In Part I of this two-part post, we outlined the importance of United Kingdom Attorney General Jeremy Wright’s recent speech setting out the UK’s views on cyber operations and international law. In that post, we focused on two of the four most salient points of his speech: the applicability of the jus ad bellum and the rule of prohibited intervention to cyber operations. As we noted, Wright’s comments on these two central primary norms were an important contribution to reinforcing international law’s role in regulating states’ activities in cyberspace. We also identified some aspects of these primary norms in need of clarification, or perhaps of adaptation to the particularities of cyberspace as the attorney general correctly counseled, but did not necessarily provide. We now return to his speech to discuss the two remaining and much more groundbreaking points that he made: the normative status and applicability of the principle of sovereignty to cyberspace, and the content of the rule of countermeasures as a self-help remedy to cyber-enabled breaches of international law.
We pointed out in our last post that when appropriately applied, and perhaps adjusted to account for the novel threats presented by emerging technologies, the rule of prohibited intervention can serve as a powerful tool for enforcing acceptable state behavior in cyberspace. However, the prohibition does not bring within its scope all sub-use-of-force cyber activities and must be distinguished from mere interferences in the internal affairs or against the sovereign interests of another state. This raises the important question of whether, and if so, how, international law regulates cyber activities that fall below the threshold or outside the scope of a prohibited intervention. It is on this point that the attorney general’s speech does its most important work in offering the UK’s resounding rejection of the existence of a primary norm of territorial sovereignty, which would make internationally wrongful a nonconsensual interference in the computer networks of another state.
Although the shortest part of his speech, Wright’s statement on sovereignty is perhaps the most impactful. In less than 100 words he summed up the current debate on the issue of the normative force of sovereignty in cyberspace and made crystal clear the UK’s position:
“Some have sought to argue for the existence of a cyber specific rule of a ‘violation of territorial sovereignty’ in relation to interference in the computer networks of another state without its consent. Sovereignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government’s position is therefore that there is no such rule as a matter of current international law.”
Since at least the launch of Tallinn 2.0., a lively debate has been had among academics, practitioners and commentators over whether sovereignty exists as a primary rule of international law applicable to cyber operations, the violation of which would be an internationally wrongful act in and of itself, or as a foundational principle, which could only be violated by infringing on some other sovereignty-based primary rule.
As one of the authors of this post, along with his co-author Robert Taylor, argued here, contrary to the views expressed in Tallinn 2.0, and separately by some of its authors, there is insufficient evidence of either state practice or opinio juris to support claims that the principle of sovereignty operates as an independent primary rule of international law that regulates states’ actions in cyberspace. The UK clearly comes down on the sovereignty-as-principle-vice-rule side of the ledger.
The significance of Wright’s statement on sovereignty cannot be overstated. Until now, no states have offered an official view on this fundamental issue. Hence, his speech is an extremely important statement by one of the major cyber powers in the international community. That alone is worthy of note. In addition, how states ultimately resolve the sovereignty question will have a profound impact on the options available to them to confront the growing threats emanating from, or enabled by, cyberspace. In this regard, the substance of the UK’s position is even more significant.
Since its inception, the concept of sovereignty has been tightly tied to geography. The same cannot be said of cyberspace. There is at most a tenuous connection between geography and the logical and social layers of cyberspace, i.e., the software, protocols, and data that combine to generate outputs, and the various digital identities and aliases of the human users of the internet. Further, the undeniable reality is that owing to the nature and construct of cyberspace, malicious cyber operations are nearly always mounted from globally dispersed and often coopted infrastructure. Countering these threats without implicating at least some of these nodes in third-party states is nearly impossible. One of the authors previously pointed this out in the context of a non-state terrorist organization’s use of the internet to conduct or facilitate its operations, and the impact the sovereignty issue has on a state’s ability to confront this threat. The same holds true equally, if not more, in the context of state-sponsored or conducted malicious cyber operations where their offensive capabilities are likely far more substantial.
As the problem highlights, a robust view of sovereignty as a rule would preclude any action against the aggressor’s cyber infrastructure without the consent of the third-party state. Wright made clear in his speech that such a sweeping rule is too strong and not supported by current international law. Rather, a state wishing to take action to disrupt malicious cyber operations, terrorist or otherwise, must certainly consider sovereign interests before taking non-consensual activity on the IT infrastructure located within the territory of a third-party state, but seeking advance permission of that state in all cases is not required as a matter of international law. Activities that themselves do not breach the rule of prohibited intervention are legally available options of response.
Academics and commentators who oppose Wright’s view point to due diligence and the plea of necessity as affording viable response options to victim states. The myriad reasons these assertions prove unavailing are too numerous to address here. Suffice it to say that even assuming these rules apply, under the most generous reading of them, victim states would still be unreasonably constrained from adequately responding to malicious cyber actors leveraging globally dispersed infrastructure. As Wright intimates, ceding that type of operational maneuver space to aggressors is unsustainable.
This is not to say the attorney general’s declaration is conclusive on the issue. It is the considered view of but one state, and more will have to weigh in on the matter before firm conclusions can be drawn about the status of the debate. Hopefully, more states will heed Wright’s call to do so. In the meantime, as a clear expression of opinio juris, his declaration on the normative status of sovereignty not only moves the debate where it needs to be—in the hands of states—but does so by setting the tone and bringing a sorely needed degree of clarity to this critical question.
As is the case with the issue of sovereignty, much has been written on the potential use of countermeasures in cyber operations, including a full analysis in the Tallinn Manual, a discussion of the inequities between countermeasures and self-defense, and a caution on the potentially escalatory nature of cyber countermeasures. Wright’s statement adds critical understanding to how at least one cyberpower views the role of countermeasures with respect to cyber operations.
Countermeasures are traditionally viewed as otherwise unlawful actions that do not amount to a use of force, but are considered lawful when taken for the sole purpose of causing another state to stop its unlawful conduct. According to Article 53 of the Draft Articles on Responsibility of States, because of the connection to an original unlawful action, countermeasures must be reversible and must be terminated as soon as the violating state returns to lawful compliance. Further, the use of countermeasures must be necessary and proportionate. Wright confirmed these traditional requirements on the use of countermeasures:
“Consistent with the de-escalatory nature of international law, there are clear restrictions on the actions that a victim state can take under the doctrine of countermeasures. A countermeasure can only be taken in response to a prior internationally wrongful act committed by a state, and must only be directed towards that state. This means that the victim state must be confident in its attribution of that act to a hostile state before it takes action in response. In cyberspace of course, attribution presents particular challenges, to which I will come in a few moments. Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law.”
Another traditional limitation on a state’s use of countermeasures is that the state contemplating the use of countermeasures must put the violating state on notice of the illegality of their actions and of the impending use of countermeasures in order to allow them a chance to stop the illegal activity. With respect to this aspect of countermeasures in cyber operations, Wright’s statement signaled a significant departure.
These restrictions under the doctrine of countermeasures are generally accepted across the international law community. The one area where the UK departs from the excellent work of the International Law Commission on this issue is where the UK is responding to covert cyber intrusion with countermeasures.
In such circumstances, we would not agree that we are always legally obliged to give prior notification to the hostile state before taking countermeasures against it. The covertness and secrecy of the countermeasures must of course be considered necessary and proportionate to the original illegality, but we say it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena, as in any other arena.
The Tallinn Manual came to a similar conclusion, noting “the Experts agreed that if notification of intent to take a countermeasure would likely render that measure meaningless, notice need not be provided.”
Wright’s statement of opinio juris is important not only in clarifying that the traditional requirements generally apply, but perhaps more importantly in denouncing the notice requirement. In addition to the simple statement of law, it reflects that state’s will understand the application of cyber norms in a very practical way. Wright’s justification for the UK’s departure from the accepted norm was not a legal one, but rather a practical concern about the sensitive nature of cyber operations. The signal that cyber norms will be governed by the unique nature of cyber operations, even when it might require the evolution of accepted legal requirements is an important clarification for international law.
Finally, Wright confirmed that countermeasures are not bound by the nature of the original violation.
“In addition, it is also worth stating that, as a matter of law, there is no requirement in the doctrine of countermeasures for a response to be symmetrical to the underlying unlawful act. What matters is necessity and proportionality, which means that the UK could respond to a cyber intrusion through non-cyber means, and vice versa.”
Again, the Tallinn Manual agrees with this approach, noting that
“Proportionality does not imply reciprocity; there is no requirement that an injured State’s countermeasure breach the same obligation violated by the responsible State. Nor is there any requirement that countermeasures be of the same nature as the underlying internationally wrongful act that justifies them. Non-cyber countermeasures may be used in response to an internationally wrongful act involving cyber operations, and vice-versa.”
While this particular part of the attorney general’s speech is not necessarily an innovation on the use of countermeasures, it solidifies the generally accepted view among commentators that has been assumed to be the approach of states, but not necessarily openly confirmed.
This departure from at least one traditional limitation on the use of countermeasures in the cyber context may signal that states are willing to revisit other aspects of cyber countermeasures. For example, countermeasures do not allow collective action on behalf of a victim state, even if that victim state is technologically incapable of responding on its own. Further, in an age where much of the malicious cyber activity originates from non-state actors, countermeasures may only be used against states. Additionally, there is no ability to use countermeasures in anticipation of an illegal act, only in response to one. These three examples are meaningful when reflecting on countermeasures because states have made exceptions to the traditional rule of self-defense to allow its exercise in precisely these three instances. And cyber countermeasures seem ideally suited for these three exceptions as they could most likely be effected without the cautioning concern of inevitable escalation.
The fact that the UK is looking at the law applicable to countermeasures in a way that allows for potential evolution from traditional norms, or at least a clarified understanding, is a valuable and informative statement. Further clarification by the UK, and by other states, is still necessary and will hopefully be forthcoming.
There is no doubt that this statement by the UK attorney general is one of the most important and clear official statements on the application of international law to cyber operations by a state. The particular points dealing with the use of force, prohibited intervention, sovereignty, and countermeasures are all vitally important because by letting the international community clearly know where the UK stands, it encourages other to likewise step forward. Wright said as much in his remarks.
[A]s authors and subjects of international law, states have a responsibility here. A responsibility to be clear about how our international law obligations bind us. A responsibility we fulfil through our treaty obligations, our actions and our practice, as well as through our public statements. And a responsibility I believe extends to cyberspace.
The very pervasiveness of cyber makes silence from states on the boundaries of acceptable behaviour in cyberspace unsustainable. If we stay silent, if we accept that the challenges posed by cyber technology are too great for the existing framework of international law to bear, that cyberspace will always be a grey area, a place of blurred boundaries, then we should expect cyberspace to continue to become a more dangerous place.
While a current reading of the statement may be profitable to outline specific views on well-recognized and accepted doctrines of international law and state interaction, the more important achievement of this statement will certainly be if it spurs other states to take up Wright’s call to speak up and not “stay silent.” If states want to ensure that the international law governing cyber space develops in an acceptable and sustainable way, they should follow Wright’s lead and be clear about their “international law obligations” in cyberspace.
The views expressed are those of the authors and do not necessarily reflect the views of the United States Cyber Command, the Department of Defense, or the U.S. Government.