Last week, Germany released an impressive, legally granular position paper on international law’s application in cyberspace. An inter-ministerial document prepared by the Foreign Office, Ministry of Defense, and Interior Ministry, it sets out firm positions on many key issues. Germany’s timing could not have been better, for the paper arrives in the final year of the United Nations’ Open-Ended Working Group and sixth Group of Governmental Experts (GGE) processes, and as the Biden administration pledges to “renew our commitment to international engagement on cyber issues, working alongside our allies and partners to uphold existing and shape new global norms in cyberspace.” (Interim National Security Strategic Guidance)
In this two-part series, I will examine the German positions, highlighting especially contentious issues on which the position paper weighs in and pointing out where it has plowed fresh ground. Part I considers general rules of international law, such as sovereignty, intervention, and the law of state responsibility, including legal response options to malicious cyber activity. Part II will address the rules governing the use of force and self-defense (jus ad bellum) and international humanitarian law.
Arguably, the German position paper’s treatment of sovereignty will prove its most influential stance, for the obligation to respect other states’ sovereignty is the international law rule most likely to be violated by a state’s cyber operations (see Tallinn Manual 2.0, Rules 1-4 and accompanying commentary). There are two generally recognized grounds for violation, both drawn from the definition of sovereignty in the 1928 Island of Palmas arbitral award: “Sovereignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.”
First, a remotely conducted cyber operation that causes certain effects on another state’s territory violates the latter’s sovereignty based on territoriality. Unfortunately, beyond physical damage or injury, there is no consensus among states about which effects qualify a cyber operation as a breach. Second, a remotely conducted cyber operation that interferes with, or usurps, “inherently governmental functions,” such as crisis management during a pandemic or conducting elections, also violates sovereignty. This is so regardless of whether physical damage or injury occurs.
Until March 2018, most discussions regarding the sovereignty rule’s application in cyberspace revolved around the territorial breach threshold. However, in that month, then United Kingdom (UK) Attorney General Jeremy Wright delivered a speech at Chatham House in which he announced that the UK viewed sovereignty as a principle from which other rules of law, like intervention, derived, but not as a rule capable of being violated in its own right.
That statement provoked confusion and concern among states. Sovereignty had long been recognized as a rule of international law that is indeed capable of being breached, including by the UK. Moreover, the sovereignty rule allows states to condemn other states’ hostile cyber operations as unlawful and opens the door to the taking of countermeasures (action that would be unlawful but for the fact that it is designed to terminate the “responsible” state’s unlawful activity; see Articles on State Responsibility, art. 22). In the cyber context, hack backs can sometimes be justified as countermeasures.
NATO allies France and the Netherlands soon thereafter issued statements taking a contrary view. Last year, NATO itself did so in its Cyber Doctrine, although the UK reserved on that point. Every other state that has issued an official statement on the matter has confirmed the existence of a rule of sovereignty (e.g., Austria, Bolivia, China, Czech Republic, Finland, Guatemala, Guyana, Iran, New Zealand, Republic of Korea, and Switzerland). The United States and Israel have avoided taking on the issue directly.
The debate has been an unfortunate detour from the real task at hand – working to identify the threshold for breach. This is why Germany’s official written stance on the matter, which it had earlier previewed in a 2015 speech, is of such significance; it helps force the discussion back to the real issue.
Germany begins by emphasizing that state sovereignty “is limited only by the relevant rules of international law, including international humanitarian law and international human rights law.” It then confirms both bases for violation described above. For instance, with respect to inherently governmental functions, it correctly observes that “foreign interference in the conduct of elections of a state may under certain circumstances constitute a breach of sovereignty.”
As to breaches of territoriality, “Germany essentially concurs with the view proffered, inter alia, in the Tallinn Manual 2.0 that cyber operations attributable to a State which lead to physical effects and harm in the territory of another State constitute a violation of that State’s territorial sovereignty.” It goes on to embrace the approach proposed by the Tallinn Manual experts, according to which a cyber operation affecting the functionality of cyber infrastructure may violate sovereignty, even if it does not cause physical damage to the system itself or to systems that depend on it (Tallinn Manual 2.0, Rule 4 commentary). In such situations, an evaluation of all relevant circumstances of the individual case will be necessary.
Notably, Germany rules out treating every hostile cyber operation against “critical infrastructure (i.e. infrastructure which plays an indispensable role in ensuring the functioning of the state in its society) or of a company of special public interest in the territory of the state” as a sovereignty violation. This is a useful clarification because states do not apply the “critical infrastructure” designation uniformly as a legal term of art, which Germany notes in its paper. Thus, whether a hostile cyber operation targeting such infrastructure violates the sovereignty of the state in which it is located depends on application of the two bases mentioned above, just like, as noted by Germany, operations directed at infrastructure that is neither critical nor of particular public interest. It is the effect of a cyber operation, not the target, that usually determines whether a territorial sovereignty violation has occurred. Relatedly, Germany concludes that “negligible physical effects and functional impairments below a certain impact threshold” are not sovereignty violations even if they materialize on critical infrastructure, a proper use of international law’s de minimis standard.
In international law, rights are typically accompanied by obligations. One such obligation that accompanies territorial sovereignty is due diligence. Citing the International Court of Justice’s first case, Corfu Channel, Germany asserts, properly in my opinion, that “States are under an ‘obligation not to allow knowingly their territory to be used for acts contrary to the rights of other States.’” It interprets this rule as applying to cyber operations by both States and non-state actors mounted from the territorial state.
The Tallinn Manual 2.0 experts agreed that due diligence is a rule of international law (Rules 6-7), a position numerous states have likewise embraced (e.g., Brazil, Estonia, Finland, France, Republic of Korea, the Netherlands, Chile, Ecuador, Guatemala, Guyana, and Peru). But it is not a universal view. For example, Argentina and Israel have opined that due diligence, at least as applied in the cyber context, has yet to achieve the status of a binding rule of international law. Because of the lack of unity on this issue, the UN GGE 2015 report treated due diligence as a “voluntary, non-binding rule of responsible state behavior,” rather than binding law.
The inability to achieve consensus on the due diligence rule’s status is unfortunate in two regards, the first relating to concerns states may have about the practical burden the rule imposes and the second relating to the practical implications of the availability of the rule for responding to hostile cyber operations. With respect to the first of these issues, it appears that some opposition may be based on a misunderstanding of the rule’s very limited scope. As interpreted by its supporters, the rule only applies when hostile cyber operations mounted through or from the territorial state’s territory affect the legal rights of the target state in a serious and adverse manner, the operations are ongoing or temporally imminent, the territorial state knows of the operations, and it is feasible for that state to terminate them (Tallinn Manual 2.0, Rule 7). It imposes no duty to take preventive measures that will minimize the chance of the state’s territory being used as a base of hostile cyber operations. Overall, the limited scope of the rule means that the burden imposed on states is no greater than a responsible state would otherwise carry.
Second, the territorial state’s failure to comply with the due diligence obligation opens the door to countermeasures by the victim state into that territory, including against non-state actors (see explanation here). This is of practical significance because countermeasures are generally impermissible in response to hostile operations by non-state actors unless those operations are attributable to a state.
Unlike the rule of sovereignty, consensus exists among states that cyber operations may sometimes run afoul of the prohibition of intervention into other states’ domaine réservé, that is, internal or external affairs left to states by international law (see, e.g., the 2015 UN GGE report that the General Assembly endorsed). Germany joins the list of states expressly confirming this conclusion (e.g., Australia, Finland, France, Israel, Netherlands, New Zealand, United Kingdom, United States here and here). In doing so, it relies directly on the International Court of Justice’s Paramilitary Activities judgment (para. 205), which held that unlawful intervention consists of (1) interference with another state’s domaine réservé that is (2) coercive in nature (see also Tallinn Manual 2.0, Rule 66).
Germany’s observation in the position paper that “cyber measures may constitute a prohibited intervention under international law if they are comparable in the scale and effect to coercion in the non-cyber contexts” is particularly interesting. The International Court of Justice proffered the scale and effects test in its Paramilitary Activities judgment (para. 195) as a means of assessing whether a use of force rises to the armed attack level, the condition precedent to acting in self-defense pursuant to Article 51 of the UN Charter and customary international law. The Tallinn Manual experts adapted that approach to evaluations of whether a cyber operation qualifies as a use of force (Rule 69). States have begun to do likewise (e.g., Australia, Finland, the Netherlands, New Zealand). The German adoption of the approach in the context of intervention is further evidence that it is gaining widespread acceptance as a means of assessing international law thresholds more generally when applied to cyber operations. In my view, that is an appropriate use of the scale and effect standard. The question is, of course, what scale and effects suffice to reach any particular rule’s threshold.
The most challenging aspect of applying the intervention prohibition is determining whether a cyber operation is coercive. Germany addresses the issue with noteworthy granularity. It describes coercion as a situation in which a state’s “will is manifestly bent by the foreign State’s conduct” but cautions that coercion is more than mere criticism or an attempt to influence.
Germany illustrates this distinction with the paradigmatic example, election interference (see my analysis here). The clearest example of coercive election intervention involves “the disabling of election infrastructure and technology such as electronic ballots.” In such cases, the will of the electorate is directly altered. Mere dissemination of disinformation, by contrast, may influence votes but is not coercive because the voters still retain the ability to vote as they wish. Germany applies this distinction surgically when it concludes that “it is conceivable that a State, by spreading disinformation via the Internet, may deliberately incite violent political upheaval, riots and/or civil strife in a foreign country, thereby significantly impeding the orderly conduct of an election and the casting of ballots.” In other words, coercion is determined by the effects caused, not solely the domaine réservé being targeted.
Additionally, Germany perceptively points out that “the acting State must intend to intervene in the internal affairs of the target State – otherwise the scope of the non-intervention principle would be unduly broad.” This is an important caveat. It means that cyber operations lacking a coercive mens rea do not qualify as intervention, as in the case of those motivated by criminal or purely malicious purposes. For instance, it is unclear that North Korea’s WannaCry operation qualified as intervention since it did not seem to have been inspired by any desire to change another state’s policies, even though health care, which North Korea targeted in the case of the UK, clearly falls within the UK’s domaine réservé.
Attribution of Cyber Operations
“Attribution” is a term used to describe technical, political, and legal concepts. Germany looks to the customary international law rules of state responsibility for the standards applicable to legal attribution, relying heavily on the International Law Commission’s restatement of that law in its Articles of State Responsibility. It serially walks through those bases, beginning with cyber operations conducted by state organs (art. 4) and persons or entities empowered by law to exercise elements of governmental authority (art. 5). Significantly, Germany emphasizes that even ultra vires cyber operations are attributable to the state in these two cases.
Importantly, and unlike other states that have spoken to the issue so far, Germany takes on the situation in which there is “remote use of cyberinfrastructure located in the territory of a State (forum State) by another state (acting State) for the implementation of malicious cyber operations by the latter.” Although concluding that this fact alone does not lead to attribution of the acting state’s operations to the forum state, Germany perceptively warns that if the “forum State actively and knowingly provides the acting State with access to its cyber infrastructure and thereby facilitates malicious cyber operations by the other State,” the former will be responsible for its “aid and assistance.”
This dynamic is sometimes misunderstood. In such cases, the forum state will generally, absent deeper involvement in the operation, be responsible under the law only for its aid and assistance, not for the harm caused by the acting state’s hostile cyber operation (art. 16). And it must be remembered that even if a state has not breached its obligation to refrain from aiding or assisting another state’s unlawful cyber operation, it might be responsible for a due diligence violation if it fails to take measures to terminate significant, known malicious cyber operations from its territory. The recent Department of Justice indictment of three North Korean military hackers who were at times stationed in Russia and China indicates that this remains a live issue to which states should be paying attention if they hope to hold responsible states to account.
Perhaps the most challenging attribution situation arises when a state encourages, supports, or turns to non-state actors. In such cases, the state is responsible for the cyber operations of the non-state actor if the latter acted “on the instructions of, or under the direction or control” of the state (art. 8). This standard is difficult to apply, for the degree of control necessary to reach that threshold remains ambiguous and is often hard to establish factually. According to Germany, “while a sufficient degree or intensity of such control is necessary [over a ‘specific cyber operation or set of cyber operations’], the State is not required to have detailed insight into or influence over all particulars, especially those of a technical nature, of the cyber operation.”
The International Court of Justice took a seemingly stricter approach in its Genocide Convention judgment (para. 400), where it stated, “It must … be shown that this ‘effective control’ was exercised, or that the State’s instructions were given, in respect of each operation in which the alleged violations occurred, not generally in respect of the overall actions taken by the persons or groups of persons having committed the violations.” In light of the pervasiveness of state involvement with non-state actors conducting hostile cyber operations, the Court’s interpretation of the customary rule seems overly restrictive, at least to be effectively applied in the cyber context.
Germany is of the view that “the act of formally attributing malicious cyber operation to a state under international law is first and foremost a national prerogative”; there is no requirement to make public the facts upon which attribution is based (see also Finland, Israel, New Zealand, Tallinn Manual 2.0 Rule 17). That said, it asserts that attribution should only occur once “a sufficient level of confidence” is reached and “all relevant information” has been considered. And despite the absence of a legal obligation to “submit for public scrutiny detailed evidence on which an attribution is based,” Germany argues that it “should be substantiated.” The UN GGE, which includes the P5 members, took this position in its 2015 report, which the General Assembly subsequently endorsed.
The German position paper addresses the three key options available to respond to malicious cyber operations below the use of force level – retorsion, countermeasures, and the plea of necessity.
Retorsion: Noting that acts of retorsion (unfriendly but lawful acts, such as denying access to cyber infrastructure on the state’s territory) are primarily political in character, the position paper points out that they are useful when other responses are unavailable (as in the case of a countermeasure that would be disproportionate) or politically ill-suited to the circumstances. Retorsion can also supplement countermeasures “as part of a state’s comprehensive multi-pronged response to malicious cyber activities.” A sophisticated example of retorsion as a response option is the European Union’s Cyber Diplomacy Toolbox.
Countermeasures: More legally significant are countermeasures, acts by a victim state (the “injured state” in the law of state responsibility) that would be unlawful but for the fact that they are designed to put an end to another state’s (“responsible state”) unlawful cyber operations or secure any reparations that may be due (Articles on State Responsibility, arts. 22, 49-54). The German position paper draws on Tallinn Manual 2.0 to emphasize that “cyber-related as well as non-cyber-related breaches of international obligations may be responded to by both cyber and non-cyber countermeasures” (Tallinn Manual 2.0, Rule 20). This is an essential operational point that commentators sometimes miss. For instance, advocates of the “no sovereignty rule” position sometimes claim that hostile cyber operations need not be labeled a breach of sovereignty before responding because the injured state’s in-kind response would be lawful by the same interpretation, and therefore not need to qualify as a countermeasure. Although this is generally true, if the attacking state’s cyber operation is lawful, non-cyber countermeasures are off the table for the target state because countermeasures are only available in the face of unlawful conduct (see discussion of in-kind cyber responses here).
Although Germany acknowledges the right to take proportionate countermeasures, it sagaciously warns, “cyber countermeasures are specifically prone to generating unwanted or even unlawful side effects.” This being so, injured states should take particular care in assessing whether a proposed countermeasure can comply with the various requirements and limitations that bound countermeasures. In particular, Germany suggests that “A State may–a maiore ad minus–engage in cyber reconnaissance measures in order to explore options for countermeasures and assess the potential risk of side effects.” By suggesting this precautionary step, Germany necessarily acknowledges that espionage as such is not a violation of international law.
Germany does not address the unsettled issue of collective countermeasures. There is no consensus among states as to whether an injured state that is taking countermeasures may be assisted or ask another state to take countermeasures on its behalf. France takes the position that collective countermeasures are impermissible, whereas Estonia is of the opposite view (see also the uncertain position of New Zealand). To an extent, the capabilities of the states concerned will drive their positions. Those unable to effectively resort to cyber countermeasures on their own will understandably embrace the notion. By contrast, states that field robust cyber capabilities might hesitate to do so, lest they find themselves under pressure to become involved in politically (or legally) delicate situations. In my estimation, collective countermeasures are supportable under international law (see forthcoming article with Sean Watts in Harvard National Security Journal), but the question remains open among states.
Germany also fails to address whether an injured state must notify the responsible state before taking countermeasures. According to one view, the customary law of state responsibility requires an injured state to call upon the responsible state to stop its unlawful activity and offer to negotiate except when “urgent countermeasures are necessary to preserve its rights” (Articles on State Responsibility, art. 52). Most states that have addressed cyber countermeasures are opposed to a strict application of the urgent countermeasures provision because cyber operations can unfold rapidly, and prior notice may afford the responsible state an opportunity to defeat their cyber countermeasures (e.g., France, Israel, Netherlands, New Zealand, the United Kingdom, the United States).
The Plea of Necessity: Lastly, Germany acknowledges the right to respond to hostile cyber operations based on the plea of necessity, which applies when the malicious cyber operations pose a grave and imminent peril to an essential interest of the state. As a “circumstance precluding wrongfulness” in the law of state responsibility, the plea applies when the response would otherwise be unlawful but is the only means of putting an end to the peril in question (Articles on State Responsibility, art. 25, Tallinn Manual 2.0, Rule 26).
Germany’s position paper usefully points out that whether targeted cyber infrastructure is “essential” depends on the circumstances. In particular, “essential interest may, inter alia, be explained by reference to the type of infrastructure actually or potentially targeted” or “the type of harm actually or potentially caused as a consequence of the foreign State’s cyber operation.” It offers critical infrastructure as an example of the former and serious physical harm to individuals as illustrating the latter. Similarly, the Netherlands has cited the electricity grid, water supply, and banking system as essential interests.
The critical point is that the mere fact that a hostile cyber operation has targeted an essential interest does not alone justify acting on the basis of necessity; the peril must be grave. An example of failure to satisfy this element would be pure espionage involving critical infrastructure, as in the SolarWinds incident. Correspondingly, grave and imminent peril to a non-essential interest, such as a cyber operation that results in the inability to hold a major entertainment event, would not suffice. Despite these limitations, and unlike countermeasures, the plea of necessity is available in situations in which the hostile cyber operations cannot be attributed to a state or do not violate international law; it is a “break glass” remedy.
Germany concludes its statement with a reminder that “uncertainties as to how international law might be applied in the cyber context can and must be addressed by having recourse to the established methods of interpretation of international law.” It expresses support for the work of the UN working groups on cyber and international security, not only in their effort to identify binding rules of international law applicable in cyberspace, but also when elaborating so-called “voluntary, non-binding norms for responsible state behavior in cyberspace.” Such norms are essential temporary measures while states sort out the precise parameters of international cyber law. To some extent, they can also serve to fill any lacuna left during that process.
Demonstrating its commitment to viewing the matter with an open mind, Germany also “highlights the importance of States’ reflecting and taking heed of the multifold and rich academic and civil society debates worldwide on the role and function of international law in the cyber context.” Germany has adopted a very mature, responsible, and sophisticated approach to international law’s role in cyberspace and is to be applauded for doing so.
In Part 2 of this series, I will address how Germany has dealt with jus ad bellum issues and international humanitarian law.
IMAGE: The Garmin Connect software, unsuccessfully attempting to contact the company’s servers, is seen on a mobile phone in this photo illustration on July 25, 2020 in Berlin, Germany. GPS and wearable device company Garmin said a widespread blackout, now in its third day, has left its fitness devices, website and call centers offline in what may be a ransomware attack. (Photo by Adam Berry/Adam Berry/Getty Images)