The term “cyber attack” sounds dramatic, invoking images of war. Many commentators have talked about how the law on the use of force and the law of armed conflict apply to cyber attacks. But the reality is that cyber incursions by one State into another State’s territory are both more frequent and less dramatic than attacks that rise to the level of a use of force. The United Kingdom estimates that it is on the receiving end of an average of ten cyber attacks a week, most by State-sponsored hackers. These low level, persistent attacks do not constitute a use of force nor reach the level of intensity required to trigger an armed conflict. They will often leave no physical trace. But they can cause significant economic and political damage in the victim State. And they can violate other rules of international law, namely the principle of sovereignty, and/or the prohibition on intervention in another State’s affairs.
A new Chatham House Report discusses how these principles apply to States’ cyber operations below the threshold of use of force, and makes recommendations to governments on how they might make progress in reaching agreement in this area. The Report draws on the recent trend for States such as the UK, Australia, France and the Netherlands to put on record their views on how international law applies in the cyber context.
Sovereignty
In the non-cyber context, International Court of Justice cases such as Corfu Channel, Certain Activities carried out by Nicaragua, and Military and Paramilitary Activities in and against Nicaragua, as well as other international law sources discussed here, give examples of the violation of a State’s sovereignty without reference to other specific rules of international law. They show that violation of sovereignty amounts to commission of an internationally wrongful act with legal consequences. There is no reason why the principle of sovereignty should not apply in the cyber context as it applies in every other domain of State activity, as the UN Group of Government Experts recognised in their 2013 and 2015 consensus reports.
The Chatham House Report looks at sovereignty in the non-cyber context to inform its analysis of how the concept might be applied in the cyber context. It conceives sovereignty as a bundle of rights comprising territorial sovereignty, independence of state powers, and external sovereignty, and defines a violation of sovereignty as the exercise of State powers within the territory of another State without consent. This principle can apply both to the activity of a State agent physically present on the territory of the target State, or to activity carried out remotely from outside the target State with a harmful effect on the target State’s territory. Whereas the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations considers remote violations of sovereignty by reference to two different bases – the degree of infringement upon the target State’s territorial integrity and whether there has been an interference with or usurpation of inherently governmental functions – the Chatham House Report takes a more holistic approach. While the various elements of sovereignty can be separated out and are sometimes referred to individually, in practice they are inextricably linked and work together. A cyber incursion by one State into another’s territory can violate sovereignty both by penetrating a server in the target’s territory without consent and by simultaneously restricting the ability of the target State to carry out its sovereign functions in some way, with detrimental effects in the target State.
A thornier issue is whether or not there is a threshold for violations of sovereignty, and if so, of what that threshold consists. If a State agent is physically on the territory of another State without permission, does her mere presence there violate the territorial State’s sovereignty, or does she have to carry out some harmful effects on the territory of that State in order for that threshold to be reached? Some commentators (for example here and here) argue that sovereignty is a “catch-all” principle, under which any unauthorized exercise of authority by one state in another state’s territory – whether cyber or otherwise, and whether in the form of an agent physically on the territory or conducted from outside the territory – is capable of violating the target State’s sovereignty. But this open-ended, maximally protective approach to violation of sovereignty sits uneasily with the reality of States’ day to day interactions, particularly in cyberspace, where States constantly transit through each other’s portals, often without explicit authorization, especially in the intelligence context.
Perhaps recognizing the difficulties of a “purist” approach to sovereignty, some commentators favor a kind of half-way house position, under which some State cyber activity can violate another State’s sovereignty, but only if it reaches a certain threshold. The question then becomes what the criteria are for such a threshold – is it a de minimis threshold based on quantitative factors such as the number of citizens affected or the geographic reach of the attack; or is it based on qualitative factors such as the nature or intensity of the attack – or both?
When analyzing the application of the sovereignty principle in the cyber context, the international group of experts involved in the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations considered whether it is possible to identify criteria for infringements of the target State’s territorial integrity, whereby remote cyber intrusions will only reach the level of a violation of sovereignty if they cause a certain level of harmful effects on the territory of the victim state. They did so by reference to a hierarchy of scenarios: (i) physical damage (ii) loss of functionality (i.e. where the computer no longer works); and (iii) effects below loss of functionality, such as the temporary slowing down of a computer. But the group of experts were unable to agree on where the line should be drawn. While there was agreement that a cyber operation causing physical damage to cyber infrastructure would qualify as a violation of sovereignty, this was the only point on which consensus could be reached, and as it is rare for cyber attacks below the threshold of use of force to cause physical damage, it doesn’t get us that far. Measuring harmful effects is also not as straightforward as applying a descending scale of severity. The deletion of one State’s confidential critical data by another State will not necessarily cause physical effects or loss of functionality in the target State’s cyber infrastructure, but it may have a more serious effect on the ability of the target to exercise its sovereign functions.
The French government, in its recent position paper on how international law applies to cyberspace, published in September 2019, stated that any unauthorized cyber intrusion into the French system would constitute a violation of sovereignty, and that sovereignty can be violated by “any production of effects by cyber means on French territory.” The EU’s cyber sanctions regime is directed at cyber attacks that have, or have the potential to have, a “significant effect” and that constitute an external threat to the EU or its Member States. But to date most States have not put on record their views, and as yet, the matter is not clear or settled.
In due course, further State practice and opinio iuris may give rise to an emerging cyber-specific understanding of sovereignty, just as specific rules deriving from the sovereignty principle have crystallised in other areas of international law. In the meantime, it’s worth noting how Western-centric the above debate is. States outside the West often come at sovereignty and non-intervention from a different perspective. Some authoritarian states exert tight internal controls over access to the internet and personal data (reflective of a concept China refers to as “cyber sovereignty,” itself an inspiration for Russia’s new “Sovereign Internet Law“). States that adopt a wide approach to the existence of their powers over all aspects of citizens’ behaviour take a similarly wide view of the duties of other States to respect their sovereignty, and may invoke violations of sovereignty or the non-intervention principle more regularly than others.
Given the differences and difficulties as to how States conceive of sovereignty, can the prohibition on intervening in another State’s affairs offer a more useful prism through which States can assess low-level cyber incidents?
The principle of non-intervention
The principle of non-intervention is the corollary of, and derives from, the principle of sovereignty. It prohibits a State from intervening by coercive means in matters within another State’s sovereign powers. Some argue that the non-intervention principle involves a relatively high threshold because of the requirement for the behaviour on the part of the perpetrating State to be coercive (Schmitt and Vihul, for example, have argued that “the prohibition on intervention and the use of force…contain thresholds that are seldom reached”; others have argued that coercion creates a “narrow standard,” which only occurs in “drastic cases“). The Chatham House Report argues that the non-intervention principle is in practice capable of broader application.
International law sources in the non-cyber context, including the International Court of Justice in Nicaragua and the Friendly Relations Declaration, suggest that coercive behaviour can be characterized as pressure on the target state that seeks to deprive the target of free will in relation to the exercise of its sovereign powers. Such pressure is applied in order to compel an outcome in, or conduct with respect to, a matter reserved to the target state. The coercion is directed at securing a benefit for the perpetrating State, and it need not succeed – potential effects on the target State’s ability to exercise its free will can suffice.
As others have argued, coercive behaviour by a State can consist of a range of techniques: direct and indirect, overt and covert. It can include activity that seeks to restrict or stymie the target State’s ability to carry out its functions in order to achieve some advantage for the perpetrating State, whether this be forcing a change of policy or simply wanting to disrupt and destabilize. On this approach, the non-intervention principle has the potential to apply quite broadly to State-to-State cyber interactions where they result in a State losing control in some way of its sovereign functions. It could include, for example, cyber attacks on another State’s critical infrastructure such as disrupting transport services, causing temporary power black-outs or restricting access to government websites, provided the cyber activity had the aim of usurping the target State’s control over its sovereign functions. It could also extend to cyber attacks that tamper with electoral infrastructure to change results (as the United States, UK and Australia have argued). It could even – in some circumstances – apply to cyber operations that covertly seek to manipulate the views of the electorate. In the case of the latter, if the secret use of disinformation and micro-targeting is carried out extensively by the perpetrating State, it could have the effect of undermining the target State’s ability to conduct a free and fair election. The UK and Australia also cite the application of the principle to cyber intervention in the fundamental operation of parliament or in the stability of a State’s financial systems.
Overlap?
Those that apply sovereignty to State cyber operations, and those (most notably the UK) that consider that the non-intervention principle is the only appropriate rule to apply in State to State cyber operations below the use of force threshold, are not in practice too far apart. The international group of experts involved in the Tallinn Manual 2.0 considered that a State’s sovereignty could be violated where another State’s cyber activity results in the “usurpation of [the target’s] government functions,” and acknowledged that in practice examples will often violate both sovereignty and the non-intervention principle (para 16 of commentary to Rule 4). The sovereignty principle is closely linked to the prohibition on non-intervention, but without the requirement of coercion. The benefit of the coercion requirement is that it ensures that only certain State actions are caught; a mere attempt to influence another State in the conduct of its government functions is not enough. In practice, one State’s usurpation of another’s government functions, with detrimental effects on the government’s control over, for example, critical national infrastructure, will very often meet the definition of coercion.
There are debates around the point at which a cyber incident is coercive – which will of course depend on the facts in each case – but the content and criteria for the application of the non-intervention principle are reasonably well established. The same cannot currently be said of sovereignty. Unlike the debates over what criteria might exist for a violation of sovereignty (in both the non-cyber and cyber contexts), the non-intervention principle relies on definable criteria – the use by one state of coercive behaviour in order to deprive the target of its free will in relation to the exercise of its sovereign functions.
Where to go from here?
Those States that have gone public in their positions on how international law applies to cyberspace may have differences in approach, but they are united in their starting point that existing international law already provides a solid framework for regulating states’ cyber activities. By contrast, some other countries have questioned whether existing international law as it stands is capable of regulating states’ cyber interactions and have called for “new legal instruments” in this area. The discussions at the United Nations’ Open-Ended Working Group in September this year saw several countries claiming that a new legal instrument was needed to fill the “legal vacuum” (Cuba) or “the gap of ungoverned areas” (Indonesia).
This week at the UN, the renewed Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), consisting of 25 States, are discussing the application of international law to States’ cyber activities. Participating States should seek to protect the valuable consensus on the application of international law to cyberspace that has been reached at past GGEs. When discussing notions such as sovereignty, they should also push for conceptual clarity about what they mean; otherwise there is a risk of States’ simply talking past each other.
Ultimately, to move the debate forward, States may be better off focusing on how the rules apply to particular examples of malicious State-sponsored cyber activity (do we consider this behavior to constitute an internationally wrongful act, and why?) than getting too far into more abstract debates about the meaning of sovereignty in this context. The conversations about how international law applies in this area are urgent, but still at an early stage, and it’s going to be a long game.