As claims that cyberspace is a normative Wild West fade, the task at hand for the international community is to identify and interpret the rules of international law that govern cyber operations. Last week, with the Ministry of Foreign Affairs and Trade’s (MFAT) release of its position, New Zealand joined the growing list of states that have publicly set forth their views on how international law applies in the cyber context.
New Zealand’s statement is important for several reasons. Most importantly, it addresses a number of controversial issues that are occupying international discourse, including the topics of sovereignty and collective countermeasures. Timing also matters. New Zealand’s statement comes as the UN Group of Governmental Experts and Open-Ended Working Group are underway. Its formal release by MFAT will yield greater influence during those proceedings than oral statements or written submissions standing alone. And the fact that New Zealand is one of the so-called “Five-Eyes” (with Australia, Canada, United Kingdom and United States) cannot be ignored, for these states, which as a group are highly cyber-capable, cooperate and collaborate closely in security affairs. Statements by a Five-Eyes state can sometimes shed light on the attitudes of the group, at least with respect to positions they are willing to tolerate among close allies.
This article puts a critical eye on the statement from the legal perspective. It considers those topics that New Zealand considered to be sufficiently significant to be included: use of force, intervention, sovereignty, due diligence, responses to hostile cyber operations (countermeasures), international humanitarian law, and international human rights law.
Use of Force
That Article 2(4) of the UN Charter and customary law’s prohibition on the use of force apply to cyber operations is today beyond dispute. The point was expressly confirmed in the 2015 GGE Report, which was subsequently endorsed by the General Assembly, and all states that have issued statements on international law in cyberspace have endorsed this position. New Zealand has followed suit.
Clearly, a cyber operation that causes significant injury, illness, death or physical damage qualifies as a use of force. The unsettled question is whether cyber operations that are neither injurious nor physically destructive can reach the legal threshold of a use of force, and, if so, when. The clear trend, one first fully conceptualized by the experts who drafted Tallinn Manual 2.0 (Rule 69), is in the direction of an affirmative answer. For instance, the Netherlands has raised this possibility with respect to cyber operations affecting its economy, while France has expressly endorsed that characterization.
Most states that have spoken to the issue have not provided specific examples of non-injurious or non-destructive operations that they believe would qualify as a use of force. Instead, they appear to take an approach that would leave this to be decided on a future case-by-case basis, as does New Zealand. According to its statement, whether a cyber operation qualifies as a use of force
…depends on an assessment of the scale and effects of the activity. State cyber activity will amount to a use of force if it results in effects of a scale and nature equivalent to those caused by kinetic activity which constitutes a use of force at international law. Such effects may include death, serious injury to persons, or significant damage to the victim state’s objects and/or state functioning. In assessing the scale and effects of malicious state cyber activity, states may take into account both the immediate impacts and the intended or reasonably expected consequential impacts.
Three points are noteworthy in this extract. First, New Zealand will look to the “scale and effects” of a hostile cyber operation when assessing its qualification as a use of force. This standard derives from the International Court of Justice’s Nicaragua judgment (para. 195), where the Court looked to “scale and effects” to assess whether an action rose to the level of an “armed attack,” the threshold for the right to use force in self-defense. The Tallinn Manual 2.0 experts adapted that standard for use in assessing uses of force, an approach that has found favor among states. In addition to New Zealand, variants have been adopted by, among others, Australia, Finland and the Netherlands.
Second, in assessing effects, New Zealand will look by analogy to those actions that qualify as a use of force when caused by non-cyber means. This is likewise a trend (e.g., see France, Australia, Netherlands, United States). However, it is one that will require highly contextualized application. In particular, it is sometimes unclear from national statements regarding the use of force in cyberspace whether the loss of functionality of targeted cyberinfrastructure, which the Tallinn Manual 2.0 experts treated as “damage,” may amount to a use of force if of sufficient severity and in light of the attendant circumstances. Presumably, New Zealand would take this position since it notes that a cyber operation that affects “state functioning” could qualify as a use of force.
Third, the inclusion of state functioning is interesting, although it is unclear whether it refers to interference with the functions of the government or interference with key sectors of activity in the state, such as transportation or commerce. Interference with so-called “inherently governmental functions” violates the targeted state’s sovereignty, while coercive interference with a state’s “domaine réservé,” which includes a wide range of state functions, constitutes unlawful intervention (see Tallinn Manual 2.0, rules 4 & 66). For instance, some forms of foreign election meddling violate one or both of these primary rules (see here and here). Yet, such interference generally is not considered in terms of the use of force prohibition. Moreover, specifically in the use of force context, functionality is generally understood as referring to a genre of damage, as in damage necessitating repair of affected cyberinfrastructure. It is not thought of in the guise of abstract interference with activities.
Yet, if the scale and effects approach is used as the basis for assessment, there would be no reason to necessarily exclude operations that “interfere with state functions” from the reach of the prohibition. Indeed, France already has asserted that a cyber operation causing “consequences liable to paralyze whole swaths of the country’s activity” would qualify as an armed attack. Since all armed attacks are uses of force in international law, this bolsters New Zealand’s reference to state functioning as a potential use of force.
Importantly, the characterization may signal an emerging shift by states away from looking to the nature of harm caused by a cyber operation (physical damage or injury/death) to a more holistic consequence-based paradigm based on scale and effects. As proposed in Tallinn Manual 2.0 (rule 69), and as accepted by the aforementioned states as well as the United States, a wide variety of factors will influence the scale and effects assessment (e.g., severity, directness, immediacy, originating state and entity, target, etc.).
New Zealand also adopts the scale and effects approach when determining when a hostile cyber use of force amounts to an armed attack entitling a forcible response, an unassailable stance given its genesis in Nicaragua and subsequent acceptance by states. Thus, the statement notes that a cyber operation will so qualify “if it results in effects of a scale and nature equivalent to those caused by a kinetic armed attack.” Interestingly, it uses the same example as that offered by the United Kingdom in its espousal of its identical position – “cyber activity that disables the cooling process in a nuclear reactor, resulting in serious damage and loss of life, would constitute an armed attack.” Since such an operation is self-evidently an armed attack, it would be useful if states would offer more examples, as France did, so as to better tease loose their understanding of the requisite scale and effects.
New Zealand’s formulation is also cleverly non-exhaustive. The statement tells us that a cyber activity will amount to a use of force or an armed attack if it results in effects of a scale and nature equivalent to those caused by an analogous kinetic use of force or armed attack – but it does not say whether actions that do not meet that equivalence could also count. This is yet another area where more clarity would be welcome.
New Zealand takes a conventional approach to the prohibition of coercive intervention into the internal or external affairs of another state. Application of the prohibition to cyber activity is uncontroversial, having been confirmed in the 2015 GGE report and appearing in all official statements by states on international law in cyberspace. In particular, New Zealand confirms that two elements cited by the ICJ in its Nicaragua judgment must be satisfied to breach the prohibition: 1) coercion into the 2) domaine réservé of another state (para. 205). The devil is in the details.
With respect to the latter, the statement draws directly on the Nicaragua judgment in explaining that the domaine réservé encompasses, inter alia, the “political, economic, social and cultural system” (para. 205). As examples, New Zealand cites taxation, national security, law enforcement, border control, and foreign policy. In that these are matters international law generally leaves to states, they clearly fall within the domaine réservé. The statement does appear to conflate “inherently sovereign functions,” a concept generally bearing on sovereignty, and domaine réservé. However, this minor point is of little practical significance except to international law experts because while the domaine réservé encompasses areas of activity that are not inherently governmental (medical care), almost all inherently governmental functions (e.g., national pandemic crisis management) fall within the domaine réservé.
As to the former element, coercion may be effected either by depriving the target state of its ability to make a choice regarding an aspect of its domaine réservé or so influencing the state’s will regarding such a choice that it effectively is left without meaningful options. New Zealand’s statement offers examples of both. For instance, it highlights manipulation of a vote tally and “dictatorial threats” respectively. It also notes, as did the ICJ in its Nicaragua judgment (para. 205), that coercion may be direct or indirect. In that case, for instance, the financing of insurgents was found to be indirect coercion; by analogy, financing the cyber operations of such groups would likewise sometimes qualify as coercive.
Importantly, New Zealand highlights the issue of intent, one that is often missed in discussions of how the prohibition applies in the cyber context. It points out that the “coercive intention of the state actor is a critical element of the rule” and “may in some circumstances be inferred from the effects of cyber activity.” One example offered by New Zealand – “a prolonged and coordinated cyber disinformation operation that significantly undermines a state’s public health efforts during a pandemic” – is a clear illustration of intervention because the operation is designed to hobble the targeted state’s ability to execute its pandemic response plan.
But absent an intent to coerce the target state with respect to a choice involving the domaine réservé, there is no intervention, as with purely malicious or criminal cyber operations. Thus, the other scenario cited in New Zealand’s statement – “cyber activity deliberately causing significant damage to, or loss of functionality in, a state’s critical infrastructure, including – for example – its healthcare system, financial system, or its electricity or telecommunications network” – would only qualify as intervention if the state mounting it intended to coerce the target state’s choice regarding a facet of the domaine réservé. Depending on the circumstance, that might, or might not, be the case.
Most notably, New Zealand takes on the fraught issue of whether sovereignty is simply a principle of international law from which rules such as the prohibitions on the use of force and intervention derive, or a rule in itself, the breach of which by a state constitutes an “internationally wrongful act” (Articles on State Responsibility, art. 2). As is well known, in 2018 the United Kingdom counter-normatively adopted the former position when setting forth its views on international law in cyberspace.
That position has gained little traction in either the scholarly community or among states. On the contrary, every state that has opined publicly on the matter has confirmed that sovereignty is a primary rule of international law. They include, for instance, Bolivia, China, Czech Republic, Finland, France, Germany, Guatemala, Guyana, Iran, Netherlands, Republic of Korea, and Switzerland (see also here, here, and here). Indeed, the rule appears in NATO cyber doctrine, albeit with a reservation by the United Kingdom. Even the US Department of Defense recently displayed hesitancy with respect to its closest ally’s understanding of the law (see also here). This is sensible, for as Finland has warned, “Agreeing that a hostile cyber operation below the threshold of prohibited intervention cannot amount to an internationally wrongful act would leave such operations unregulated and deprive the target state of an important opportunity to claim its rights.”
New Zealand’s statement acknowledges that there are two bases for a violation of sovereignty, territoriality and inherently governmental functions (Tallinn Manual 2.0, rule 4). As to the first, it notes that “territorial sovereignty prohibits states from using cyber means to cause significant harmful effects manifesting on the territory of another state,” but perceptively observes that “further state practice is required for the precise boundaries of its application to crystallise.”
This is exactly where discussion should focus, on identifying those effects that qualify a remotely conducted cyber operation into another state’s territory, whether against private or public cyber infrastructure, as a sovereignty violation. Possible options range from limiting a sovereignty violation to operations that cause injury or physical damage to the more liberal French interpretation, which treats as a sovereignty violation any cyber operation attributable to a state that targets “French digital systems” or results in “any effects produced on French territory.”
New Zealand’s statement unfortunately sheds little light on its view of the requisite effects, beyond the well-accepted understanding that cyber espionage is not prohibited as such (Tallinn Manual 2.0, rule 32). On the contrary, it muddies the waters slightly with the somewhat unartfully expressed statement that “the rule of territorial sovereignty as applied in the cyber context does not prohibit states from taking necessary measures, with minimally destructive effects, to defend against the harmful activity of malicious cyber actors.” The lawfulness of such a response would be determined by whether the response amounts to an internationally wrongful act. If not, it is an act of retorsion and lawful. If so, there would have to be a circumstance precluding wrongfulness, such as qualification as a countermeasure or act of necessity, to be lawful (ASR, arts. 22 & 25). The mere fact that it is a response at the lowest feasible level is not, standing alone, any legal justification.
As with sovereignty, there is disagreement as to the existence of a binding rule of due diligence. The rule would hold that states must take all feasible measures to put an end to hostile cyber operations that they know are mounted from or through cyberinfrastructure on their territory which cause serious adverse consequences with respect to a right of the target state. As generally understood, the obligation applies to the hostile cyber operations of both states and non-state actors. Such a rule has been endorsed by numerous states (e.g., Brazil, Estonia, Finland, France, Republic of Korea, and the Netherlands, but see Argentina), and was acknowledged by the ICJ in its first case, Corfu Channel (p. 22).
However, some states are hesitant to confirm that due diligence, which appears as only a so-called “voluntary non-binding norm of responsible state behavior” in the 2013 and 2015 GGE reports, has crystallized into a rule of customary international law. Much as Australia did in its International Engagement Strategy, New Zealand addresses the issue gingerly, neither confirming nor denying its legally binding status, but discussing it in a manner that reflects accepted limitations.
New Zealand is not yet convinced that a cyber-specific “due diligence” obligation has crystallized in international law. It is clear that states are not obliged to monitor all cyber activities on their territories or to prevent all malicious use of cyber infrastructure within their borders. If a legally binding due diligence obligation were to apply to cyber activities, New Zealand considers it should apply only where states have actual, rather than constructive, knowledge of the malicious activity, and should only require states to take reasonable steps within their capacity to bring the activity to an end.
States endorsing the status of due diligence as a primary rule of international law likewise hold that it imposes no preventive obligations, such as monitoring, and only attaches vis-à-vis ongoing or, possibly, imminent operations. Moreover, they agree that knowledge is a condition precedent to breach, although the discussion has not reached the subject of constructive knowledge. Most significantly, there is consensus among them that a territorial state is only obligated to take measures that are feasible in the circumstances. In light of these and other limitations upon the rule as currently understood, it is likely that an increasing number of states will see it as a useful obligation imposed on states from or through whose territory hostile operations against them might be mounted, especially since the rule extends to non-state actor operations and imposes no obligation on states to do more than is reasonable.
Responses to Cyber Operations
With one exception, the discussion of response options in the face of hostile cyber operations is conventional. The section begins with an important, albeit sometimes forgotten point: “Regardless of whether the activity amounts to an internationally wrongful act, a state may always attribute political responsibility for malicious state cyber activity and may always respond with retorsion (i.e. unfriendly acts not inconsistent with international law).” Too often, analysis jumps to the prospect of countermeasures. But qualification of a response as a countermeasure is only necessary as a ground for the preclusion of the wrongfulness if the cyber operation to which it replies is an internationally wrongful act (ASR, art. 49). As noted, such acts must be attributable to a state and breach a legal obligation to another state.
With respect to attribution, New Zealand’s statement traverses the key bases set forth in the International Law Commission’s (ILC) Articles on State Responsibility, most of which reflect customary international law: organ of the state (art. 4), empowered by law to exercise elements of governmental authority (art. 5), acting on the instructions of, or under the direction or control of, the state (art. 8), and acknowledgement and adoption of the act as the state’s own (art. 11). A state may also incur responsibility for its role in aiding or assisting an internationally wrongful cyber operation by another state (art. 16).
New Zealand accurately notes that there is no obligation to disclose the evidentiary basis upon which attribution is made, although it observes that a policy decision to disclose such information could be in a state’s interest and that disclosure might be required in a legal proceeding. It further cautions that “any legal attribution should be underpinned by a sound evidential basis.” In this regard, the 2015 UN GGE also indicated that allegations of wrongful behavior should (not “must”) be substantiated and adopted a voluntary non-binding norm of responsible state behavior to the effect that states should consider “all relevant information” during cyber incidents.
If a breach of an international obligation, such as those discussed above, is attributable to a state (the “responsible state”), the “injured” state may engage in otherwise unlawful activity in order to cause the responsible state to desist. The injured state may also take countermeasures to secure any reparations due, a point not expressly made in New Zealand’s statement (Tallinn Manual 2.0, rule 21).
New Zealand joins all other states that have issued similar statements encompassing countermeasures in emphasizing that countermeasures may not be at the use of force level (see, e.g., US 2014 submission to GGE, p. 722). Suggestions that forcible countermeasures may sometimes be permissible, which derive from the separate opinion of Judge Simma in the ICJ’s Oil Platforms case, have been firmly rejected by states, as they were by the ILC in its Articles on State Responsibility (art. 50).
Interestingly, New Zealand’s statement does not address the purported obligation of an injured State to call upon the responsible State to desist, notify the latter of its intent to take countermeasures, and offer to negotiate before engaging in countermeasures (ASR, art. 52 (1)). Although this requirement is subject to the injured State’s need to take “urgent countermeasures as are necessary to preserve its rights” (ASR, art. 52 (2)), numerous states that have spoken to the issue of cyber countermeasures have emphasized that notice may not be required in time-sensitive situations or those in which notification either could diminish the likely success of the countermeasures or reveal sensitive capabilities (see, e.g., France, Netherlands, United Kingdom, United States).
The most significant position taken by New Zealand with respect to response options is its potential acceptance, albeit somewhat tepid, of collective countermeasures.
Given the collective interest in the observance of international law in cyberspace, and the potential asymmetry between malicious and victim states, New Zealand is open to the proposition that victim states, in limited circumstances, may request assistance from other states in applying proportionate countermeasures to induce compliance by the state acting in breach of international law.
The President of Estonia argued in favor of such an interpretation in 2019, while France rejected that interpretation the same year. The Tallinn Manual 2.0 experts could not achieve consensus on the issue (Tallinn Manual 2.0, rule 24), and the commentary to the Articles on State Responsibility is unhelpful (commentary to art. 54). Although a fair argument can be offered in support of both positions, New Zealand’s position is sound legally and certainly advisable for states that do not wield sufficient capability to conduct their own effective cyber countermeasures.
As to other responses, no mention is made of resort to the plea of necessity in the face of “grave and imminent peril” to an “essential interest of the state” as a ground for the preclusion of wrongfulness (ASR, art. 25; Tallinn Manual 2.0, rule 26). Although available only in extreme cases in which no other option is available, it is an important tool in “break glass” situations. The statement does acknowledge the right of individual and collective self-defense under Article 51 of the UN Charter, but does not develop it further, including with respect to New Zealand’s understanding of the “armed attack” threshold.
International Humanitarian Law and International Human Rights Law
New Zealand’s statement closes by emphasizing that international humanitarian law (IHL) and international human rights law (IHRL) apply in cyberspace. Although there are sometimes suggestions that IHL does not, they are indefensible (Tallinn Manual 2.0, rule 80). The same is true with regard to IHRL (2015 GGE Report, Tallinn Manual 2.0, Rules 34-38).
With respect to IHL, the one point of significance is New Zealand’s characterization of an “attack” under IHL as including not only operations that result in death, injury, or physical damage, but also loss of functionality. This so-called “functionality test” was developed by the Tallinn Manual 2.0 experts and is widely accepted (Tallinn Manual 2.0, rule 92). However, the threshold at which loss of functionality qualifies as an attack pursuant to Article 49 of Additional Protocol I to the 1949 Geneva Conventions is unsettled. New Zealand offers no indication of where it comes down on this matter.
As to IHRL, the MFAT statement recognizes that activities in cyberspace are subject to human rights obligations, singling out freedom of expression and the right to privacy (Tallinn Manual, ch. 6). Importantly, it highlights the critical question of when human rights obligations apply extraterritorially. New Zealand notes that the subject is “currently unsettled and would benefit from further discussion in multilateral fora.” This is wise counsel. Indeed, a related subject that merits discussion during such normative efforts is that of the positive obligations states shoulder under human rights law to protect the enjoyment and exercise of such rights online (in the pandemic context, see here).
New Zealand is to be applauded, not only for offering its views on the applicability of international law in cyberspace, but also for doing so very constructively. Its effort to highlight where the law is unsettled and requires further consideration, as with due diligence and human rights extraterritoriality, advances the international dialogue by encouraging states to take on the tough topics. And New Zealand’s willingness to take a stand on contentious issues like sovereignty, due diligence, and collective countermeasures is particularly commendable. It should, indeed must, be emulated by other states.