Definition

CollapseTargeted restrictive measures

The term “targeted restrictive measures” denotes sanctions taken by States outside of the framework of the United Nations, against individuals or companies which are being held responsible for conducting – or being otherwise involved in the conduct of – a cyber operation. Typically, restrictive measures take the form of travel bans or asset freezes for individuals and companies, but may also include other measures.[1] Targeted restrictive measures are measures typically taken within the domestic legal framework of a State or a group of States and operate territorially within the jurisdiction of that State or group of States. By virtue of their internal sovereignty, States are in principle free to adopt any measures they consider necessary or appropriate with regard to persons engaged in cyber activities.[2] To assess the legality of such restrictive measures taken within the domestic legal framework, it is necessary to inquire whether they violate any applicable international legal obligations of the acting State. This may be the case, for instance, if the targeted persons or entities enjoy jurisdictional immunities[3] or if the measures in question affect rights granted by an international agreement between the acting State and the State where such persons or entities are based (such as a bilateral trade agreement). In this case, the acting State would need to be able to invoke circumstances precluding the wrongfulness of such measures, in order for their imposition to be justified.[4] If no international legal obligations are breached, the restrictive measures are permissible under international law and may be qualified at most as acts of retorsion. Provided that these conditions are met, States may also impose such restrictive measures collectively.[5] Publicly available national positions that address this issue include: (2019), (2019).

National positions

Estonia (2019)

“More than simply attributing, we must take a stance that harmful cyber operations cannot be carried out without consequences. One good example would be EU’s Cyber Diplomacy Toolbox, which foresees a framework for joint EU diplomatic response to malicious cyber activities. Two weeks ago, EU Member States agreed on a horizontal framework which will allow to impose restrictive measures, or sanctions, against malicious cyber operations in similar manner as it is possible for terrorist acts or use of chemical weapons. Several allies have already taken diplomatic steps or set in place economic restrictive measures against adversarial states, or individuals responsible for harmful cyber operations.”^[6]

Netherlands (2019)

“As the international debate on the application and scope of international law in cyberspace proceeds, some countries continue to engage in harmful activities. Diplomatic measures against undesirable state-led cyber operations, ideally coordinated at international level or in coalition with like-minded countries, can be an effective way to strengthen the international legal order and protect security interests at home and abroad. The government is therefore working to strengthen our capacity to mount a diplomatic and political response to cyber operations that undermine our interests. The international response after the foiled cyber operation targeting the OPCW is a good example of this. The efforts of the mission network are essential in this respect, so as to ensure coordinated action. When assessing the options for responding, the focus above all must be on carefully and comprehensively weighing up the Netherlands’ interests, including those in the realm of security.

In order to provide further structure to international cooperation at EU level, an EU cyber diplomacy ‘toolbox’ has been developed, at the Netherlands’ initiative.6 The toolbox is a framework which allows various instruments of the Common Foreign and Security Policy to be used to hold parties conducting harmful cyber activities to account. In this connection, on 17 May 2019 an EU cyber sanctions regime was introduced at the Netherlands’ initiative, making it possible to freeze assets and impose entry bans.”^[7]

Appendixes

See also

Notes and references

Definition

CollapseState responsibility

Responsibility of States for internationally wrongful acts is a well-established concept in international law, resulting from the fact that each State has a legal personality and can bear legal obligations.[1] The law of State responsibility is largely customary in nature; its codification is provided by the International Law Commission’s Articles on State Responsibility.[2] While some of the Articles are more controversial, they are generally accepted as reflective of customary law.[3] The law of State responsibility also applies to cyber operations and other cyber activities.[4] Every internationally wrongful act of a State – entailing both acts and omissions –, has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.[5]Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.[6] An internationally wrongful act entails the State’s international responsibility and gives rise to legal consequences, including the obligation to cease the conduct (if applicable) and the obligation to make full reparation for the injury caused.[7] Publicly available national positions that address this issue include: (2020), (2021), (2022), (2023), (2023), (2019), (2021), (2020), (2021), (2021), (2020), (2021), (2022), (2021), (2021), (2022), (2021), (2018), (2021), (2022), (2021).

National positions

Australia (2020)

“The customary international law on State responsibility, much of which is reflected in the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations.”^[8]

Brazil (2021)

“Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.

While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status.”^[9]

Canada (2022)

“28. The international law of State responsibility applies across the whole spectrum of substantive areas of international law, including in cyberspace. It governs such issues as the attribution of internationally wrongful acts to States. It also addresses circumstances precluding wrongfulness, including countermeasures, and possible remedies. The law of State responsibility is not concerned with the legality of the use of force, including in self-defence, which is a separate area of international law.

29. In Canada’s view, this well-established body of international law is not only applicable, but highly relevant in relation to contemporary cyber activities. To date, all publicly known malicious cyber activities have been widely interpreted by States as falling below the threshold (or thresholds) of the threat or use of force or armed attacks.”^[10]

“30. An internationally wrongful act in the cyber context is a cyber-related action or omission that: constitutes a breach of an international legal obligation, whether to another State or the entire international community; and is attributable to a State under international law.

31. International law recognises exceptions to what would otherwise be internationally wrongful acts. Examples include cases of self-defence and countermeasures.”^[11]

Costa Rica (2023)

“10. Costa Rica believes that, under customary international law, as codified in Articles 1 and 2 of the International Law Commission (ILC)’s Articles on Responsibility of States for Internationally Wrongful Acts (‘the ILC Articles’), cyber operations may amount to internationally wrongful acts engaging the responsibility of a State when they can be attributed to it and involve a breach of its international obligation(s).”^[12]

Denmark (2023)

“Denmark is of the view that the general rules of State responsibility apply in cyberspace. A State bears international responsibility if it breaches an international obligation owed to another State. A State may be responsible under international law for acts undertaken by an organ of the State or by actors exercising government authority on behalf of that State. Acts by a non-State actor may be attributable to a State where the non-State actor carries out a cyber operation under the instruction of, or under the direction or control of that State, or where the State actor acknowledges and adopts the operations carried out by the non-State actor as its own.

Each State may decide whether to publicly attribute cyber acts to other States or not. There is no obligation under international law for States to share documentation or other evidence supporting an attribution. The application of international law and State responsibility does not depend on public attribution.”^[13]

Estonia (2019)

“[…] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out.”^[14]

Estonia (2021)

The law of state responsibility is a cornerstone for responsible state behaviour in cyberspace when it comes to assessing the unlawfulness of cyber operations below the threshold of use of force.

“The law of state responsibility includes key principles that govern when and how a state is held responsible for cyber operations that constitute a breach of international obligation, by either an act or an omission. A cyber operation can constitute an internationally wrongful act if it is attributable under international law and it constitutes a breach of international obligation under the law of state responsibility. States must comply with customary international law mirrored in the Articles for Responsibility of States for Internationally Wrongful Acts.

States are responsible for their activities in cyberspace. States are accountable for their internationally wrongful cyber operations just as they would be responsible for any other activity according to international treaties or customary international law. State responsibility applies regardless of whether such acts are carried out by a state or non-state actors instructed, directed or controlled by a state.

States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors and proxies. For example, if a hacker group launches cyber operations which have been tailored according to instructions from a state, or the cyber operations are directed or controlled by that state, state responsibility can be established.”^[15]

“In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs.”

[…]

“According to Article 2(a) of ARSIWA, an internationally wrongful act of a state has taken place when the conduct consisting of an action or omission is attributable to a state and the action or omission is wrongful under international law.”^[16]

Finland (2020)

“The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged.”^[17]

Italy (2021)

“Italy concurs with the view that attribution of cyber wrongful acts from one State to another is governed by the general rules of international law on the attribution of State conduct as codified by the International Law Commission (ILC) Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA). Still, Italy acknowledges the difficulties of applying the ARSIWA in a peculiar environment such as cyberspace.”^[18]

Japan (2021)

“Internationally wrongful acts committed by a State in cyberspace entail State responsibility. An internationally wrongful act occurs when the conduct of a State consisting of an action or omission violates an obligation prescribed by primary rules of international law. In the case of cyber operations as well, there is an internationally wrongful act when a State violates primary rules, including the principles of sovereignty, non-intervention, prohibition of the use of force, as well as various principles of international humanitarian law such as the principle of prohibition of attacks on civilian objects, and respect for basic human rights.”^[19]

“Regarding cyber operations as well, a State responsible for an internationally wrongful act is under the following obligations. First, the State shall cease the act if it is continuing. In addition, the State shall offer appropriate assurances and guarantees of non-repetition, if circumstances so require. Besides, the responsible State is under an obligation to make full reparation for the injury caused by the internationally wrongful act.”

[…]

“There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law.”^[20]

New Zealand (2020)

“Where a state is subject to cyber activity that amounts to an internationally wrongful act, it may also invoke the international legal responsibility of the responsible state. States are responsible for internationally wrongful acts that can be attributed to them, including wrongful cyber activities.”^[21]

Norway (2021)

Key message

In order for a State to be held internationally responsible for a cyber operation, the operation has to be attributable to the State under international law. A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.

“The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.

In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory.”^[22]

Poland (2022)

6. A state is responsible for actions in cyberspace that violate international law

“Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”).”^[23]

Romania (2021)

“There is an internationally wrongful act of a State when conduct consisting of an action or omission is:

• attributable to the State under international law; and
• constitutes a breach of an international obligation of the State

Therefore, from the perspective of state responsibility under international law, attribution is one of the components”.^[24]

[…]

“Once attributed to a State and determined that the conduct constitutes a breach of an international obligation (the 2nd component), the international responsibility of that State is entailed and can be invoked by the injured State either individually (if the obligation breached is owed to that State or if that State was otherwise affected by the conduct) or collectively with other States if the obligation breached was owed to a group of States (including that State) or to the international community as a whole; the invocation of the responsibility of a State is a matter of political choice; however, the responsibility of a State for an international wrongful act is an objective circumstance from the legal standpoint, which exists independent of its invocation by the injured State(s); nevertheless, under draft articles of State responsibility there is a certain procedure to be followed by the injured State invoking the responsibility of another State (therefore a pubic invocation may not suffice).”^[25]

Russia (2021)

“The possibility of attributing responsibility for particular actions in information space to States demands further study on the basis of the existing international law. The international responsibility of a State is conditioned to the commission of an internationally wrongful act by this State. According to the Articles on Responsibility of States for Internationally Wrongful Acts (elaborated by the UN International Law Commission in 2001, taken note in the UNGA resolution A/RES/56/83), there is an internationally wrongful act of a State when conduct consisting of an action or omission: 1) is attributable to the State under international law; 2) constitutes a breach of an international legal obligation of the State. The characterization of an act of a State as internationally wrongful is governed by international law. Such characterization is not affected by the characterization of the same act as lawful by internal law (article 3).”^[26]

[…]

“Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence.”^[27]

Sweden (2022)

“An internationally wrongful act by a State entails the responsibility of that State under international law. The articles on State responsibility drafted by the International Law Commission constitute secondary norms of international law, identifying conditions when a State is internationally responsible for wrongful acts and the effects thereof. The general norms on State responsibility apply also in relation to wrongful acts in the cyber context.

Technical difficulties pose new challenges in identifying those responsible for cyber operations, compared with kinetic operations, but the rules on attribution under the law of State responsibility also apply in a cyber context.”^[28]

Switzerland (2021)

“The customary international rules on state responsibility are largely reflected in the draft articles issued by International Law Commission. They are also applicable to cyber incidents. They provide that any state action in violation of international law shall entail the international responsibility of that state, upon which a claim for full reparation may be made. This only applies if the action can be legally attributed to the state and is deemed to constitute an internationally wrongful act, i.e. in violation of international law.”^[29]

United Kingdom (2018)

“There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.

The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commissions Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control.”^[30]

United Kingdom (2021)

“A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility.”^[31]

United Kingdom (2022)

“I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation.”^[32]

United States (2021)

“Both the 2013 and 2015 GGE reports concluded that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. In addition, they must not use proxies to commit internationally wrongful acts using ICTs.

Under the law of State responsibility, a State is responsible for an internationally wrongful act when there is an act or omission that is attributable to it under international law that constitutes a breach of an international obligation of the State. Cyber activities may therefore constitute internationally wrongful acts under the law of State responsibility if they are inconsistent with an international obligation of the State and are attributable to it.”^[33]

Appendixes

See also

Notes and references

National positions

Costa Rica (2023)

“58. IHL affords specific protection to certain persons, objects and activities, such as medical personnel and units; humanitarian personnel and relief objects; and objects indispensable to the survival of the civilian population.”^[1]

Sweden (2022)

“Cyber operations in the context of an armed conflict need to comply not only with rules governing the conduct of hostilities; certain persons, objects and activities are subject to special protection, such as medical personnel and units, including their cyber infrastructure, and religious or humanitarian personnel and objects.”^[2]

Switzerland (2021)

“Full compliance with IHL is not limited to the rules and principles governing the conduct of hostilities. There are other specific rules of IHL that must be respected, including when conducting military operations that do not qualify as an ‘attack’. For example, certain categories of persons and objects are subject to special protection, such as medical, religious or humanitarian personnel and objects, which must be respected and protected in all circumstances.

This is also applicable to cyberspace. For cyber operations that are linked to any of these specially protected persons or objects, or to other activities governed by IHL, all of the relevant, specific rules must be observed.”^[3]

Appendixes

See also

Notes and references

Definition

CollapseSovereignty

Sovereignty is a core principle of international law. According to a widely accepted definition of the term in the 1928 Island of Palmas arbitral award, [s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.[1] Multiple declarations by the UN,[2] NATO,[3] OSCE,[4] the European Union,[5] and individual States have confirmed that international law applies in cyberspace. Accordingly, so too does the principle of sovereignty.[6] However, there is some debate as to whether this principle operates as a standalone rule of international law, the breach of which gives rise to state responsibility. For the proponents of this view, the prohibition on violating the sovereignty of other States is a substantive primary rule of international law, the breach of which is an internationally wrongful act. This view was unanimously accepted by the experts who prepared the Tallinn Manual 2.0.[7] It has also been adopted by several States including Austria,[8] Brazil, [9] Canada,[10] the Czech Republic,[11] Estonia,[12] Finland,[13] France,[14] Germany,[15] Iran,[16] Italy,[17] Japan,[18] the Netherlands,[19] New Zealand,[20] Norway,[21] Romania[22] and Sweden.[23] By contrast, the opposing view is that sovereignty is a principle of international law that may guide State interactions, but it does not amount to a standalone primary rule.[24] This view has been adopted by one State, the United Kingdom,[25] and has been partially endorsed by the U.S. Department of Defense General Counsel.[26] By this approach, cyber operations cannot violate sovereignty as a rule of international law, although they may constitute prohibited intervention, use of force, or other internationally wrongful acts. The remainder of this section proceeds on the basis of the former “sovereignty-as-rule” approach. Those espousing the latter “sovereignty-as-principle” approach should refer to other relevant sections of the legal analysis (such as that on the prohibition of intervention or use of force). It is understood that sovereignty has both an internal and an external component.[27] In the cyber context, the “internal” facet of sovereignty entails that “[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.”[28][29] This encompasses both private and public infrastructure.[30] The external component entails that States are “free to conduct cyber activities in [their] international relations”, subject to their international law obligations.[31] As a general rule, each State must respect the sovereignty of other States.[32]However, within the cyber realm – and particularly regarding remote cyber operations – there is still no agreement on the criteria[33] and the required threshold[34] to qualify an operation as a sovereignty violation.[35] It is clear that a cyber operation with severe destructive effects, comparable to a “non-cyber” armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.[36] Accordingly, the assessment needs to be done on a case-by-case basis.[37] The following modalities, highlighted in the Tallinn Manual 2.0, represent different ways of determining what a “sovereignty violation” might mean in the context of cyber operations: A State organ conducting cyber operations against a target State or entities or persons located there while physically present in the target State’s territory violates the target State’s sovereignty.[38] This was agreed by all Experts drafting the Manual; however, “a few” of the Experts thought that the extensive State practice carved out an exception for espionage operations.[39] Causation of physical damage or injury by remote means;[40] again, “a few” Experts took the position that this is a relevant but not a determinative factor by itself.[41] Causation of a loss of functionality of cyber infrastructure: although the Tallinn Manual 2.0 experts agreed that a loss of functionality constituted “damage” and thus a breach of sovereignty, no consensus could be achieved as on the precise threshold for a loss of functionality (the necessity of reinstallation of the operating system or other software was proposed but not universally accepted);[42] Below this threshold, there was no agreement among the Experts whether operations that do not cause physical consequences or a loss of functionality qualify as a violation of sovereignty.[43] Interference with data or services that are necessary for the exercise of “inherently governmental functions“;[44] although the Experts could not conclusively define the term “inherently governmental functions”, they agreed that, for example, the conduct of elections would so qualify.[45] Usurpation of “inherently governmental functions”, such as exercise of law enforcement functions in another State’s territory without justification.[46] The Tallinn Manual’s view of what constitutes a violation of sovereignty has been expressly endorsed by several States including Canada,[47] Germany[48] and the Netherlands;[49] and followed to some extent by other States, such as the Czech Republic,[50] Norway,[51] Sweden[52] and Switzerland.[53] An alternative test has been proposed by France, which argues that a breach of sovereignty occurs already when there is “any unauthorised penetration by a State of [the victim State’s] systems”;[54]similarly, Iran has argued that “unlawful intrusion to the (public or private) cyber structures” abroad may qualify as a breach of sovereignty.[55] Attributing the relevant cyber operation to a State different from the target State is a necessary prerequisite for qualifying the cyber operation as a violation of the target State’s sovereignty. Whether non-State actors can violate territorial sovereignty on their own is a matter of disagreement.[56] Publicly available national positions that address this issue include: (2020), (2021), (2022), (2021), (2023), (2020), (2023), (2019), (2021), (2020), (2019), (2021), (2020), (2023), (2020), (2021), (2021), (2021), (2019), (2020), (2021), (2023), (2022), (2021), (2021), (2022), (2021), (2018), (2021), (2022), (2012), (2016), (2020), (2021).

National positions

Australia (2020)

“To the extent that a State enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other States.”^[57]

Brazil (2021)

“State sovereignty is one of the founding principles of international law. As the ICJ has stated in the Corfu Channel Case, “between independent States, the respect for territorial sovereignty is an essential foundation for ‘international relations’”. It is applicable as a standalone rule, including to the use of ICTs by States, and entails an independent obligation of “every State to respect the territorial sovereignty of others”. Currently, there is neither broad state practice nor sufficient opinio juris to generate new customary international norm allowing for the violation of State sovereignty, including by means of ICTs.

Violations of State sovereignty by another State, including by means of ICTs, constitute an internationally wrongful act and entail the international responsibility of the State in violation. Interceptions of telecommunications, for instance, whether or not they are considered to have crossed the threshold of an intervention in the internal affairs of another State, would nevertheless be considered an internationally wrongful act because they violate state sovereignty. Similarly, cyber operations against information systems located in another State’s territory or causing extraterritorial effects might also constitute a breach of sovereignty.”^[58]

Canada (2022)

“10. Sovereignty is a fundamental element of international law and international relations. It is axiomatic that the principle of sovereignty applies in cyberspace, just as it does elsewhere. It animates a number of obligations for all States.”^[59]

“13. Territorial sovereignty is a rule under international law.^[60] Every State must respect the territorial sovereignty of every other State. States enjoy sovereignty over their territory, including in particular infrastructure located within their territory and activities associated with that infrastructure. An infringement upon the affected State’s territorial integrity, or an interference with or usurpation of inherently governmental functions of the affected State, would be a violation of territorial sovereignty.^[61]“^[62]

“14. In assessing the possible infringement of a State’s territorial sovereignty, several key factors must be considered. The scope, scale, impact or severity of disruption caused, including the disruption of economic and societal activities, essential services, inherently governmental functions, public order or public safety must be assessed to determine whether a violation of the territorial sovereignty of the affected State has taken place.

15. In general, the impact or severity of cyber effects will be evaluated in the same manner and according to the same criteria as for physical activities. Cyber activities that rise above a level of negligible or de minimis effects, causing significant harmful effects within the territory of another State without that State’s consent, could amount to a violation of the rule of territorial sovereignty with respect to the affected State. It is also important to note that cyber activities with effects in another State do not constitute physical presence in the territory of that State. As such, territorial sovereignty is not violated by virtue merely of remote activities having been carried out on or through the cyber infrastructure located within the territory of another State. Furthermore, cyber activities carried out remotely from within Canada with negligible effects in a foreign State do not involve an extraterritorial exercise of enforcement jurisdiction by Canada.

16. Cyber activities that cause a loss of functionality with respect to cyber infrastructure located within the territory of the affected State may also constitute a violation of territorial sovereignty if the resulting loss of functionality causes significant harmful effects similar to those caused by physical damage to persons or property. For example, a violation of the territorial sovereignty will occur when the cyber activity creates a significant harmful effect that necessitates the repair or replacement of physical components of cyber infrastructure in the affected State. The loss of functionality of physical equipment that relies on the affected infrastructure in order to operate could also form part of the violation. The assessment of the effects includes both intended and unintended consequences that reach the threshold required to trigger a violation.

17. The rule of territorial sovereignty does not require consent for every cyber activity that has effects, including some loss of functionality, in another State. Activities causing negligible or de minimis effects would not constitute a violation of territorial sovereignty regardless of whether they are conducted in the cyber or non-cyber context. Nor are States precluded by the rule of territorial sovereignty from taking measures that have negligible or de minimis effects to defend against the harmful activity of malicious cyber actors or to protect their national security interests. For example, Canada considers that a cyber activity that requires rebooting or the reinstallation of an operating system is likely not a violation of territorial sovereignty.

18. The other key basis for assessing a violation of territorial sovereignty is whether a cyber activity interferes with or usurps the inherently governmental functions of another State. Cyber activities that have significant harmful effects on the exercise of inherently governmental functions would constitute an internationally wrongful act. For Canada, this would include government activities in areas such as health care services, law enforcement, administration of elections, tax collection, national defence and the conduct of international relations, and the services on which these depend. There can be a violation of territorial sovereignty by way of effects on governmental functions regardless of whether there is physical damage, injury, or loss of functionality. An example would be a cyber activity that interrupts health care delivery by blocking access to patient health records or emergency room services, resulting in risk to the health or life of patients.

19. Importantly, some cyber activities, such as cyber espionage, do not amount to a breach of territorial sovereignty, and hence to a violation of international law.^[63] They may however be prohibited under the national laws of a State.^[64]

20. It is possible that a series of cyber activities could lead to significant harmful effects that violate the rule of territorial sovereignty. This is the case even if the individual cyber activity on its own would not reach this threshold.

21. Canada will assess whether a violation of territorial sovereignty has occurred on a case-by-case basis. As noted below, Canada believes further State practice and opinio juris will help clarify the scope of customary law in this area over time. In any event, Canada considers that the existence of varied approaches to assessing the legality of cyber activities should not prevent States from agreeing that particular malicious cyber activities are internationally wrongful acts.”^[65]

China (2021)

“The principle of sovereignty applies in cyberspace. States should exercise jurisdiction over the ICT infrastructure, resources, data as well as ICT-related activities within their territories, and have the rights to protect their information systems and important data against damage resulting from threats, interference, attack and sabotage. States have the right to make ICT-related public policies, laws and regulations to protect legitimate interests of their citizens, enterprises and social organizations. States should refrain from using ICTs to interfere in intermal affairs of other States and undermine their political, economic and social stability, or to conduct activities that undermine other States’ national security and public interests. States should participate in the management and distribution of international Internet resources on equal footings, and build a global Internet governance system of multilateralism, democracy and transparency.”^[66]

“State sovereignty in cyberspace is a legally binding principle under international law. If a State infringes on the internal supremacy and external independence that another State enjoys on the basis of its national sovereignty over ICT-related infrastructure, entities and activities as well as relevant data and information within its territory, it is a violation of the principle of sovereignty, which will constitute a wrongful act under international law. The acts may include, among others, unauthorized penetration into the network systems in the territory or within the jurisdiction of another State, causing disruption or damage of relevant infrastructure or undermining a State’s exclusive sovereign rights in cyberspace.”^[67]

Costa Rica (2023)

“18. Sovereignty is a fundamental principle of international law, underpinning the entire international legal order and firmly grounding the position of States therein. Sovereignty has been traditionally understood in a territorial and physical sense. It means, first and foremost, a State’s right to exercise legislative, adjudicative, and enforcement jurisdiction in its territory, as well as the power to regulate the conduct of certain persons and events abroad. Sovereign rights also have corollary duties, in particular, the obligation of a State to respect other States’ sovereign rights and protect them within its territory.

19. Sovereignty also applies to cyberspace, including its physical and non-physical components. After all, in the digital age, a State’s sovereign powers over its territory and other objects or subjects are increasingly exercised through and dependent on the use of ICTs. In Costa Rica’s view, sovereignty is also a self-standing right accompanied by a binding international legal obligation that can be breached by both cyber and non-cyber activities.

20. Such breaches may occur when cyber operations cause physical damage or loss of functionality of cyber infrastructure located in the victim State, regardless of ownership. Examples range from personal computers to programmable logic controllers or industrial computers that control energy, water, and sanitation facilities. For Costa Rica, a loss of functionality of these devices may occur in two ways. First, when the cyber operation attributable to another State entails the need to repair or replace physical components of the targeted cyber infrastructure or compromises physical equipment reliant on such infrastructure. Second, loss of functionality may occur if the operating system or database upon which the targeted cyber infrastructure relies stops functioning as intended, as may be the case, for instance, as a result of ransomware.

21. Breaches of sovereignty may also occur when a State engages in cyber operations that constitute a usurpation of inherently governmental functions, irrespective of any physical or non-physical effects on hardware or software located in the territory of the victim State. Examples of cyber operations amounting to this type of violation are those interfering with a State’s democratic processes, such as elections, responses to a national security or health emergency, such as the COVID-19 pandemic, and its choice of foreign policy.

22. It is important to note that it is often difficult to technically distinguish between a mere data-gathering operation from an operation penetrating a governmental system in order to interfere with a State’s sovereign functions. Real-world examples show that, once a piece of malware successfully enters a system or network, it remains a latent threat to its integrity. This may damage software or hardware and thus interfere with the conduct of State affairs. Furthermore, surveillance operations may be carried out in ways that lead to breaches of State sovereignty or other rules of international law. As such, Costa Rica believes that, in some circumstances, cyber espionage may amount to a breach of State sovereignty”.^[68]

Czech Republic (2020)

“[…]the Czech Republic recalls that the principles of sovereignty and sovereign equality of States are cornerstones of the UN Charter and thus concurs with the conclusion contained in the report of the UN GGE that in their use of ICT´s States are obliged to observe principles of international law, including the principle of sovereignty. The Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.

The Czech Republic firmly believes that under this principle States may freely exercise without interference in any form by another State both aspects of sovereignty in cyberspace, be it an internal one, with the exclusive jurisdiction over the ICTs located on its territory, or the external one, including the determination of its foreign policy, subject only to obligations under international law. The Czech Republic considers the following cyber operations in a State’s territory as violation of its sovereignty, if attributable to another State:

A. a cyber operation causing death or injury to persons or significant physical damage;

B.a cyber operation causing damage to or disruption of cyber or other infrastructure with a significant impact on national security, economy, public health or environment;

C.a cyber operation interfering with any data or services which are essential for the exercise of inherently governmental functions, and thereby significantly disrupting the exercise of those functions; for example, distributing ransomware which encrypts the computers used by a government and thus significantly delaying the payment of retirement pensions;

D. cyber operation against a State or entities or persons located therein, including international organisations, conducted by a physically present organ of another State;”^[69]

Denmark (2023)

“Sovereignty denotes each State’s authority to exercise within its territory the functions of a State, to the exclusion of any other State. Denmark is of the view that sovereignty is not only a principle but a primary rule of international law a breach of which amounts to an internationally wrongful act and if attributable to a State it may give rise to State responsibility.

Denmark shares the view that sovereignty applies to States’ cyber activities as has been widely endorsed by other States who have voiced their national positions on international law in cyberspace.

Sovereignty has both an internal and external dimension. Internal sovereignty signifies the independent right of a State to exercise the functions of a State in regard to a given territory to the exclusion of any other State. It pertains to a State’s jurisdiction over all persons, entities, and objects within its territory and some manifestations of the State outside its territory.

It follows that all States may exercise sovereignty over any cyber infrastructure located on their territory and all activities associated with that infrastructure – irrespective of whether such infrastructure or activity is of a public or private character. In the exercise of governmental authority, the State may promulgate and enforce domestic laws or protect cyber infrastructure and cyber activity located or taking place in its territory unless prohibited from doing so by its international legal obligations such as the limitations set out in international human rights conventions and international law on State and diplomatic immunity. A State’s internal sovereignty also encompasses an obligation for the State not to allow its territory to be used for acts contrary to the rights of other States (as further elaborated under section 6 on due diligence).

External sovereignty pertains to the international equal rights and duties of a State in its relations to other States. It derives from the principle of sovereign equality of States as recognized in article 2(1) of the UN Charter and requires all States to respect the territorial integrity and political independence of other States. Other principles and rules of international law such as the prohibition of the use of force, the prohibition on intervention, and the right of self-defence are based on this principle.

As sovereignty is a primary rule under international law States are obliged to respect the sovereignty of other States and must not conduct activities that violate another State’s sovereignty. Whether or not a given act in cyberspace is done in violation of another State’s sovereignty requires a case-by-case assessment of all relevant factors, in particular the nature of and the effects caused by the cyber operation. Denmark supports the view that the lawfulness of a cyber operation should be assessed based on two different bases: the degree of infringement upon the target State’s territorial integrity, and whether there has been an interference with or usurpation of inherently governmental functions. Unlike the prohibition on intervention, a breach of sovereignty is not contingent on a coercion element.

With respect to infringements on a State’s territory Denmark generally shares the view that cyber operations which result in physical damage or injury constitute a violation of a State’s sovereignty and may also violate the principle of non-intervention, or the prohibition of the use of force, cf. section 3 and 4. In addition to physical damage or injury loss of functionality may also, depending on its nature, scale, and effects, constitute such a violation. Cyber operations that alter or delete data without necessarily resulting in physical damage or loss of functionality may also, based on a case-by-case assessment of the nature, scale, and effects of the operation in question, constitute a violation. Cyber activities causing negligible physical effects or loss of functionality would generally not be considered a violation of sovereignty.

Furthermore, interference with or usurpation of a State’s inherently governmental functions may constitute a violation of a State’s sovereignty or prohibited intervention. This assessment is not contingent on whether physical damage, injury, or loss of functionality have occurred, but rather if a cyber operation has interfered with data or services necessary for the exercise of inherently governmental functions. This applies irrespective of whether such inherently government functions are performed by the State itself (either by central, regional or local government) or have been delegated to non-governmental entities.”^[70]

Estonia (2019)

“Sovereignty entails not only rights, but also obligations.”^[71]

Estonia (2021)

Sovereignty as a fundamental principle of international law applies in cyberspace.

“The 2013 and 2015 GGE consensus reports underscore that sovereignty and the international norms and principles that flow from it apply to state conduct of ICT-related activities. In addition, the 2013 GGE emphasised the importance of international law, the Charter of the UN and the principle of sovereignty as the basis for the use of ICTs by states.

States have territorial sovereignty over the ICT infrastructure and persons engaged in cyber activities on their territory. However, states’ right to exercise sovereignty on their territory is not unlimited; states must respect international law, including human rights obligations. States also bear the responsibility to comply with legal obligations flowing from sovereignty – for example, the responsibility not to breach the sovereignty of other states and to take reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. The principle of sovereignty is also closely linked with the principle of non-intervention and the principles of the prohibition of the threat or use of force.

The violation of sovereignty through cyber means can breach international law, and therefore may give the victim state the right to take measures, including countermeasures. Views on what constitutes a breach of sovereignty in cyberspace differ. Malicious cyber operations can be complex, cross several jurisdictions and may not always produce physical effects on targeted infrastructure.”^[72]

Finland (2020)

“It is undisputed that the principle of State sovereignty applies in cyberspace. While cyberspace as a whole cannot be subject to appropriation by any State, each State has jurisdiction over the cyber infrastructure and the persons engaged in cyber activities within its territory.”

“Finland sees sovereignty as a primary rule of international law, a breach of which amounts to an internationally wrongful act and triggers State responsibility. This rule is fully applicable in cyberspace. Whether an unauthorized cyber intrusion violates the target State’s sovereignty depends on its nature and consequences and is subject to a case-by-case assessment.”^[73]

France (2019)

“Cyberattacks may constitute a violation of sovereignty. The international norms and principles that flow from State sovereignty apply to the use of ICT by States and to their territorial jurisdiction over ICT infrastructure. France exercises its sovereignty over the information systems located on its territory”.^[74]

“Any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ, a person or an entity exercising elements of governmental authority or by a person or persons acting on the instructions of or under the direction or control of a State constitutes a breach of sovereignty.”^[75]

“The principle of sovereignty applies to cyberspace. France exercises its sovereignty over the information systems located on its territory. The gravity of a breach of sovereignty will be assessed on a case-by-case basis in accordance with French cyberdefence governance arrangements in order to determine possible responses in compliance with international law”.^[76]

Germany (2021)

“The legal principle of State sovereignty applies to States’ activities with regard to cyberspace. State sovereignty implies, inter alia, that a State retains a right of regulation, enforcement and adjudication (jurisdiction) with regard to both persons engaging in cyber activities and cyber infrastructure on its territory. It is limited only by relevant rules of international law, including international humanitarian law and international human rights law. Germany recognizes that due to the high degree of cross-border interconnectedness of cyber infrastructures, a State’s exercise of its jurisdiction may have unavoidable and immediate repercussions for the cyber infrastructure of other States. While this does not limit a State’s right to exercise its jurisdiction, due regard has to be given to potential adverse effects on third States.

By virtue of sovereignty, a State’s political independence is protected and it retains the right to freely choose its political, social, economic and cultural system. Inter alia, a State may generally decide freely which role information and communication technologies should play in its governmental, administrative and adjudicative proceedings. Foreign interference in the conduct of elections of a State may under certain circumstances constitute a breach of sovereignty or, if pursued by means of coercion, of the prohibition of wrongful intervention. Moreover, by virtue of its sovereignty, a State may decide freely over its foreign policy also in the field of information and communication technologies.

Furthermore, a State’s territorial sovereignty is protected. Due to the rootedness of all cyber activities in the actions of human beings using physical infrastructure, cyberspace is not a deterritorialized forum. In this regard, Germany underlines that there are no independent ‘cyber borders’ incongruent with a State’s physical borders which would limit or disregard the territorial scope of its sovereignty. Within its borders, a State has the exclusive right – within the framework of international law – to fully exercise its authority, which includes the protection of cyber activities, persons engaging therein as well as cyber infrastructures in the territory of a State against cyber and non-cyber-related interferences attributable to foreign States.”^[77]

“Germany agrees with the view that cyber operations attributable to States which violate the sovereignty of another State are contrary to international law. In this regard, State sovereignty constitutes a legal norm in its own right and may apply directly as a general norm also in cases in which more specific rules applicable to State behaviour, such as the prohibition of intervention or the use of force, are not applicable. Violations of State sovereignty may inter alia involve its territorial dimension; in this regard, the following categories of cases may be relevant (without excluding the possibility of other cases):

Germany essentially concurs with the view proffered, inter alia, in the Tallinn Manual 2.0 that cyber operations attributable to a State which lead to physical effects and harm in the territory of another State constitute a violation of that State’s territorial sovereignty. This encompasses physical damage to cyber infrastructure components per se and physical effects of such damage on persons or on other infrastructure, i.e. cyber or analogue infrastructure components connected to the damaged cyber component or infrastructure located in the vicinity of the damaged cyber infrastructure (provided a sufficient causal link can be established).

Germany generally also concurs with the view expressed and discussed in the Tallinn Manual 2.0 that certain effects in form of functional impairments with regard to cyber infrastructures located in a State’s territory may constitute a violation of a State’s territorial sovereignty. In Germany’s view, this may also apply to certain substantial non-physical (i.e. software-related) functional impairments. In such situations, an evaluation of all relevant circumstances of the individual case will be necessary. If functional impairments result in substantive secondary or indirect physical effects in the territory of the target State (and a sufficient causal link to the cyber operation can be established), a violation of territorial sovereignty will appear highly probable.

In any case, negligible physical effects and functional impairments below a certain impact threshold cannot – taken by themselves – be deemed to constitute a violation of territorial sovereignty.

Generally, the fact that a piece of critical infrastructure (i.e. infrastructure which plays an indispensable role in ensuring the functioning of the State and its society) or a company of special public interest in the territory of a State has been affected may indicate that a State’s territorial sovereignty has been violated. However, this cannot in and of itself constitute a violation, inter alia because uniform international definitions of the terms do not yet exist. Also, cyber operations in which infrastructures and/or companies which do not qualify as ‘critical’ or ‘of particular public interest’ are affected may likewise violate the territorial sovereignty of a State.”^[78]

Iran (2020)

“Article II: Sovereignty Policies of Armed forces of the Islamic Republic of Iran

1. The Islamic Republic of Iran has developed its sovereignty fields consistent with necessary capabilities for protection of its strategic military, economic, social, cultural, and political authority. In doing so, the development of expertise and advanced cyber tools for active and deterrent cyber-defense is, among others, one of the significant priorities for the protection of the strategic authority of the state.

2. Rules of modern international law imply the existence of limited territory in geographical borders of states exercising sovereignty or at least jurisdiction within those borders. According to the armed forces of the Islamic Republic of Iran, the territorial sovereignty and jurisdiction of the states are also extended to all elements of the cyberspace.

3. Any intentional use of cyber-force with tangible or non-tangible implications which is or can be a threat to the national security or may, due to political, economic, social, and cultural destabilization, result in destabilization of national security constitutes a violation of the sovereignty of the state.

4. Any utilization of cyberspace if and when involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state.

5. The sovereignty of states is not an extra-legal matter. It shall be interpreted under the other fundamental legal principles such as non-intervention, good faith, self-determination, and other basic principles. It must be kept in mind that the sovereignty of states is subject to the principle of equality and the sovereignty of any state is not above the sovereignty of the other states. Therefore, any limiting and freezing measure, including sanctions, constitutes the violation of the sovereignty of independent states because of not respecting the sovereignty of target states.”^[79]

Ireland (2023)

“4. State sovereignty and international norms and principles that flow from sovereignty apply to the conduct by states of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory.[1]. The principle of state sovereignty encompasses the concepts of territorial integrity and territorial authority, the independence of state powers, and the equality of states in the international order. A state enjoys a right to exercise jurisdiction in terms of regulation, adjudication and enforcement in relation to cyber infrastructure as well as persons engaging in cyber activities on its territory. A state may also be entitled, in limited circumstances, to exercise extraterritorial jurisdiction in accordance with international law.

5. The International Court of Justice (ICJ) in the Nicaragua case noted that “the principle of respect for state sovereignty […] is closely linked with the principles of prohibition of the use of force and non-intervention”.[2] In line with the stated position of many other states, Ireland considers that respect for sovereignty is an obligation in its own right. A violation of state sovereignty by way of cyber activities is capable of amounting to an internationally wrongful act and triggering state responsibility, even if such a violation falls short of the threshold of non-intervention or the use of force.

6. A violation of a state’s sovereignty may arise where a cyber-operation attributable to another state causes physical damage to ICT or other infrastructure (whether or not in state ownership or control), functional impairment to such infrastructure, interference with data, and/or secondary effects. The nature and consequences of a cyber-operation are relevant to determining whether a violation has occurred in any given case.

7. Sovereignty may not be relied on to justify a state’s non-compliance with applicable obligations under international law. Ireland notes with regret that sovereignty has at times been relied on by some states as justification for cyber measures and/or restrictions within their jurisdiction – such as cyber surveillance or censorship – which compromise human rights, in particular the right to freedom of expression, freedom of thought, conscience and religion, and the right to privacy.”^[80]

Israel (2020)

“To begin with, there are diverging views regarding whether sovereignty is merely a principle, from which legal rules are derived, or a binding rule of international law in itself, the violation of which could be considered an internationally wrongful act. This issue has many facets, and while I will not offer any definitive position for the time being, I would like to stress a number of important points.

A second, and related, point is that States undoubtedly have sovereign interests in protecting cyber infrastructure and data located in their territory. However, States may also have legitimate sovereign interests with respect to data outside their territory. For example, as governments store more and more of their data by using cloud services provided by third parties, whose servers are located abroad, how do we describe the interest that they have in relation to that data? Would the interest in protecting the data not be a sovereign interest in this case as well? Or, alternatively, when a State conducts a criminal investigation and needs to access data located abroad from its own territory, under what circumstances does it need to request the consent of the territorial State? Of course, there are no easy answers to these questions, and some of them are currently being discussed, such as in the context of the protocol to the Budapest Cybercrime Convention currently being negotiated to address this very topic.

These questions reflect an inherent tension between States’ legitimate interest and the concept of territorial sovereignty, as we understand it in the physical world. In practice, States occasionally do conduct cyber activities that transit through, and target, networks and computers located in other States, for example for national defense, cybersecurity, or law enforcement purposes. Under existing international law, it is not clear whether these types of actions are violations of the rule of territorial sovereignty, or perhaps that our understanding of territorial sovereignty in cyberspace is substantively different from its meaning in the physical world.”^[81]

Italy (2021)

“Italy attaches fundamental importance to the application of the principle of sovereignty to cyberspace, including its ancillary rules, such as the right to internal self-determination. Italy considers that both the internal and external aspects of sovereignty apply in cyberspace.

The principle of sovereignty is a primary rule of international law, the violation of which amounts to an internationally wrongful act. Italy considers that the principle in question prohibits a State from conducting cyber operations, which produce harmful effects on the territory of another State, irrespective of the physical location of the perpetrator. Italy finds that, according to the same principle, a State may not conduct cyber operations from the territory of another State without its express authorization. This is without prejudice to situations of distress where the state of necessity entails the applicability of a different discipline.

Each State’s exclusive jurisdiction over the physical, social and logical layers of cyberspace located on its territory may be exercised within the limits imposed by international law, including international obligations deriving from diplomatic privileges and immunities and those arising from human rights obligations. Responses to violations of sovereignty should be assessed on a case-by-case basis taking into account the nature and consequences of each violation.”^[82]

Japan (2021)

“A State must not violate the sovereignty of another State by cyber operations. Moreover, a State must not intervene in matters within domestic jurisdiction of another State by cyber operations.”^[83]

“On the other hand, regarding a violation of sovereignty that does not necessarily constitute an intervention, in the Lotus case, the Permanent Court of International Justice held that a State may not exercise its power in the territory of another State, while, in the Island of Palmas case, the Arbitral Tribunal stated as follows: “Sovereignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.” Taking these and other judgments into account, the Government of Japan considers that there exist certain forms of violation of sovereignty which may not necessarily constitute unlawful intervention prohibited under the principle of non-intervention.

With respect to violation of sovereignty, the International Court of Justice (ICJ), in the Nicaragua case (1986), held that the United States had acted in breach of its obligation under customary international law not to intervene in the affairs of another State, and, in addition, that the United States, by directing or authorizing overflights of Nicaraguan territory, had acted in breach of its obligation under customary international law not to violate the sovereignty of another State. In addition, in the Costa Rica v. Nicaragua case (2015), the ICJ cited the absence of evidence that Costa Rica exercised authority on Nicaragua ’s territory as the reason for dismissing Nicaragua’s claim concerning the violation of its territorial integrity and sovereignty. Considering these cases, it can be presumed that, in some cases, a violation of sovereignty constitutes a violation of international law even when it does not fall within the scope of unlawful intervention.”^[84]

“An act of causing physical damage or loss of functionality by means of cyber operations against critical infrastructure, including medical institutions, may constitute an unlawful intervention, depending on the circumstances, and at any rate, it may constitute a violation of sovereignty. As various opinions were expressed on the relationship between violation of sovereignty and unlawful intervention at the sixth GGE and the OEWG, it is desirable that a common understanding be forged through State practices and future discussions.”^[85]

Kenya (2021)

“The UN Charter forms a strong foundation for the interpretation of existing international laws underlined by inter alia the principles of State sovereignty, sovereign equality, and settlement of international disputes by peaceful means. It is the Charter’s emphasis on these principles that is fully aligned with Kenya’s peaceful stance in international affairs.”^[86]

Netherlands (2019)

“The principle of sovereignty, i.e. that states are equal and independent and hold the highest authority within their own borders, is one of the fundamental principles of international law. More specific rules of international law, such as the prohibition of the use of force, the principle of non-intervention and the right of self-defence stem from this principle. These rules will be discussed in more detail below.

According to some countries and legal scholars, the sovereignty principle does not constitute an independently binding rule of international law that is separate from the other rules derived from it. The Netherlands does not share this view. It believes that respect for the sovereignty of other countries is an obligation in its own right, the violation of which may in turn constitute an internationally wrongful act. This view is supported, for example, by the case law of the International Court of Justice, which ruled in Nicaragua v. United States of America that the United States had acted in breach of its obligation under customary international law not to violate the sovereignty of another state. Below the government will discuss the significance of this obligation in more detail.

Firstly, sovereignty implies that states have exclusive jurisdiction over all persons, property and events within their territory, within the limits of their obligations under international law, such as those relating to diplomatic privileges and immunity, and those arising from human rights conventions. This is the internal aspect of sovereignty. Secondly, sovereignty implies that states may freely and independently determine their own foreign policy, enter into international obligations and relations, and carry out activities beyond their own borders, provided they respect the rules of international law. This is the external aspect of sovereignty.

Both aspects apply equally in cyberspace. States have exclusive authority over the physical, human and immaterial (logical or software-related) aspects of cyberspace within their territory. Within their territory they may, for example, set rules concerning the technical specifications of mobile networks, cybersecurity and resilience against cyberattacks, take measures to combat cybercrime, and enforce the law with a view to protecting the confidentiality of personal data. In addition, they may independently pursue foreign ‘cyber’ policy and enter into treaty obligations in the area of cybersecurity. The Netherlands’ decision to accede to the Convention on Cybercrime of the Council of Europe is an example of the exercise of Dutch sovereignty.

States have an obligation to respect the sovereignty of other states and to refrain from activities that constitute a violation of other countries’ sovereignty. Equally, countries may not conduct cyber operations that violate the sovereignty of another country. It should be noted in this regard that the precise boundaries of what is and is not permissible have yet to fully crystallise. This is due to the firmly territorial and physical connotations of the traditional concept of sovereignty. The principle has traditionally been aimed at protecting a state’s authority over property and persons within its own national borders. In cyberspace, the concepts of territoriality and physical tangibility are often less clear. It is possible, for example, for a single cyber operation to be made up of numerous components or activities initiated from or deployed via different countries in a way that cannot always be traced. In addition, there are various ways of masking the geographic origin of activities performed in cyberspace. What is more, data stored using a cloud-based system is often moved from one location to another, and those locations are not always traceable. So it is by no means always possible to establish whether a cyber operation involves a cross-border component and thus violates a country’s sovereignty. Even if the origin or route of a cyber operation can be established, these kinds of operations do not always have a direct physical or tangible impact.

From the perspective of law enforcement (which is part of a state’s internal sovereignty), the manner in which the principle of sovereignty should be applied has not fully crystallised at international level either. Shared investigative practices do seem to be developing in Europe and around the world, however. Data relevant to criminal investigations is increasingly stored beyond national borders, for example in the cloud, in mainly private data centres. And when it comes to criminal offences committed on, or by means of, the internet, the location of data – including malicious software or code – and physical infrastructure is often largely irrelevant. It is easy to hide one’s identity and location on the internet, moreover, and more and more communications are now encrypted. Even in purely domestic criminal cases – including cybercrime – where the suspect and victim are both in the Netherlands, cyber investigations often encounter data stored beyond our borders, particularly when investigators require access to data held by online service providers or hosting services, or need to search networks or (covertly) gain remote entry to an automated system. The act of exercising investigative powers in a cross-border context is traditionally deemed a violation of a country’s sovereignty unless the country in question has explicitly granted permission (by means of a treaty or other instrument). Opinion is divided as to what qualifies as exercising investigative powers in a cross-border context and when it is permissible without a legal basis founded in a treaty. In cyberspace too, countries’ practices differ in their practical approaches to the principle of sovereignty in relation to criminal investigations. The Netherlands actively participates in international consultations on the scope for making investigations more effective, paying specific attention to ensuring the right safeguards are in place.

In general the government endorses Rule 4, proposed by the drafters of the Tallinn Manual 2.0, on establishing the boundaries of sovereignty in cyberspace.5 Under this rule, a violation of sovereignty is deemed to occur if there is 1) infringement upon the target State’s territorial integrity; and 2) there has been an interference with or usurpation of inherently governmental functions of another state. The precise interpretation of these factors is a matter of debate.”^[87]

New Zealand (2020)

“The principle of sovereignty prohibits the interference by one state in the inherently governmental functions of another and prohibits the exercise of state power or authority on the territory of another state. In the physical realm, the principle has legal effect through the prohibition on the use of force, through the rule of non-intervention and also through a standalone rule of territorial sovereignty. Subject to limited exceptions (e.g. authorisation by the United Nations Security Council, self-defence, consent), that standalone rule prohibits a state from sending its troops or police forces into or through, or its aircraft over, foreign territory, and prohibits a state from carrying out official investigations or otherwise exercising jurisdiction on foreign territory.

In the cyber realm, the principle of sovereignty is given effect through the prohibition on the use of force and the rule of non-intervention. New Zealand considers that the standalone rule of territorial sovereignty also applies in the cyber context but acknowledges that further state practice is required for the precise boundaries of its application to crystallise.

In New Zealand’s view, the application of the rule of territorial sovereignty in cyberspace must take into account some critical features that distinguish cyberspace from the physical realm. In particular: i) cyberspace contains a virtual element which has no clear territorial link; ii) cyber activity may involve cyber infrastructure operating simultaneously in multiple territories and diffuse jurisdictions; and iii) the lack of physical distance in cyberspace means malicious actors can apply instantaneous effects on targets without warning. These features present unique opportunities for malicious actors and significant defensive challenges for states. They also make it difficult for states to prevent malicious cyber activity being conducted from or routed through their territory.

Bearing those factors in mind, and having regard to developing state practice, New Zealand considers that territorial sovereignty prohibits states from using cyber means to cause significant harmful effects manifesting on the territory of another state. However, New Zealand does not consider that territorial sovereignty prohibits every unauthorised intrusion into a foreign ICT system or prohibits all cyber activity which has effects on the territory of another state. There is a range of circumstances – in addition to pure espionage activity – in which an unauthorised cyber intrusion, including one causing effects on the territory of another state, would not be internationally wrongful. For example, New Zealand considers that the rule of territorial sovereignty as applied in the cyber context does not prohibit states from taking necessary measures, with minimally destructive effects, to defend against the harmful activity of malicious cyber actors.

A detailed factual enquiry is required in each case to determine whether state cyber activity that has effects manifesting on the territory of another state, but which does not amount to a use of force or a prohibited intervention, nonetheless involves a violation of the standalone rule of territorial sovereignty. That factual enquiry should take into account the scale and significance of the effects, the objective of the activity, and the nature of the target.”^[88]

Norway (2021)

Key message
Sovereignty is not just a principle, but also a primary rule of international law. A State must not conduct cyber operations that violate another State’s sovereignty. Whether a cyber operation violates the target State’s sovereignty depends on the nature of the operation, the scale of the intrusion and its consequences, and must be assessed on a case-by-case basis.

“The principle of sovereignty is one of the fundamental principles of international law and applies in cyberspace. It refers to the supreme authority of every State within its territory to the exclusion of other States, and also in its relations with other States.

The internal dimension of a State’s sovereignty includes the exclusive right to exercise jurisdiction within its territory, including over the information systems located on its territory, and to exercise independent State powers. The external dimension includes the right of the State to decide its foreign policy and to enter into international agreements. Both dimensions of sovereignty apply in cyberspace, subject only to obligations under international law.

Norway is of the view that sovereignty constitutes both an international law principle from which various rules derive, such as the prohibition of intervention and the prohibition of the use of force, and a primary rule in its own right capable of being violated. Thus, cyber operations that do not amount to a prohibited intervention or a prohibited use of force may nevertheless amount to a violation of a State’s sovereignty under international law.

The International Court of Justice (ICJ) has consistently held that States have an obligation to respect the territorial integrity and political independence of other States as a matter of international law. In a cyber context this means that a State must not conduct cyber operations that violate another State’s sovereignty.

A cyber operation that manifests itself on another State’s territory may, depending on its nature, the scale of the intrusion and its consequences, constitute a violation of sovereignty.

Causing physical damage by cyber means on another State’s territory may easily qualify as a violation of territorial sovereignty. For example, a cyber operation against an industrial control system at a petrochemical plant that led to a malfunction and a subsequent fire would constitute a violation of the State’s territorial sovereignty. In addition to physical damage, causing cyber infrastructure to lose functionality may also be taken into consideration and may amount to a violation. This includes the use of crypto viruses to encrypt data and thus render them unusable for a substantial period of time.

The principle of sovereignty encompasses cyber infrastructure located in a State’s territory irrespective of whether it is governmental or private.

Similarly, a cyber operation that interferes with or usurps the inherently governmental functions of another State may constitute a violation of sovereignty.

This is based on the premise that a State enjoys the exclusive right to exercise within its territory, ‘to the exclusion of any other State, the functions of a State’. Accordingly, what matters is not whether physical damage, injury, or loss of functionality has resulted, but whether the cyber operation has interfered with data or services that are necessary for the exercise of inherently governmental functions. Cases in point would include altering or deleting data or blocking digital communication between public bodies and citizens so as to interfere with the delivery of social services, the conduct of elections, the collection of taxes, or the performance of key national defence activities. Another example could be the manipulation of police communications so that patrol cars are unable to communicate with police dispatch/operation centres. In this context it is irrelevant whether the inherently governmental function is performed by central, regional or local governments and authorities, or by non-governmental bodies in the exercise of powers delegated by such governments or authorities. Conducting elections is a clear example of an inherently governmental function. In contrast to the case of a cyber operation in breach of the prohibition of intervention, there is no requirement for the interference to reach to the level of coercion.

The precise threshold of what constitute a cyber operation in violation of sovereignty is not settled in international law, and will depend on a case-by-case assessment.”^[89]

Pakistan (2023)

“6. Pakistan believes that the principles of non-use of force, sovereign equality of all nations, non-interventionism, and peaceful settlement of disputes, as enshrined in the UN Charter, continue to apply in cyberspace as in the physical world.”^[90]

Poland (2022)

2. The principle of sovereignty applies to cyberspace

“State sovereignty is a basic principle of international law. According to this principle, states are independent and equal in international relations, while their territorial integrity and political independence are inviolable. As a consequence, states exercise supreme power over their own territory.

The principle of sovereignty is closely linked to the principle of non-intervention in affairs falling under the domestic jurisdiction of a state. The norms concerning the jurisdiction of a state and the immunities of a state and its representatives are also derived from the principle of sovereignty.

A state exercises power over cyberspace users located within its territory, over IT infrastructure and over data. While respecting the norms of international law by which it is bound, it may exercise its sovereign prerogatives over such actors and facilities. It is also entitled to protect them. As a result, the Republic of Poland takes the position that the violation of a state‘s sovereignty may occur both in the event of an attack against state infrastructure and against private infrastructure. A mere fact that IT infrastructure is linked in a number of ways with an international network does not result in the state‘s losing any of its rights with respect to such infrastructure.

As it was indicated earlier, sovereignty has an external dimension as well. External sovereignty means that a state is independent in its external relations and is capable of freely engaging in any actions in cyberspace, also outside its own territory, subject to restrictions under international law. Another consequence of sovereignty is a state’s capacity to enter into treaties, including those on cyberspace.

The principle of sovereignty requires other states to refrain from any actions that would violate sovereignty, and in particular states are obliged not to knowingly make their territory available for the purposes of acts that would violate the rights of other states. Poland is of the opinion that in the event of a hostile operation conducted in cyberspace, causing serious adverse effects within the territory of a state, such actions should be considered a violation of the principle of sovereignty, irrespective of whether such effects are of kinetic nature or are limited to cyberspace. The violation of the principle of sovereignty may be exemplified by a conduct attributable to a third country that consists in interfering with the functioning of state organs, for instance by preventing the proper functioning of ICT networks, services or systems of public entities, or by a theft, erasure or public disclosure of data belonging to such entities.”^[91]

“Actions in cyberspace that violate the prohibition of the use of force and the principle of non-intervention in affairs falling under the domestic jurisdiction of a state would also violate the principle of sovereignty.”^[92]

Romania (2021)

“Romania considers that respect for the state sovereignty is an international obligation per se, the breach of which constitutes an internationally wrongful act; States have an obligation to respect the sovereignty of other States and refrain from activities that constitute a violation of their sovereignty; this holds true both in what concerns the internal as well as the external facet of the principle of sovereignty.

At the same time, we acknowledge that the difficulty in relation to this principle lies in the absence in cyberspace context of the territoriality and physical dimensions, which are the specific elements of the analysis when dealing with the sovereignty in the traditional sense.

In relation to these aspects, RO is of the view that cyber operations (conducted by a State organ or by a person or entity exercising elements of governmental authority or by a person acting under the instructions of or under the direction or control of a State) that interferes with or prevents in any way a State from exercising its (internal and/ or external) sovereign prerogatives (i.e. authority over its territory, over the property and persons situated therein) constitute a violation of the principle of State sovereignty and, thus, a breach of international law.

If there is not a State or State endorsed operation one can speak of a criminal act, which should be investigated and punished in accordance with the criminal law of the State concerned.”^[93]

Singapore (2021)

“Singapore affirms that the following key principles enshrined in the UN Charter apply in cyberspace as they do in the physical world, and are of fundamental importance to small States, such as Singapore:

• First, the principles of State sovereignty and sovereign equality of all States. Singapore’s position is that a cyber operation could, in certain circumstances, amount to a violation of sovereignty.^[94]

Sweden (2022)

“The principle of sovereign equality of States is also applicable to cyberspace. Within their territories, States have jurisdiction and the right to exercise authority within the framework of international law. At international level, States are independent and enjoy sovereign equality in relation to other States. State sovereignty provides a basic foundation for other principles and rules such as those governing the prohibition of intervention and the prohibition of the use of force. However, States also have an obligation to respect the sovereignty of other States, and a breach of this obligation would amount to a wrongful act and give rise to State responsibility.

A State’s jurisdiction and authority apply to persons and objects within its territorial borders, including cyber-related activities. A State has a right to protect persons and objects within its territory, or otherwise under its jurisdiction, against interference by cyber means. A State’s authority and jurisdiction include a responsibility not to allow knowingly its territory to be used for acts contrary to the rights of other States.

In general, Sweden is of the view that violations of sovereignty may arise from cyber operations that result in damage or loss of functionality. Altering and interfering with data without causing physical harm may also violate sovereignty. Such acts include those directed against cyber infrastructure belonging to private individuals or entities. Interference with a State’s inherently governmental functions may also constitute a violation of State sovereignty, including when undertaken with cyber means.

Whether an intrusion has in fact resulted in a violation of sovereignty needs to be assessed on a case-by-case basis taking into consideration the nature and character of the intrusion.”^[95]

Switzerland (2021)

“State sovereignty is also applicable to cyberspace. Owing to the special characteristics of cyberspace, which has no clear territorial boundaries, putting the principle of sovereignty into practice is a particular challenge. One major issue is who has jurisdiction over or access to digital data. In the cyber context, the key question is which states have legitimate control over digital data and are authorised to access that data – which may, depending on the circumstances, be stored on a different territory or may not be localised geographically. Conversely, in terms of interstate relations at cybersecurity level, the principle of sovereignty provides wide scope for protection against cyber operations.For example, state sovereignty protects information and communication technologies (ICT) infrastructure on a state’s territory against unauthorised intrusion or material damage. This includes the computer networks, systems and software supported by the ICT infrastructure, regardless of whether the infrastructure is private or public.

Switzerland recognises that defining what constitutes a violation of the principle of sovereignty in cyberspace is particularly challenging and has yet to be clarified conclusively. It supports considering the following two criteria in such assessments: first, does the incident violate the state’s territorial integrity and second, does it constitute interference with or usurpation of an inherently governmental function. A precise definition of these criteria is a question of interpretation and subject to debate. The current debate includes among other aspects i) incidents whereby the functionality of infrastructure or related equipment has been damaged or limited, ii) cases where data has been altered or deleted, interfering with the fulfilment of inherently governmental functions such as providing social services, conducting elections and referendums, or collecting taxes, and iii) situations in which a state has sought to influence, disrupt or delay democratic decision-making processes in another state through the coordinated use of legal and illegal methods in cyberspace e.g. propaganda, disinformation and covert actions by intelligence services. The assessment of an individual case depends on the nature of the cyber incident and its repercussions.”^[96]

United Kingdom (2018)

“[..]a further contested area amongst those engaged in the application of international law to cyber space is the regulation of activities that fall below the threshold of a prohibited intervention, but nonetheless may be perceived as affecting the territorial sovereignty of another state without that state’s prior consent. Some have sought to argue for the existence of a cyber specific rule of a “violation of territorial sovereignty” in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.^[97]

United Kingdom (2021)

“Sovereignty, as a general principle, is a fundamental concept in international law. The United Kingdom recalls that any prohibition on the activities of States whether in relation to cyberspace or other matters, must be clearly established either in customary international law or in a treaty binding upon the States concerned. The United Kingdom does not consider that the general concept of sovereignty by itself provides a sufficient or clear basis for extrapolating a specific rule or additional prohibition for cyber conduct going beyond that of non-intervention referred to above. At the same time, the United Kingdom notes that differing viewpoints on such issues should not prevent States from assessing whether particular situations amount to internationally wrongful acts and arriving at common conclusions on such matters.”^[98]

United Kingdom (2022)

“States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention.”^[99]

United States (2012)

“States conducting activities in cyberspace must take into account the sovereignty of other states, including outside the context of armed conflict. The physical infrastructure that supports the Internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial state. Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a state contemplates conducting activities in cyberspace, the sovereignty of other states needs to be considered.”^[100]

United States (2016)

“[..] remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimis effects.

Most States, including the United States, engage in intelligence collection abroad. As President Obama said, the collection of intelligence overseas is “not unique to America.” As the President has also affirmed, the United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decisionmakers have access to timely, accurate, and insightful information. Indeed, the President issued a directive in 2014 to clarify the principles that would be followed by the United States in undertaking the collection of signals intelligence abroad.

Such widespread and perhaps nearly universal practice by States of intelligence collection abroad indicates that there is no per se prohibition on such activities under customary international law. I would caution, however, that because “intelligence collection” is not a defined term, the absence of a per se prohibition on these activities does not settle the question of whether a specific intelligence collection activity might nonetheless violate a provision of international law.

Although certain activities—including cyber operations — may violate another State’s domestic law, that is a separate question from whether such activities violate international law. The United States is deeply respectful of other States’ sovereign authority to prescribe laws governing activities in their territory. Disrespecting another State’s domestic laws can have serious legal and foreign policy consequences. As a legal matter, such an action could result in the criminal prosecution and punishment of a State’s agents in the United States or abroad, for example, for offenses such as espionage or for violations of foreign analogs to provisions such as the U.S. Computer Fraud and Abuse Act. From a foreign policy perspective, one can look to the consequences that flow from disclosures related to such programs. But such domestic law and foreign policy issues do not resolve the independent question of whether the activity violates international law.”^[101]

United States (2020)

“As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty. States have sovereignty over the information and communications technology infrastructure within their territory. The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law.”^[102]

United States (2021)

“As recognized in the 2013 and 2015 GGE reports, State sovereignty and the international principles that flow from sovereignty apply to States’ ICT-related activities and to their jurisdiction over ICT infrastructure within their territory.

The United States believes that State sovereignty, among other long-standing international legal principles, must be taken into account in the conduct of activities in cyberspace. Whenever a State contemplates conducting activities in cyberspace, the equal sovereignty of other States needs to be considered.

The implications of sovereignty for cyber activities are complex, but we can start by noting two important implications of sovereignty for ICT-related activities. First, we acknowledge the continuing relevance of territorial jurisdiction, even to cyber activities, and second, we acknowledge the exercise of jurisdiction by the territorial State is not unlimited; it must also be consistent with applicable international law, including international human rights obligations.”^[103]

“In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimise effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions.”^[104]

Appendixes

See also

Notes and references

Definition

CollapseSelf-defence

A State may respond with force to a cyber operation that qualifies as an “armed attack” pursuant to the customary right to self-defence, as codified in Article 51 of the UN Charter. Most commentators consider only grave uses of force – typically, those that kill or injure persons or damage or destroy property – to constitute armed attacks.[1] The United States, however, takes an outlier position, consistently arguing that any illegal use of force gives rise to the use of force in self-defence.[2] In Nicaragua, the ICJ identified “scale and effects” as criteria upon which to judge whether a use of force constitutes an armed attack. In the Court’s view, only “the most grave” uses of force do so.[3] Thus, only cyber operations that seriously injure or kill a number of persons or cause significant damage to, or destruction of, property would undoubtedly constitute armed attacks.[4] Publicly available national positions that address this issue include: (2020), (2021), (2022), (2023), (2021), (2020), (2019), (2021), (2020), (2023), (2020), (2021), (2021), (2019), (2020), (2021), (2022), (2021), (2022), (2021), (2018), (2021), (2012), (2020), (2021).

National positions

Australia (2020)

“A use of force will be lawful when the territorial State consents, when it is authorised by the Security Council under Chapter VII of the UN Charter, or when it is taken pursuant to a State’s inherent right of individual or collective self-defence in response to an armed attack, as recognised in Article 51 of the Charter.

Australia considers that the thresholds and limitations governing the exercise of self-defence under Article 51 apply in respect of cyber activities that constitute an armed attack and in respect of acts of self-defence that are carried out by cyber means. Thus, if a cyber activity – alone or in combination with a physical operation – results in, or presents an imminent threat of, damage equivalent to a traditional armed attack, then the inherent right to self-defence is engaged. Any use of force in self-defence must be necessary to repel the actual or imminent armed attack and be a proportionate response in scope, scale and duration. Any reliance on Article 51 must be reported directly to the UN Security Council.

The rapidity of cyber activities, as well as their potentially concealed and/or indiscriminate character, raises new challenges for the application of established principles. These challenges have been noted by Australia in explaining its position on imminence and the right of self-defence in the context of national security threats that have evolved as a result of technological advances. For example, in a speech to the University of Queensland in 2017, then Attorney-General, Senator the Hon. George Brandis QC, explained that:

‘[A] state may act in anticipatory self-defence against an armed attack when the attacker is clearly committed to launching an armed attack, in circumstances where the victim will lose its last opportunity to effectively defend itself unless it acts. This standard reflects the nature of contemporary threats, as well as the means of attack that hostile parties might deploy. Consider, for example, a threatened armed attack in the form of an offensive cyber operation, …which could cause large-scale loss of human life and damage to critical infrastructure. Such an attack might be launched in a split-second. Is it seriously to be suggested that a state has no right to take action before that split-second?'”^[5]

Brazil (2021)

“Amongst the gravest forms of the use of force in international relations are armed attacks, which trigger the right of states to resort to self-defense, in accordance with article 51 of the UN Charter. Being self-defense an exception to the general principle on the prohibition to the use of force, it needs to be interpreted restrictively. This view is in line with the case law of the International Court of Justice, the principal judicial organ of the United Nations.

As a consequence, self-defense is only triggered by an armed attack undertaken by or attributable to a State. It is not possible to invoke self-defense as a response to acts by non-State actors, unless they are acting on behalf or under the effective control of a state. This norm becomes even more relevant with cyber operations, where technical, legal and operational challenges to determine attribution might make it impossible to verify potential abuses of the right of self defense, which in turns creates the risk of low impact persistent unilateral military action undermining the collective system established under the Charter.

In the same vein, contemporary international law does not allow for self-defense on the basis that the territorial state would be “unwilling and unable” to repress non-state actors whose cyber acts have extraterritorial effects. The definition of “armed attack” is limited to the use of force attributable to a state and, therefore, actions from non-state actors with similar effects might amount to serious crimes, but not an “armed attack”. If such a situation arises, the territorial state should adopt measures, in good faith and within its capabilities, to cease the action and ensure accountability.

If it fails to do so, this omission might constitute an internationally wrongful act, thus entailing this states’international responsibility. According to customary international law, in this case the victim state is entitled to remedies, to be pursued only through peaceful means.

Moreover, self-defense should be a temporary remedy. Member states that exercise their right to self-defense must immediately report it to the Security Council, in line with article 51 of the Charter. Given the novelty of cyberattacks and the uncertainties related to it, reporting to the Security Council is even more important. As the ICJ highlighted, “the absence of a report may be one of the factors indicating whether the State in question was itself convinced that it was acting in self defense”. Once the incident is reported to the Security Council, it is expected that the temporary act of self-help is replaced by collective action, adopted and pursued in line with the UN Charter.

For Brazil, the right to self-defense exists once there is an actual or imminent armed attack. Under international law, there is no right to “preventive self-defense” – a notion that does not find legal grounds neither in art. 51 of the Charter nor in customary international law. Finally, as with responses to armed activities using conventional weapons, self-defense against armed attacks caused by digital means must be necessary and proportionate.”^[6]

Canada (2022)

“46. Canada considers that the inherent right of self-defence if an armed attack occurs against a State also applies in cyberspace.^[7]

47. Canada will respond to cyber activities that amount to an armed attack in a manner that is consistent with international law. Canada’s response may include cyber operations. The right to self-defence is both an individual and collective right of States.”^[8]

Denmark (2023)

“In certain instances, use of force may due to its scale and effects reach the level of an armed attack and thus give rise to a right to self-defence of the target State, cf. article 51 of the UN Charter. In its Nicaragua judgment the ICJ defined an armed attack as the most grave form of the use of force.[6] Denmark subscribes to the understanding that not all illegal use of force under article 2(4) of the UN Charter necessarily amounts to an armed attack under article 51 of the Charter.

Denmark takes the view that a cyber attack may qualify as an armed attack under article 51 of the UN Charter if the effects generated are comparable to effects resulting from an action, which would otherwise qualify as an armed attack. Thus, Denmark considers that a cyber operation, which e.g. leads to serious injury or death, or which causes significant physical damage, may qualify as an armed attack. This could be the case if a cyber attack leads to the disabling of an air traffic control system which causes planes to crash or an interference with the operating system of a power station, which causes serious physical damage.

Certain States take the view that an armed attack can only be undertaken by State actors or entities acting under the control or instruction of States, and thus no right to self-defense exists against an armed attack by a non-State actor. Denmark does not share this view, but contends that State practice supports that a State might in some instances and under certain conditions be permitted to exercise self-defence against an armed attack by a non-State actor.”^[9]

Estonia (2019)

“[…] states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence. Cyber should no longer look like an easy choice of weapons and therefore we must be ready to use deterrence tools. First and foremost, states must refrain from the threat of or use of force against the territorial integrity and political independence of other states. However, we already know that cyber operations, which cause injury or death to persons or damage or destruction of objects, could amount to use of force or armed attack under the UN Charter. We here in Estonia are very much dependent on a stable and secure cyberspace. Such harmful effects could be caused by a cyber operation, which for example, targets digital infrastructure or services necessary for the functioning of society. And let’s not forget – growing digitalization of our societies and services can also lower the threshold for harmful effects. In order to prevent such effects, states maintain all rights, in accordance with international law, to respond to harmful cyber operations either individually or in a collective manner.”^[10]

Estonia (2021)

“In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs.”^[11]

In accordance with Article 51 of the UN Charter, states have the right for self-defence in the case of an armed attack.

“In order to assess if a cyber operation reaches the threshold of the use of force or an armed attack based on Article 2(4) or 51 of the UN Charter, we must consider the scale and effects of the operation. If the effects of a cyber operation are comparable to a kinetic attack, it could constitute an armed attack.

In such a situation, the injured state has the right to self-defence considering all applicable restrictions of the UN Charter and customary international law, such as proportionality and necessity.

In its response to an armed attack by cyber means, the injured state is not necessarily limited to taking measures by cyber means – all means remain reserved to states in order to respond to an armed attack in a manner that is proportionate and in accordance with other provisions of international law.

Estonia believes that cyber operations that cause injury or death to persons, damage or destruction could amount to an armed attack under the UN Charter.”^[12]

Finland (2020)

“While there is currently no established definition of a cyberattack that would pass the threshold of “use of force” in the sense of article 2(4) of the UN Charter, or “armed attack” in the sense of article 51, it is widely recognized that such a qualification depends on the consequences of a cyberattack. For a cyberattack to be comparable to use of force, it must be sufficiently serious and have impacts in the territory of the target State, or in areas within its jurisdiction, that are similar to those of the use of force. A threat of such a cyberattack could also violate Article 2(4) of the Charter, if the threat is sufficiently precise and directed against another State. Similarly, most commentators agree that when the scale and effects of a cyberattack correspond to those of an armed attack responding to the cyberattack is justifiable as self-defence. It is obvious that the attack must have caused death, injury or substantial material damage, but it is impossible to set a precise quantitative threshold for the effects, and other circumstantial factors must be taken into account in the analysis, as well.”

“A question has also been raised, whether a cyberattack producing significant economic effects such as the collapse of a State’s financial system or parts of its economy should be equated to an armed attack. This question merits further consideration. Any interpretation of the use of force in cyberspace should respect the UN Charter and not just the letter of the Charter but also its object and purpose, which is to prevent the escalation of armed activities. This would mean, for instance, that the distinction between armed attack as a particularly serious violation of the Charter, on the one hand, and any lesser uses of force, on the other, is preserved. Similarly, the conditions for the exercise of the right of self-defence apply in cyberspace as they do with regard to the use of armed force. The right of self-defence arises if a cyberattack comparable to an armed attack occurs and can be attributed to a particular State. It is reasonable to think that a State victim to such an attack can respond with either cyber means or armed action. At the same time, the use of force must not be disproportionate or excessive.”^[13]

France (2019)

“Some cyberoperations may violate the prohibition of the threat or use of force. The most serious violations of sovereignty, especially those that infringe France’s territorial integrity or political independence, may violate the prohibition of the threat or use of force, which applies to any use of force, regardless of the weapons employed. In digital space, crossing the threshold of the use of force depends not on the digital means employed but on the effects of the cyberoperation. A cyberoperation carried out by one State against another State violates the prohibition of the use of force if its effects are similar to those that result from the use of conventional weapons. However, France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force. In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.

However, not every use of force is an armed attack within the meaning of Article 51 of the United Nations Charter, especially if its effects are limited or reversible or do not attain a certain level of gravity.

The prohibition of the use of force enshrined in the United Nations Charter applies to cyberspace. Certain cyberoperations may constitute a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter.”^[14]

“In accordance with the case law of the International Court of Justice (ICJ), France distinguishes the gravest forms of the use of force, which constitute an armed attack to which the victim State may respond by individual or collective self-defence, from other less grave forms. Cyberattacks may constitute a grave form of the use of force to which France could respond by self-defence.”^[15]

“France reaffirms that a cyberattack may constitute an armed attack within the meaning of Article 51 of the United Nations Charter, if it is of a scale and severity comparable to those resulting from the use of physical force. In the light of these criteria, the question of whether a cyberattack constitutes armed aggression will be examined on a case-by-case basis having regard to the specific circumstances. A cyberattack could be categorised as an armed attack if it caused substantial loss of life or considerable physical or economic damage. That would be the case of an operation in cyberspace that caused a failure of critical infrastructure with significant consequences or consequences liable to paralyse whole swathes of the country’s activity, trigger technological or ecological disasters and claim numerous victims. In such an event, the effects of the operation would be similar to those that would result from the use of conventional weapons.

To be categorised as an armed attack, a cyberattack must also have been perpetrated, directly or indirectly, by a State. Leaving aside acts perpetrated by persons belonging to State organs or exercising elements of governmental authority, a State is responsible for acts perpetrated by non-state actors only if they act de facto on its instructions or orders or under its control in accordance with the rules on State responsibility for internationally wrongful acts and ICJ case law. To date, no State has categorised a cyberattack against it as an armed attack.

In accordance with ICJ case law, France does not recognise the extension of the right to self-defence to acts perpetrated by non-state actors whose actions are not attributable, directly or indirectly, to a State. France has, in exceptional cases, invoked self-defence against an armed attack perpetrated by an actor having the characteristics of a “quasi-State”, as with its intervention in Syria against the terrorist group Daesh (ISIS/ISIL). However, this exceptional case cannot constitute the definitive expression of recognition of the extension of the concept of self-defence to acts perpetrated by non-state actors acting without the direct or indirect support of a State.

Nonetheless, it cannot be ruled out that general practice may shift towards an interpretation of the law of self-defence as being authorised in response to an armed attack by non-state actors whose acts are not attributable to a State. However, any such development will have to be made bearing in mind the Rome Statute of the International Criminal Court (ICC) as amended in 2010 to add the crime of aggression, and the case law of the ICC that may emerge in this sphere.”^[16]

“Under Article 51 of the United Nations Charter, a State that suffers an armed attack is entitled to use individual or collective self-defence. Self-defence in response to an armed attack carried out in cyberspace may involve digital or conventional means in compliance with the principles of necessity and proportionality. On a decision by the President of the Republic to commit the French armed forces, the Armed Forces Ministry may carry out cyberoperations for military purposes in cyberspace.

Cyberattacks which do not reach the threshold of an armed attack when taken in isolation could be categorised as such if the accumulation of their effects reaches a sufficient threshold of gravity, or if they are carried out concurrently with operations in the physical sphere which constitute an armed attack, where such attacks are coordinated and stem from the same entity or from different entities acting in concert. In exceptional circumstances, France allows itself to use pre-emptive self-defence in response to a cyberattack that “has not yet been triggered but is about to be, in an imminent and certain manner, provided that the potential impact of such an attack is sufficiently serious”. However, it does not recognise the legality of the use of force on the grounds of preventive self-defence.

States which, in the conduct of a cyberoperation or in their response to a cyberattack, decide to use non-state actors, such as companies providing offensive cyber services or groups of hackers, are responsible for those actors’ actions. In view of the risk of systemic instability arising from the private-sector use of offensive capabilities, France, following on from the Paris Call, is in favour of regulating them strictly and prohibiting such non-state actors from carrying out offensive activities in cyberspace for themselves or on behalf of other non-state actors.

Lastly, any response on the grounds of self-defence remains provisional and subordinate. It must be promptly reported to the UNSC and suspended as soon as the Security Council takes the matter in hand, replacing unilateral action with collective measures or, failing that, as soon as it has achieved its purpose, namely to repel or end the armed attack. Other measures, such as counter-measures or referral to the UNSC, may be preferred if they are deemed more appropriate.”^[17]

Germany (2021)

“The right to self-defence according to art. 51 UN Charter is triggered if an armed attack occurs. Malicious cyber operations can constitute an armed attack whenever they are comparable to traditional kinetic armed attack in scale and effect. Germany concurs with the view expressed in rule 71 of the Tallinn Manual 2.0.

Furthermore, Germany acknowledges the view expressed in the ICJ’s Nicaragua judgment, namely that an armed attack constitutes the gravest form of use of force. Assessing whether the scale and effects of the cyber operation are grave enough to consider it an armed attack is a political decision taken in the framework of international law. Physical destruction of property, injury and death (including as an indirect effect) and serious territorial incursions are relevant factors. The decision is not made based only on technical information, but also after assessing the strategic context and the effect of the cyber operation beyond cyberspace. This decision is not left to the discretion of the State victim of such a malicious cyber operation, but needs to be comprehensibly reported to the international community, i.e. the UN Security Council, according to art. 51 UN Charter.

The response to malicious cyber operations constituting an armed attack is not limited to cyber counter-operations. Once the right to self-defence is triggered, the State under attack can resort to all necessary and proportionate means in order to end the attack. Self-defence does not require using the same means as the attack which provided the trigger for its exercise.

Acts of non-State actors can also constitute armed attacks. Germany has expressed this view both with regard to the attacks by Al Qaeda and the attacks of ISIS.

In Germany’s view, art. 51 UN Charter requires the attack against which a State can resort to self-defence to be ‘imminent’. The same applies with regard to self-defence against malicious cyber operations. Strikes against a prospective attacker who has not yet initiated an attack do not qualify as lawful self-defence.”

Ireland (2023)

“27. The customary international law right to self-defence is acknowledged in Article 51 of the UN Charter, which states: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.” States can invoke the right to self-defence in response to an “armed attack”. Not every threat or use of force within the meaning of Article 2(4) of the Charter will amount to an armed attack and it is necessary to consider scale and effects.[20]

28. A cyber-operation that by virtue of its scale and effects reaches the threshold of an armed attack would permit the exercise of self-defence in accordance with Article 51 and customary international law. Due to the nature of a cyber-operation, it seems that only in exceptional circumstances could it reach the threshold of “armed attack”. To reach this threshold, the scale and effects of a cyber-operation must correspond to an armed attack involving a physical use of force. It is conceivable that this need not necessitate physical damage, where for example loss or impairment of functionality to ICT infrastructure is inflicted on such a scale and with such effects that it is comparable to a conventional armed attack.”^[18]

Iran (2020)

“Article IV: Use of Force and Cyber Attack from the View-point of the Armed Forces of the Islamic Republic of Iran

1. Armed forces of the Islamic Republic of Iran believe that certainly, those cyber operations resulting in material damage to property and/or persons in the widespread and grave manner and or it logically is probable to result in such implications constitutes use of force. Should such operations affect the vital national infrastructures, including defensive infrastructures- whether owned by the public or private sector- they shall violate the principle of the non-use of force.

2. Armed forces of the Islamic Republic of Iran, also, believe that their right to self-defense shall be reserved if the gravity of the cyber operation against the vital infrastructure of the state is reached in the threshold of the conventionally armed attack.”^[19]

Israel (2020)

“First — and this has already been acknowledged by many others— the customary prohibition set out in Article 2(4) of the Charter of the United Nations, on “the threat or use of force” in international relations, is clearly applicable in the cyber domain.

We share the support among States for the view that a cyber operation can amount to use of force if it is expected to cause physical damage, injury, or death, which would establish the use of force if caused by kinetic means. For example, hacking into the computers of the railroad network of another State and programming the controls in a manner that is expected to cause a collision between trains can amount to use of force. As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force.

Second, when the use of force in the cyber domain, by either a State or non-State actor, can be considered as an actual or imminent armed attack, the State under attack may act in accordance with its inherent right to self-defense, as enshrined in Article 51 of the U.N. Charter. Of course, the exercise of this right is subject to the customary principles of necessity and proportionality.

Finally, the use of force in accordance with the right of self-defense, against an armed attack conducted through cyber means, may be carried out by either cyber or kinetic means; just as use of force in self-defense against a kinetic armed attack may be conducted by kinetic or cyber means.”^[20]

Italy (2021)

“In line with the conclusions reached by the ICJ in the Nicaragua v. United States case, Italy considers that the gravest form of use of force constitutes an armed attack. There is no established definition or threshold of hostile cyber operations falling within ‘armed attack’ in the sense of article 51 of the UN Charter. Such assessment will be determined on a case-by-case basis depending on the consequences of any given cyber operation.

Italy deems that wrongful cyber operations conducted by State or non-State actors may constitute an armed attack when their scale and effects are comparable to those resulting from conventional armed attacks, resulting in significant physical damage of property, human injury and loss of life, or disruption in the functioning of critical infrastructure.

The occurrence of an armed attack triggers the right to self-defence, and the victim-State may resort to all necessary and proportionate means to end the aggression. The decision as to when a cyber operation amounting to armed attack would lead to collective self-defence will be taken on a case-by-case basis.”^[21]

Japan (2021)

“When a cyber operation constitutes an armed attack under Article 51 of the UN Charter, States may exercise the inherent right of individual or collective self-defence recognized under Article 51 of the UN Charter.”^[22]

Netherlands (2019)

“A state targeted by a cyber operation that can be qualified as an armed attack may invoke its inherent right of self-defence and use force to defend itself.20 This right is laid down in article 51 of the UN Charter. This therefore amounts to a justification for the use of force that would normally be prohibited under article 2(4) of the UN Charter. For this reason strict conditions are attached to the exercise of the right of self-defence.

An armed attack is not the same as the use of force within the meaning of article 2(4) of the UN Charter (see above). In the Nicaragua case, the International Court of Justice defined an armed attack as the most serious form of the use of force. This implies that not every use of force constitutes an armed attack.

To determine whether an operation constitutes an armed attack, the scale and effects of the operation must be considered. International law is ambiguous on the precise scale and effects an operation must have in order to qualify as an armed attack. It is clear, however, that an armed attack does not necessarily have to be carried out by kinetic means. This view is in line with the Nuclear Weapons Advisory Opinion of the International Court of Justice, in which the Court concluded that the means by which an attack is carried out is not the decisive factor in determining whether it constitutes an armed attack. The government therefore endorses the finding of the CAVV and the AIV that ‘a cyber attack that has comparable consequences to an armed attack (fatalities, damage and destruction) can justify a response with cyber weapons or conventional weapons (…)’. There is therefore no reason not to qualify a cyberattack against a computer or information system as an armed attack if the consequences are comparable to those of an attack with conventional or non-conventional weapons.

At present there is no international consensus on qualifying a cyberattack as an armed attack if it does not cause fatalities, physical damage or destruction yet nevertheless has very serious non-material consequences. The government endorses the position of the International Court of Justice, which has observed that an armed attack must have a cross-border character. It should be noted that not all border incidents involving weapons constitute armed attacks within the meaning of article 51 of the UN Charter. This depends on the scale and effects of the incident in question.

The burden of proof for justifiable self-defence against an armed attack is a heavy one. The government shares the conclusion of the CAVV and the AIV that ‘No form of self-defence whatever may be exercised without adequate proof of the origin or source of the attack and without convincing proof that a particular state or states or organised group is responsible for conducting or controlling the attack.’ States may therefore use force in self-defence only if the origin of the attack and the identity of those responsible are sufficiently certain. This applies to both state and non-state actors.

When exercising their right of self-defence, states must also meet the conditions of necessity and proportionality. In this regard the government shares the view of the CAVV and the AIV that invoking the right of self-defence is justifiable only ‘provided the intention is to end the attack, the measures do not exceed that objective and there are no viable alternatives. The proportionality requirement rules out measures that harbour the risk of escalation and that are not strictly necessary to end the attack or prevent attacks in the near future.’“^[23]

New Zealand (2020)

“The United Nations Charter and customary international law rules concerning the use of force apply to state activity in cyberspace. Relevant obligations include:

a. the requirement to settle disputes by peaceful means;

b. the prohibition on the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations; and

c. the right of self-defence against an imminent or ongoing armed attack.

State cyber activity can amount to a use of force for the purposes of international law. Whether it does in any given context depends on an assessment of the scale and effects of the activity. State cyber activity will amount to a use of force if it results in effects of a scale and nature equivalent to those caused by kinetic activity which constitutes a use of force at international law. Such effects may include death, serious injury to persons, or significant damage to the victim state’s objects and/or state functioning. In assessing the scale and effects of malicious state cyber activity, states may take into account both the immediate impacts and the intended or reasonably expected consequential impacts.

Cyber activity that amounts to a use of force will also constitute an armed attack for the purposes of Article 51 of the UN Charter if it results in effects of a scale and nature equivalent to those caused by a kinetic armed attack. As an example, cyber activity that disables the cooling process in a nuclear reactor, resulting in serious damage and loss of life, would constitute an armed attack.”^[24]

“Where malicious cyber activity gives rise to a situation leading to international friction or a dispute endangering the maintenance of peace and security, any UN Member State may bring the situation or dispute to the attention of the UN Security Council and/or General Assembly.

A state subjected to malicious cyber activity amounting to an armed attack has further recourse to the inherent right of individual and/or collective self-defence in accordance with Article 51 of the UN Charter. The right to self-defence also arises when an armed attack is imminent, including by cyber means. Any exercise of that right:

a. may include, but is not limited to, cyber activities; and

b. must be consistent with relevant UN Charter and customary international law obligations, including notification to the United Nations, necessity, and proportionality.”^[25]

Norway (2021)

Key message
A cyber operation may, depending on its scale and effects, violate the prohibition on the threat or use of force in Article 2(4) of the UN Charter. A cyber operation that is in violation of the prohibition on the threat or use of force may, depending on its scale and effects, constitute an armed attack under international law. An armed attack is the gravest form of the use of force.

Article 2(4) of the UN Charter prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any other manner inconsistent with the purposes of the UN. The prohibition is a norm of customary international law. It applies to any use of force, regardless of the weapons or means employed.

There are only three exceptions to the prohibition on the use of force in the sense that using force would not be in violation of international law: if the state on whose territory the use of force takes place consents; if it is authorised by the Security Council under Chapter VII of the UN Charter; or in the case of self-defence, in response to an armed attack as recognised in Article 51 of the UN Charter.

Whether a cyber operation violates the prohibition on the threat or use of force in Article 2(4) of the UN Charter depends on its scale and effects, physical or otherwise. Depending on its gravity, a cyber operation may also constitute an armed attack under international law. In accordance with the case law of the International Court of Justice (ICJ), an armed attack is the gravest form of the use of force.

A cyber operation may constitute use of force or even an armed attack if its scale and effects are comparable to those of the use of force or an armed attack by conventional means. This must be determined based on a case-by-case assessment having regard to the specific circumstances. A number of factors may be taken into consideration, such as the severity of the consequences (the level of harm inflicted), immediacy, directness, invasiveness, measurability, military character, State involvement, the nature of the target (such as critical infrastructure) and whether this category of action has generally been characterised as the use of force. This list is not exhaustive.

Cyber operations that cause death or injury to persons or physical damage to or the destruction of objects could clearly amount to the use of force. Likewise, a cyber operation causing severe disruption to the functioning of the State such as the use of crypto viruses or other forms of digital sabotage against governmental or private power grid- or telecommunications infrastructure, or cyber operations leading to the destruction of stockpiles of Covid-19 vaccines, could amount to the use of force in violation of Article 2(4). Similarly, the use of crypto viruses or other forms of digital sabotage against a State’s financial and banking system, or other operations that cause widespread economic effects and destabilisation, may amount to the use of force in violation of Article 2(4).

A cyber operation that severely damages or disables a State’s critical infrastructure or functions may furthermore be considered as amounting to an armed attack under international law. Depending on its scale and effect, this may include a cyber operation that causes an aircraft crash.^[26]

“A State that is the victim of a cyber operation that qualifies as an armed attack under international law, may exercise its inherent right of individual or collective self-defence under Article 51 of the UN Charter The right of self-defence as reflected in Article 51 is a norm of customary international law. It must be exercised subject to the requirements of necessity and proportionality, and may involve both digital and conventional means.^[27]

Poland (2022)

5. A cyberattack may be qualified as an armed attack. The right to self-defence applies to cyberspace

“Pursuant to Article 51 of the Charter of the United Nations and customary international law, a state has the right of self-defence in the event of an armed attack. In the context of cyberspace, a cyberattack that results in death or injury of people or damage or destruction of property of significant value may be considered an armed attack. In such circumstances, according to international law, a state enjoys the right of self-defence, however, this right should be exercised in line with the principles arising from customary international law, namely the principle of necessity and proportionality.

Self-defence does not need to involve the same means through which the armed attack was inflicted. In response to a cyberattack that reaches the threshold of an armed attack, it is possible to respond both in cyberspace exclusively or with the use of traditional armed forces. Deprivation of the right to respond to such a cyberattack with kinetic means could render the self defence right illusory when the perpetrator of an armed attack is little dependent on its functioning in cyberspace.

According to international law, the right of self-defence may also apply to cyberattacks reaching the threshold of an armed attack inflicted by non-state actors. The right of collective self-defence applies to cyberspace as well. This is supported by a declaration adopted by the representatives of states attending the meeting of the North Atlantic Council during the summit of the North Atlantic Treaty Organization in Wales in 2014. The declaration stipulates among others that a cyberattack can reach a threshold that threatens national and EuroAtlantic prosperity, security, and stability. Its impact could be as harmful to modern societies as a conventional attack. It was, therefore, affirmed that cyber defence is part of NATO‘s core task of collective defence.”^[28]

Singapore (2021)

“[..]the obligation of all States to refrain from the threat or use of force against the territorial integrity or political independence of any State. A cyber operation can cause severe consequences and effects. In determining whether a cyber operation amounts to the use of force, factors that may be taken into account include, but are not limited to, the prevailing circumstances at the time of the cyber operation, the origin of the cyber operation, the effects caused or sought by the cyber operation, the degree of intrusion of the cyber operation, and the nature of the target.

While Singapore considers the above principles to be essential ones underpinning the international legal order, Singapore’s position is that it bears noting that ultimately, none of these impair a State’s inherent right of self-defence, as provided under the UN Charter. This right of self-defence also applies in the cyber domain. In other words, a State has the inherent right of self-defence if malicious cyber activity amounting to an armed attack, or an imminent threat thereof, occurs against that State.

Malicious cyber activity attributable to a State that causes death, injury, physical damage or destruction equivalent to a traditional non-cyber armed attack, or presenting an imminent threat thereof, would constitute an armed attack. Singapore notes the increasing prevalence of this view amongst States.

In Singapore’s view, it is also possible that, in certain limited circumstances, malicious cyber activity may amount to an armed attack even if it does not necessarily cause death, injury, physical damage or destruction, taking into account the scale and effects of the cyber activity. An example might be a targeted cyber operation causing sustained and long-term outage of Singapore’s critical infrastructure.

A series or combination of cyber-attacks, whether or not it is in combination with kinetic attacks, may amount to an armed attack, even if the individual attacks do not reach the threshold equivalent to an armed attack, as long as the attacks are launched by the same actor or by different attackers acting in concert.”^[29]

Sweden (2022)

“Under Article 51 of the UN Charter, States have a right of self-defence if an armed attack occurs. It is not a requirement under the right of self-defence that the armed attack use kinetic means, nor that the use of force in self-defence is limited to such means. An attack by cyber means may have the potential to constitute an armed attack if its scale and effects are comparable to an armed attack by kinetic means. The exercise of the right of self-defence needs to be reported to the Security Council. Any use of force in the exercise of self-defence, including through cyber means, needs to adhere to principles of necessity and proportionality.”^[30]

Switzerland (2021)

“One of the key founding principles of the UN Charter is the prohibition on the use of force (Art. 2 para. 4). There are only two exceptions: if the use of force is authorised by the UN Security Council (Art. 42) or if the strict conditions under which the right of self-defence may be exercised are fulfilled (Art. 51).

The prohibition on the use of force and the right of self-defence are also applicable to cyberspace. The right of self-defence may only be exercised if an armed attack occurs first. In accordance with ICJ case law, not every violation of the prohibition on the use of force constitutes an armed attack, but only its gravest form. In order to qualify, the scale and effect of the attack must reach a certain threshold of gravity. The ICJ has also determined that an armed attack does not necessarily have to involve kinetic military action or the use of weapons because the means by which an attack is perpetrated is not the decisive factor. A state is permitted to exercise its right of self-defence in response to a cyber incident if the incident amounts in scale and effect to that of a kinetic operation in terms of inflicting death or serious injury to persons, or extensive material damage to objects. There are no binding quantitative or qualitative guidelines as to when the threshold of an armed attack in terms of scale and effect has been reached. Current discussions on how to define an armed attack in cyberspace are focusing on attacks on critical infrastructure (e.g. nuclear power plants, power grids) which reach the required threshold in terms of scale and effect i.e. serious injury to persons and/or extensive damage to objects.

The purpose of the UN Charter must guide the interpretation of the prohibition on the use of force and the right to exercise self-defence in the face of an armed attack. The Charter’s objective is to maintain and, where necessary, restore international peace and security. Consequently, even if an armed attack occurs, a state is only permitted to undertake countermeasures that are necessary and proportionate in order to repel the attack. The right of self-defence only applies if the UN Security Council has not taken the necessary measures to maintain international peace and security (Art. 51 UN Charter). If the actions taken in self-defence exceed this framework, the state itself is in breach of the prohibition on the use of force.”^[31]

United Kingdom (2018)

First, there is the rule prohibiting interventions in the domestic affairs of states both under Article 2(7) of the Charter and in customary international law. This prohibition means that any activity in cyber space which reaches the level of such an intervention is unlawful. Any activity of this nature by a state could only become permissible in response to some prior illegality by another state.

The next relevant provision of the UN Charter is in Article 2(4) which prohibits the threat or use of force against the territorial independence or political integrity of any state. Any activity above this threshold would only be lawful under the usual exceptions – when taken in response to an armed attack in self-defence or as a Chapter VII action authorised by the Security Council. In addition, the UK remains of the view that it is permitted under international law, in exceptional circumstances, to use force on the grounds of humanitarian intervention to avert an overwhelming humanitarian catastrophe.

Thirdly, the UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self- defence, as recognised in Article 51 of the UN Charter.

If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects.

Acts like the targeting of essential medical services are no less prohibited interventions, or even armed attacks, when they are committed by cyber means.”^[32]

United Kingdom (2021)

“An operation carried out by cyber means may constitute an armed attack giving rise to the inherent right of individual or collective self-defence, as recognised in Article 51 of the UN Charter where the scale and effects of the operation are equivalent to those of an armed attack using kinetic means. Factors in considering the scale and effects of an attack may include the (actual or anticipated) physical destruction of property, injury and death. The exercise of the inherent right of self-defence against an imminent or on-going armed attack whether by kinetic or cyber means, may itself be by cyber or kinetic means and must always fulfil the requirements of necessity and proportionality. Whether or not to have recourse to the exercise of the inherent right of self-defence will always be carefully considered having regard to all the circumstances.”^[33]

United States (2012)

“A state’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof. As the United States affirmed in its 2011 International Strategy for Cyberspace, “[w]hen warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”^[34]

“[…]the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response—such responses must still be necessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack”—triggering the right to self-defense—as a subset of uses of force, which passes a higher threshold of gravity.”^[35]

United States (2020)

“[..] in the exercise of its inherent right of self-defense a State may use force that is necessary and proportionate to respond to an actual or imminent armed attack. This is true in the cyber context just as in any other context.”^[36]

United States of America (2021)

“A State’s inherent right of self-defense, recognized in Article 51 of the UN Charter, may in certain circumstances be triggered by cyber activities that amount to an actual or imminent armed attack. This inherent right of self-defense against an actual or imminent armed attack in or through cyberspace applies whether the attacker is a State actor or a non-State actor. There is no requirement that a State defend itself using the same capabilities with which it is being attacked. States may employ cyber capabilities that rise to the level of a use of force as a means of self-defense against a kinetic armed attack (i.e., one that was not launched in or through cyberspace). Additionally, States may in certain circumstances use kinetic military force in self-defense against an armed attack in or through cyberspace.

The use of force in self-defense must be limited to what is necessary and proportionate to address the imminent or actual armed attack in or through cyberspace. Before resorting to forcible measures in self-defense against an actual or imminent armed attack in or through cyberspace, States should consider whether passive cyber defenses or active defenses below the threshold of the use of force would be sufficient to neutralize the armed attack or imminent threat thereof.”^[37]

Appendixes

See also

Notes and references

Definition

CollapseRetorsion

An act of retorsion is “an unfriendly but nevertheless lawful act by the aggrieved party against the wrongdoer”.[1] Such acts may include the prohibition of or limitations upon normal diplomatic relations, the imposition of trade embargoes or the withdrawal of voluntary aid programmes.[2] Cyber-specific retorsions may include sending warnings to cyber operatives belonging to another State, observing the adversary’s cyber activities on one’s own network using tools such as “honeypots”, or slowing down malicious cyber operations conducted by other States.[3] Publicly available national positions that address this issue include: 2023, 2021, 2021, 2019, 2020, 2021, 2022, 2021, 2021, 2022, 2016, 2021.

National positions

Costa Rica 2023

“15. […] Countermeasures must be distinguished from acts of retorsion, i.e., unfriendly acts taken in response to lawful but equally unfriendly acts by another State, such as the suspension of diplomatic relations. Measures of retorsion are also available in cyberspace, including in response to wrongful or unfriendly cyber operations”.^[4]

Estonia 2021

“In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs.”^[5]

Retorsions may be taken as a response to malicious cyber operations as long as they are not in violation with international law.

“Retorsions will remain as measures for a state to respond to unfriendly acts or violations of international law, which by themselves do not constitute a countermeasure. States have the right to apply these measures as long as they do not violate obligations under international law.

These measures could, for example include the expulsion of diplomats or applying restrictive measures to officials of a third country such as asset freezes or travel bans. One example of such a mechanism would be the European Union’s cyber sanctions regime and cyber diplomacy toolbox, which offer an array of measures that could be taken as a response to malicious cyber operations.”^[6]

Germany 2021

“A State may engage in measures of retorsion to counter a cyber operation carried out against it. Retorsions are unfriendly acts directed against the interests of another State without amounting to an infraction of obligations owed to that State under international law. Since retorsions are predominantly rooted in the political sphere, they are not subject to such stringent legal limitations as other types of response such as countermeasures.

Measures of retorsion may be adopted to counter (merely) unfriendly cyber operations perpetrated by another State. They may likewise be enacted in reaction to an unlawful cyber operation if more intensive types of response (countermeasures, self-defence) are unavailable for legal reasons (for example, in cases in which counter-measures would be disproportionate) or politically unfeasible. Moreover, they may be adopted as a reaction to an unlawful cyber operation in combination with other types of response, such as countermeasures, as part of a State’s comprehensive, multi-pronged response to malicious cyber activities directed against it.”^[7]

Netherlands 2019

“Retorsion relates to acts that, while unfriendly, are not in violation of international law. This option is therefore always available to states that wish to respond to undesirable conduct by another state, because it is a lawful exercise of a state’s sovereign powers. States are free to take these kinds of measures as long they remain within the bounds of their obligations under international law.

A state may respond to a cyber operation by another state, for example, by declaring diplomats ‘persona non grata’, or by taking economic or other measures against individuals or entities involved in the operation. Another retorsion measure a state may consider is limiting or cutting off the other state’s access to servers or other digital infrastructure in its territory, provided the countries in question have not concluded a treaty on mutual access to digital infrastructure in each other’s territory.”^[8]

New Zealand 2020

“Regardless of whether the activity amounts to an internationally wrongful act, a state may always attribute political responsibility for malicious state cyber activity and may always respond with retorsion (i.e. unfriendly acts not inconsistent with international law).”^[9]

Norway 2021

“A State may respond to any form of cyber operation by retorsion. Retorsion refers to the taking of measures that are lawful but unfriendly, directed against another State. Retorsion may therefore be used regardless of whether international law has been violated and regardless of whether State responsibility applies. Examples of acts of retorsion are breaking off or limiting diplomatic relations, for instance by declaring a diplomat persona non grata, or the imposition of sanctions. Publicly declaring that another State is responsible for a cyber operation is in itself an act of retorsion.”^[10]

Poland 2022

“In accordance with international law, a state has a right to take measures in response to hostile actions in cyberspace that do not reach the threshold of an armed attack.

International practice shows that states may use a range of measures to ensure that law is respected by other actors subject to international law. In particular the state which is the target of an cyberattack may respond to hostile actions by using retorsion or countermeasures.

Retorsion is a response of the state to actions contrary to its interest or hostile actions of another state. Measures taken as a retorsion may be in reaction to both legal and illegal actions of another subject of international law, but in itself they must be in compliance with international law.”^[11]

Singapore 2021

“Apart from counter-measures, a victim State that is subject to malicious cyber activity short of an internationally wrongful act may also respond with acts of retorsion.”^[12]

Switzerland 2021

“Retorsion allows states to respond to such activities regardless of whether international law has been violated or not. It refers to unfriendly but lawful measures in response to unwelcome acts by another state. Typical examples of retorsion include refraining from signing a trade agreement that would benefit both parties, recalling an ambassador, or breaking off diplomatic relations as a last resort.”^[13]

United Kingdom 2022

“If a State carries out irresponsible, hostile, or unlawful cyber activity, what then are the options available to the victim State?

There are a wide range of effective response options available to impose a cost on States carrying out irresponsible or hostile cyber activity, regardless of whether the cyber activity constitutes an internationally unlawful act. These kinds of measures, referred to as acts of retorsion in international law, could include economic sanctions, restrictions on freedom of movement, exclusion from international groupings and wider diplomatic measures. So, there are always options available to stand up to unacceptable behaviour. And you do not have to look far to see how the impact of taking these kinds of measures is amplified when acting alongside other like-minded States.

Let me be clear. This means that when states like Russia or China carry out irresponsible or hostile cyber activity, the UK and our allies are always able to take action, whether or not the activity was itself unlawful. Today that might be in response to hostile cyber activity occurring in Ukraine, tomorrow it could be a response to hostile activity in Taiwan.”^[14]

United States 2016

“[..]a State can always undertake unfriendly acts that are not inconsistent with any of its international obligations in order to influence the behavior of other States. Such acts—which are known as acts of retorsion—may include, for example, the imposition of sanctions or the declaration that a diplomat is persona non grata.“^[15]

United States 2021

“Acts of retorsion may include the imposition of sanctions or the declaration that a diplomat is persona non grata. A State can always undertake such responsive measures that are not inconsistent with any of its international obligations in order to influence the behavior of other States, including in response to destabilizing cyber activities.”^[16]

Appendixes

See also

Notes and references

Definition

CollapseResponsibility of a State for the conduct of another State

A joint or collective wrongful act may result in a plurality of responsible States.[1] According to the principle of independent responsibility, each State is responsible for its own internationally wrongful conduct.[2] However, a State may also be responsible for a wrongful act of another State if it is implicated in the conduct of the latter. International law recognizes several forms of derived international responsibility:[3] Aid or assistance with a view to assisting in the commission of a wrongful act by another State;[4] Direction or control over the commission of an internationally wrongful act of another State;[5] Coercion of another State into the commission of an internationally wrongful act.[6] In all three cases, the State is responsible if it acts with knowledge of the circumstances of the internationally wrongful act.[7] These forms of implication have in common that the specific nature of the relationship between the State that is the actual author of the unlawful act and the implicated State causes the incurrence of responsibility of the latter.[8] The assisting State will typically not be responsible for the assisted wrongful act[9] but for a distinct wrongful act – i.e., for deliberately assisting another State in breaching an international obligation by which they are both bound.[10] In contrast, the exercise of direction and control or coercion by one State over the commission of an internationally wrongful act by another incurs responsibility for the act itself[11] towards the injured State.[12] The coerced State might benefit from force majeure if the requirements are met.[13] In that case, it would be solely the State exerting coercion that would bear responsibility.[14] Publicly available national positions that address this issue include: (2021), (2020).

National positions

Germany (2021)

“Generally, the mere (remote) use of cyber infrastructure located in the territory of a State (forum State) by another State (acting State) for the implementation of malicious cyber operations by the latter does not lead to an attribution of the acting State’s conduct to the forum State. However, the forum State may under certain circumstances incur responsibility on separate grounds, for example if its conduct with regard to another State’s use of its cyber infrastructure for malicious purposes qualifies as aid or assistance. This inter alia applies if the forum State actively and knowingly provides the acting State with access to its cyber infrastructure and thereby facilitates malicious cyber operations by the other State.”^[15]

New Zealand (2020)

“States may also be internationally responsible for aiding or assisting internationally wrongful cyber activity carried out by another state.”^[16]

Appendixes

See also

Notes and references

Definition

CollapseProtection of medical units during armed conflict

Under treaty and customary IHL, “medical units” – a term that includes military and civilian hospitals (the latter if belonging to a party to the conflict and recognized and authorized by the competent authority of one of the Parties to the conflict) – must be “respected and protected” by the parties to the conflict at all times and “shall not be the object of attack”.[1] Intentionally directing attacks against medical units and facilities may constitute a war crime.[2] The obligation to “respect” medical facilities is broader than just protecting them against operations that amount to attacks as defined in IHL, meaning it is also prohibited to interfere with the functioning of medical services in ways that do not necessarily result in death, injury, or damage.[3] As the ICRC Commentary explains, under the relevant IHL provisions it is prohibited to “harm [medical facilities] in any way. This also means that there should be no interference with their work (for example, by preventing supplies from getting through) or preventing the possibility of continuing to give treatment to the wounded and sick who are in their care”.[4] In light of the comprehensive protection for medical facilities under IHL, the obligation to respect medical facilities encompasses a prohibition against deleting, altering or otherwise negatively affecting medical data.[5] Relevant data in the medical context include “data necessary for the proper use of medical equipment and for tracking the inventory of medical supplies” as well as “personal medical data required for the treatment of patients”.[6] Publicly available national positions that address this issue include: (2023), (2021).

National positions

Costa Rica (2023)

“59. Under IHL, medical facilities must be respected and protected by the parties to the conflict at all times. The obligation to respect and protect such facilities entails that it is also prohibited to interfere with their functioning using cyber means, irrespective of whether doing so would amount to an attack as understood under IHL. In Costa Rica’s view, this obligation also encompasses a prohibition against deleting or tampering with medical data (a category that includes data necessary for the proper use of medical equipment, tracking medical supplies, and personal medical data required for patient treatment).”^[7]

Switzerland (2021)

“Full compliance with IHL is not limited to the rules and principles governing the conduct of hostilities. There are other specific rules of IHL that must be respected, including when conducting military operations that do not qualify as an ‘attack’. For example, certain categories of persons and objects are subject to special protection, such as medical, religious or humanitarian personnel and objects, which must be respected and protected in all circumstances.

This is also applicable to cyberspace. For cyber operations that are linked to any of these specially protected persons or objects, or to other activities governed by IHL, all of the relevant, specific rules must be observed.”^[8]

Appendixes

See also

Notes and references

Definition of proportionality

CollapseProportionality

The principle of proportionality prohibits attacks ‘which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated’.[1] The principle of proportionality is codified in Articles 51(5)(b) and 57(2)(a)(iii)(b) of the 1977 Additional Protocol I and reflects customary international law.[2] The nature of the principle makes it relevant only to attacks directed at military objectives or persons who are lawful targets, where incidental civilian loss of life, injury, damage to civilian objects, or a combination thereof, is expected. These three types of harms are commonly referred to as ‘incidental civilian harm’.[3] The principle of proportionality is ex ante in nature, as it demands a balancing of the expected civilian harm and the anticipated military advantage. A proportionality assessment must therefore be made in advance of an attack and cannot be judged based on hindsight. The assessment must be made on the basis of a ‘reasonable military commander’s’ assessment of the information which is reasonably available from all sources at the relevant time.[4] The decision must be made in good faith.[5] The ICRC has expressed the view that all direct and indirect incidental civilian harm that is foreseeably caused by the attack must be taken into consideration in the proportionality assessment.[6] Direct harm relates to consequences that are directly and immediately caused by a cyber attack. All other harms are considered indirect harms; sometimes referred to as the ‘reverberating’ effects of an attack.[7] For example, if it is reasonably expected that a cyber attack against a power grid will cause deaths in a hospital emergency ward due to a lack of power, those deaths must be part of the proportionality assessment. While one military manual claims the assessment of incidental civilian harm is generally understood to be limited to immediate or direct harm,[8] most of them do not limit the assessment in this way and a number of manuals and other relevant official State documents expressly require the consideration of indirect effects.[9] When considering what constitutes ‘damage’ to civilian objects, some have argued that the damage does not have to be physical, but may include loss or deprivation of functionality.[10] However, Tallinn Manual experts agreed that damage must go beyond inconvenience, irritation, stress, or fear since these consequences do not amount to incidental loss of civilian life, injury to civilians, or damage to civilian objects.[11] Finally, when different types of incidental civilian harm are anticipated, the harms must be assessed in combination, and not in isolation of each other.[12] The ‘concrete and direct’ military advantage that is assessed is that which is ‘substantial and relatively close’.[13] Conversely, ‘advantages which are hardly perceptible and those which would only appear in the long term should be disregarded’.[14] Among others, the expected military advantage to be assessed cannot be merely speculative.[15] Additionally, advantages that are solely political, psychological, economic, financial, social, or moral in nature do not constitute ‘military advantage’ under the principle of proportionality.[16] When ratifying Additional Protocol I, a number of States explained that they consider the military advantage from an attack to refer to the ‘advantage anticipated from the attack as a whole and not only from isolated or particular parts of an attack’.[17] When assessing whether the incidental civilian harm will be excessive to the attack’s anticipated concrete and direct military advantage, determining ‘excessiveness’ entails a subjective assessment that allows for a ‘fairly broad margin of judgement’.[18] At the same time, the determination of excessiveness also has an objective element since it ‘must be based on that of the “reasonable commander”’.[19] Publicly available national positions that address this issue include: (2023).

National positions

Costa Rica (2023)

“47. The principle of proportionality prohibits parties to armed conflicts from launching a cyber-attack against a military objective, which may be expected to cause incidental civilian harm that would be excessive in relation to the concrete and direct military advantage anticipated. In Costa Rica’s view, the incidental harm to be taken into consideration includes any incidental loss of functionality of civilian computers, systems or networks. For Costa Rica’s understanding of the notion of loss of functionality, refer to para. 20 of this position.”^[20]

Appendixes

See also

• Scenario 28: Extraterritorial incidental civilian cyber harm

Notes and references

Definition

CollapseProhibition of intervention

The obligation of non-intervention, a norm of customary international law,[1] prohibits States from intervening coercively in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 Nicaragua v United States case: A prohibited intervention must […] be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.[2] In order for an act, including a cyber operation,[3] to qualify as a prohibited intervention, it must fulfil the following conditions:[4] The act must bear on those matters in which States may decide freely.[5] The spectrum of such issues is particularly broad and it includes both internal affairs (such as the “choice of a political, economic, social, and cultural system”[2] or the conduct of national elections[6]), and external affairs (“formulation of foreign policy”;[2] or “recognition of states and membership of international organisations”[7])—the so-called domaine réservé of States.[8] The content of the domaine réservé is determined by the scope and nature of the State’s international legal obligations. The act must be coercive in nature. There is no generally accepted definition of “coercion” in international law. In this respect, two main approaches have emerged in the cyber context:[9] Under the first approach, an act is coercive if it is specifically designed to compel the victim State to change its behaviour with respect to a matter within its domaine reservé.[10] Under this approach, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”.[11] Under the second approach giving meaning to “coercion”, it is sufficient for an act to effectively deprive the target State of its ability to control or govern matters within its domaine reservé.[12] This latter approach distinguishes itself from the former by accepting that mere deprivation of the target State’s control over a protected matter, without actually or potentially compelling that State to change its behaviour, may constitute intervention.[13] Under both approaches, however, merely influencing the target State by persuasion or propaganda or causing a nuisance without any particular goal is insufficient to qualify as coercion.[14] The element of coercion also entails the requirement of intent.[15] While coercion is evident in the case of an intervention involving the use of force, ‘either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State’, as affirmed by the ICJ,[16] it is less clear with respect to non-forcible forms of interference.[17] Some States support the approach that intervention may take various forms, such as economic and political coercion.[18] One example that has been reiterated in several States’ positions, including Australia,[19] Brazil,[20] Canada,[21] Germany,[22] Israel,[23] New Zealand,[24] Norway,[25] Singapore,[26] the United Kingdom[27] and the United States,[28] is the case of cyber operations by a State interfering with another state’s ability to hold an election or manipulating the election results. Many States have affirmed that the assessment has to be done on a case-by-case basis.[29] Both potential and actual effects are considered to be relevant when assessing the coercion element.[30] Finally, there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.[31] The prohibition of intervention applies between States, and thus it is not applicable to the activities of non-State groups, unless their conduct can be attributed to a State under the rules on attribution under international law.[32] Publicly available national positions that address this issue include: (2020), (2021), (2022), (2023), (2021), (2023), (2021), (2019), (2021), (2020), (2023), (2020), (2021), (2021), (2019), (2020), (2021), (2023), (2022), (2021), (2021), (2022), (2021), (2018), (2021), (2022), (2016), (2020), (2021).

National positions

Australia (2020)

“Harmful conduct in cyberspace that does not constitute a use of force may still constitute a breach of the duty not to intervene in the internal or external affairs of another State. This obligation is encapsulated in Article 2(7) of the Charter and in customary international law.

A prohibited intervention is one that interferes by coercive means, either directly or indirectly, in matters that a State is permitted by the principle of State sovereignty to decide freely. Such matters include a State’s economic, political, social systems and foreign policy. Coercive means are those that effectively deprive the State of the ability to control, decide upon or govern matters of an inherently sovereign nature. Accordingly, the use by a hostile State of cyber activities to manipulate the electoral system to alter the results of an election in another State, intervention in the fundamental operation of Parliament, or in the stability of States’ financial systems would constitute a violation of the principle of non-intervention.”^[33]

Brazil (2021)

The principle of non-intervention, which is considered customary international law, refers to “the right of every sovereign State to conduct its affairs without outside interference”. In the Declaration on the Principles of International Law concerning Friendly Relations and Co-operation among States, the General Assembly affirmed that “the strict observance by States of the obligation not to intervene in the affairs of any other State is an essential condition to ensure that nations live together in peace with one another”. Even though Resolution 2625 (XXV) preceded the widespread use of ICTs, the customary norm prohibiting intervention in the internal affairs of another State applies irrespective of the means or medium used and extends to the use of ICTs by States.

To violate the principle of non-intervention, the malicious use of ICTs against another State must involve an element of coercion affecting the right of the victim State to freely choose its political, economic, social and cultural system, and to formulate its foreign policy. If attributable to a State, this breach entails this State’s international responsibility.

There has been a growing discussion on whether cyberoperations aimed at interfering in the electoral processes of another State could amount to violations of the principle of non-intervention. Considering that elections are at the core of a State’s internal affairs, should the malicious use of ICTs against a State involve some level of coercion, then it must be prohibited by the principle of non-intervention.”^[34]

Canada (2022)

“22. State cyber activities may breach the foundational international law prohibition of intervention in the internal or external affairs of another State. This would be the case where both of the following conditions are met: the activities aim to interfere with the internal or external affairs of the affected State involving its inherently sovereign functions, known as domaine réservé^[35]; and the activities would cause coercive effects that deprive, compel, or impose an outcome on the affected State on matters in which it has free choice.^[36]

23. In its most serious form, coercion may arise through the threat or use of force but could also arise where a cyber activity is designed to deprive the affected State of its freedom of choice. Coercion must be distinguished from other conduct such as public diplomacy, criticism, persuasion, and propaganda.

24. An example of a prohibited intervention would be a malicious cyber activity that hacks and disables a State’s election commission days before an election, preventing a significant number of citizens from voting, and ultimately influencing the election outcome. Another example would be a malicious cyber activity that disrupts the functioning of a major gas pipeline, compelling the affected State to change its position in bilateral negotiations surrounding an international energy accord.

25. Whether or not a cyber activity meets the threshold for a violation of the rule on territorial sovereignty or rises to the level of a violation of the rule against intervention will be determined on a case-by-case basis. As with the thresholds for violations of territorial sovereignty, Canada believes that further State practice and opinio juris will help clarify the thresholds for the rule of non-intervention, and the scope of customary law in this area over time.”^[37]

Costa Rica (2023)

“23. The principle of non-intervention is grounded in customary international law and prohibits States from interfering directly or indirectly with matters within the domestic jurisdiction of other States, i.e., their internal or external affairs. According to the ICJ, a prohibited intervention is one bearing ‘on matters in which each State is permitted, by the principle of State sovereignty, to decide freely’. Examples include ‘the choice of a political, economic, social and cultural system, and the formulation of foreign policy’, whether these are carried out by private or public entities, and irrespective of a State’s new undertakings under international law. Moreover, according to the ICJ, a wrongful intervention is one which ‘uses methods of coercion in regard to such choices, which must remain free ones’.

24. Coercion is clear-cut when a State uses or threatens to use force against another one. Nonetheless, it can also occur in a multitude of ways where one State, directly or indirectly through support for non-State actors, deprives another State of the capacity to make free and informed choices pertaining to its internal or external affairs. Coercion may occur when a State provides financial or other forms of support to secessionist, subversive or violent groups in the territory of another State, when it exercises significant political or economic pressure on another State, or when it engages in or supports subversive or hostile propaganda or the dissemination of false news that interfere in the internal or external affairs of another State. Moreover, coercion needs not be successful in intervening within a State’s internal or external affairs. Mere threats of intervention or acts seeking to interfere within another State’s domaine reservé may also breach the principle. For such breaches to occur, it suffices that a State intends to coerce another State, employs coercive methods, or eventually causes coercive effects in another State.

25. In Costa Rica’s view, these various forms of coercion may well be carried out in or through ICTs and amount to violations of the principle of non-intervention insofar as they interfere with a State’s internal or external affairs. A prominent example of a breach of non-intervention are ransomware attacks crippling or simply interfering with a State’s ability to run public services, such as finance, education, and social security. Moreover, foreign election interference may also infringe the principle of non-intervention. This may take the form of cyber operations directly interfering with mail ballots or voter databases, or electoral disinformation campaigns seeking to mislead the electorate about the vote itself, candidates, electoral polls or results. Other types of disinformation, such as those affecting a State’s health policies, may also amount to a prohibited intervention. Posts inciting individuals or other States to wage wars of aggression or to disrupt or subvert the internal order of another State may likewise breach the principle of non-intervention”.^[38]

China (2021)

“No State shall intervene in other States’ rights to survival, security and development in cyberspace. No State shall support or allow separatist forces to undermine other States’ territorial integrity, national security and social stability through use of ICTs.”^[39]

Denmark (2023)

“The principle of non-intervention is a fundamental principle of international law. It is a corollary of the principle of sovereignty, and more specifically the aspect that provides for the sovereign equality of States as set forth in article 2(1) of the UN Charter.

Denmark is of the view that the prohibition of intervention is a rule of international law forming part of customary international law. This was established by the ICJ in the Nicaragua v. United States of America case where the Court held that States are prohibited from intervening directly or indirectly in internal or external affairs of other States.[1]

In order for an action to qualify as an unlawful intervention it must qualify as an intervention in matters that are the sovereign prerogative of a State, the so-called domaine réservé, and it must involve an element of coercion.[2]

The scope of activities falling within the domaine réservé include but are not limited to “ (…) the choice of a political, economic, social, and cultural system, and the formulation of foreign policy.”[3] The range of activities covered by the non-intervention rule largely overlap with the activities reserved to States under the rule of sovereignty.

The term coercion is not defined in either treaty law or customary international law. Denmark takes the view that an act may be considered of a coercive nature when the act of interference has a potential for compelling the target State to engage in an action that it would otherwise not take. However, a distinction must be drawn between activities that merely involve influencing, as opposed to compelling, the voluntary actions of a target State. Acts of influence, such as persuasion, criticism, and public diplomacy are insufficient to qualify as an intervention. To be coercive the effort to intervene must be designed to have a decisive impact on outcomes or conduct with respect to a matter reserved to the target State. As emphasized by the Court in the Nicaragua judgment coercive acts involving the use of force are particularly obvious examples of unlawful interventions.[4] Denmark considers that coercion is not limited to means of direct or indirect use of force and that also measures below this threshold may constitute coercion. Cyber activities that do not amount to use of force can therefore also be coercive.

An example of unlawful intervention in the cyber domain could be where a State coercively interferes in the internal political process of another. In the cyber context this could potentially occur by using cyber technology to alter electronic ballots and thereby affecting the results of a political election.”^[40]

Estonia (2021)

The principle of non-intervention is a well-established rule of international law, which flows from the principle of sovereignty, and applies to state conduct in cyberspace.

“If an operation attributable to another state affects a state’s internal or external affairs in such a manner that it coerces a state to take a course of action it would not voluntarily seek, it would constitute a prohibited intervention.”

When discussing if a cyber operation constitutes an unlawful intervention into the external or internal affairs of another state, the element of coercion is a key factor. The possibility for a cyber operation to constitute an unlawful intervention in the functions that form a part of a state’s domaine réservé has found acceptance among states, including Estonia, especially regarding the rights and obligations deriving from the principle of state sovereignty. States’ domaine réservé according to the ICJ includes the “choice of a political, economic, social, and cultural system, and the formulation of foreign policy.” Stemming from that, cyber operations that aim to force another nation to act in an involuntary manner or to refrain from acting in a certain manner, and target the other nation’s domaine réservé (e.g. national democratic processes such as elections, or military, security or critical infrastructure systems) could constitute such an intervention.”^[41]

France (2019)

“Many States are acquiring the capacity to prepare and conduct operations in cyberspace. When carried out to the detriment of the rights of other States, such operations may breach international law. Depending on the extent of their intrusion or their effects, they may violate the principles of sovereignty, non-intervention or even the prohibition of the threat or use of force. States targeted by such cyberattacks are entitled to respond to them within the framework of the options offered by international law. In response to a cyberattack, France may consider diplomatic responses to certain incidents, counter-measures, or even coercive action by the armed forces if an attack constitutes armed aggression.”^[42]

Interference by digital means in the internal or external affairs of France, i.e. interference which causes or may cause harm to France’s political, economic, social and cultural system, may constitute a violation of the principle of non-intervention.^[43]

Germany (2021)

“The prohibition of a wrongful intervention between States is not explicitly mentioned in the UN Charter. However, it is a corollary of the sovereignty principle, can be derived from art. 2 para. 1 UN Charter and is grounded in customary international law. Generally, for State-attributable conduct to qualify as a wrongful intervention, the conduct must (1) interfere with the domaine réservé of a foreign State and (2) involve coercion. Especially the definition of the latter element requires further clarification in the cyber context.

In its Nicaragua judgement, the International Court of Justice (ICJ) held that ‘[t]he element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.’ Malicious cyber activities will only in some cases amount to direct or indirect use of force. However, measures below this threshold may also qualify as coercive. Generally, Germany is of the opinion that cyber measures may constitute a prohibited intervention under international law if they are comparable in scale and effect to coercion in non-cyber contexts.

Coercion implies that a State’s internal processes regarding aspects pertaining to its domaine réservé are significantly influenced or thwarted and that its will is manifestly bent by the foreign State’s conduct. However, as is widely accepted, the element of coercion must not be assumed prematurely. Even harsher forms of communication such as pointed commentary and sharp criticism as well as (persistent) attempts to obtain, through discussion, a certain reaction or the performance of a certain measure from another State do not as such qualify as coercion. Moreover, the acting State must intend to intervene in the internal affairs of the target State – otherwise the scope of the non-intervention principle would be unduly broad.

In the context of wrongful intervention, the problem of foreign electoral interference by means of malicious cyber activities has become particularly virulent. Germany generally agrees with the opinion that malicious cyber activities targeting foreign elections may – either individually or as part of a wider campaign involving cyber and non-cyber-related tactics – constitute a wrongful intervention. For example, it is conceivable that a State, by spreading disinformation via the internet, may deliberately incite violent political upheaval, riots and/or civil strife in a foreign country, thereby significantly impeding the orderly conduct of an election and the casting of ballots. Such activities may be comparable in scale and effect to the support of insurgents and may hence be akin to coercion in the above-mentioned sense. A detailed assessment of the individual case would be necessary.

Also, the disabling of election infrastructure and technology such as electronic ballots, etc. by malicious cyber activities may constitute a prohibited intervention, in particular if this compromises or even prevents the holding of an election, or if the results of an election are thereby substantially modified.

Furthermore, beyond the mentioned examples, cyber activities targeting elections may be comparable in scale and effect to coercion if they aim at and result in a substantive disturbance or even permanent change of the political system of the targeted State, i.e. by significantly eroding public trust in a State’s political organs and processes, by seriously impeding important State organs in the fulfilment of their functions or by dissuading significant groups of citizens from voting, thereby undermining the meaningfulness of an election. Due to the complexity and singularity of such scenarios, it is difficult to formulate abstract criteria. Discussions in this context are still ongoing.”^[44]

Iran (2020)

“Article III: Intervention in Internal [and external] Affairs of other States from the View-Point of the Armed Forces of the Islamic Republic of Iran

1. The principle of non-intervention, without any doubt, is an independent principle of customary international law and any measure to change the political regime such as political forceful intervention is a gross violation of this principle. Measures like cyber manipulation of elections or engineering the public opinions on the eve of the elections may be constituted of the examples of gross intervention. The intervention, also, covers situations in which the non-cyber measures may occur in the cyber activities relating to the internal and external affairs of the other state. Cyber activities paralyzing websites in a state to provoke internal tensions and conflicts or sending mass messages in a widespread manner to the voters to affect the result of the elections in other states is also considered as the forbidden intervention.

2. Armed intervention and all other forms of intervention or attempt to threaten against the personality of state or political, economic, social, and cultural organs of it through cyber and any other tools are regarded as unlawful. No state may compel the other state, by resorting to cyber and other means, to use or encourage to use of political, economic, or any other measures to subject that state in exercising its sovereign rights or guaranteeing concessions from that state.

3. All explicit and dainty forms and complicated techniques of duress, overthrow, and outrage (whether Cyber or non-cyber) to intrigue in the political, social, or economic order of other states or destabilizing governments seeking liberalization of their own economic, political and cultural system form control or intervention of foreigners, is unlawful.

4. Every state enjoys the inherent right to the full development of information system and mass media and their employment, without intervention, to advance their own political, social, economic, and cultural interests and aspirations. Any measure resulting in impediment, denying, and or restricting operation of signals and means of information transfer and providing control systems and exercising the sovereignty of the state is regarded as unlawful.

5. Any capacity-building program in the field of cyber shall be designed and applied under the national plans and needs of states and in consistence with their economic, social, and cultural situations. These programs shall not become a means for intervention in the internal affairs of states.”^[45]

Ireland (2023)

“8. The principle of non-intervention in the internal affairs of states, a corollary of the principle of sovereignty, involves the right of every sovereign state to conduct its affairs without interference.[3] The principle of non-intervention, outside the context of use of force, applies to one state’s actions in relation to another state where two elements are present: (i) coercion by one state of another state; and (ii) in relation to “matters in which each state is permitted, by the principle of state sovereignty, to decide freely.”[4] As regards what is encompassed by the latter element, the ICJ in the Nicaragua case provided specific examples such as the “choice of a political, economic, social and cultural system, and the formulation of foreign policy.”[5] This is often referred to as the domaine réservé of a state.

9. In order for the principle to be engaged, an intervention in the cyber context must be of sufficient seriousness, comparable in scale and effects to coercive action in a non-cyber context. For instance, malicious cyber-operations seriously compromising healthcare systems or national elections are capable of amounting to unlawful interventions.

10. Unlawful interventions should be distinguished from lawful forms of influence and pressure on states, such as lobbying governments or unfriendly acts. Likewise, they do not include countermeasures permitted under international law to induce a state to comply with its obligations on foot of an internationally wrongful act.”^[46]

Israel (2020)

“Another matter closely related to the issue of sovereignty is that of non-intervention. Traditionally, this concept has been understood as having a high threshold. It has been taken to mean that State A cannot take actions to “coerce” State B in pursuing a course of action, or refraining from a course of action, in matters pertaining to State B’s core internal affairs, such as its economic or foreign policy choices. Its traditional application has focused on military intervention and support to armed groups seeking the overthrow of the regime in another State. This could presumably also relate to support given to armed groups in the cyber domain, such as providing information regarding cyber vulnerabilities of the State.

A more recent issue that has come to the fore relates to interference in national elections. We concur with the various positions expressed in this regard, such as that which was presented by former U.S. State Department Legal Adviser Brian J. Egan, and more recently reiterated by U.S. Department of Defense General Counsel Paul C. Ney Jr., that a “cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention.”^[47]

Italy (2021)

“Italy believes that cyber operations constitutes a violation of the customary principle of nonintervention in the internal affairs of other States when a State employs coercive means to compel another State to undertake or desist from a specific action, in matters falling under its domain réservé.

The accelerating pace of technological change, the unpredictable effects of its applications, as well as the difficulty to measure the coercive impact of influence activities, which are on the rise, cannot be overlooked. Therefore, Italy sees merit in continuing to deepen the study of possible violations of the principle of non-intervention in cyberspace. That is particularly the case with regard to influence activities aimed, for instance, at undermining a State’s ability to safeguard public health during a pandemic, or at manipulating voting behaviour.”^[48]

Japan (2021)

“With respect to the principle of non-intervention, cyber operations may constitute unlawful intervention when requirements including the element of coercion, which are clarified in the Nicaragua judgement (1986), are met.”^[49]

“An act of causing physical damage or loss of functionality by means of cyber operations against critical infrastructure, including medical institutions, may constitute an unlawful intervention, depending on the circumstances, and at any rate, it may constitute a violation of sovereignty. As various opinions were expressed on the relationship between violation of sovereignty and unlawful intervention at the sixth GGE and the OEWG, it is desirable that a common understanding be forged through State practices and future discussions.” ^[50]

Netherlands (2019)

“The development of advanced digital technologies has given states more opportunities to exert influence outside their own borders and to interfere in the affairs of other states. Attempts to influence election outcomes via social media are an example of this phenomenon. International law sets boundaries on this kind of activity by means of the non-intervention principle, which is derived from the principle of sovereignty. The non-intervention principle, like the sovereignty principle from which it stems, applies only between states.

Intervention is defined as interference in the internal or external affairs of another state with a view to employing coercion against that state. Such affairs concern matters over which, in accordance with the principle of sovereignty, states themselves have exclusive authority. National elections are an example of internal affairs. The recognition of states and membership of international organisations are examples of external affairs.

The precise definition of coercion, and thus of unauthorised intervention, has not yet fully crystallised in international law. In essence it means compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue. The goal of the intervention must be to effect change in the behaviour of the target state. Although there is no clear definition of the element of coercion, it should be noted that the use of force will always meet the definition of coercion. Use of force against another state is always a form of intervention.”^[51]

New Zealand (2020)

“Malicious state cyber activity may be inconsistent with the rule of non-intervention. Such activity will violate the rule of non-intervention if it:

a. has significant effects on a matter which falls within the target state’s inherently sovereign functions / domaine réservé (e.g. the right freely to choose its political, economic, social and cultural system, or matters such as taxation, national security, policing, border control, and the formulation of foreign policy); and

b. is coercive (i.e. there is an intention to deprive the target state of control over matters falling within the scope of its inherently sovereign functions). Coercion can be direct or indirect and may range from dictatorial threats to more subtle means of control. While the coercive intention of the state actor is a critical element of the rule, intention may in some circumstances be inferred from the effects of cyber activity.

Examples of malicious cyber activity that might violate the non-intervention rule include: a cyber operation that deliberately manipulates the vote tally in an election or deprives a significant part of the electorate of the ability to vote; a prolonged and coordinated cyber disinformation operation that significantly undermines a state’s public health efforts during a pandemic; and cyber activity deliberately causing significant damage to, or loss of functionality in, a state’s critical infrastructure, including – for example – its healthcare system, financial system, or its electricity or telecommunications network.”^[52]

Norway (2021)

Key message
Cyber operations that compel the target State to take a course of action, whether by act or omission, in a way that it would not otherwise voluntarily have pursued (coercion) in matters relating to its internal or external affairs (domaine réservé), will constitute an intervention in violation of international law.

“The prohibition of intervention applies to a State’s cyber operations as it does to other State activities. Accordingly, a State must not carry out cyber operations in breach of the prohibition of intervention, according to customary international law.

A cyber operation must therefore not be carried out to compel the target State to take a course of action, whether by act or omission, in a way that it would not otherwise voluntarily have pursued (coercion) in matters relating to its internal or external affairs (domaine réservé) – such as a State’s political, economic, social or cultural system or the formulation of its foreign policy. The constituent element of coercion means that cyber activities that are merely influential or persuasive will not qualify as illegal intervention.

Holding elections is an example of a matter within a State’s domaine réservé. Thus, carrying out cyber operations with the intent of altering election results in another State, for example by manipulating election systems or unduly influencing public opinion through the dissemination of confidential information obtained through cyber operations (‘hack and leak’), would be in violation of the prohibition of intervention. Another example is a cyber operation deliberately causing a temporary shutdown of the target State’s critical infrastructure, such as the power supply or TV, radio, Internet or other telecommunications infrastructure in order to compel that State to take a course of action.”^[53]

Pakistan (2023)

“6. Pakistan believes that the principles of non-use of force, sovereign equality of all nations, non-interventionism, and peaceful settlement of disputes, as enshrined in the UN Charter, continue to apply in cyberspace as in the physical world.”^[54]

Poland (2022)

3. Actions in cyberspace may constitute unlawful intervention in affairs falling under the domestic jurisdiction of a state.

“Intervention in internal or external affairs of another state that fall under its domestic jurisdiction is an action that contravenes international law. The principle of non-intervention is a natural consequence of the principle of sovereignty – to the extent to which the state exercises its exclusive sovereign rights, the other states have an obligation to respect them. The threshold for considering a specific operation in cyberspace to be in breach of the principle of non-intervention is higher than in the case of deeming it solely a violation of the principle of sovereignty. To be in breach of international law, an intervention must include the element of coercion that aims at influencing the state’s decisions belonging to its domaine réservé, i.e. the area of state activity that remains its exclusive competence under the principle of sovereignty. Therefore, it is possible to refer to a violation of the non-intervention principle if a state interferes with internal or external affairs falling under the exclusive competence of another state by using an element of coercion.

There is no universally acceptable definition of “coercion”, but an unambiguous example of a prohibited intervention is the use of force.

A cyber operation that adversely affects the functioning and security of the political, economic, military or social system of a state, potentially leading to the state‘s conduct that would not occur otherwise, may be considered a prohibited intervention. In particular, any action in cyberspace that would prevent the filing of tax returns online or any interference with ICT systems that would prevent a reliable and timely conduct of democratic elections would be a violation of international law. Similarly, depriving the parliament working remotely of the possibility of voting online to adopt a law or modifying the outcome of such voting would also be such a violation. It should also be noted that a wide-scale and targeted disinformation campaign may also contravene the principle of non-intervention, in particular when it results in civil unrest that requires specific responses on the part of the state.”^[55]

Romania (2021)

“[..]the principle of prohibition of the intervention in the internal affairs of another State should be addressed (situations of tampering with the electoral processes in other States are relevant as a discussion under this principle).

According to international law, States are under the duty not to intervene in matters within the domestic jurisdiction of any State, in accordance with the Charter; this means that no State has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State.

In order for such intervention to be illegal under international law, it must be coerced, meaning that the goal of the intervention must be to effectively change the behavior of the target State; the incidence of coercion must be assessed on a case-bycase basis, in order to determine the violation of the principle of non-intervention.

In other words, the following criteria must be met in order for an act to qualify as prohibited intervention under international law:

• the act must bear on those matters in which States may decide freely (internal and external affairs – the domain reservé of States);
• the act must be coercive in nature;
• there has to be a causal nexus between the coercive act and the effect on the internal or external affairs of the target State.

Therefore, depending on the situation, interference in the internal or external affairs of Romania (that is interference which causes or may cause harm to Romania’s economic, political, social and/ or cultural system) may constitute a violation of the principle of non-intervention.”^[56]

Singapore (2021)

“[..] Singapore affirms that the principle of non-intervention in the internal affairs of other States applies to cyberspace. A prohibited intervention by one State against another must have a bearing on matters in which the victim State is permitted, by the principle of State sovereignty, to decide freely, including its choice of a political, economic, social and cultural system, and the formulation of foreign policy. In Singapore’s view, intervention necessarily involves an element of coercion. As non exhaustive examples, where there is interference in Singapore’s electoral processes through cyber means, or cyber-attacks against our infrastructure in an attempt to coerce our government to take or forbear a certain course of action on a matter ordinarily within its sovereign prerogative, these instances will constitute a violation of the principle of non-intervention.”^[57]

Sweden (2022)

“The principle of non-intervention is a fundamental principle of international law also applicable in cyberspace. It is not expressly mentioned in the UN Charter but is a corollary of the sovereign equality of all States. In the Friendly Relations Declaration, the principle of non-intervention is explained as “No State or group of States has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State.”

The prohibition of intervention is generally understood to include two elements: intervening in matters in which each State is permitted to decide freely, and the involvement of coercion. These elements were confirmed by the International Court of Justice (ICJ) in the Nicaragua case. With regard to the latter, the Court held that the “element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.” The prohibition of intervention is applicable between States and does not apply directly to non-state actors.

While coercion is not defined in international law, it must be distinguished from other acts that would not qualify as coercion, such as criticism or other ways of influencing through diplomatic means. What constitutes coercion in the cyber context may not be easy to determine, requiring a case-by-case assessment that takes the specific circumstances into account.”^[58]

Switzerland (2021)

“The principle of non-intervention is the corollary of the sovereign equality of all states (Art. 2 para. 1 UN Charter) and is considered customary international law. In this context, intervention is understood to be the direct or indirect interference by one sovereign state in the internal or external affairs of another using coercive measures. It covers those areas where the state has exclusive jurisdiction (known as domaine réservé). The non-intervention principle protects a state’s ability to shape its own internal affairs (political, economic, social and cultural systems) as well as its foreign policy. An infringement of sovereignty and a prohibited intervention are not the same. The latter must be coercive in nature, i.e. through its intervention a state seeks to cause another to act (or refrain from acting) in a way it would not otherwise. This means that the threshold for a breach of the non-intervention principle is significantly higher than that for a violation of state sovereignty.

The prohibition of intervention is also applicable to cyberspace. This means that in cyberspace, an unlawful act of interference by one state in the political or economic affairs of another may, in addition to constituting a violation of sovereignty, also breach the non-intervention principle under international law if the respective requirements are fulfilled. The distinction between exerting influence, which is permissible, and coercion, which is not, must be determined on a case-by-case basis. This is particularly true of economic coercion, which could be the case if a company that is systemically relevant was paralysed through a cyber operation. An assessment of whether the operation can be deemed coercive in nature, and thereby be in breach of the non-intervention principle, can only be made on a case-by-case basis.”^[59]

United Kingdom (2018)

“In certain circumstances, cyber operations which do not meet the threshold of the use of force but are undertaken by one state against the territory of another state without that state’s consent will be considered a breach of international law.

The international law prohibition on intervention in the internal affairs of other states is of particular importance in modern times when technology has an increasing role to play in every facet of our lives, including political campaigns and the conduct of elections. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of this principle is to ensure that all states remain free from external, coercive intervention in the matters of government which are at the heart of a state’s sovereignty, such as the freedom to choose its own political, social, economic and cultural system.

The precise boundaries of this principle are the subject of ongoing debate between states, and not just in the context of cyber space. But the practical application of the principle in this context would be the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system. Such acts must surely be a breach of the prohibition on intervention in the domestic affairs of states.”^[60]

United Kingdom (2021)

“Below the threshold of the threat or use of force, the customary international law rule prohibiting interventions in the domestic affairs of States applies to States’ operations in cyberspace as it does to their other activities. As set out by the International Court of Justice in its judgment in the Nicaragua case, the purpose of the rule on non-intervention is to ensure that all States remain free from external coercive intervention in matters affecting a State’s powers, which are at the heart of a State’s sovereignty such as the freedom to choose its own political, social, economic and cultural system.

As the UK has noted previously, while the precise boundaries of this rule continue to be the subject of on-going debate, it provides a clearly established basis in international law for assessing the legality of State conduct. Thus the use of hostile cyber operations to manipulate the electoral system in another State to alter the results of an election, to undermine the stability of another State’s financial system or to target the essential medical services of another State could all, depending on the circumstances, be in violation of the international law prohibition on intervention.

The International Court of Justice has established that a prohibited intervention is one bearing on matters which each State is permitted, by the principle of State sovereignty, to decide freely.”^[61]

United Kingdom (2022)

“Turning to the law – one of the rules of customary international law which is of particular importance in this area is the rule on non-intervention.

Customary international law is the general practice of States accepted as law. As such, it is not static. It develops over time according to what States do and what they say. It can adapt to accommodate change in the world, including technological advances. Customary international law is a framework that can adapt to new frontiers and which governs States’ behaviour.

A well-known formulation of the rule on non-intervention comes from the International Court of Justice in its Military and Paramilitary Activities judgment. According to the Court in that case, all States or groups of States are forbidden from intervening –

…directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social, and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.

The UK’s position is that the rule on non-intervention provides a clearly established basis in international law for assessing the legality of State conduct in cyberspace during peacetime.

It serves as a benchmark by which to assess lawfulness, to hold those responsible to account, and to calibrate responses.

This rule is particularly important in cyberspace for two main reasons.

First, the rule on non-intervention lies at the heart of international law, serving to protect matters that are core to State sovereignty. As long ago as 1966, the UK made clear its position that:

…the principle of non-intervention, as it applied in relations between States, [is] not explicitly set forth in the United Nations Charter but flow[s] directly and by necessary implication from the prohibition of the threat or use of force and from the principle of the sovereign equality of States…

Four years later, in 1970, the UK set out its view that “non-intervention reflected the principle of the sovereign equality of states.” And that these principles were equally valid and interrelated. More colloquially, we might say that sovereignty and non-intervention are two sides of the same coin.

States have expressed different views on the precise significance of sovereignty in cyberspace. The UK reiterated its own position on this point as recently as June 2021. Namely, that any prohibition on the activities of States, whether in relation to cyberspace or other matters, must be clearly established in international law. The general concept of sovereignty by itself does not provide a sufficient or clear basis for extrapolating a specific rule of sovereignty or additional prohibition for cyber conduct going beyond that of non-intervention.

What matters in practice is whether there has been a violation of international law. Differences in legal reasoning must not obscure the common ground which I believe exists when it comes to certain types of unacceptable and unlawful cyber behaviours. I think that common ground also extends to an appreciation that we must carefully preserve the space for perfectly legitimate everyday cyber activity which traverses multiple international boundaries millions of times a second.

Second, the rule on non-intervention is also of increasing relevance due to the prevalence of hostile activity by States that falls below the threshold of the use of force or is on the margins of it. In such circumstances, the rule on non-intervention becomes particularly significant as another benchmark by which States can define behaviour as unlawful.

Having identified the importance of the rule on non-intervention, I will now turn to the threshold for its application. The fact that behaviour attributed to another State is unwelcome, irresponsible, or indeed hostile, does not mean that it is also unlawful. A core element of the non-intervention rule is that the offending behaviour must be coercive.

Coercion was rightly described in the Military and Paramilitary Activities case as “the very essence” of a prohibited intervention. It is this coercive element that most obviously distinguishes an intervention prohibited under international law from, for example, more routine and legitimate information-gathering and influencing activities that States carry out as part of international relations.

But what exactly is coercion?

Some have characterised coercion as forcing a State to act differently from how it otherwise would – that is, compelling it into a specific act or omission. Imagine, for example, a cyber operation to delay another State’s election, or to prevent it from distributing tax revenues to fund essential services. To my mind, these are certainly forms of coercion.

But I want to be clear today that coercion can be broader than this. In essence, an intervention in the affairs of another State will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty. While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive even where it might not be possible to point to a specific course of conduct which a State has been forced into or prevented from taking.

Of course, in considering whether the threshold for a prohibited intervention is met, all relevant circumstances, including the overall scale and effect of a cyber operation, need to be considered. But I believe that we can and should be clearer about the types of disruptive State activity which are likely to be unlawful in cyberspace.

It is therefore important to bring the non-intervention rule to life in the cyber context, through examples of what kinds of cyber behaviours could be unlawful in peacetime. To move the focus to the types of coercive and disruptive behaviours that responsible States should be clear are unlawful when it comes to the conduct of international affairs in peacetime.

And being clear on what is unlawful means we can then be clearer on the range of potential options that can lawfully be taken in response. That is, the kinds of activities which would require legal justification, for example, as a proportionate response to prior illegality by another State. This is crucial in enabling States to act within the law whilst taking robust and decisive action.

With that in mind, today I will set out new detail to illustrate how this rule applies. A non-exhaustive list, to move this discussion forward. I will cover four of the most significant sectors that are vulnerable to disruptive cyber conduct: energy security; essential medical care; economic stability; and democratic processes.

Ensuring the provision of essential medical services and secure and reliable energy supply to a population are sovereign functions of a State. They are matters in respect of which international law affords free choice to States. The Integrated Review highlights the interconnected nature of the global health system, and the importance of building resilience to address global health risks. Covid is a clear example. Likewise, energy security is recognised as including protection of critical national infrastructure from cyber security risks.

Covert cyber operations by a foreign State which coercively restrict or prevent the provision of essential medical services or essential energy supplies would breach the rule on non-intervention.

Of course, every case needs to be assessed on its facts, but prohibited cyber activity in the energy and medical sectors could include:

disruption of systems controlling emergency medical transport (e.g., telephone dispatchers); causing hospital computer systems to cease functioning; disruption of supply chains for essential medicines and vaccines; preventing the supply of power to housing, healthcare, education, civil administration and banking facilities and infrastructure; causing the energy supply chain to stop functioning at national level through damage or prevention of access to pipelines, interchanges, and depots; or *preventing the operation of power generation infrastructure. Turning to economic stability, covert cyber operations by a foreign State that coercively interfere with a State’s freedom to manage its domestic economy, or to ensure provision of domestic financial services crucial to the State’s financial system, would breach the rule on non-intervention.

Such cyber operations could include disruption to the networks controlling a State’s fundamental ability to conduct monetary policy or to raise and distribute revenue, for instance through taxation. Or disruption to systems which support lending, saving and insurance across the economy.

Lastly, democratic processes. Free and open elections, using processes in which a population has confidence, are an essential part of the political system in democratic States. All States have the freedom to make their views known about processes in other countries – delivering hard, sometimes unwelcome messages, and drawing attention to concerns. This is part and parcel of international relations. However, covert cyber operations by a foreign State which coercively interfere with free and fair electoral processes would constitute a prohibited intervention.

Again, every activity needs to be assessed on its facts, but such activities could include:

operations that disrupt the systems which control electoral counts to change the outcome of an election; or operations to disrupt another State’s ability to hold an election at all, for example by causing systems to malfunction with the effect of preventing voter registration. I hope that these illustrative examples will assist in the future when considering what is unlawful in cyberspace.

I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation.”^[62]

United States (2016)

In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force. This is a challenging area of the law that raises difficult questions. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions. Precisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris of States.

Relatedly, consider the challenges we face in clarifying the international law prohibition on unlawful intervention. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. For increased transparency, States need to do more work to clarify how the international law on non-intervention applies to States’ activities in cyberspace.”^[63]

United States (2020)

“[…] the international law prohibition on coercively intervening in the core functions of another State (such as the choice of political, economic, or cultural system) applies to State conduct in cyberspace. For example, “a cyber operation by a State that interferes with another country’s ability to hold an election” or that tampers with “another country’s election results would be a clear violation of the rule of non-intervention.” Other States have indicated that they would view operations that disrupt the fundamental operation of a legislative body or that would destabilize their financial system as prohibited interventions.

There is no international consensus among States on the precise scope or reach of the non-intervention principle, even outside the context of cyber operations. Because States take different views on this question, DoD lawyers examining any proposed cyber operations must tread carefully, even if only a few States have taken the position publicly that the proposed activities would amount to a prohibited intervention.

Some situations compel us to take into consideration whether the States involved have consented to the proposed operation. Because the principle of non-intervention prohibits “actions designed to coerce a State … in contravention of its rights,” it does not prohibit actions to which a State voluntarily consents, provided the conduct remains within the limits of the consent given.”^[64]

United States (2021)

“Among other international legal principles, the 2015 GGE report acknowledges the principle of non-intervention in the internal affairs of other States. As articulated by the International Court of Justice (ICJ) in its judgment on the merits in the Nicaragua Case, this rule of customary international law forbids States from engaging in coercive action that bears on a matter that each State is entitled, by the principle of State sovereignty, to decide freely, such as the choice of a political, economic, social, and cultural system. This is generally viewed as a relatively narrow rule of customary international law, but States’ cyber activities could run afoul of this prohibition. For example, a cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention. Other States have made similar observations.290 Further, a cyber operation that attempts to interfere coercively with a State’s ability to protect the health of its population–for example, through vaccine research or running cyber-controlled ventilators within its territories during a pandemic–could be considered a violation of the rule of non-intervention.”^[65]

Appendixes

See also

Notes and references