A recent United Nations event gave States a new opportunity to announce their positions on how international law applies to cyberspace, and those of Austria and the Czech Republic stood out. The United Nations Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG) held its second substantive session February 10-14. In their statements, both States took firm positions in the ongoing debate concerning whether sovereignty is merely a principle, or also a rule of international law, with both supporting the latter view by recognizing the existence of an independent obligation to respect sovereignty in cyberspace.
Austria has recently been the target of a severe cyber operation. In that context, we would like to refer to the principle of state sovereignty. A violation of this rule constitutes an internationally wrongful act – if attributable to a state – for which a target state may seek reparation under the law of state responsibility. A target state may also react through proportionate countermeasures. It is clear, however, that references to state sovereignty must not be abused to justify human rights violations within a state’s borders. In other words, state sovereignty must not serve as a pretext for tightening control over a state’s citizens which undermines their basic human rights such as the right to privacy and the freedom of expression.
Similarly, the Czech representative stated:
The Czech Republic concurs with those considering the principle of sovereignty as an independent right and the respect to sovereignty as an independent obligation.
The Czech Republic firmly believes that under this principle States may freely exercise without interference in any form by another State both aspects of sovereignty in cyberspace, be it an internal one, with the exclusive jurisdiction over the ICTs [Information and Communication Technologies] located on its territory, or the external one, including the determination of its foreign policy, subject only to obligations under international law.
These statements are important contributions to the ongoing discussion about the status of the principle of sovereignty in cyberspace (for an overview of different views see earlier work by Michael Schmitt, Harriet Moynihan and myself, but also Colonel (Retired) Gary Corn and Corn with Robert Taylor and Corn with Eric Jensen). Some States, most notably the United Kingdom (and possibly the United States, which will be discussed later), hold the view that sovereignty is merely a principle of international law and does not create autonomous and separate legal obligations, but is protected by other established rules of international law, such as the prohibition of the use of force or the principle of non-intervention. Other States, such as France, Germany and the Netherlands, have come out in support of the sovereignty-as-a-rule position and argued that a cyber operation may, under certain conditions, also violate a targeted State’s sovereignty.
It is the latter, sovereignty-as-a-rule camp that Austria and the Czech Republic now join. Importantly, both statements leave no doubt as to the legal character of sovereignty in cyberspace underlining that sovereignty “is an independent right” and respect for sovereignty “is an independent obligation” (Czech Republic) and “a violation of this rule constitutes an internationally wrongful act” (Austria). This clarity is most welcome, as it eliminates the possibility of (mis-)interpreting the statements to hold that references to “violations of sovereignty” may nevertheless only point to the “principle of sovereignty,” rather than to a binding legal obligation.
The Threshold of Sovereignty Violations in Cyberspace
Among the proponents of the sovereignty-as-a-rule position, there exist two different views on when a violation of sovereignty may occur (a more detailed analysis of these differences can be found in a policy brief I have written and in a Chatham House report). Under the French “penetration”-based approach, “[a]ny unauthorized penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty.”
It follows from this approach that already the breach of the confidentiality, integrity or availability of an ICT system might be regarded by France as constituting a violation of sovereignty.
Under the opposing “de minimis” approach, advocated for instance by the Tallinn Manual 2.0 and the Netherlands, not every breach of cyber security would automatically constitute a violation of sovereignty, but only those breaches which do so with a certain degree of infringement upon the target State’s territorial integrity, or through interfering with or usurping inherently governmental functions. While Austria has not stated its view on the precise threshold of a sovereignty violation, the Czech Republic endorses the de minimis approach, as becomes clear from the examples of cyber operations, which they would consider as violation of a State’s sovereignty. The Czech Republic listed the following:
A. a cyber operation causing death or injury to persons or significant physical damage;
B. a cyber operation causing damage to or disruption of cyber or other infrastructure with a significant impact on national security, economy, public health or environment;
C. a cyber operation interfering with any data or services which are essential for the exercise of inherently governmental functions, and thereby significantly disrupting the exercise of those functions; for example, distributing ransomware which encrypts the computers used by a government and thus significantly delaying the payment of retirement pensions;
D. cyber operation against a State or entities or persons located therein, including international organizations, conducted by a physically present organ of another State.
Examples A, B and D reflect the first alternative formulated by the Tallinn Manual 2.0 and also found in the Dutch position, while example C speaks to the second alternative.
With regard to example A, it seems likely that a cyber operation causing death or injury to persons or significant physical damage might also qualify as a use of force, especially if the Czech Republic endorses the “scale and effects” test for the comparability of cyber attacks to “traditional” uses of force, which is currently favored by most States that have put forward views on this matter (for a comparative analysis, see my policy brief).
Example D reflects the position that sovereignty protects a State’s right to control the access of another State’s agents to its physical territory or airspace. Unfortunately, the Czech position does not explain why the defining factor should be the physical presence of another State’s agent within the territory of the targeted State when the cyber operation is conducted, rather than the effects of the cyber operation on the targeted State’s ICT infrastructure. It is not clear why a close-access cyber operation resulting in the installation of malware on a computer in the targeted State should be regarded as a violation of that State’s sovereignty, while a remote-access cyber operation producing exactly the same result should not. To be fair, though, neither the Tallinn Manual nor the Dutch statement are much more specific on this matter. Another peculiarity in example D is that the Czech Republic views only close access cyber operations conducted by “a physically present organ of another State” as a violation of sovereignty, thereby seemingly excluding operations conducted by non-state actors under the instruction or direction or control of another State (for example, organs of a State are covered by article 4 of the Articles of State Responsibility, while non-state actors under the control of a State are covered separately under article 8). In contrast, the Tallinn Manual uses almost the exact same language as D but refers to actions by “an organ of a State, or others whose conduct may be attributed to the State.” One must hope that this point will be further addressed (or redressed) in a forthcoming detailed statement on the applicability of international law to cyber operations.
The DoD General Counsel’s Statement on Sovereignty in Cyberspace
Three weeks after Austria and the Czech Republic delivered their statements during the OEWG session, U.S. Department of Defense (DoD) General Counsel Paul Ney gave a speech at the U.S. Cyber Command Legal Conference, in which he addressed, among other issues, the question of sovereignty in cyberspace (the full statement can be found here, see also commentary and analysis on Ney’s statement by Robert Chesney, Michael Schmitt and Russell Buchan). With respect to sovereignty, Ney said:
For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory. (…)
The DoD [Office of the General Counsel] OGC view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018. We recognize that there are differences of opinion among States, which suggests that State practice and opinio juris are presently not settled on this issue. Indeed, many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).
On plain reading, the General Counsel seems to endorse the British sovereignty-as-a-principle approach, albeit cautiously, as the reference to “shared similarities” suggests. However (as observed by Schmitt and Buchan), the DoD OGC seems to leave open a backdoor for a sovereignty analysis, reflected in Ney stating further that:
As a threshold matter, in analyzing proposed cyber operations, DoD lawyers take into account the principle of State sovereignty. States have sovereignty over the information and communications technology infrastructure within their territory. The implications of sovereignty for cyberspace are complex, and we continue to study this issue and how State practice evolves in this area, even if it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law.
The reference to all infringements of sovereignty seems to reject the French penetration-based approach, while leaving open the possibility of accepting that some infringements of sovereignty may constitute violations of international law, if certain additional (and hereto unspecified) factors are met. Nevertheless, the DoD’s current position is that:
For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory.
The main reason for this view is a perceived absence of sufficiently widespread and consistent State practice, paired with opinio juris, which would establish such a customary rule. Ney puts forth two arguments in support of this conclusion. The first argument is that “many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks,” which Ney interprets as suggesting that those States do not support the existence of an obligation to respect sovereignty in cyberspace. The second argument is the absence of a customary international law norm prohibiting espionage per se, “even when it involves some degree of physical or virtual intrusion into foreign territory.” In the latter case, the similarity between certain cyber espionage operations and other cyber operations constituting virtual intrusions into foreign ICT systems would speak against the existence of a rule of sovereignty.
I see three main problems with General Counsel Ney’s arguments.
First, as to the supposed silence of other States on this matter, it has to be noted that since July 2019, four States (the Netherlands, France and more recently, Austria and the Czech Republic) have come out in favor of the sovereignty-as-a-rule approach. These statements are part of an emerging trend of States adopting clear positions on issues of cyber operations and sovereignty, with hopefully even more States addressing this issue in the near future (for instance, Finland has announced that it is working on a position on international law in cyberspace). More importantly, however, silence on a particular issue does not always signify acceptance of the existence or non-existence of a specific rule of international law. As the International Law Commission observed (pp. 141-142) in its work on the identification of customary international law, two requirements must be satisfied for a lack of open objection to be considered evidence of an acceptance of a certain practice as law:
First, it is essential that a reaction to the practice in question would have been called for: this may be the case, for example, where the practice is one that affects—usually unfavourably—the interests or rights of the State failing or refusing to act. Second, the reference to a State being “in a position to react” means that the State concerned must have had knowledge of the practice (which includes circumstances where, because of the publicity given to the practice, it must be assumed that the State had such knowledge), and that it must have had sufficient time and ability to act.
Accordingly, silence on the question whether there exists an obligation to respect the sovereignty of another State in cyberspace can be counted as opinio juris in support of the non-existence of such a rule only with respect to those States whose sovereignty would have been affected by a cyber operation and only provided that they were in a position to react. This proviso is especially important in the cyber context, given the difficulties of reliably attributing a cyber operation to a State and the tradeoff States must make in revealing what they know about another States’ cyber activities which is usually highly sensitive information. Moreover, it has to be noted that in its statement Austria specifically referred to being a target of a severe cyber operation. Similarly, Georgia, which suffered a large-scale cyber attack at the hands of the Russia’s Main Intelligence Directorate (GRU) in October 2019, condemned such attack as going “against international norms and principles, once again infringing Georgia’s sovereignty.” Thus, affected States give their views on this matter when it is appropriate to do so.
Second, General Counsel Ney’s cyber espionage argument is similarly open to objections. While many indeed argue that peacetime espionage operations do not per se violate international law, the Tallinn Manual points out (in Rule 32) that “the method by which it is carried out might do so.” Thus, the lack of a general prohibition of espionage in peacetime international law does not by way of analogy indicate that States accept non-consensual cyber espionage operations which breach the cybersecurity of ICT systems under their jurisdiction. Given that silence can indicate opinio juris only in cases where a State has active knowledge of a fact, the clandestine nature of cyber espionage operations in my view precludes reading too much into a general silence of States on this matter. Moreover, scholars point out that there is evidence of States protesting and invoking their sovereignty when they discover that they have been the target of a cyber espionage operation. For instance, certain members of the South American trade bloc MERCOSUR issued a note verbale to then-U.N. Secretary-General Ban Ki-moon in July 2013 protesting against U.S. espionage activities which, they say, “constitute[d] unacceptable behaviour that violate[d] [their] sovereignty” (for further references, see Russel Buchan’s book starting at p. 54).
Third, more generally, General Counsel Ney’s argument seems to rely on the assumption that the existence of an obligation to respect the territorial sovereignty of another State in cyberspace must be inductively proven by sufficiently widespread and uniform State practice and opinio juris, rather than being deduced from the general applicability of existing rules of international law in cyberspace. However the U.N. Group of Governmental Experts Reports of 2013 and 2015 affirm that “international law” – and not only a particular set of rules – is applicable to State conduct in cyberspace. Thus, it is not necessary to prove the applicability of every pre-existing rule of international law – such as the obligation to respect the territorial sovereignty of another State – by way of new extensive and consistent State practice and opinio juris. The Czech Republic’s statement makes this point clear:
For obvious historical reasons, none of the existing international law instruments explicitly refer to cyber issues. However, this does not mean these instruments somehow cannot be applied to cyberspace. On the contrary, in its advisory opinion of 1971 the International Court of Justice found that an international instrument has to be interpreted and applied within the framework of the entire legal system prevailing at the time of the interpretation. This concept of dynamic, or evolutionary interpretation is also implied in Article 31(3)b of the Vienna Convention on the Law of Treaties.
The Czech Republic further elaborated upon this point in its comments to the initial “pre-draft” report of the Open-ended Working Group, where it stated:
In particular, the OEWG could highlight the following principles, which should guide the applicability of international law in the context of ICTs:
(i) technology-neutral approach to regulating ICTs, which provides a safeguard against rapidly evolving nature of ICT technologies;
(ii) interpretation and application of existing international instruments to ICTs in compliance with Article 31(3)b of the Vienna Convention on the Law of Treaties (and the so-called dynamic or evolutive interpretation of international law);
(iii) interpretation and application of existing international instruments to ICTs “within the framework of the entire legal system prevailing at the time of such interpretation” (see the 1970 ICJ Advisory Opinion on the Legal Consequences for States of the Continued Presence of South Africa in Namibia).
This reasoning also applies to customary international law. Were this not the case, the applicability of the customary rules of State responsibility or international humanitarian law in cyberspace (which the United States strongly supports) might similarly be put into question. Thus, the question should not be whether an obligation to respect the sovereignty of another State exists in cyberspace, but exactly how such obligation applies in the technical context of cyber operations.
Conclusion: More Clear Statements Needed
The Austrian and Czech submissions are important voices in the ongoing debate about the status of sovereignty in cyberspace and expand upon the State practice and opinio juris in this field. What’s more, they show that not only the “big players” with advanced cyber capacities can contribute to the debate, and hopefully the Austrian and Czech examples will be followed soon by other members of the international community. At the same time, General Counsel Ney’s remarks bring much needed clarity to the current U.S. position and offer a legal underpinning for the “defending forward” and “permanent engagement” doctrines the United States has adopted in its cyber operations. With now five States openly supporting the sovereignty-as-a-rule position, the U.K. and United States (or at least the U.S. Department of Defense) find themselves in the minority, and the weight of international opinion might potentially be slowly turning toward the opposite view. Of course, it is still too early to tell how the debate will develop and most certainly the issue of sovereignty will remain contentious for some time. But it is important in the interests of international peace and security that States present their views and discuss this issue, even if consensus may not be achievable in the short term.