On Wednesday, the United Kingdom’s Attorney General, Jeremy Wright, QC MP, gave a speech at Chatham House on the role of international law in cyberspace. It is the first official statement of the UK’s overarching view on the topic, including on some specific issues that are at the center of international policy and debate (the speech can be found here). Here are eight key points:
First, it is important for states to publicly articulate their understanding of international law, especially in cyberspace. Wright acknowledged that rapidly changing technology and developing norms made clear rules difficult, but he warned against allowing cyberspace to become a “grey area.” Without leadership from leading states, appropriate laws for cyberspace will never be developed, undermining safety and international law generally. Importantly, Wright did not simply speak in policy terms. He said:
“states have a responsibility here. A responsibility to be clear about how our international law obligations bind us. A responsibility we fulfil through our treaty obligations, our actions and our practice, as well as through our public statements. And a responsibility I believe extends to cyberspace.”
Second, cyber is not lawless. Wright affirms the conclusions of the UN Expert Group 2015 report, which held that the UN Charter and the basic principles of international humanitarian law both apply in cyberspace.
Third, cyber-operations that result in an “equivalent scale” of death and destruction as an armed attack trigger a state’s right to self-defense under the UN Charter’s Article 51. Examples of such attacks, he stated, include interfering with nuclear reactors resulting in widespread loss of life, disabling air traffic control towers causing planes to crash, or “targeting of essential medical services.” (He did not explicitly state whether or how the latter might apply to the WannaCry ransomware attack.)
Fourth, the Article 2(7) prohibition on interference in “domestic affairs” (the principle of non-intervention) extends in the cyber context to “operations to manipulate the electoral system to alter the results of an election in another state, intervention in the fundamental operation of Parliament, or in the stability of our financial system.” Wright acknowledges, however, that the exact boundary of this prohibition is not clear.
Fifth, there is no cyber-specific rule prohibiting the “violation of territorial sovereignty” beyond the Article 2(7) prohibition described in the point above. As Wright puts it,
“Some have sought to argue for the existence of a cyber specific rule of a ‘violation of territorial sovereignty’ in relation to interference in the computer networks of another state without its consent.
Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.”
This appears to be a rejection of the Tallinn Manual’s position on the issue, which had articulated an independent international legal rule prohibiting certain cyber operations as a violation of sovereignty.
Sixth, states are not bound to give prior notification of countermeasures when “responding to covert cyber intrusion.” An important condition on this principle is that the use of secrecy must be “necessary and proportionate to the original illegality” being addressed. This stance disagrees with the International Law Commission, which holds that prior notification must be given before all countermeasures. But Wright says that it “could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena.” It is unclear from the text of the speech if this applies in all cases or only if the original cyber intrusion was covert.
Seventh, there is no legal obligation to publicly disclose the information underlying a state’s attribution of hostile cyber activity to a particular actor or state. Similarly, there is no universal obligation to publicly attribute hostile cyber activity suffered.
Eighth, a victim state does not have free rein to determine attribution for a malicious cyber operation before taking a countermeasure. Wright stated that “the victim state must be confident in its attribution,” and he added later, “Without clearly identifying who is responsible for hostile cyber activity, it is impossible to take responsible action in response.” This view contrasts with other writings in this field (see Sean Watts’ article at Just Security).