A recent United Nations event gave States new opportunities to announce their position on how international law applies to cyberspace, and the position of Austria and the Czech Republic was prominent. UN Open Working Group on developments in information and telecommunications in the context of international security (OEWG) held its second substantive session February 10-14. In their statement, the two States take a firm position in the ongoing debate over whether sovereignty is only a principle, or also the rule of international law, with both supporting the latter view by recognizing the existence of an independent obligation to respect sovereignty in cyberspace.
Austria has recently become a target of severe cyber operations. In that context, we want to refer to the principle of state sovereignty. Violation of this rule is an internationally wrong action – if it is associated with a country – in which the target country can request reparations based on state responsibility law. The target country can also react through proportional countermeasures. But it is clear that the reference to state sovereignty should not be misused to justify violations of human rights within national borders. In other words, state sovereignty should not function as an excuse to tighten control over citizens which weaken their human rights such as the right to privacy and freedom of expression.
Likewise with Czech representatives is stated:
The Czech Republic agrees with those who consider the principle of sovereignty as an independent right and respect for sovereignty as an independent obligation.
The Czech Republic strongly believes that based on this principle, the State can freely do without interference in any form by other countries both aspects of sovereignty in cyberspace, both internal, with exclusive jurisdiction over ICT. [Information and Communication Technologies] located in its territory, or outside, including the determination of its foreign policy, is only subject to obligations under international law.
These statements are important contributions to the ongoing discussion about the status of the principle of sovereignty in cyberspace (for an overview of different views, see previous work by Michael Schmitt, Harriet Moynihan and self, but also Colonel (Retired) Gary Corn and Corn with Robert Taylor and Corn with Eric Jensen). Some countries, especially great Britain (and maybe United States of America, which will be discussed later), holds that sovereignty is only a principle of international law and does not create autonomous and separate legal obligations, but is protected by other established international legal rules, such as a ban on the use of force or the principle of non-intervention. Other countries, like France, German and Netherlands, has come out to support the position of sovereignty as a rule and argues that cyberspace operations can, under certain conditions, also violate the sovereignty of the intended State.
That was the last, the camp of sovereignty as a rule that Austria and the Czech Republic now joined. Importantly, the two statements do not doubt the nature of the law of sovereignty in cyberspace which underlines that sovereignty “is an independent right” and respect for sovereignty “is an independent obligation” (Czech Republic) and “violation of this rule is an international error of action” (Austria) This clarity is very welcome, because it eliminates the possibility of (mis-) interpreting statements to argue that references to “violations of sovereignty” may yet only refer to “the principle of sovereignty,” rather than binding legal obligations.
The Threshold of Violation of Sovereignty in the Virtual World
Among proponents of the position of sovereignty as a rule, there are two different views about when violations of sovereignty can occur (a more detailed analysis of these differences can be found in policy summary I have written and deep Chatham House Report). Under the French-based “penetration” approach, “[a]Penetration without permission by the French State system or the production of any effect on French territory through digital vectors can constitute, at the very least, a violation of sovereignty. “
This follows from this approach which violates the confidentiality, integrity or availability of the ICT system can be considered by France as a violation of sovereignty.
Under the opposite “de minimis” approach, it is recommended for example by Tallinn Manual 2.0 and Netherlands, not every violation of cyber security will automatically constitute a violation of sovereignty, but only violations carried out with a certain degree of violation of the territorial integrity of the target State, or through interference or seizing inherent governmental functions. While Austria has not expressed its views on the proper threshold of violations of sovereignty, the Czech Republic supports the de minimis approach, as is clear from examples of cyber operations, which they consider to be violations of state sovereignty. The Czech Republic registers as follows:
A. cyber operations that cause death or injury to people or significant physical damage;
B. cyberspace operations that cause damage or disruption to cyberspace or other infrastructure with significant impacts on national security, the economy, public health or the environment;
C. cyber operations that interfere with any data or service that is essential for the implementation of inherent government functions, and thus significantly interfere with the implementation of those functions; for example, distributing ransomware that encrypts computers used by the government and thereby significantly delaying pension payments;
D. cyberspace operations against a State or entity or person located therein, including international organizations, which are carried out by organs that are physically present from another State.
Examples A, B and D reflect the first alternative formulated by Tallinn Manual 2.0 and are also found in the Dutch position, while example C speaks with the second alternative.
In relation to example A, it appears that cyber operations that cause death or injury to people or significant physical damage may also qualify as the use of force, especially if the Czech Republic supports a “scale and effect” test for comparison of cyber. attacks on the use of “traditional” power, which is currently favored by most countries who have put forward their views on this issue (for comparative analysis, see policy summary).
Example D reflects the position that sovereignty protects the right of a State to control the access of another State agent to its physical territory or airspace. Unfortunately, the Czech position does not explain why the determining factor must be the physical presence of other State agents within the targeted Country’s territory when cyber operations are carried out, rather than the effect of cyber operations on the targeted State ICT infrastructure. It is not clear why near-access cyber operations that result in installing malware on computers in the targeted country must be considered a violation of the country’s sovereignty, while remote-access cyber operations that produce exactly the same results should not. To be fair, both the Tallinn Manual and the Dutch statement are not more specific in this regard. Another uniqueness in example D is that the Czech Republic views only closing access to cyber operations carried out by “physical organs in other countries” as a violation of sovereignty, thus apparently not including operations carried out by non-state actors under instructions or directives or control of another State (for example, organs of a State are protected by article 4 of the Articles of State Responsibility, while non-state actors under the control of a State are discussed separately under article 8). In contrast, the Tallinn Manual uses language that is almost exactly the same as D but refers to actions by “State organs, or others whose behavior might be related to the State.” We should hope that this point will be discussed further (or redeemed) in a forthcoming detailed statement on the application of international law to cyber operations.
Statement of the Consul General of Sovereignty regarding Sovereignty in Cyberspace
Three weeks after Austria and the Czech Republic made their statements during the OEWG session, US Department of Defense (DoD) General Counsel Paul Ney gave a speech at the US Cyber Command Law Conference, where he discussed, among other matters, the question of sovereignty in cyberspace (full statements can be found here, see also comments and analysis on Ney’s statement by Robert Chesney, Michael Schmitt and Russell Buchan). With regard to sovereignty, Ney said:
For cyber operations that are not prohibited interventions or the use of force, the Department believes there is no broad and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits non-consensual cyber operations in the territory of other Countries. (…)
DoD [Office of the General Counsel] The OGC’s views, which we have adopted in the legal review of military cyber operations to date, have similarities to the views expressed by the British Government in 2018. We recognize that there are differences of opinion among countries, which indicate that state practices and opino juris does not currently solve this problem. In fact, the public silence of many countries in the face of innumerable publicly known cyber intrusions into foreign networks precludes a conclusion that countries have united in the general view that there is an international ban on all such operations (regardless of any punishment which may be handed down domestically) law).
In a simple reading, the General Counsel seems to support the British sovereignty approach as a principle, though cautious, as referred to by the reference to “commonality”. However (as observed by Schmitt and Buchan), the DoD OGC seems to leave a back door for sovereignty analysis, reflected in Ney who further stated that:
As a threshold problem, in analyzing the proposed cyber operation, DoD lawyers consider the principle of State sovereignty. Countries have sovereignty over information and communication technology infrastructure within their territories. The implication of sovereignty for cyberspace is complex, and we continue to study this issue and how developing countries practice in this field, even if there are no rules that all violations of sovereignty in cyberspace must involve violations of international law.
Reference to all violations Sovereignty seems to reject a French penetration-based approach, while allowing the possibility of accepting that some violations of sovereignty can constitute violations of international law, if additional additional factors (and to date not determined) are met. However, the current DoD position is:
For cyber operations that are not prohibited interventions or the use of force, the Department believes there is no broad and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits non-consensual cyber operations in the territory of other Countries.
The main reason for this view is that there is no state practice that is broad and consistent, paired opino juris, which will set the customary rules. Ney put forward two arguments to support this conclusion. The first argument is that “many countries secretly face innumerable publicly-known cyber intrusions into foreign networks,” which Ney interprets as stating that they do not support the obligation to respect sovereignty in cyberspace. The second argument is the absence of customary international legal norms that prohibit espionage alone, “Even when it involves some level of physical or virtual intrusion into foreign territory.” In the latter case, the similarity between certain cyber espionage operations and other cyber operations which constitute virtual intrusion into foreign ICT systems will speak out against the existence of sovereignty rules.
I see three main problems with the argument of General Counsel Ney.
First, Regarding what is considered to be the silence of other countries on this issue, it must be noted that since July 2019, four countries (the Netherlands, France and more recently, Austria and the Czech Republic) have supported US Sovereignty. a-rule approach. These statements are part of an emerging trend of countries adopting a clear position on the issue of cyber operations and sovereignty, hopefully more and more countries will overcome this problem in the near future (for example, Finland was announced that he works in a position on international law in cyberspace). More importantly, however, silence on certain matters does not always indicate acceptance of the existence or absence of special rules of international law. As an International Law Commission observed (pp. 141-142) in his work on the identification of customary international law, two conditions must be met because there are no open objections to be considered as evidence of acceptance of certain practices as law:
First, it is important that a reaction to the practice in question will be needed: this may occur, for example, where the practice is affecting – usually unfavorable – the interests or rights of the State that fails or refuses to act. Second, reference to a State that is “in a position to react” means that the State concerned must have knowledge of the practice (which includes circumstances where, due to the publicity given to the practice, it must be assumed that the State has such knowledge), and that he must have enough time and ability to act.
Thus, silence on the question whether there is an obligation to respect the sovereignty of other countries in cyberspace can be counted as opino juris to support the absence of such rules only with respect to countries whose sovereignty will be affected by cyberspace operations and only on the condition that they are in a position to react. This provision is very important in the context of cyberspace, given the difficulties that can be relied upon to link cyberspace operations to a State and the trade-offs that States must make in expressing what they know about the cyber activities of other countries which is usually very sensitive information. In addition, it should be noted that in his statement Austria specifically referred to as a target of severe cyber operations. Likewise, Georgia, which experienced a large-scale cyber attack at the hands of Russia’s Main Intelligence Directorate (GRU) in October 2019, cursed attacks such as “against international norms and principles, once again violating Georgian sovereignty.” Thus, affected countries give their views on this issue when it is appropriate to do so.
Second, General Counsel Ney’s cyber espionage argument is equally open to objection. While many indeed argue that peacekeeping operations are not alone in violation of international law, the Tallinn Manual points out (in Rule 32) that “the method carried out might do it.” As such, the absence of a general prohibition against espionage in peacetime international law does not by analogy show that States accept non-consensual cyber espionage operations that violate the cyber security of the ICT system under their jurisdiction. Given that silence can show opino juris only in cases where a country has active knowledge of a fact, the secret nature of cyber espionage operations in my view prevents reading too much into the general silence of the state regarding this matter. In addition, scholars point out that there is evidence of States protesting and invoking their sovereignty when they discover that they have become targets of cyber espionage operations. For example, certain members of the South American trading bloc MERCOSUR issue a pay attention to verbale for then-U.N. Secretary General Ban Ki-moon in July 2013 protested against US espionage activities which, according to them, “regard as[d] unacceptable behavior that violates[d] [their] sovereignty ”(for further reference, see Russell Buchan Book starting from thing. 54).
Third, more generally, the argument of General Counsel Ney seems to depend on the assumption that the existence of an obligation to respect the territorial sovereignty of other countries in cyberspace must be proven inductively by the practice of the State which is quite broad and uniform and opino juris, rather than deduced from the general application of international law rules in cyberspace. But the US Government Expert Group Report for 2013 and 2015 emphasizing that “international law” – and not just a specific set of rules – applies to State behavior in cyberspace. As such, it is not necessary to prove the application of any pre-existing international law – such as the obligation to respect the territorial sovereignty of other countries – by means of the practice of the new State which is broad and consistent and opino juris. The Czech Republic statement explains this:
For obvious historical reasons, there are no existing international legal instruments that explicitly refer to cyberspace problems. However, this does not mean that this instrument cannot somehow be applied to cyberspace. On the contrary, in his 1971 advisory opinion, the International Court of Justice found that international instruments must be interpreted and applied within the framework of the entire legal system in force at the time of interpretation. The concept of dynamic or evolutionary interpretation is also implied in Article 31 (3) b of the Vienna Convention on Agreement Law.
The Czech Republic further elaborates on this in his comments on the “pre-draft” initial report The Open Working Group, which states:
Specifically, OEWG can highlight the following principles, which should guide the application of international law in the context of ICT:
(i) a technology neutral approach to regulating ICT, which provides protection against the rapidly evolving nature of ICT technology;
(ii) interpretation and application of existing international instruments for ICT in accordance with Article 31 (3) b of the Vienna Convention on Agreement Law (and what is called dynamic interpretation or evolution of international law);
(iii) interpretation and application of existing international instruments for ICT “within the framework of the entire legal system in force at the time of interpretation” (see ICJ Advisory Opinion 1970 on Legal Consequences for Countries with Continued Presence in South Africa in Namibia).
This reason also applies to customary international law. If this is not the case, the adoption of customary rules on State responsibility or international humanitarian law in cyberspace (which is strongly supported by the United States) may also be questioned. So, the question shouldn’t be is the obligation to respect the sovereignty of other countries exists in cyberspace, but precisely How the obligation applies in the technical context of cyberspace operations.
Conclusion: A Clearer Statement is Needed
The Austrian and Czech submission is an important voice in the ongoing debate about the status of sovereignty in cyberspace and expanding the practice of the State and opino juris in this field. What’s more, they show that not only “big players” with advanced cyber capacity can contribute to the debate, and hopefully the Austrian and Czech examples will soon be followed by other members of the international community. At the same time, Ney’s General Counsel’s statement brought much-needed clarity to the current US position and offered a legal basis for the doctrines of “forward defense” and “permanent involvement” that the United States had adopted in its cyber operations. With five States openly supporting the position of sovereignty as a rule, the United Kingdom and the United States (or at least the US Department of Defense) find themselves in the minority, and the weight of international opinion may potentially slowly turn towards the opposite view. Of course, it is still too early to say how the debate will develop and surely the issue of sovereignty will remain debated for some time. But it is important for the interests of international peace and security that States express their views and discuss this issue, even if consensus may not be reached in the short term.
Image – Source: iStock / Getty Images Plus, Grafissimo, Image # 1140346323
to request modification Contact us at Here or [email protected]