In a July 2019 letter to parliament, the Dutch Minister of Foreign Affairs set out the Government’s views on “the application in cyberspace of relevant elements of existing international law.” That letter has now been made public. It is an extremely granular statement, not only in terms of scope, but also with respect to the legal basis for the positions taken. As such, it is a major contribution to the growing body of opinio juris on the subject that includes the recently released French Ministry of Armies’ International Law Applicable to Operations in Cyberspace, (see here, here, and here), the Estonian President’s speech this year, the UK Attorney General’s Chatham House speech last year, and Australia’s current International Cyber Engagement Strategy (annex on international law).
International cyber law is a subject close to home for the Netherlands, which in April 2018 was the site of a Russian military intelligence (GRU) cyber operation targeting the Organisation for the Prohibition of Chemical Weapons. The country clearly understands that clarity in international law can serve deterrent purposes , lessen the likelihood of unintended escalation in cyberspace, and enable certain robust responses to hostile cyber operations (see here and here). Accordingly, the country is very active in the ongoing work in the UN of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace (GGE) and in the UN Open Ended Working Group (OEWG). The Netherlands has also taken the lead in other norms-strengthening activities, including the Global Commission on the Stability of Cyberspace, the EU Cyber Diplomacy Toolbox, and the Hague Process, by which that country engages in international law capacity-building around the world.
This post examines the Dutch legal positions outlined in the Minister’s letter. These include the obligations of states vis-a-vis sovereignty, non-intervention, the use of force, due diligence, international humanitarian law (IHL), and international human rights law (IHRL), as well as attribution of cyber operations and the core responses to hostile cyber operations that international law makes available.
Obligations in Cyberspace
Although sovereignty is clearly a principle of international law from which certain duties and rights, such as the obligation of non-intervention, the prohibition on the use of force, and the right of self-defense, emanate, disagreement exists as to whether it is a rule of law that itself may be violated. For instance, the UK has taken the position that it is not, such that a remote cyber operation by one country into another’s cyber infrastructure does not violate the latter’s sovereignty. By contrast, France has recently asserted that such operations sometimes violate the target state’s sovereignty, a view consistent with that of the “International Group of Experts” (IGE) that produced Tallinn Manual 2.0.
The Netherlands unequivocally comes down on the side of the “sovereignty as a rule” camp. In doing so, it points to the ICJ’s judgment in the Nicaragua case, where the court forcefully embraced respect for sovereignty as a primary rule of international law that was violated by some of the U.S. actions in question.
[T]he assistance to the contras, as well as the direct attacks on Nicaraguan ports, oil installations, etc., … not only amount to an unlawful use of force, but also constitute infringements of the territorial sovereignty of Nicaragua…. Similarly, the mining operations in the Nicaraguan ports not only constitute breaches of the principle of the non-use of force, but also affect Nicaragua’s sovereignty over certain maritime expanses. The Court has in fact found that these operations were carried on in Nicaragua’s territorial or internal waters or both … and accordingly they constitute a violation of Nicaragua’s sovereignty. The principle of respect for territorial sovereignty is also directly infringed by the unauthorized overflight of a State’s territory by aircraft belonging to or under the control of the government of another State.
Extensive state practice and opinio juris support the notion of a primary rule of sovereignty (see here). The challenge, as France, the Netherlands, and others, including the Tallinn Manual 2.0 IGE, correctly observe, lies in determining which remote cyber operations qualify as sovereignty violations.
In this regard, the Netherlands expressly adopts the approach taken by the IGE according to which sovereignty may be violated either on the basis that effects of the operation in question manifest on the territory of the state concerned or the operation interferes with or usurps inherently governmental functions of another state. With respect to the former, certain cyber operations, such as those causing physical damage or injury, clearly qualify (physical damage is usually understood as extending to relatively permanent loss of functionality of the cyber infrastructure affected). Most commentators agree, by contrast, that remotely conducted espionage does not per se violate sovereignty. Between these extremes, uncertainty reins, a fact acknowledged by the Dutch. While France has adopted a reasonable approach by which the causation of effects on another state’s territory constitutes a sovereignty violation, the Minister’s letter does not set forth the Dutch stance on the nature of remote cyber operations that so qualify. Therefore, it will be interesting to see how the Dutch characterize remotely conducted cyber operations into their territory in the future.
As to the second basis for violation, certain functions are inherently governmental in the sense that only states may engage in them or authorize other entities to do so on their behalf. Examples include conducting elections, collecting taxes, and that cited in the Dutch letter, law enforcement. For instance, conducting remote law enforcement database searches or taking down botnets in other states without their consent would usurp a function reserved to the territorial state and thereby violate its sovereignty. The letter perceptively cautions that whether various actions, like searches of databases stored in the cloud, qualify as an exercise of cross border investigative functions is not always clear.
The Netherlands takes a conventional approach to the universally accepted prohibition of intervention. As did the ICJ in Nicaragua, and like the Tallinn Manual 2.0 IGE, it defines intervention as having two elements: (1) coercion with respect to; (2) another state’s domaine réservé.
Domaine réservé denotes an area of activity left to states in the sense of being relatively unaddressed by international law. The Minister’s letter offers the clear-cut examples of elections and the recognition of states.
The element of coercion presents the greater challenge, for there is no accepted international law definition of coercion. The Dutch have adopted a practical understanding, one tracking closely that adopted by the IGE, according to which coercion “means compelling a state to take a course of action (whether an act or omission) that it would not otherwise pursue.” By this standard, there is a difference between using cyber operations to influence another state and coercing that state. The former may make a choice difficult, but it does not practically deprive the state of that choice; the latter effectively does. As an example, a powerful social media campaign designed to affect elections is not intervention, whereas the manipulation of election results qualifies.
The devil is, of course, in the details. For instance, while no one would disagree that disabling election machinery is intervention, it is not clear that Russian exfiltration and release of email and files in the 2016 U.S. elections qualified (see here). In light of the growing frequency of cyber operations implicating the prohibition, further clarification by the international community of the threshold for intervention is badly needed.
The Prohibition on the Threat or Use of Force
Set forth in Article 2(4) of the UN Charter and customary international law, the prohibition on the threat or use of force is likewise well-accepted. As observed in the Minister’s letter, there is no basis for excluding cyber operations “when the effects of the operation are comparable to those of a conventional act of violence covered by the prohibition.” Yet ambiguity exists as to when, if ever, cyber operations not having these effects may still qualify as a use of force.
Tallinn Manual 2.0 highlighted a non-exclusive set of factors that states are likely to consider in making this assessment. The Netherlands has taken the same tack, as did France and the United States, by which each case must be assessed individually. Referring to the Manual, the letter specifically mentions “how serious and far-reaching the cyber operation’s consequences are, whether the operation is military in nature, and whether it is carried out by a state.” Interestingly, it highlights the situation typically raised in this context – “a cyber operation with a very serious financial or economic impact” – observing that qualification of such an operation as a use of force “cannot be ruled out.” Cautious though it may be, the statement is the most committal that any state has made on the matter to date.
The Netherlands joins France and a number of other countries in taking a stand on the unsettled issue of an obligation of due diligence in cyberspace. The due diligence rule was set forth by the ICJ in the Corfu Channel case and supported in the cyber context by the Tallinn Manual 2.0 IGE. It provides that a state has a legal obligation to put an end to another state or a non-state actor’s hostile cyber operation that is being mounted from, or that remotely employs cyber infrastructure on, its territory when that operation has serious adverse consequences with respect to a third state’s rights under international law, typically sovereignty.
Not all states are entirely comfortable with the obligation, as evidenced by its treatment in both the consensus 2013 and 2015 UN GGE reports as a voluntary non-binding norm, rather than a binding legal obligation. This does not mean there was no support for its characterization as binding, but only that consensus could not be reached on that status. The concern of the states that did not endorse the binding nature of the rule appears to be that it imposes an unduly heavy burden. Such concern is misguided. As confirmed in the Minister’s letter, the obligation only attaches when a legal right of another state under international law is at stake, the consequences are serious (although not necessarily physical), and the territorial state has knowledge of the operation. Importantly, the remedial action must be feasible, a condition signaled by the Dutch explanation that only measures a reasonable state would be expected to take are required. And the letter, correctly in my opinion, posits no preventive obligation, as in monitoring network activity or mandating particular cyber hygiene practices. In fact, the duty is far from onerous; presumably, responsible states would take actions consistent with the due diligence rule irrespective of whether it is binding or not.
International Humanitarian Law (IHL)
The section of the Minister’s letter on IHL applicability is short, primarily confirming that IHL governs cyber operations conducted during armed conflict. Despite concerns, like those expressed by China during the recent OEWG session, that this position somehow legitimizes cyber operations during armed conflict, the prevailing view, and the only one supported by a principled application of IHL, is that IHL applies fully to cyber operations, which are already an integral facet of modern warfare. The Netherlands rejects the assertion on non-applicability, and rightly so. In doing so, it is in the good company of most other states (see, e.g., here, here, and here), the European Union, NATO, the ICRC, and the scholarly community, including the members of the Tallinn Manual 2.0 IGE.
The letter also affirms the applicability of neutrality law to cyber operations during international armed conflict, highlighting in particular that denial of access to a neutral state’s IT systems must be applied equally to the belligerents. It further emphasizes that the Netherlands would be within its rights to take measures to put an end to use of its cyber infrastructure by a belligerent, as in the case of a botnet that employs cyber infrastructure on its territory. Indeed, this would be an obligation under neutrality law in most cases.
One topic the letter does not address directly is transmission of belligerent code across neutral infrastructure. The aforementioned reference to denying access equally implies that there may be situations in which access does not have to be denied, so long as it is granted to all belligerents. If this is the position of the Netherlands, it would be on sound ground. Article 8 of the Hague Convention V and customary law (see here) provide that a neutral Power need not “forbid or restrict the use on behalf of the belligerents of telegraph or telephone cables or of wireless telegraphy apparatus.” A majority of the Tallinn Manual 2.0 IGE was of view that the provision should be interpreted as applying to cyber communications using public and openly accessible networks, even for military purposes. This is, in my estimation, the correct application of neutrality law in the modern context.
International Human Rights Law (IHRL)
The applicability of IHRL rules is far more complicated. Disagreement exists over the extent to which such rules apply extraterritorially, as well as the content of customary IHRL, particularly because so much of the relevant discussion focuses on the application of treaty law like the European Convention on Human Rights. In the cyber context, there is also uncertainty over the issue of to whom states owe human rights obligations. For instance, whether a state owes IHRL obligations to individuals who are not on its territory, but store data there or use its cyber infrastructure remotely, is unclear. Also unresolved is whether a state that can control the exercise of a human right on another territory, as in blocking protected expression on a website hosted abroad, owes affected individuals the relevant IHRL obligations if it exercises that capability.
Nevertheless, painting with a fairly broad brush, the Minister’s letter confirms that IHRL applies in cyberspace, a point that has been made by, inter alia, the UN General Assembly. The state’s obligations include both the negative duty to refrain from interfering with the enjoyment of human rights in cyberspace (especially privacy and expression) and a positive duty to protect them from interference by others. Taking measures to ensure that companies respect the right to privacy of Dutch citizens (and presumably others on Dutch territory) is offered as an example of the latter duty.
The Netherlands acknowledges that human rights are not absolute and sometimes lawfully may be limited, as in restricting hate speech on the internet or prohibiting incitement to violence on social media. Such restrictions must serve a legitimate purpose like national security, be based in law, and be both necessary to achieve the legitimate end and proportionate to that end. Emphasizing that society’s reliance on cyberspace for the exercise and enjoyment of human rights such as expression, privacy, association, and certain social and economic rights is growing rapidly, the Minister’s letter emphasizes the Netherlands’ support for a “secure, open and free internet.” In doing so, it signals the country’s resistance to efforts to rely on such principles as sovereignty to exert excessive control over the enjoyment of human rights online.
The letter then turns to the challenge of attribution. It insightfully and usefully distinguishes between technical attribution (factual and technical in nature), political attribution (a policy matter), and legal attribution. The focus is on the latter.
The Dutch positions on attribution track those set forth by the International Law Commission in its Articles on State Responsibility (ASR), which also provided the basis for many of the conclusions of the Tallinn Manual 2.0 IGE. First, in accordance with Article 4, a state is responsible for the acts (including actions and omissions) of its organs, such as the Dutch National Cyber Security Centre. It is likewise responsible for the cyber operations of non-state actors, such as cyber firms, hacktivists, or terrorist groups, when those entities act pursuant to the state’s instructions or direction or control (so-called “effective control”). Although the precise parameters of this basis for attribution are somewhat vague, the Minister’s letter emphasizes that the threshold is “high,” offering financially contributing to the activities of a non-state actor conducting hostile cyber operations as an example of activity that does not result in attribution (a position the ICJ analogously took in its Nicaragua judgment).
Importantly, the Netherlands is of the view that it need not publicly set forth the basis on which it attributes a cyber operation, as is sometimes asserted by certain other states. The French and the Tallinn Manual 2.0 IGE are in accord. The letter cautions, however, that such evidence may have to be produced if an international tribunal considers a cyber operation. Additionally, the Netherlands has voiced no objection to the voluntary non-binding norm set forth in the 2015 GGE report that calls on states to produce evidence underlying attribution when possible. Of course, security and operational concerns may mitigate against doing so.
A further question is the quantum and quality of information upon which attribution must be based. When the matter is before judicial or other fora, the evidentiary rules of that body apply. Otherwise, states should act as reasonable states would in the same or similar circumstances. The Netherlands suggests that the standard is one of “sufficient certainty.” This is a flexible standard that may vary “depending on the seriousness of the act,” a dynamic approach advanced by Judge Higgins in the ICJ’s Oil Platforms case. In this regard, note that misattribution of a wrongful cyber operation does not violate international law, although acting on mistaken attribution, as in taking countermeasures, arguably can in some circumstances.
There are four general response options in the face of hostile, including unlawful, cyber operations – retorsion, countermeasures, necessity, and self-defense. The Minister’s letter addresses each serially.
An act of retorsion is an unfriendly, albeit lawful, response to anther state’s action. Examples include economic sanctions and declaring diplomats “persona non grata,” measures that were taken by the Obama administration in reaction to Russian election meddling. Since acts of retorsion are by definition lawful, the cyber operations that motivate them need not violate international law. Thus, for example, the United States did not have to claim that the Russian cyber actions were unlawful before taking these steps.
The Minister’s letter makes clear that the Netherlands considers retorsion to be a valuable response tool in the cyber context. Interestingly, it specifically cites “limiting or cutting off the other state’s access to servers or other digital infrastructure in its territory, so long as no treaty mandates such access,” as an example of retorsion. I agree that doing so would qualify as retorsion because the action is consistent with the enjoyment of sovereignty over infrastructure on the state’s territory.
The Dutch approach to countermeasures as a response option is quite conventional. Countermeasures are acts (actions or omissions) that would normally be unlawful but for the fact that they are taken in response to another state’s unlawful conduct. There is no in-kind requirement. An “injured state” may take cyber countermeasures against cyber or non-cyber wrongful acts by the “responsible state,” and non-cyber countermeasures are equally available to the injured state against the responsible state’s unlawful cyber operations. The Minister’s letter offers an injured state’s cyber operation that shuts down networks or systems that the responsible state is using for a cyber attack as an illustration of a countermeasure.
There are strict limitations on countermeasures, a point the letter emphasizes. They may only be taken when the act to which they respond qualifies as “internationally wrongful” on the basis that it: (1) breaches international law vis-à-vis the injured state; and (2) is attributable to the responsible state pursuant to the law of state responsibility. The cyber operation most likely to meet these requirements is one that violates the injured state’s sovereignty. Countermeasures have to be proportionate in the sense of rough equivalence in severity to the harm caused by the responsible state’s cyber operation and must not violate fundamental human rights (it is unclear which human rights qualify as such) or diplomatic law obligations.
Several points in the Dutch discussion merit mention. First, although ASR Article 43 provides that notice must be provided in advance of a countermeasure to give the responsible state an opportunity to desist in its unlawful conduct and make any appropriate reparations, the letter states that “if immediate action is required in order to enforce the rights of the injured state and prevent further damage, such notification may be dispensed with.” This position is consistent with that taken by both the United Kingdom and France, as well as Tallinn Manual 2.0.
Second, the letter states that countermeasures “must be temporary.” This requirement, however, does not require that they be reversible. Rather, as noted in Article 49 of the ASR, “[c]ountermeasures shall, as far as possible, be taken in such a way as to permit the resumption of performance of the obligations in question,” a requirement drawn from the ICJ’s Gabčíkovo-Nagymaros judgment. The “as far as possible” text leaves open the option of, for instance, permanently disabling a targeted system that is being used by the responsible state, if necessary. The “temporary” limitation also denotes that an action cannot qualify as a countermeasure if the responsible state has terminated its unlawful action and has provided any reparations due the injured state.
The Netherlands also is of the view that countermeasures must not reach the level of a use of force. This position is consistent with Article 50(1)(a) of the ASR and is the prevailing view among states and commentators. It is also a rejection of the suggestion by Judge Simma in the ICJ’s Oil Platforms case that a state may take forceful countermeasures in response to another state’s act that crosses the use of force threshold but does not reach that of an “armed attack,” the point at which a defensive use of force is allowed (see below).
Finally, no mention is made of collective countermeasures, whereby a state takes countermeasures on behalf of an injured state or assists in that state’s own countermeasures. This is an important, albeit controversial, issue for states that lack the ability to engage in cyber measures beyond their borders. Estonia recently asserted (see here) a right to engage in such actions, while France has taken the opposite position. In light of the disparate cyber capabilities states field, there is likely to be growing support for such a right, and, in my view, rightly so.
The third option for responding to a hostile cyber operation is the plea of necessity, a right captured in ASR Article 25. Necessity permits a state to engage in an otherwise unlawful action, such as a hack back that would violate the sovereignty of the state into which it is conducted, when doing so is the “only way” to “safeguard an essential interest against a grave and imminent peril.” The Minister’s letter observes that although the term “essential interest” is “open to interpretation in practice,” “the electricity grid, water supply and the banking system certainly fall into this category.” This is a reasonable conclusion, one most other states would also likely make when facing such an attack
Responses based on the plea of necessity are exceptional measures to be taken only when, as the letter notes, there are “potentially very serious consequences” at stake. The letter offers the examples of “situations in which virtually the entire internet is rendered inaccessible or where there are severe shocks to the financial markets.” Any response may violate obligations owed to other states, such as respect for sovereignty, but may not seriously interfere with their essential interests. Importantly, necessity does not require that state responsibility be established vis-à-vis the state affected by the response. Thus, and unlike countermeasures, actions based on the plea of necessity are available when a non-state actor’s cyber operation causes the underlying harm or when attribution to another state cannot be reliably established. Necessity accordingly serves as a valuable safety valve for states facing severe cyber attacks when the strict conditions for the taking of countermeasures cannot be satisfied.
Finally, the Netherlands notes that a state that is the victim of a cyber “armed attack” may respond with kinetic or cyber measures at the use of force level pursuant to UN Charter Article 51 and customary international law. However, a long-standing debate surrounds the range of the term “armed attack.” For the United States, any use of force, whether kinetic or cyber in nature, amounts to an armed attack opening the door to a forceful response. However, in its Nicaragua judgment, the ICJ characterized an armed attack as the “most grave” form of use of force. The Netherlands, together with most other states and scholars, adopts the ICJ’s characterization, according to which not every cyber operation crossing the use of force threshold amounts to an armed attack justifying the use of force in self-defense.
The difficulty lies in determining when a use of force reaches the armed attack threshold. Drawing on the ICJ’s discussion in Nicaragua, the Netherlands focuses on the “scale and effects” of the operation, such that “a cyber attack that has comparable consequences to an armed attack (fatalities, damage and destruction) can justify a response with cyber weapons or conventional weapons.” Therefore, it concludes, there is “no reason not to qualify a cyberattack against a computer or information system as an armed attack” if the requisite consequences manifest. However, the Minister’s letter fairly observes that “[a]t present there is no international consensus on qualifying a cyberattack as an armed attack if it does not cause fatalities, physical damage or destruction yet nevertheless has very serious non-material consequences.”
It is interesting in this regard that the letter did not expressly echo Dutch Minister of Defence Ank Bijleveld’s 2018 suggestion that if “a cyber-attack targets the entire Dutch financial system…or if it prevents the government from carrying out essential tasks such as policing or taxation…… it would qualify as an armed attack.” As noted above, such an attack would merit a response based on the plea of necessity, but whether the Netherlands today would treat it as justifying a use of kinetic or cyber force in self-defense is uncertain. In my opinion, it should.
Finally, the Minister’s letter grapples with the nature and extent of information a state must have before defensive measures may be taken, an especially important question given the practical difficulties of cyber-related attribution. It notes that there must be “adequate proof of the origin or source of the attack,” a reference to factual attribution, and that a “particular state or states or organised group is responsible for conducting or controlling the attack,” which addresses the requirement for legal attribution. The letter concludes that states must be “sufficiently certain” before acting in self-defense. Although it does not develop this point, the reference to sufficiency could be read to suggest, correctly in my estimation, that the requisite degree and nature of information is contextual in the sense that factors such as the severity of the cyber armed attack may bear on whether it is reasonable to mount a forceful defensive response.
The Netherlands has long been a thought-leader in the field of cyber norms and has devoted significant energy and resources to supporting global efforts to understand how international law applies in cyberspace. The Minister’s letter is a major contribution to those objectives. Its breadth and the accompanying depth of the legal analysis are striking. Indeed, unlike the positions taken by certain other states, there is no normative cherry-picking, nor is there any hint that the Dutch have allowed factors other than strict legal evaluation to influence the conclusions drawn. Other states would be well-served by following the Dutch lead in this regard. Whether they should adopt the Dutch legal positions is, of course, a matter of their own sovereign prerogative. However, countering the sophisticated legal analysis proffered by the Netherlands would prove a daunting task.
IMAGE: The Netherlands’ Minister of Foreign Affairs Stef Blok speaks during a debate at the Senate, in The Hague, on December 26, 2019. (Photo by ROBIN UTRECHT/ANP/AFP via Getty Images)