normal circumstances be unlawful, in order to stop the offending behaviour and ensure reparation. The UK has previously made clear that countermeasures are available in response to unlawful cyber operations by another State. It is also clear that countermeasures need not be of the same character as the threat and could involve non-cyber means, where it is the right option in order to bring unlawful behaviour in cyberspace to an end.

However, some countries simply do not have the capability to respond effectively by themselves in the face of hostile and unlawful cyber intrusions. It is open to States to consider how the international law framework accommodates, or could accommodate, calls by an injured State for assistance in responding collectively.”[6]

Prohibition of intervention

“Turning to the law – one of the rules of customary international law which is of particular importance in this area is the rule on non-intervention.

Customary international law is the general practice of States accepted as law. As such, it is not static. It develops over time according to what States do and what they say. It can adapt to accommodate change in the world, including technological advances. Customary international law is a framework that can adapt to new frontiers and which governs States’ behaviour.

A well-known formulation of the rule on non-intervention comes from the International Court of Justice in its Military and Paramilitary Activities judgment. According to the Court in that case, all States or groups of States are forbidden from intervening –

…directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social, and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.

The UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of State conduct in cyberspace during peacetime.

It serves as a benchmark by which to assess lawfulness, to hold those responsible to account, and to calibrate responses.

This rule is particularly important in cyberspace for two main reasons.

First, the rule on non-intervention lies at the heart of international law, serving to protect matters that are core to State sovereignty. As long ago as 1966, the UK made clear its position that:

…the principle of non-intervention, as it applied in relations between States, [is] not explicitly set forth in the United Nations Charter but flow[s] directly and by necessary implication from the prohibition of the threat or use of force and from the principle of the sovereign equality of States…

Four years later, in 1970, the UK set out its view that “non-intervention reflected the principle of the sovereign equality of states.” And that these principles were equally valid and interrelated. More colloquially, we might say that sovereignty and non-intervention are two sides of the same coin.

States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention.

What matters in practice is whether there has been a violation of international law. Differences in legal reasoning must not obscure the common ground which I believe exists when it comes to certain types of unacceptable and unlawful cyber behaviours. I think that common ground also extends to an appreciation that we must carefully preserve the space for perfectly legitimate everyday cyber activity which traverses multiple international boundaries millions of times a second.

Second, the rule on non-intervention is also of increasing relevance due to the prevalence of hostile activity by States that falls below the threshold of the use of force or is on the margins of it. In such circumstances, the rule on non-intervention becomes particularly significant as another benchmark by which States can define behaviour as unlawful.

Having identified the importance of the rule on non-intervention, I will now turn to the threshold for its application. The fact that behaviour attributed to another State is unwelcome, irresponsible, or indeed hostile, does not mean that it is also unlawful. A core element of the non-intervention rule is that the offending behaviour must be coercive.

Coercion was rightly described in the Military and Paramilitary Activities case as “the very essence” of a prohibited intervention. It is this coercive element that most obviously distinguishes an intervention prohibited under international law from, for example, more routine and legitimate information-gathering and influencing activities that States carry out as part of international relations.

But what exactly is coercion?

Some have characterised coercion as forcing a State to act differently from how it otherwise would – that is, compelling it into a specific act or omission. Imagine, for example, a cyber operation to delay another State’s election, or to prevent it from distributing tax revenues to fund essential services. To my mind, these are certainly forms of coercion.

But I want to be clear today that coercion can be broader than this. In essence, an intervention in the affairs of another State will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty. While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive even where it might not be possible to point to a specific course of conduct which a State has been forced into or prevented from taking.

Of course, in considering whether the threshold for a prohibited intervention is met, all relevant circumstances, including the overall scale and effect of a cyber operation, need to be considered. But I believe that we can and should be clearer about the types of disruptive State activity which are likely to be unlawful in cyberspace.

It is therefore important to bring the non-intervention rule to life in the cyber context, through examples of what kinds of cyber behaviours could be unlawful in peacetime. To move the focus to the types of coercive and disruptive behaviours that responsible States should be clear are unlawful when it comes to the conduct of international affairs in peacetime.

And being clear on what is unlawful means we can then be clearer on the range of potential options that can lawfully be taken in response. That is, the kinds of activities which would require legal justification, for example, as a proportionate response to prior illegality by another State. This is crucial in enabling States to act within the law whilst taking robust and decisive action.

With that in mind, today I will set out new detail to illustrate how this rule applies. A non-exhaustive list, to move this discussion forward. I will cover four of the most significant sectors that are vulnerable to disruptive cyber conduct: energy security; essential medical care; economic stability; and democratic processes.

Ensuring the provision of essential medical services and secure and reliable energy supply to a population are sovereign functions of a State. They are matters in respect of which international law affords free choice to States. The Integrated Review highlights the interconnected nature of the global health system, and the importance of building resilience to address global health risks. Covid is a clear example. Likewise, energy security is recognised as including protection of critical national infrastructure from cyber security risks.

Covert cyber operations by a foreign State which coercively restrict or prevent the provision of essential medical services or essential energy supplies would breach the rule on non-intervention.

Of course, every case needs to be assessed on its facts, but prohibited cyber activity in the energy and medical sectors could include:

* disruption of systems controlling emergency medical transport (e.g., telephone dispatchers);
* causing hospital computer systems to cease functioning;
* disruption of supply chains for essential medicines and vaccines;
* preventing the supply of power to housing, healthcare, education, civil administration and banking facilities and infrastructure;
* causing the energy supply chain to stop functioning at national level through damage or prevention of access to pipelines, interchanges, and depots; or
* preventing the operation of power generation infrastructure.

Turning to economic stability, covert cyber operations by a foreign State that coercively interfere with a State’s freedom to manage its domestic economy, or to ensure provision of domestic financial services crucial to the State’s financial system, would breach the rule on non-intervention.

Such cyber operations could include disruption to the networks controlling a State’s fundamental ability to conduct monetary policy or to raise and distribute revenue, for instance through taxation. Or disruption to systems which support lending, saving and insurance across the economy.

Lastly, democratic processes. Free and open elections, using processes in which a population has confidence, are an essential part of the political system in democratic States. All States have the freedom to make their views known about processes in other countries – delivering hard, sometimes unwelcome messages, and drawing attention to concerns. This is part and parcel of international relations. However, covert cyber operations by a foreign State which coercively interfere with free and fair electoral processes would constitute a prohibited intervention.

Again, every activity needs to be assessed on its facts, but such activities could include:

* operations that disrupt the systems which control electoral counts to change the outcome of an election; or
* operations to disrupt another State’s ability to hold an election at all, for example by causing systems to malfunction with the effect of preventing voter registration.

I hope that these illustrative examples will assist in the future when considering what is unlawful in cyberspace.

I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation.”[7]

Retorsion

“If a State carries out irresponsible, hostile, or unlawful cyber activity, what then are the options available to the victim State?

There are a wide range of effective response options available to impose a cost on States carrying out irresponsible or hostile cyber activity, regardless of whether the cyber activity constitutes an internationally unlawful act. These kinds of measures, referred to as acts of retorsion in international law, could include economic sanctions, restrictions on freedom of movement, exclusion from international groupings and wider diplomatic measures. So, there are always options available to stand up to unacceptable behaviour. And you do not have to look far to see how the impact of taking these kinds of measures is amplified when acting alongside other like-minded States.

Let me be clear. This means that when states like Russia or China carry out irresponsible or hostile cyber activity, the UK and our allies are always able to take action, whether or not the activity was itself unlawful. Today that might be in response to hostile cyber activity occurring in Ukraine, tomorrow it could be a response to hostile activity in Taiwan.”[8]

Peaceful settlement of disputes

“Where a State falls victim to unlawful cyber activity carried out against it by another State, it may also be appropriate to pursue remedies through the courts. Current events in Ukraine have demonstrated the continued relevance of forums like the International Court of Justice (ICJ) in the context of a wider response. The UK has accepted the compulsory jurisdiction of the ICJ, and we encourage others to do likewise.”[9]



Appendixes

See also

National position of the United Kingdom (2021)

National position of the United Kingdom (2021)

http://cjwi.org/fa/en/national-position-of-the-united-kingdom-2021/ (Mon, 21 Aug 2023 12:14:40 +0000)

Introduction

This is the national position of the United Kingdom on international law applicable to cyberspace. The position[1] was submitted as part of the Group of Governmental Experts (“GGE”) process by the participating governmental expert from the United Kingdom, in accordance with the mandate of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, established pursuant to General Assembly resolution 73/266A.[2]

Applicability of international law

“International law is fundamental to maintaining security and stability in cyberspace and international law applies to States’ conduct in cyberspace on the same basis as it applies to their other conduct. The application of international law to States’ conduct in cyberspace is clearly recognised by the international community. In the recent 2021 OEWG report, States reaffirmed their understanding (as already set out in the 2013 and 2015 GGE reports) that ‘international law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment’.”[3]

Use of force

“Article 2(4) of the UN Charter prohibits the threat or use of force against the territorial integrity or political independence of any State or in any other manner inconsistent with the purposes of the United Nations. Depending on the facts and circumstances in each case, conduct by States carried out in cyberspace is capable of constituting a threat or use of force if the actual or threatened conduct has or would have the same or similar effects of conduct using kinetic means. The circumstances in which the threat or use of force is not unlawful under international law are the same irrespective of whether the conduct is by kinetic or cyber means.”[4]

Self-defence and armed attack

“An operation carried out by cyber means may constitute an armed attack giving rise to the inherent right of individual or collective self-defence, as recognised in Article 51 of the UN Charter where the scale and effects of the operation are equivalent to those of an armed attack using kinetic means. Factors in considering the scale and effects of an attack may include the (actual or anticipated) physical destruction of property, injury and death. The exercise of the inherent right of self-defence against an imminent or on-going armed attack whether by kinetic or cyber means, may itself be by cyber or kinetic means and must always fulfil the requirements of necessity and proportionality. Whether or not to have recourse to the exercise of the inherent right of self-defence will always be carefully considered having regard to all the circumstances.”[5]

Peaceful settlement of disputes

“Article 2(3) and the provisions of Chapter VI of the Charter on the peaceful settlement of disputes can equally apply in relation to States’ activities in cyberspace. Thus, in accordance with Article 33(1), States that are party to any cyber-related international dispute the continuation of which is likely to endanger the maintenance of international peace and security, shall endeavour to settle such dispute by peaceful means as described in Article 33 of the Charter: negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice.”[6]

Prohibition of intervention

“Below the threshold of the threat or use of force, the customary international law rule prohibiting interventions in the domestic affairs of States applies to States’ operations in cyberspace as it does to their other activities. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of the rule on non-intervention is to ensure that all States remain free from external coercive intervention in matters affecting a State’s powers, which are at the heart of a State’s sovereignty such as the freedom to choose its own political, social, economic and cultural system.

As the UK has noted previously, while the precise boundaries of this rule continue to be the subject of on-going debate, it provides a clearly established basis in international law for assessing the legality of State conduct. Thus the use of hostile cyber operations to manipulate the electoral system in another State to alter the results of an election, to undermine the stability of another State’s financial system or to target the essential medical services of another State could all, depending on the circumstances, be in violation of the international law prohibition on intervention.

The International Court of Justice has established that a prohibited intervention is one bearing on matters which each State is permitted, by the principle of State sovereignty, to decide freely.”[7]

Sovereignty

“Sovereignty, as a general principle, is a fundamental concept in international law. The United Kingdom recalls that any prohibition on the activities of States whether in relation to cyberspace or other matters, must be clearly established either in customary international law or in a treaty binding upon the States concerned. The United Kingdom does not consider that the general concept of sovereignty by itself provides a sufficient or clear basis for extrapolating a specific rule or additional prohibition for cyber conduct going beyond that of non-intervention referred to above. At the same time, the United Kingdom notes that differing viewpoints on such issues should not prevent States from assessing whether particular situations amount to internationally wrongful acts and arriving at common conclusions on such matters.”[8]

State responsibility

“A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility.”[9]

Due diligence

“UNGGE Norm 13(c) provides that States should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology. This norm provides guidance on what may be expected to constitute appropriate State behaviour. The UK recognises the importance of States taking appropriate, reasonably available, and practicable steps within their capacities to address activities that are acknowledged to be harmful in order to enhance the stability of cyberspace in the interest of all States. But the fact that States have referred to this as a non-binding norm indicates that there is not yet State practice sufficient to establish a specific customary international law rule of ‘due diligence’ applicable to activities in cyberspace.”[10]

Attribution

“As well as bearing responsibility for acts of its organs and agents, a State is also responsible in accordance with international law where, for example, a person or a group of persons acts on its instructions or under its direction or control.”

[…]

“The term ‘attribution’ is used in relation to cyberspace in both a legal and non-legal sense. It is used in a legal sense to refer to identifying those who are responsible for an internationally wrongful act. It is also used in a non-legal sense to describe the identification of actors (including non-state actors) who have carried out cyber conduct which may be regarded as hostile or malicious but does not necessarily involve an internationally wrongful act.

For the UK, there are technical and diplomatic considerations in determining whether to attribute publicly such activities in cyberspace. The decision whether to make a public attribution statement is a matter of policy. Each case is considered on its merits. The UK will publicly attribute conduct in furtherance of its commitment to clarity and stability in cyberspace or where it is otherwise in its interests to do so.

Whatever the nature of the attribution, there is no general legal obligation requiring a State to publicly disclose any underlying information on which its decision to attribute conduct is based.”[11]

Countermeasures

“Resort may be had to countermeasures in response to an internationally wrongful act, in accordance with international law, in relation to States’ activities in cyberspace as in relation to their other activities. This includes both resorting to countermeasures against a State whose cyber activities constitute internationally wrongful acts and carrying out countermeasures by means of cyber operations. Countermeasures need not be symmetrical: where the internationally wrongful act is itself not a cyber activity, the response may nonetheless involve cyber-based countermeasures (and vice versa).

An injured State may only take countermeasures against a State which is responsible for an internationally wrongful act in order to induce that State to comply with its obligations. Any measures adopted must be commensurate with the injury suffered. They must be carried out in accordance with the conditions and restrictions established in international law and must in particular not contravene the prohibition on the threat or use of force, must be necessary and proportionate to the purpose of inducing the responsible State to comply with its obligations and must not contravene any other peremptory norm of international law.

The application of international law to the use of countermeasures in cyberspace must take account of the nature of cyber activities, which might commence and then cease almost instantaneously or within a short timeframe. In those circumstances, a wider pattern of cyber activities might collectively constitute an internationally wrongful act justifying a response.

The UK does not consider that States taking countermeasures are legally obliged to give prior notice (including by calling on the State responsible for the internationally wrongful act to comply with international law) in all circumstances. Prior notice may not be a legal obligation when responding to covert cyber intrusion with countermeasures or when resort is had to countermeasures which themselves depend on covert cyber capabilities. In such cases, prior notice could expose highly sensitive capabilities and prejudice the very effectiveness of the countermeasures in question. However any decision to resort to countermeasures without prior notice must be necessary and proportionate to the purpose of inducing compliance in the circumstances.”[12]

International human rights law

“Human rights obligations apply to States’ activities in cyberspace as they do in relation to their other activities. The UK continues to support the view set out in Human Rights Council Resolution 20/8 that ‘the same rights that people have offline must also be protected online…’. States have an obligation to act in accordance with applicable international human rights law, including customary international law, and international conventions to which they are a party, such as the International Covenant on Civil and Political Rights, other UN treaties, and regional instruments such as the European Convention on Human Rights.

States’ respect for their human rights obligations in relation to their activities in cyberspace is essential to ensuring an open, secure, stable, accessible and peaceful environment and certain rights may have particular relevance to States’ activities in cyberspace including the right not to be subjected to arbitrary or unlawful interference with privacy, family, home or correspondence, the right to freedom of thought, conscience and religion and the right to freedom of expression.”[13]

International humanitarian law (jus in bello)

“IHL applies to operations in cyberspace conducted in the furtherance of hostilities in armed conflict just as it does to other military operations.

IHL seeks to limit the effects of armed conflict – it protects persons who are not, or who are no longer, participating in hostilities, and limits the methods and means of warfare employed by the belligerents.”[14]

“IHL seeks to limit the effects of armed conflict and it is not therefore correct that its applicability to cyber operations in armed conflict would encourage the militarisation of cyberspace.”[15]

“[..] Those responsible for planning, deciding upon, or executing attacks necessarily have to reach decisions on the basis of their assessment of the information from all sources which is reasonably available to them at the relevant time. All relevant rules of IHL must be observed when planning and conducting operations whether by cyber or other means – the complexity of cyber operations is no excuse for a lower standard of protection to be afforded to civilians and civilian objects.”[16]

Attack (international humanitarian law)

“A cyber operation is capable of being an ‘attack’ under IHL where it has the same or similar effects to kinetic action that would constitute an attack. Where an operation in cyberspace amounts to an ‘attack’, the principles of distinction, proportionality, humanity and military necessity apply in the same way as they do to an attack by any other means.”[17]

Direct participation in hostilities

“Civilians are protected from attack unless and for such time as they take a direct part in hostilities. To the extent that civilians carry out cyber operations in an armed conflict that amount to attacks, they would lose their protected status under IHL and, by taking a direct part in hostilities, become legitimate military targets.”[18]

Appendixes

See also

National position of the United Kingdom (2018)

Notes and references

  1. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  2. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  3. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  4. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  5. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  6. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  7. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  8. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  9. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  10. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  11. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  12. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  13. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  14. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  15. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  16. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
  17. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021, 24.
  18. United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
National position of the United Kingdom (2018)
http://cjwi.org/fa/en/national-position-of-the-united-kingdom-2018/ Mon, 21 Aug 2023 12:13:37 +0000

Introduction

This is the national position of the United Kingdom on international law applicable to cyberspace. The position was presented by the UK Attorney General Jeremy Wright on 23 May 2018 in a Chatham House speech titled “Cyber and International Law in the 21st Century”.[1]

Applicability of international law

“Cyber space is not – and must never be – a lawless world. It is the UK’s view that when states and individuals engage in hostile cyber operations, they are governed by law just like activities in any other domain. The UK has always been clear that we consider cyber space to be an integral part of the rules based international order that we are proud to promote. The question is not whether or not international law applies, but rather how it applies and whether our current understanding is sufficient.

What this means is that hostile actors cannot take action by cyber means without consequence, both in peacetime and in times of conflict. States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them and that in this as in all things, all states are equal before the law.”[2]

Sovereignty

“[..]a further contested area amongst those engaged in the application of international law to cyber space is the regulation of activities that fall below the threshold of a prohibited intervention, but nonetheless may be perceived as affecting the territorial sovereignty of another state without that state’s prior consent. Some have sought to argue for the existence of a cyber specific rule of a “violation of territorial sovereignty” in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.”[3]

State responsibility

“There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.

The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commission’s Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control.”[4]

Attribution


“These principles must be adapted and applied to a densely technical world of electronic signatures, hard to trace networks and the dark web. They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors. And international law is clear – states cannot escape accountability under the law simply by the involvement of such proxy actors acting under their direction and control.”

[…]

“As with other forms of hostile activity, there are technical, political and diplomatic considerations in publicly attributing hostile cyber activity to a state, in addition to whether the legal test is met.

There is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances.

However, the UK can and does attribute malicious cyber activity where we believe it is in our best interests to do so, and in furtherance of our commitment to clarity and stability in cyberspace. Sometimes we do this publicly, and sometimes we do so only to the country concerned. We consider each case on its merits.

For example, the WannaCry ransomware attack affected 150 countries, including 48 National Health Service Trusts in the United Kingdom. It was one of the most significant attacks to hit the UK in terms of scale and disruption. In December 2017, together with partners from the US, Australia, Canada, New Zealand, Denmark and Japan, we attributed the attack to North Korean actors. Additionally, our attribution, together with eleven other countries, of the destructive NotPetya cyber-attack against Ukraine to the Russian government, specifically the Russian Military in February this year illustrated that we can do this successfully. If more states become involved in the work of attribution then we can be more certain of the assessment. We will continue to work closely with allies to deter, mitigate and attribute malicious cyber activity. It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community.”[5]

Countermeasures

“Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.

These restrictions under the doctrine of countermeasures are generally accepted across the international law community. The one area where the UK departs from the excellent work of the International Law Commission on this issue is where the UK is responding to covert cyber intrusion with countermeasures.

In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it. The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.

In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa.”[6]

Prohibition of intervention

“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.

The international law prohibition on intervention in the internal affairs of other states is of particular importance in modern times when technology has an increasing role to play in every facet of our lives, including political campaigns and the conduct of elections. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of this principle is to ensure that all states remain free from external, coercive intervention in the matters of government which are at the heart of a state’s sovereignty, such as the freedom to choose its own political, social, economic and cultural system.

The precise boundaries of this principle are the subject of ongoing debate between states, and not just in the context of cyber space. But the practical application of the principle in this context would be the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states.”[7]

International humanitarian law (jus in bello)

“[..]in addition to the provisions of the UN Charter, the application of international humanitarian law to cyber operations in armed conflicts provides both protection and clarity. When states are engaged in an armed conflict, this means that cyber operations can be used to hinder the ability of hostile groups such as Daesh to coordinate attacks, and in order to protect coalition forces on the battlefield. But like other responsible states, this also means that even on the new battlefields of cyber space, the UK considers that there is an existing body of principles and rules that seek to minimise the humanitarian consequences of conflict.”[8]

Self-defence, armed attack and use of force

“First, there is the rule prohibiting interventions in the domestic affairs of states both under Article 2(7) of the Charter and in customary international law. This prohibition means that any activity in cyber space which reaches the level of such an intervention is unlawful. Any activity of this nature by a state could only become permissible in response to some prior illegality by another state.

The next relevant provision of the UN Charter is in Article 2(4) which prohibits the threat or use of force against the territorial independence or political integrity of any state. Any activity above this threshold would only be lawful under the usual exceptions – when taken in response to an armed attack in self-defence or as a Chapter VII action authorised by the Security Council. In addition, the UK remains of the view that it is permitted under international law, in exceptional circumstances, to use force on the grounds of humanitarian intervention to avert an overwhelming humanitarian catastrophe.

Thirdly, the UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defence, as recognised in Article 51 of the UN Charter.

If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects.

Acts like the targeting of essential medical services are no less prohibited interventions, or even armed attacks, when they are committed by cyber means.”[9]

Appendixes

See also

National position of the United Kingdom (2021)

Notes and references

National position of the Russian Federation (2021)
http://cjwi.org/fa/en/national-position-of-the-russian-federation-2021/ Mon, 21 Aug 2023 12:13:04 +0000

Introduction

This is the national position of the Russian Federation on international law applicable to cyberspace. The position[1] was submitted by the Russian Federation and included in the official UNGGE compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States.[2] The compendium was publicly released in August 2021.[3]

Applicability of international law

“Russia assumes that, for the present, the international community has reached consensus on the applicability of the universally accepted principles and norms of international law, which are enshrined, first and foremost, in the Charter of the United Nations and the Declaration on principles of international law, friendly relations and cooperation among States in accordance with the Charter of the United Nations of October 24, 1970, to information space. These include, in particular, the principles of sovereign equality of States, non-use of force and threat of force, settlement of international disputes by peaceful means, non interference into internal affairs of States, obligation of States to cooperate with each other, equal rights and self-determination of peoples, fulfillment of international law obligations in good faith, inviolability of State borders, and territorial integrity of States. This understanding was agreed upon at relevant UN platforms on international information security and set forth, inter alia, in the 2013 and 2015 reports of the UN Group of Governmental Experts (GGE) and in the 2021 report of the UN Open-ended Working Group (OEWG), as well as in the UN General Assembly resolution (A/RES/73/27, para. 17 of the preamble) proposed by Russia and adopted in 2018. It is presumed that international obligations of States, including those stemming from international treaties as the main sources of international law, are applicable in information space.

At the same time, given the specific legal nature of the information environment, notably, the fact that activities therein can be anonymous, the application of international law to the use of information and communications technologies (ICTs) should not be automatic and should not be carried out by simple extrapolation. There is a need to substantively discuss the issue of how specific instruments of the existing international law apply to the ICT-sphere, as well as to elaborate a universal approach to this matter under the UN auspices.”[4]

Attribution

“Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence”.[5]

Countermeasures

“The countermeasures, which can be taken by an injured State against a State which is responsible for an internationally wrongful act, shall not affect the obligation to refrain from the threat or use of force as embodied in the Charter of the United Nations; obligations for the protection of fundamental human rights; obligations of a humanitarian character prohibiting reprisals; other obligations under peremptory norms of general international law (article 50).”[6]

State responsibility

“The possibility of attributing responsibility for particular actions in information space to States demands further study on the basis of the existing international law. The international responsibility of a State is conditioned to the commission of an internationally wrongful act by this State. According to the Articles on Responsibility of States for Internationally Wrongful Acts (elaborated by the UN International Law Commission in 2001, taken note in the UNGA resolution A/RES/56/83), there is an internationally wrongful act of a State when conduct consisting of an action or omission: 1) is attributable to the State under international law; 2) constitutes a breach of an international legal obligation of the State. The characterization of an act of a State as internationally wrongful is governed by international law. Such characterization is not affected by the characterization of the same act as lawful by internal law (article 3).”[7]

[…]

“Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence.”[8]

Appendixes

See also

Notes and references

  1. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021).
  2. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021).
  3. UNODA, Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security
  4. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 79-80.
  5. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  6. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  7. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
  8. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
National position of the Republic of Poland (2022)
http://cjwi.org/fa/en/national-position-of-the-republic-of-poland-2022/ Mon, 21 Aug 2023 12:11:53 +0000

Introduction

This is the national position of the Republic of Poland on international law applicable to cyberspace. The position[1] was publicly released on 29 December 2022.[2] The document was created on the initiative of the Ministry of Foreign Affairs of the Republic of Poland.

Applicability of international law

“By presenting this position, the Republic of Poland wishes to join the states that have already formulated their views in this respect. In Poland’s view, the practice of publicly presenting positions in key matters concerning international law increases the level of legal certainty and transparency, at the same time contributing to strengthening respect for international law commitments, and offers an opportunity to develop customary law.

Poland is also in favour of the discussion on how to apply international law to cyberspace, taking place in the UN in the field of information and telecommunications in the context of international security since 2013 within the Group of Governmental Experts, and also within the Open-Ended Working Group since 2021. As indicated in Poland’s position presented at the UN in 2016, “Respect for international law and norms are a necessary condition for maintaining peace and security between States in cyberspace”.

Respect for the fundamental norms of international law is in turn instrumental in preventing international conflicts and their escalation. The above also applies to activities in cyberspace. This position is thus a natural continuation of Poland’s two years of non permanent membership of the Security Council (2018-2019), where the issue of respect for international law was one of Poland’s priorities.”[3]

Application of International law to actions in cyberspace

1. The existing international law, including the Charter of the United Nations, applies to cyberspace. Therefore, states are required to adhere to international law in cyberspace.

“The lack of universal treaties referring directly to the actions of states and other actors in cyberspace does not mean that this space lies outside the law or is unregulated. The norms of international law derived both from the treaties and from other sources of law, in particular customary international law, apply to it. So far, the stance that the existing norms of international law apply to cyberspace has been taken among others by the European Union, the North Atlantic Treaty Organization, the UN Group of Governmental Experts (UN GGE) and a number of states.”[4]

Sovereignty

2. The principle of sovereignty applies to cyberspace

“State sovereignty is a basic principle of international law. According to this principle, states are independent and equal in international relations, while their territorial integrity and political independence are inviolable. As a consequence, states exercise supreme power over their own territory.

The principle of sovereignty is closely linked to the principle of non-intervention in affairs falling under the domestic jurisdiction of a state. The norms concerning the jurisdiction of a state and the immunities of a state and its representatives are also derived from the principle of sovereignty.

A state exercises power over cyberspace users located within its territory, over IT infrastructure and over data. While respecting the norms of international law by which it is bound, it may exercise its sovereign prerogatives over such actors and facilities. It is also entitled to protect them. As a result, the Republic of Poland takes the position that the violation of a state’s sovereignty may occur both in the event of an attack against state infrastructure and against private infrastructure. A mere fact that IT infrastructure is linked in a number of ways with an international network does not result in the state’s losing any of its rights with respect to such infrastructure.

As it was indicated earlier, sovereignty has an external dimension as well. External sovereignty means that a state is independent in its external relations and is capable of freely engaging in any actions in cyberspace, also outside its own territory, subject to restrictions under international law. Another consequence of sovereignty is a state’s capacity to enter into treaties, including those on cyberspace.

The principle of sovereignty requires other states to refrain from any actions that would violate sovereignty, and in particular states are obliged not to knowingly make their territory available for the purposes of acts that would violate the rights of other states. Poland is of the opinion that in the event of a hostile operation conducted in cyberspace, causing serious adverse effects within the territory of a state, such actions should be considered a violation of the principle of sovereignty, irrespective of whether such effects are of kinetic nature or are limited to cyberspace. The violation of the principle of sovereignty may be exemplified by a conduct attributable to a third country that consists in interfering with the functioning of state organs, for instance by preventing the proper functioning of ICT networks, services or systems of public entities, or by a theft, erasure or public disclosure of data belonging to such entities.”[5]

“Actions in cyberspace that violate the prohibition of the use of force and the principle of non-intervention in affairs falling under the domestic jurisdiction of a state would also violate the principle of sovereignty.”[6]

Due diligence

“States should exercise due care to ensure that the IT infrastructure located within their territory is not used for unauthorised actions targeted at third countries. The same applies to persons staying within the territory of the state. An assessment of whether the state exercised due care or not should be contingent upon its technological advancement, expertise/resources and knowledge about actions in cyberspace initiated within its territory.”[7]

Prohibition of intervention

3. Actions in cyberspace may constitute unlawful intervention in affairs falling under the domestic jurisdiction of a state.

“Intervention in internal or external affairs of another state that fall under its domestic jurisdiction is an action that contravenes international law. The principle of non-intervention is a natural consequence of the principle of sovereignty – to the extent to which the state exercises its exclusive sovereign rights, the other states have an obligation to respect them. The threshold for considering a specific operation in cyberspace to be in breach of the principle of non-intervention is higher than in the case of deeming it solely a violation of the principle of sovereignty. To be in breach of international law, an intervention must include the element of coercion that aims at influencing the state’s decisions belonging to its domaine réservé, i.e. the area of state activity that remains its exclusive competence under the principle of sovereignty. Therefore, it is possible to refer to a violation of the non-intervention principle if a state interferes with internal or external affairs falling under the exclusive competence of another state by using an element of coercion.

There is no universally acceptable definition of “coercion”, but an unambiguous example of a prohibited intervention is the use of force.

A cyber operation that adversely affects the functioning and security of the political, economic, military or social system of a state, potentially leading to the state’s conduct that would not occur otherwise, may be considered a prohibited intervention. In particular, any action in cyberspace that would prevent the filing of tax returns online or any interference with ICT systems that would prevent a reliable and timely conduct of democratic elections would be a violation of international law. Similarly, depriving the parliament working remotely of the possibility of voting online to adopt a law or modifying the outcome of such voting would also be such a violation. It should also be noted that a wide-scale and targeted disinformation campaign may also contravene the principle of non-intervention, in particular when it results in civil unrest that requires specific responses on the part of the state.”[8]

Use of force

4. In certain circumstances actions in cyberspace may constitute a violation of the prohibition of the use of force

“The prohibition on the threat or use of force is laid down in Article 2(4) of the Charter of the United Nations and customary international law. According to the Advisory Opinion of the International Court of Justice on the legality of the threat or use of nuclear weapons, an action may be considered the use of force irrespective of the means used. What matters are the effects of the actions taken. As a result, it cannot be ruled out that in some circumstances a cyberattack will reach such a threshold that it will be deemed the use of force. Perceiving a cyberattack as the use of force is supported by the possibility of it causing similar effects to those caused by a classic armed attack executed with the use of conventional weapons. When assessing whether or not a cyber operation reaches the threshold of the use of force, the situation must be analysed individually, taking into consideration the circumstances of actions taken in accordance with the requirements of international law. An action in cyberspace that leads to: a permanent and significant damage of a power plant, a missile defence system deactivation or taking control over an aircraft or a passenger ship and causing an accident with significant effects may be considered the use of force. This list is not exhaustive – the legal qualification will always depend on the circumstances of a specific attack.

A cyberattack that does not reach the threshold of the prohibited use of force may be deemed a prohibited intervention or an action that violates the principle of sovereignty.”[9]

Self-defence and armed attack

5. A cyberattack may be qualified as an armed attack. The right to self-defence applies to cyberspace

“Pursuant to Article 51 of the Charter of the United Nations and customary international law, a state has the right of self-defence in the event of an armed attack. In the context of cyberspace, a cyberattack that results in death or injury of people or damage or destruction of property of significant value may be considered an armed attack. In such circumstances, according to international law, a state enjoys the right of self-defence, however, this right should be exercised in line with the principles arising from customary international law, namely the principle of necessity and proportionality.

Self-defence does not need to involve the same means through which the armed attack was inflicted. In response to a cyberattack that reaches the threshold of an armed attack, it is possible to respond both in cyberspace exclusively or with the use of traditional armed forces. Deprivation of the right to respond to such a cyberattack with kinetic means could render the self-defence right illusory when the perpetrator of an armed attack is little dependent on its functioning in cyberspace.

According to international law, the right of self-defence may also apply to cyberattacks reaching the threshold of an armed attack inflicted by non-state actors. The right of collective self-defence applies to cyberspace as well. This is supported by a declaration adopted by the representatives of states attending the meeting of the North Atlantic Council during the summit of the North Atlantic Treaty Organization in Wales in 2014. The declaration stipulates among others that a cyberattack can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Its impact could be as harmful to modern societies as a conventional attack. It was, therefore, affirmed that cyber defence is part of NATO’s core task of collective defence.”[10]

State responsibility

6. A state is responsible for actions in cyberspace that violate international law

“Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”).”[11]

Attribution

“Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”).

The document reiterates that “Every internationally wrongful act of a State entails the international responsibility of that State.” (Article 1). A state is responsible for conduct consisting of both an action or omission that is attributable to the state under international law and constitutes a breach of an international obligation of the state (Article 2). Articles 4–11 describe the rules governing the attribution of responsibility to a state. According to these rules, the State is responsible among others for the conduct of its organs, persons or entities which, even though they are not organs, are empowered by law to exercise governmental authority, as well as persons or groups of persons acting on the instructions of, or under the direction or control of that state.

The above norms also apply to conduct of states in cyberspace. The state may therefore be responsible for internationally wrongful acts of, for instance, hacker groups or individual hackers, if the conditions expressed in the Articles on the Responsibility of States are satisfied. At the same time, it should be remembered that the specific nature of cyberspace severely hampers the attribution of internationally wrongful acts to states or other actors.”[12]

International human rights law

7. International human rights law applies to cyberspace

“High anonymity, control of data flow, and a largely non-territorial nature of cyberspace pose a challenge for protecting human rights online. Nonetheless, international human rights law applies to conduct in cyberspace. Rights that people have offline must also be protected online. States have an obligation not to violate human rights and to protect such rights when they are violated by non-state actors or other states. The above-mentioned examples of unlawful actions by external actors that constitute violations of a state’s sovereignty or an act of violence may at the same time result in a violation of human rights.

Freedom of speech and right to privacy require special protection in cyberspace. As the European Court of Human Rights pointed out, “the Internet plays an important role in enhancing the public’s access to news and facilitating the dissemination of information in general”. Depriving individuals of access to the Internet or specific websites may constitute a violation because, as the Court emphasised, “user-generated expressive activity on the Internet provides an unprecedented platform for the exercise of freedom of expression”. At the same time, it must be taken into account that such rights may be subject to restrictions necessary in a democratic society, in particular due to public security interest, protection of public order, health and morality or the protection of rights and freedoms of other persons.

Protection of international human rights law in the context of cyberspace requires efforts for the open and safe Internet. Respecting sovereignty in cyberspace must not serve as an excuse for violations of international human rights law. The effective protection of human rights requires that a state refrain from unjustified interference with rights and freedoms exercised on the Internet, and in some circumstances it requires positive actions aimed at guaranteeing effective execution and protection of human rights on the Internet.”[13]

International humanitarian law (jus in bello)

8. The norms of international humanitarian law apply to cyberspace

“The norms of international humanitarian law (IHL) apply in the event of an armed conflict, an international or non-international one. The basic principles of international humanitarian law include the principle of humanity, proportionality, military necessity and distinction. The requirements of international humanitarian law apply also to actions carried out in cyberspace during an armed conflict. When taking actions in cyberspace, it is necessary to consider both direct and indirect effects of such operations.”[14]

Retorsion

“In accordance with international law, a state has a right to take measures in response to hostile actions in cyberspace that do not reach the threshold of an armed attack.

International practice shows that states may use a range of measures to ensure that law is respected by other actors subject to international law. In particular the state which is the target of a cyberattack may respond to hostile actions by using retorsion or countermeasures.

Retorsion is a response of the state to actions contrary to its interest or hostile actions of another state. Measures taken as a retorsion may be in reaction to both legal and illegal actions of another subject of international law, but in itself they must be in compliance with international law.”[15]

Countermeasures

“Countermeasures are the reaction of a state whose international rights have been violated by another actor. They consist in refraining from the performance of international obligations for some time in order to persuade the state that violates international law to fulfil its obligations and to persuade it against further violations.

At the same time, the Republic of Poland expresses the view that the evolution of customary international law over the last two decades provides grounds for recognising that a state may take countermeasures in pursuit of general interest as well. In particular, the possibility of taking such measures materialises itself in response to states’ violations of peremptory norms, such as the prohibition of aggression.

When applying such measures, the state is required to act in accordance with the principle of proportionality. Moreover, both retorsion and countermeasures cannot constitute the violation of norms pertaining to fundamental human rights, obligations under international humanitarian law and peremptory norms.”[16]

Appendixes

Notes and references

  1. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland.
  2. The Republic of Poland’s position on the application of international law in cyberspace, 29 December 2022.
  3. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 1.
  4. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 2.
  5. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 3.
  6. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 4.
  7. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 4.
  8. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 4.
  9. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 5.
  10. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 5-6.
  11. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 6.
  12. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 6.
  13. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 7.
  14. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 7.
  15. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 7-8.
  16. The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 8.
National position of the People’s Republic of China (2021)

http://cjwi.org/fa/en/national-position-of-the-peoples-republic-of-china-2021/

Mon, 21 Aug 2023 12:09:37 +0000

Introduction

This is the national position of the People’s Republic of China on international law applicable to cyberspace. The position[1] was made available by the Ministry of Foreign Affairs in October 2021. Furthermore, in December 2021, the People’s Republic of China issued a paper outlining its views on the application of the principle of sovereignty in cyberspace, the content of which is also reflected on this page.[2]

Applicability of international law

“The phenomenal development of information technology revolution and digital economy is exerting far-reaching influence over social and economic development of States and human civilization. All parties should uphold multilateralism, ensure fairness and justice, put equal emphasis on security and development, step up dialogue and cooperation, promote global governance and international rules-making, and build a community of shared future in cyberspace.”[3]

“[..]The international community, with a view to maintaining international peace and security, should undertake discussions within the framework of the UN on how international law applies to the use of ICTs by States, taking into account the unique attributes of ICTs, and further develop common understandings on this issue.

The UN Charter and the principles enshrined in it, including sovereign equality, refraining from the use or threat of force, settlement of international disputes by peaceful means and non-intervention in the internal affairs of other States, apply in cyberspace. The application of these principles is the cornerstone of the peace, security and stability in cyberspace.

States should handle the applicability of the law of armed conflicts and jus ad bellum with prudence, and prevent escalation of conflicts or turning cyberspace into a new battlefield.

To maintain long-lasting peace and stability in cyberspace, new international legal instruments tailored to the attributes of ICTs and evolving realities should be developed based on broad participation of all States. Cyber terrorism imposes significant threat on national security and social stability of States, which could be considered as an important direction for new legal instruments.”[4]

“States can conduct policy and technical exchanges, law-enforcement cooperation and information sharing on a voluntary basis to enhance mutual trust and reduce misperception and miscalculation.

For realizing fair, reasonable and universal access to the Internet, popularization of ICTs, equal sharing of digital dividends and global common and sustainable development, international cooperation and assistance on ICT security should be promoted. States should step up cooperation on emergency response capabilities. States should not conduct malicious cyber activities against the State which is seeking the assistance or a third State under the pretext of providing assistance.”[5]

Sovereignty

“The principle of sovereignty applies in cyberspace. States should exercise jurisdiction over the ICT infrastructure, resources, data as well as ICT-related activities within their territories, and have the rights to protect their information systems and important data against damage resulting from threats, interference, attack and sabotage. States have the right to make ICT-related public policies, laws and regulations to protect legitimate interests of their citizens, enterprises and social organizations. States should refrain from using ICTs to interfere in internal affairs of other States and undermine their political, economic and social stability, or to conduct activities that undermine other States’ national security and public interests. States should participate in the management and distribution of international Internet resources on equal footings, and build a global Internet governance system of multilateralism, democracy and transparency.”[6]

“State sovereignty in cyberspace is a legally binding principle under international law. If a State infringes on the internal supremacy and external independence that another State enjoys on the basis of its national sovereignty over ICT-related infrastructure, entities and activities as well as relevant data and information within its territory, it is a violation of the principle of sovereignty, which will constitute a wrongful act under international law. The acts may include, among others, unauthorized penetration into the network systems in the territory or within the jurisdiction of another State, causing disruption or damage of relevant infrastructure or undermining a State’s exclusive sovereign rights in cyberspace.”[7]

Prohibition of intervention

“No State shall intervene in other States’ rights to survival, security and development in cyberspace. No State shall support or allow separatist forces to undermine other States’ territorial integrity, national security and social stability through use of ICTs.”[8]

Due diligence

“No State shall knowingly allow its territory, or territory or ICT facilities, data and information under the control of its government, to be used for ICT activities that undermine national security or interests.”[9]
