The debate as to whether international law applies in cyberspace is fading away, for widespread agreement now exists that the rights, obligations and limitations of international law govern cyber activities. The UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) affirmed this conclusion in both its 2013 and 2015 reports, which were subsequently endorsed by the General Assembly (here and here). Indeed, the premise of international law’s applicability provides the foundation for continuing efforts at the United Nations in the guise of a sixth GGE and an Open-Ended Working Group, both of which will convene this year to articulate consensus cyber norms. International organizations such as NATO, ASEAN, the EU and the OAS have taken the same stance, as have many States.

Attention is accordingly turning to the more difficult question of how international law’s existing rules should be interpreted in the cyber context. In the face of the understandably slow progress in multinational fora, as illustrated by the inability of the 2016-2017 GGE to issue a consensus report, headway is starting to be made in the form of statements by individual States as to their positions on the matter. Most have been rather anodyne – simply reaffirming, inter alia, the rules of jurisdiction; applicability of the UN Charter, including the prohibition of the use of force and the right of self-defense; or international humanitarian law’s role in governing cyber operations during armed conflict. Such statements are indispensable, although they do little to resolve the myriad grey zones that permeate questions of interpretation.

Estonia Stakes Out Practical Positions on Due Diligence in Cyberspace

Over the past year, a number of States have begun to address these zones of uncertainty. Last week, Estonia took a bold step in that regard. Speaking at the 2019 CyCon Conference, President Kersti Kaljulaid reaffirmed the applicability of international law in cyberspace before observing that “[s]overeignty entails not only rights, but also obligations.” She emphasized, drawing on the law of State responsibility, that States are responsible in law for “internationally wrongful cyber operations… whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state.” President Kaljulaid also powerfully stressed that “[i]f a cyber operation violates international law, this needs to be called out.” Doing so is crucial, for if interpretive efforts are to advance, States have to not only condemn other States for conducting hostile cyber operations, but also label them as violations of international law and specify the precise rule of law that they breached. Only with such specificity will condemnation yield meaningful normative value.

President Kaljulaid then turned her attention to two key grey zones of enormous practical importance, the obligation of due diligence and the right to take countermeasures. With regard to the former, she noted,

[S]tates must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. They should strive to develop means to offer support when requested by the injured state in order to identify, attribute or investigate malicious cyber operations. This expectation depends on national capacity as well as availability, and accessibility of information.

President Kaljulaid pointed out that “meeting this expectation [of due diligence] should encompass taking all feasible measures, rather than achieving concrete results.” Thus, by the Estonian interpretation, States are only required to take those measures that are practicable in the circumstances to put an end to harmful cyber operations launched from or through their territory, although they should strive as a matter of responsible State behavior to develop the capacity to ensure their territory is not misused. This rational and practical approach should alleviate much of the concern a number of States have about shouldering what they mistakenly see as an unduly heavy due diligence obligation. So too should the obligation’s limitation to adverse cyber operations that are “serious” and the fact that a State only breaches the obligation if it knows of the harmful cyber operations, conditions precedent that are widely recognized by those who style due diligence as a primary rule of international law.

A Bold Position on Collective Countermeasures

The most noteworthy aspect of the speech, however, was President Kaljulaid’s assertion that States have a right to engage in collective countermeasures pursuant to the law of State responsibility. She began by noting “states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence.” She then delivered the highlight of the speech.

Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation.

Of course, that a State has the right to engage in collective defense upon the request of a State under armed attack is beyond question, for that right is specifically provided for in Article 51 of the UN Charter. Similarly, because diplomatic responses are acts of retorsion, and therefore lawful by definition, the right to take collective diplomatic responses is equally well-settled. However, the right to take collective countermeasures remains unresolved in international law, and therefore ripe for interpretation by States.  Estonia was the first State to publicly speak to the issue, and it did so unequivocally.

The issue of collective countermeasures is not new. In Article 48(1) of its Articles on State Responsibility, the International Law Commission (ILC) provided that a State other than an injured State may invoke the responsibility of a State that commits an internationally wrongful act if “the obligation breached is owed to a group of States including that State, and is established for the protection of a collective interest of the group” (obligations erga omnes partes, as in the case of a breach of a multilateral treaty) or “the obligation breached is owed to the international community as a whole” (obligations erga omnes, as with aggression, genocide and self-determination). But in its Commentaries, the ILC left open the question of whether States other than the injured state may respond, in addition to invoking responsibility, with countermeasures.

The focus of the chapter is on countermeasures taken by injured States ….  Occasions have arisen in practice of countermeasures being taken by other States…where no State is injured or else on behalf of and at the request of an injured State. Such cases are controversial and the practice is embryonic. This chapter does not purport to regulate the taking of countermeasures by States other than the injured State.

The Estonian President’s statement tackles the issue squarely. Indeed, it went further than the ILC in declaring that the right to take collective countermeasures is not limited to the two situations cited in Article 48(1).

From the perspective of countries lacking a robust cyber capability, as well as those that might come to their aid, the Estonian approach makes great sense. Countries like Estonia are often dependent on allies to ensure their security, as evidenced by the ongoing NATO air policing mission over Estonia, the enhanced forward presence of NATO troops in the country, and the recent defense cooperation agreement between Estonia and the United States. Thus, it is only logical that Estonia and other States that lack the capacity to confidently deal with hostile cyber operations on their own would want collective cyber countermeasures to be on the table in order to deter powerful opponents from targeting them in cyberspace and to respond effectively should deterrence fail. Those countermeasures could come in the form of assisting the injured State to conduct its own countermeasures or of cyber countermeasures on behalf of that State; both are presently subject to a degree of legal uncertainty. Of course, it is equally logical for States that might want to come to the injured State’s assistance in either way to clear the legal path of perceived obstacles to doing so.

Consider the alternative. Targeted by another State’s unlawful cyber operations, a State without significant cyber capabilities would be limited as a practical matter to taking countermeasures that are not in-kind, as in closing its territorial sea to innocent passage by vessels flagged in the responsible State or denying transit across national airspace by the responsible State’s aircraft contrary to a treaty obligation regarding aerial passage. Such measures would take much longer than cyber countermeasures to achieve their objective as the “cost” imposed would manifest much more slowly and, most importantly, cannot directly put an end to the offending hostile cyber operation. An ability to turn to allies who can either facilitate the injured State’s countermeasures or conduct cyber countermeasures for that State, especially taking down the cyber infrastructure involved in the harmful operations, affords victim States much more meaningful options for fending off hostile unlawful cyber operations.

Thus, the Estonian interpretation would be an advantageous development in the catalogue of response options that international law provides to deal with unlawful acts by, or attributable to, other States.  As noted by President Kaljulaid,

International security and the rules-based international order have long benefitted from collective efforts to stop the violations. We have seen this practice in the form of collective self-defence against armed attacks. For malicious cyber operations, we are starting to see this in collective diplomatic measures I mentioned before. The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace.

Some might counter that collective countermeasures are potentially escalatory. However, they are only available for two purposes — to put an end to on-going unlawful cyber operations and/or to secure reparations (restitution, compensation, satisfaction) when appropriate. Further, they may not be taken if they are unlikely to prove successful (for they would then amount to mere retaliation) and, as emphasized by President Kaljulaid, “should follow the principle of proportionality and other principles established within the international customary law.” If the law is followed, their effect will be stabilizing, not escalatory.

There was one shortcoming in the President’s statement, a failure to unambiguously address the issue of whether respect for sovereignty is a primary rule of international law that cyber operations can violate. As explained below, the United Kingdom claims that it is not. The problem is that countermeasures are only available in response to an internationally wrongful act, the most likely by far being violation of the injured State’s sovereignty.  This is because the element of coercion in the case of prohibited intervention, which is the likeliest alternative to a breach of sovereignty, sets the bar for unlawfulness quite high. In other words, if respect for sovereignty is not a rule that can be violated, the collective countermeasures response option will seldom arise. That being so, it would have been logical for Estonia to articulate its position on collective countermeasures in tandem with a recognition of sovereignty as a rule, the violation of which would trigger the right to countermeasures.

A Trend?

Estonia is not the first State to begin chipping away at the grey zone. Other States have also issued important statements on key unsettled issues. Especially noteworthy in this regard was the June 2018 statement by the Dutch Minister of Defense, Ank Bijleveld, in which she stated, “if a cyber-attack targets the entire Dutch financial system or if it prevents the government from carrying out essential tasks such as policing or taxation…it would qualify as an armed attack. And it would thus trigger a state’s right to defend itself, even by force.” Minister Bijleveld made it quite clear that the prohibition of the use of force and the right to respond to an armed attack in self-defense are, in the view of the Netherlands, not limited to hostile cyber operations that are physically destructive. Depending on the nature, severity, scale and scope of the attack, this is a reasonable reading of the use of force and armed attack thresholds, one likely to be embraced by other States as they grow increasingly dependent on digital capabilities.

Also notable was a Chatham House speech a month earlier by then UK Attorney General Jeremy Wright setting forth the United Kingdom’s views on attribution, intervention, countermeasures, the use of force and self-defense in the cyber context. Importantly, Attorney General Wright rejected the ILC’s suggestion in the Articles on State Responsibility of a requirement to notify the “responsible” State before responding with cyber countermeasures directed at it. As he sensibly opined, “it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena.”

Controversially, however, he stated that the United Kingdom does not agree that there is a primary rule of international law prohibiting the violation of sovereignty. By this view, a State may conduct cyber operations against another State’s private or public cyber infrastructure with relative impunity until those operations reach the level of unlawful intervention or a use of force, both very demanding thresholds. Unfortunately, the United Kingdom has offered no legal explication of the position, which is problematic both legally and practically. For instance, when in October 2018 the UK’s National Cyber Security Centre, a division of the GCHQ, accused Russia of having conducted cyber operations that violate international law, many in the international law community wondered how that could be if sovereignty violations are off the table. And for States that lack the impressive cyber capabilities of the United Kingdom, there is no logical rationale for discarding the rule, one supported by decades of expert commentary, judicial findings, and State practice and opinio juris. Nevertheless, the United Kingdom is to be commended for setting forth its positions on many other key aspects of international law’s applicability in cyberspace, thereby sharpening the essential interpretive dialogue among States. It remains a leader among States in this regard.

The path forward is clear. If the international law governing cyberspace is ever to be clarified, an important goal in enhancing the law’s deterrent effect and avoiding unintended escalation, States have to embrace their responsibility for addressing the grey zones. Estonia, as well as numerous other States that have begun to openly set out their views, are to be applauded for taking stands on unsettled issues of great practical import to international security and stability in cyberspace. It is time for those that have not embarked on the interpretive journey to do likewise.


IMAGE: Estonian President Kersti Kaljulaid speaks to open the Estonian parliament Riigikogu’s first opening sitting after elections on April 4, 2019 in Tallinn. (Photo by RAIGO PAJULA/AFP/Getty Images)