On December 29, 2022, Poland published its position on how international law applies to cyberspace. The 8-page document delivers a well-crafted and nuanced position on the current issues regarding the applicability of international law to cyber operations and puts Poland firmly into the mainstream of opinion on many of them, while offering useful examples to further the debate. The paper also includes bold propositions and arguments on issues such as third-party countermeasures and non-intervention, which will push the discussion forward on contested areas of law. This article offers a brief overview and discussion of the main points of the position paper.
Sovereignty at the core of international obligations in cyberspace
The position paper starts with reiterating Poland’s position that international law applies to cyber operations and that respect for international law and norms is a necessary precondition for the preservation of international peace and security in cyberspace. Furthermore,
[i]n Poland’s view, the practice of publicly presenting positions in key matters concerning international law increases the level of legal certainty and transparency, at the same time contributing to strengthening respect for international law commitments, and offers an opportunity to develop customary law.
In this spirit, the paper’s discussion of legal issues opens with sovereignty, which Poland regards as a fundamental principle of international law, giving rise to other rights and obligations such as the principle of non-intervention, as well as norms on jurisdiction and immunities. Referring to the Palmas case, Poland sees the core of sovereignty in independence, equality and the inviolability of a State’s territorial integrity and political independence. Consequently, States exercise supreme authority over their own territory, which includes persons and objects, such as information and communication technology (ICT) infrastructure. From this supreme authority also stems the right to protect persons and objects within a State’s territory.
As a result, the Republic of Poland takes the position that the violation of a state’s sovereignty may occur both in the event of an attack against state infrastructure and against private infrastructure. A mere fact that IT infrastructure is linked in a number of ways with an international network does not result in the state’s losing any of its rights with respect to such infrastructure.
At the same time, external sovereignty implies that
a state is independent in its external relations and is capable of freely engaging in any actions in cyberspace, also outside its own territory, subject to restrictions under international law.
Here, Poland explicitly affirms the view that sovereignty is not only a principle of international law, but a right in itself, requiring States to respect the boundaries of sovereignty both offline and online.
The principle of sovereignty requires other states to refrain from any actions that would violate sovereignty, and in particular states are obliged not to knowingly make their territory available for the purposes of acts that would violate the rights of other states. Poland is of the opinion that in the event of a hostile operation conducted in cyberspace, causing serious adverse effects within the territory of a state, such actions should be considered a violation of the principle of sovereignty, irrespective of whether such effects are of kinetic nature or are limited to cyberspace.
This passage is notable for two reasons. First, Poland argues that cyber operations causing “serious adverse consequences” within a State’s territory would qualify as violations of sovereignty. This would imply that non-consensual cyber operations conducted in foreign networks might not violate another State’s sovereignty if they are low-intensity and do not produce any or only negligible effects. Such a position would reject the French penetration-based approach, whereby any penetration of a State’s ICT infrastructure qualifies as a violation of sovereignty, and be more in line with the Tallinn Manual 2.0 approach, which finds support with States such as the Netherlands or Germany. However, the examples Poland gives to show which cyber operations it would qualify as sovereignty violations do not fully square with the Manual’s approach either:
The violation of the principle of sovereignty may be exemplified by a conduct attributable to a third country that consists in interfering with the functioning of state organs, for instance by preventing the proper functioning of ICT networks, services or systems of public entities, or by a theft, erasure or public disclosure of data belonging to such entities.
The Tallinn Manual 2.0 and its supporters argue that a remote cyber operation may violate sovereignty in two situations: (1) where there is a significant infringement of the target State’s territorial integrity that causes damage or a serious loss of functionality; and (2) when there is an interference with or usurpation of a State’s inherently governmental functions. Poland’s example of “preventing the proper functioning of ICT networks” would fall into the first category as a “loss of functionality,” consistent with the view of the Tallinn experts, although they could not find consensus on the precise threshold. Here, Poland seems to position itself on the progressive side of the argument, as it does not specifically require the loss of functionality, to include the necessity to repair or replace physical components, to find a violation of sovereignty.
At the same time, the example of “theft, erasure or public disclosure of data” belonging to State organs goes much further than “interference with or usurpation of inherently governmental functions,” as data theft usually is clandestine and does not impact the targeted State’s ability to exercise its governmental authority or produce serious adverse effects. This, in turn, brings Poland closer to the French penetration-based approach.
There is, therefore, an unresolved tension in Poland’s position and further clarification would be highly welcome. By way of background, it should be added that in June 2021 Poland was hit by a hack-and-leak operation targeting, amongst others, minister Michał Dworczyk, then head of the Office of the Prime Minister. The revelations from his e-mails, which have been published on Telegram and continue to be leaked up to this day, shook the Polish political scene. Poland has subsequently attributed the hack to the “Ghostwriter” campaign allegedly conducted from the territory of the Russian Federation by hackers from UNC1151 group. This may help to explain why the current administration in Poland would want to qualify such operations as violations of sovereignty.
Cyber due diligence
Second, Poland elegantly links the core of sovereignty (exclusive control and authority over territory) to the question of cyber due diligence, i.e., the obligation not to knowingly allow one’s territory to be used for internationally wrongful acts which violate the rights of other States. A logical consequence of the exclusive authority over territory is the obligation to prevent its malicious use. As such, cyber due diligence already exists as an obligation under international law as a corollary of sovereignty and does not require new and extensive State practice to emerge, as is for instance the position of the United Kingdom (here and here, at p. 117), the United States (here at p. 141) and Israel (here).
In Poland’s view
States should exercise due care to ensure that the IT infrastructure located within their territory is not used for unauthorised actions targeted at third countries. The same applies to persons staying within the territory of the state. An assessment of whether the state exercised due care or not should be contingent upon its technological advancement, expertise/resources and knowledge about actions in cyberspace initiated within its territory.
Thus, Poland implicitly agrees that due diligence is an obligation of conduct, not of result, and the extent of the obligation depends on actual knowledge and capacities and capabilities of the territorial State. This is again generally consistent with the approach taken by the Tallinn experts, which concluded that a rule of due diligence requires a territorial state to take “feasible” measures to terminate ongoing hostile cyber operations “that are causing serious adverse consequences for another state’s legal right.” It is also generally consistent with views expressed by Germany and Japan. Unfortunately, Poland does not address the question whether there is a threshold of severity of the malicious cyber operation for the cyber due diligence obligation to be triggered, as has been proposed for instance by Japan.
On the duty not to interfere in the internal affairs of other States, Poland places itself in the mainstream of opinion, affirming the International Court of Justice’s definition of intervention:
The threshold for considering a specific operation in cyberspace to be in breach of the principle of non-intervention is higher than in the case of deeming it solely a violation of the principle of sovereignty. To be in breach of international law, an intervention must include the element of coercion that aims at influencing the state’s decisions belonging to its domaine réservé, i.e. the area of state activity that remains its exclusive competence under the principle of sovereignty.
The position paper does not dive into a dogmatic discussion of the concept of coercion, simply noting that there is no universally applicable definition, but nevertheless gives some useful examples of what Poland would consider as constituting a prohibited intervention.
In particular, any action in cyberspace that would prevent the filing of tax returns online or any interference with ICT systems that would prevent a reliable and timely conduct of democratic elections would be a violation of international law. Similarly, depriving the parliament working remotely of the possibility of voting online to adopt a law or modifying the outcome of such voting would also be such a violation.
In furthering a line of argumentation first developed by Germany, the paper also notes that
a wide-scale and targeted disinformation campaign may also contravene the principle of non-intervention, in particular when it results in civil unrest that requires specific responses on the part of the state.
In its national position, Germany argued that “spreading disinformation via the internet, may deliberately incite violent political upheaval, riots and/or civil strife in a foreign country, thereby significantly impeding the orderly conduct of an election and the casting of ballots [and thus] may be comparable in scale and effect to the support of insurgents and may hence be akin to coercion.” Germany thus used a scale-and-effects test to compare the results of online disinformation campaigns to other examples held to constitute coercion (support for insurgents) in order to apply the non-intervention rule.
Poland offers a slightly different route, instead looking at the type of actions a State may be forced to undertake in response to the unrest caused by disinformation campaigns. If a disinformation campaign forces a State to undertake actions or make choices on matters falling within the domaine réservé, then these choices are no longer free, but coerced.
Use of force and self-defence
Like most other States, Poland affirms that cyber operations may, under certain circumstances, qualify as a use of force and even an armed attack, thereby triggering the right of self-defence. Consistent with the mainstream view, Poland applies an effects-based test to the question of when a cyber operation crosses the force-threshold:
Perceiving a cyberattack as the use of force is supported by the possibility of it causing similar effects to those caused by a classic armed attack executed with the use of conventional weapons. […] An action in cyberspace that leads to: a permanent and significant damage of a power plant, a missile defence system deactivation or taking control over an aircraft or a passenger ship and causing an accident with significant effects may be considered the use of force.
On self-defence, the position paper stresses that the attacked State is not limited to actions in kind, i.e., to the cyber realm when responding to a cyber operation. Such a limitation would effectively deprive the State of its right to self-defence, if it were attacked by a State with a lesser degree of dependence on ICTs.
The Polish position paper is very brief on international humanitarian law, simply noting that “[t]he requirements of international humanitarian law apply also to actions carried out in cyberspace during an armed conflict.”
State responsibility and third-party countermeasures
The last parts of the Polish position paper are devoted to issues relating to the law of State responsibility and contain perhaps the most interesting and novel, albeit contentious, proposition. First, Poland affirms the applicability to cyber operations of the customary rules on State responsibility as laid down in the International Law Commission’s (ILC) Articles. This applies both to the question of attribution, as well as countermeasures, which the paper discusses under the topic of “response options.”
Second, on the issue of countermeasures the paper follows the established position that any action taken as a countermeasure must in essence be limited to the non-performance of international obligations, be limited in time, aimed at inducing the responsible State to fulfil its obligations, be proportionate, and must not affect norms pertaining to fundamental human rights, IHL obligations, and peremptory norms. Sadly, Poland does not address the issue of procedural preconditions for the taking of countermeasures, especially whether a State is required to call upon the responsible State to cease its violating conduct and announce the intent to take countermeasures.
Next, the position paper addresses the issue of third-party countermeasures, that is countermeasures taken by a State other than the State which had been the target of the malicious cyber operation. It should be recalled that under the law of State responsibility measures of redress against violations of legal obligations are usually confined to bilateral action. Typically, only the injured State may, for example, institute legal proceedings against the responsible (perpetrator) State or take countermeasures. Whether and to what extent third States, which have not been injured by the primary violation, may also take action against the responsible State has long been a matter of intensive debate, with many States and academics saying that collective action should be limited to action through the UN Security Council.
With regard to the question of collective action against cyber operations, it was Estonia who first proposed that “States which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation.” As explanation, it argued that it is important for States to “respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists.” However, this view has been rejected by France and Canada due to a lack of sufficient State practice and opinio iuris to support this position, while New Zealand professed to be “open to the proposition.”
In its national position Poland makes a short but powerful argument in support of the notion of third-party countermeasures:
the Republic of Poland expresses the view that the evolution of customary international law over the last two decades provides grounds for recognising that a state may take countermeasures in pursuit of general interest as well. In particular, the possibility of taking such measures materialise itself in response to states’ violations of peremptory norms, such as the prohibition of aggression.
In its 2001 Articles on State Responsibility, the ILC concluded that third States (other than the injured one) may invoke the responsibility of the perpetrator State if the obligation that has been breached is established for the protection of a collective interest of a group of States or is owed to the international community as a whole (Article 48). However, it left open whether this would also include the right to take countermeasures (Article 54). Poland now argues that since the drafting of the 2001 ILC Articles on State responsibility, international law has now evolved to a point where there is sufficient State practice and opinio iuris to argue for the emergence of a customary right to collective – or third-party – countermeasures in those cases where the norm that has been violated protects not only the rights of the injured State, but also the interests of a group of States or the international community as a whole. This argument is not new and has already been put forward in academic studies (for instance here and here), while others even argue that “no clear prohibition on collective countermeasures has crystallized to unequivocally preclude a state position, such as the one Estonia took” (here).
Furthermore, recent events such as Russia’s aggression against Ukraine have once again highlighted the limits of the United Nations as the forum for collective action to protect community interests. If the Security Council cannot fulfil its responsibility to protect international peace and security and to act against violators of peremptory norms, such as the prohibition of aggression, then it falls to collectives of like-minded States willing to protect the international rules-based order by way of, inter alia, countermeasures. The Polish position paper will therefore surely prove a valuable contribution to the debate surrounding third-party countermeasures in cyberspace and beyond.
Summing up, Poland’s national position on the application of international law to cyber operations is a welcome and necessary addition to the growing list of States’ views on this issue. It reflects the existing consensus on the use of force and non-intervention, strengthens the arguments of those States arguing that sovereignty is a rule, rather than only a principle of international law, and gives strong arguments for the international discussion on third-party countermeasures, disinformation campaigns and cyber due diligence.