The Petya ransomware cyberattack hit computers of Russian and Ukrainian companies on 27 June 2017. Photo by Donat Sorokin/TASS/Getty.
1. Introduction
1. Hostile cyber operations by one state against another state are increasingly common. It is estimated that over 22 states are responsible for sponsoring cyber operations that target other states, and the number and scale of these operations is growing.1 Cyber operations that cause injury or death to persons or damage or destruction of objects could amount to a use of force or armed attack under the UN Charter (although the threshold for what constitutes a use of force is itself an area of controversy).2 But in practice, the vast majority of cyber operations by states take place below the threshold of use of force, instead consisting of persistent, low-level intrusions that cause harm in the victim state but often without discernible physical effects.
2. To take just a few public examples, the NotPetya attack, an indiscriminate malware attack on companies and governments Europe-wide, was attributed to Russia by a number of states in February 2018.3 A global hacking campaign targeting universities was attributed to Iran by the US and UK in March 2018. An attack aimed at compromising specific routers to support espionage and theft of intellectual property (IP) was jointly attributed to Russia by the US and UK in April 2018.4 In December 2018, the so-called Five Eyes intelligence-sharing alliance5 attributed the activities of a Chinese cyber espionage group targeting IP and sensitive commercial property to China’s Ministry of State Security. China has also been targeted; the country stated that, in 2017, it suffered nearly $60 billion in economic loss due to cybersecurity incidents, with 93.5 per cent of ransomware attacks in China conducted from overseas.6 In October 2019, the UK’s National Cyber Security Centre revealed that the UK has been on the receiving end of almost 1,800 cyberattacks in the preceding three years (i.e. at least 10 a week), most carried out by state-sponsored hackers.7
3. In the past, attributing cyberattacks of this nature to specific perpetrators (whether a state, a proxy acting on behalf of a state or a non-state actor acting independently of a state)8 was very challenging for states, particularly in cases where the attackers were operating at speed from multiple servers in different jurisdictions, with the ability to hide their identity. However, developments in technology have provided states with a greater ability to accurately attribute cyber intrusions,9 including through working with private cybersecurity companies. Some non-governmental bodies also work on the attribution of cyber operations.10
4. In the last few years, states have become more willing to attribute cyberattacks to other states, something they were previously reluctant to do. The number of public attributions has increased significantly, as has the number of states making those attributions.11 There is also a growing trend for states to work together to attribute malicious state-sponsored cyber operations. There are also discussions among states, academics and private-sector bodies about the feasibility of creating an international mechanism, perhaps under the auspices of the UN, with responsibility for attribution of state-sponsored cyber operations that interfere in another state.12
5. States have agreed that international law, including the principles of sovereignty and non-intervention, does apply to states’ activities in cyberspace.13 But how the law applies is the subject of ongoing debate. Not only is the law in this area unclear; states are also often ambiguous in invoking the law or in how they characterize it.14 For example, in relation to the hacking of Sony Pictures Entertainment, which the US government attributed to North Korea, the then Secretary of State John Kerry stated that North Korea had ‘violated international norms’. But when President Obama was asked if the Sony hack was an act of war, he responded, ‘No, it was an act of cyber vandalism that was very costly… We will respond proportionately, and we will respond in a place and time and manner that we choose’. The reference to exercising a right to respond assumes an underlying breach of international law, but the precise nature of the breach remains unclear.15
6. The lack of agreement on how international law applies to states’ cyber activities has created legal uncertainty. Some states may prefer this state of affairs, as it may be thought that any agreed regulation of cyber operations could be contrary to their interests.16 But for states that adhere to the rules-based system of international affairs, a clear legal basis should be necessary both to carry out cyber operations and to make assertions that another state has violated international law. States that are the victim of cyberattacks by other states need to be able to identify which rules of international law have been breached in order to know what action they are permitted to take in response, including whether they are entitled to take countermeasures (action in response to an internationally wrongful act by another state, which would otherwise be unlawful but which is permissible under certain conditions).17 Similarly, states contemplating or undertaking cyber operations need to understand the parameters of the law in order to ensure that their actions do not violate it.
7. While states are still at a relatively early stage in deciding and voicing how they consider that the principles of international law apply to states’ cyber actions, there is a trend for states to be more vocal about their views on the law in this area. Even when states put their positions on record, there will inevitably be some differences and debates among states (and commentators) on how the law applies, as there are in many other areas of international law, including the rules on the use of force and international humanitarian law. It is also not unusual for states to adopt deliberately ambiguous positions about the application of the law, to give them greater flexibility to act. But progress can be made in analysing, and as far as possible agreeing, how existing concepts of international law apply in the cyber domain.
I. Purpose and scope of paper
8. The aim of this paper is to analyse the application of the sovereignty and non-intervention principles in relation to states’ cyber operations in another state below the threshold of the use of force (while accepting that the determination of when a state’s cyber operation constitutes a use of force raises its own challenges). In doing so, the paper seeks to address some of the questions and ambiguities in this area, and to offer interpretative possibilities at a time when a number of states are starting to form and publicize their views on how these principles might apply in relation to states’ actions in cyberspace. The paper takes into account state practice to date, including examples of states’ cyber operations in other states, in order to clarify where the limits of the law might lie with reference to specific scenarios in practice. It is hoped that by analysing applicable principles or rules in this area, and identifying gaps or disagreements, this may contribute to rule-making in this space, and even increase the prospects of states working towards common approaches or resolving differences.
9. The paper recognizes that this aspect of cyber and international law is just one part of the legal architecture that regulates cyberspace. Cyberspace has many different strands and is governed by a diverse set of norms that are developing in parallel to the issues discussed in this paper, for example in relation to digital rights, cybercrime and cyber terrorism.
10. The paper draws on the state practice available, including statements by certain governments about how they consider international law to apply, both in general and in relation to particular cyber intrusions. The paper has also had the benefit of considerable scholarly writing in this area. It has also been able to draw upon discussions at meetings with experts from states, international organizations, academics and practitioners.
11. The paper is divided into seven chapters, including this introduction. Chapter 2 discusses the application of the international law concept of sovereignty in cyberspace. Chapter 3 discusses the application of the non-intervention principle in cyberspace. Chapter 4 applies the conclusions reached in chapters 2 and 3 to examples of state-sponsored cyber operations. Chapter 5 reflects on the relationship between sovereignty and non-intervention. Chapter 6 considers the procedures available for states and other actors to reach agreement on the application of rules in this area. Chapter 7 offers conclusions on the law and recommendations for governments, the private sector and civil society working in this area.
12. Some areas are not covered. The paper does not address the application of the use of force or international humanitarian law to states’ cyber operations in another state. Nor does the paper address certain other aspects of international law that are potentially relevant to states’ cyber operations, such as international human rights law. In practice, states sometimes use non-state actors as proxies to carry out cyber operations in another state on their behalf. The activities of such non-state actors are covered by this paper only insofar as they can be attributed to a state under the international law of attribution (and in this paper, the term ‘state-sponsored’ refers to cyber operations that may be attributed to a state accordingly).18 Cyber activities that are performed by individuals or corporate entities whose actions are not attributable to a state are therefore outside the scope of this paper. The paper does not seek to address remedies, including countermeasures, in any detail.
13. States sometimes use cyber operations in response to what they consider to be an internationally wrongful act committed by another state (whether or not by cyber activity), and seek to justify them as countermeasures.19 If the operations in question meet the conditions for applying countermeasures, it will not be necessary to consider whether or not the activity violates sovereignty or any other rule of international law.
14. In seeking to apply existing rules of international law to cyber operations, researchers are hampered by a lack of publicly available evidence of state practice. States conduct cyber operations in secret, and to date few states have put on record how they think the law applies.20 But there is currently a great deal of activity, inter-governmental and otherwise, dedicated to attempts to reach agreement on the application of international law in this area.
II. Existing work in this area
15. There have been some significant developments at the inter-state level. In the UN, the Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has held a number of meetings since 2004 to discuss the application of international law to cyber activities. This group, whose membership started with 10 states and has now grown to 25, has been closely followed by other states. In 2013 and 2015,21 the UN GGE agreed that the principles of the UN Charter apply to states’ actions in cyberspace, but the 2017 GGE ended in deadlock without a consensus report. In 2018, the UN General Assembly established a new GGE to work on these issues from 2019–21, as well as an Open-Ended Working Group (OEWG), with a similar mandate, to report to the General Assembly in 2020.
16. At the academic level, the international group of experts involved in the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (the ‘Tallinn Manual 2.0’)22 looked at the applicability of the international law concepts of sovereignty and non-intervention to cyberspace, which are discussed in chapters 2 and 3. Tallinn Manual 2.0 provides a valuable reference point and platform for debate on these issues, while acknowledging that it does not answer all of the questions, and that there were disagreements among the experts on certain points. Tallinn Manual 2.0 was designed to be the beginning of a longer and more significant discussion about the application of international law to states’ cyber operations in peacetime23 and it is hoped that this paper will contribute to that discussion.
17. In applying the principles of sovereignty and non-intervention to cyber operations conducted by a state against another state, a fundamental question arises about the application of any principles of international law to the actions of states. Does a novel form of state act, such as cyber operations, need to have its own principles and rules of international law created for it, or is it appropriate to apply the existing rules of international law to all state acts? Not only does the common practice of the law lead to acceptance of the latter approach, but it also appears that the UN GGE opted for it, by saying that international law applies to the cybersphere – that is, that entirely new international legal principles do not have to be created for it. The assumption in this paper is therefore that the objective should be to ascertain how the existing principles apply – not whether they do. State practice, such as it is, will be useful in deciding how the principles apply, but not whether they apply at all.