The Petya ransomware cyberattack hit computers of Russian and Ukrainian companies on 27 June 2017. Photo by Donat Sorokin/TASS/Getty.
2. The Application of Sovereignty in Cyberspace
18. The use of cyber operations by states to harm, to disrupt, to influence or even simply to irritate citizens and institutions in other states is a phenomenon that fits, but not without controversy, into existing paradigms of international law. While there was formerly some dispute about whether the existing rules of international law were applicable to cyberspace at all, states agreed at the UN GGE in 2013 and 2015 that international law, including the principles of sovereignty and non-intervention, does apply to states’ activities in cyberspace, as it does in the non-cyber context:
State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory.
19. The experts also agreed that the principles of the UN Charter applied:
(b) In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality, the settlement of disputes by peaceful means, and non-intervention in the internal affairs of other States.
As well as individual states, numerous international bodies have recognized this. In brief, the principle of state sovereignty encapsulates the supreme authority of a state to territorial integrity, sovereign equality and political independence within its territory to the exclusion of all other states. The rule prohibiting intervention in another state’s internal affairs derives from the sovereignty principle, and consists of coercive behaviour by one state in relation to the inherently sovereign powers of another state.
20. In the West at least, there are two schools of thought about how international law applies to state-sponsored cyber activity that takes place below the threshold of use of force. One is that the non-intervention principle applies to certain state-sponsored cyber intrusions, and that below the threshold of that principle, the activity may be unfriendly but will not constitute a breach of international law giving rise to state responsibility. On this view, sovereignty is a principle of international law that may guide state interactions, but it does not amount to a standalone primary rule, at least not in the cyber context.
21. Another view holds that cyber operations below the non-intervention threshold may be unlawful as violations of the target state’s sovereignty. This is the approach adopted in the Tallinn Manual 2.0, which draws rules from both sovereignty and non-intervention and applies them to operations in cyberspace.
22. Since the publication of the Tallinn Manual 2.0, the ‘sovereignty as a rule’ debate has been much discussed among commentators in the cyber context, but until recently there has been little public state practice to help inform that debate. States have chosen to adopt a ‘policy of ambiguity and silence’ about how international law applies in cyberspace. Some states have commented generally on the application of international law in cyberspace but without stating how they consider the principles of sovereignty and non-intervention to apply. Estonia’s statement on cyber and international law, for example, addressed a number of aspects of the application of international law to cyberspace, but did not explicitly address sovereignty and non-intervention. Iran has stated that ‘malicious use of ICTs [is] a serious and impending threat of violating States’ sovereignty and internal affairs’ but without specifying how these principles apply in practice.
23. The UK have put on record their view that the non-intervention principle applies to states’ cyber operations and have provided specific examples of situations in which they consider that the principle may apply. The UK have also stated that in their view, there is no additional prohibition on cyber activity to be extrapolated from the sovereignty principle. A 2017 Memorandum issued by the outgoing General Counsel of the US Department of Defense took a similar position on sovereignty, although this is in tension with other statements by US government officials, which have foreseen a role for sovereignty in the application of international law to cyberspace. Other states have commented that the non-intervention principle applies, but have not commented on whether a more general principle of sovereignty applies in cyberspace, perhaps preferring to adopt a position of ‘wait and see’, or of strategic ambiguity.
24. China’s International Strategy for Co-operation in Cyberspace of March 2017 provides that the principle of sovereignty applies in cyberspace, and that ‘No country should pursue cyber hegemony, interfere in other countries’ internal affairs, or engage in, condone or support cyber activities that undermine other countries’ national security’. However, as violations of sovereignty can cover a spectrum of activity, including in the context of specific rules on the use of force and non-intervention that derive from the principle of sovereignty, the extent to which China or other states consider activity below the non-intervention threshold to be a violation of sovereignty is unclear. Government statements about sovereignty in general terms also need to be read with care since sovereignty is a word that can be used in different senses in both the non-cyber and cyber contexts.
As violations of sovereignty can cover a spectrum of activity, the extent to which China or other states consider activity below the non-intervention threshold to be a violation of sovereignty is unclear.
25. In the past year, certain states have started to publish their positions on sovereignty in more detail. In July 2019, the Netherlands set out its view that both the internal and external aspects of sovereignty apply in full in the cyber domain and that states are not permitted to perform cyber operations that violate the sovereignty of another state. In September 2019, France set out in some detail its views on the application of international law to cyberspace, including that unauthorized state cyber intrusions into French systems, or any production of effects on French territory caused by cyber means, may constitute a violation of sovereignty. The notion that cyber operations below the non-intervention threshold may be unlawful as violations of the target state’s sovereignty appears to be the unpublicized view of certain other governments too.
26. To date, relatively few states have been prepared to put on record how they think these principles apply in practice; nor are there any treaties in this regard. In the meantime, as with any other state activity, existing principles and rules of customary international law are applicable to state activities in cyberspace, unless there is state practice with opinio iuris to indicate that a relevant principle or rule is not applicable.
27. This chapter and the following look afresh at the relevance of sovereignty and non-intervention to states’ cyber operations below the level of use of force. This chapter starts by discussing the international law concept of sovereignty and then considers how it can apply to states’ actions in cyberspace. The following chapter then discusses the principle of non-intervention, which reflects and protects sovereignty, and considers how the non-intervention principle applies to state-sponsored cyber intrusions.
I. General rules on sovereignty
28. Sovereignty is fundamental to statehood. Oppenheim refers to the different aspects of sovereignty thus:
Inasmuch as it excludes subjection to any other authority, and in particular the authority of another state, sovereignty is independence. It is external independence with regard to the liberty of action outside its borders. It is internal independence with regard to the liberty of action of a state inside its borders. As comprising the power of a state to exercise supreme authority over all persons and things within its territory, sovereignty involves territorial authority.
29. Sovereignty encompasses a bundle or package of rights. Judge Alvarez in the Corfu Channel case stated that, by sovereignty ‘we understand the whole body of rights and attributes which a State possesses in its territory, to the exclusion of all other states, and also in its relations with other States’. The Friendly Relations Declaration refers to the ‘rights inherent in full sovereignty’, and this language is reflected in other international instruments. The Helsinki Final Act, for example, records that participating states will:
respect each other’s sovereign equality and individuality as well as all the rights inherent in and encompassed by its sovereignty, including in particular the right of every State to juridical equality, to territorial integrity and to freedom and political independence. They will also respect each other’s right freely to choose and develop its political, social, economic and cultural systems as well as its right to determine its laws and regulations.
30. Distilling the sources cited above, the three core rights inherent in sovereignty (with correlative duties on other states) may be characterized as:
- the right to territorial integrity and territorial authority (territorial sovereignty);
- the right to independence of state powers; and
- the equality of states in the international order, sometimes referred to as ‘external sovereignty’.
The rights that are embodied in the concept of sovereignty will be the basis of any claim a state makes that another state has engaged in a violation of its sovereignty.
31. Within this aspect of sovereignty are encompassed a state’s rights in relation to its land territory and boundaries, aerial space, territorial sea and other maritime zones. Treaty provisions and customary law duties regarding land and maritime and aerial zones reflect and safeguard a state’s territorial integrity; so too does the law on the prohibition of the use of force.
32. Breaches of territorial sovereignty are not always accompanied by the use of force. In Certain Activities carried out by Nicaragua in the Border Area (Costa Rica v. Nicaragua), the International Court of Justice (ICJ), without finding it necessary to consider the separate allegation that there had been an unlawful use of force, found that ‘Nicaragua carried out various activities in the disputed territory since 2010, including excavating three caños and establishing a military presence in parts of that territory. These activities were in breach of Costa Rica’s territorial sovereignty.’
33. The principle of territorial sovereignty includes the right of a state to exercise jurisdiction within its own territory. Jurisdiction here can usefully be divided into powers of prescription, enforcement and adjudication. A state’s right to exercise all forms of jurisdiction within its territory may also be regarded as one of the rights flowing from the aspect of sovereignty relating to the independence of state powers.
Independence of state powers
34. A related aspect of the bundle of sovereign rights is the freedom of states to conduct their own affairs independently as regards their own territory. This element of sovereignty, tied in with territorial sovereignty, is referred to in the Island of Palmas case: ‘Sovereignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State’. The ILC Draft Declaration on the Rights and Duties of States provides in Article 1 that, ‘Every State has the right to independence and hence to exercise freely, without dictation by any other State, all its legal powers, including the choice of its own form of government’. The right is reflected in Article 2(7) of the UN Charter, with its reference to matters ‘essentially within the domestic jurisdiction of any state’.
35. The powers and rights of states that come within this aspect of sovereignty include the right of a state to political independence, including the right freely to choose and develop its political, social, economic and cultural system, and the right to exercise jurisdiction. While these governmental powers are quite wide, states must act within the framework of international law. In addition to any applicable treaty obligations, states must also abide by rules of customary law, such as those in relation to non-intervention and respect for sovereignty, alongside obligations relating to the status and protection of the individual under international humanitarian and human rights law.
36. A further aspect of sovereignty is the equality of states in the international order, sometimes referred to as ‘external sovereignty’. The principle refers to recognition in the international order of the absolute equality of all states in terms of their rights and duties in international law, rather than to their equality in power or in fact. The principle reinforces the notion that each state enjoys the rights inherent in sovereignty while being bound to respect the independence and authority of other states. The principle reflects the fact that sovereignty must be applied in an objective manner, as opposed to sovereignty simply being what a state says it is.
Each state enjoys the rights inherent in sovereignty while being bound to respect the independence and authority of other states.
37. It is clear from the above that while the various elements of sovereignty can be separated out and are sometimes referred to individually, in practice they are inextricably linked and work together. The right of a state to exercise jurisdiction on its territory involves both territorial sovereignty and the right of a state to exercise independent state powers. The independent and exclusive nature of that right derives from the principle of sovereign equality. Oppenheim treats breaches of internal independence and territorial sovereignty together, without distinguishing which aspect is breached.
Sovereignty as an all-embracing principle
38. There are some specific rules that reflect the general principle of sovereignty and that regulate or prohibit the exercise of authority by one state in another’s territory. These include the rules on the use of force, which are to be found in the UN Charter and customary international law; the principle of non-intervention into the internal affairs of other states; and the law of the sea and air law, as incorporated in the UN Convention on the Law of the Sea and the Convention on International Civil Aviation (Chicago Convention), as well as customary international law. There are also treaties giving consent to or regulating specific activities within a state’s territory, such as Status of Forces Agreements and the Vienna Conventions on Diplomatic Relations and on Consular Relations.
39. These rules and other specific rules may apply as lex specialis in relation to the exercise of a state’s authority in relation to an area over which that state has exclusive state powers. Where there is no lex specialis in place, the exercise of state power by one state in relation to another state continues to be governed by the general rules on sovereignty discussed above.
II. Sovereignty as it applies to states’ activity in cyberspace
40. There has been some debate about the extent to which the notion of territorial sovereignty applies to cyberspace at all. Violation of a state’s territorial sovereignty is typically associated with some physical incursion into a state’s territory, whether by land, sea or air. But while states’ cyber activities have a physical, tangible aspect (for example in the form of computer hardware and infrastructure), interactions in cyberspace also have a ‘virtual’ dimension, through the transmission of data, signalling, and sending of content between physical devices.
41. Further, cyberspace as such has no fixed territorial boundaries. There are many varieties of network architecture and numerous ways in which data is stored, which may cross territorial boundaries. Cyber infrastructure such as internet servers may be located in a particular territory, but interactions in cyberspace are often deterritorialized, and sometimes subject to greater regulatory control by global technological corporations, such as Google and Facebook, than states. Some academics have pointed out that network frontiers do not map directly to geographical borders.
42. Nevertheless, cyberspace does have a physical aspect, which consists of computers, integrated circuits, cables and communications infrastructure. It also has a logical layer, which consists of software logic, data packets and electronics; and a social layer, which includes human beings. This physical equipment is located within the territory of a state, and is owned by governments and companies. Thus, cyberspace does not exist independently from the physical world but is instead rooted in it. Transactions in cyberspace involve real people in one territorial jurisdiction either transacting with real people in other territorial jurisdictions or engaging in activity in one jurisdiction that causes real-world effects in another territorial jurisdiction.
43. A state can exercise its sovereignty over cyber infrastructure within its territorial borders (and in relation to satellites, within its jurisdiction), and over persons within its territory and with regard to its citizens, outside. The principle of sovereignty therefore does apply in relation to states’ cyber activities, through the ability of a state to regulate such matters within its territorial borders and to exercise independent state powers. As noted above, the principle has legal consequences.
44. States have the right to exercise their sovereign powers over cyber infrastructure in their territory exclusively and independently, as in the non-cyber context. These powers over cyber infrastructure are subject to states’ obligations under international human rights law. Some states choose to regulate certain aspects of cyber activity in their territory, for example through laws about the processing of personal data and permissible content on the internet. Some authoritarian states exert tighter controls over access to the internet and personal data, a concept that has been referred to as ‘cyber sovereignty’. States that adopt a wide approach to the existence of their powers over all aspects of citizens’ behaviour take a similarly wide view of the duties of other states to respect their sovereignty and may invoke violations of sovereignty or the non-intervention principle more regularly than others. But the powers that states choose to assume under domestic law in relation to cyber activity (whether or not compatible with international human rights law) are a separate issue from the scope of a state’s inherently sovereign functions.
The principle of sovereignty therefore does apply in relation to states’ cyber activities, through the ability of a state to regulate such matters within its territorial borders and to exercise independent state powers.
45. The content of ‘inherently sovereign powers’ or ‘inherently governmental functions’ is established in international law; the rules on state immunity provide one context. Such functions are understood as activity at the very core of state authority, including the activities of the authorities responsible for foreign and military affairs; legislation and the exercise of police power; and the administration of justice. These functions do not include a state’s regulation of the activities of private citizens or commercial matters. This approach is reflected in the Nicaragua case, in which the ICJ cited ‘the choice of a political, economic, social and cultural system, and the formulation of foreign policy’, as examples of matters in which a state could decide freely under the principle of state sovereignty. Thus, the term ‘inherently sovereign functions’ has to be given an objective reading.
III. Violation of sovereignty
46. When a state exercises its authority in another state’s territory without consent in relation to an area over which the territorial state has the exclusive right to exercise its state powers independently, that constitutes a violation of sovereignty. This formulation is reflected in the international jurisprudence. The Permanent Court of International Justice (PCIJ) said in the Lotus case that the ‘first and foremost restriction imposed by international law upon a State is that – failing the existence of a permissive rule to the contrary – it may not exercise its power in any form in the territory of another State’.
47. In Certain Activities carried out by Nicaragua in the Border Area (Costa Rica v. Nicaragua), the ICJ considered violation of territorial integrity and sovereignty to involve the exercise of authority in another state. The court held that Nicaragua had violated the territorial sovereignty of Costa Rica by conducting certain activities on its territory without consent. In Military and Paramilitary Activities in and against Nicaragua, the ICJ referred to ‘the duty of every State to respect the territorial sovereignty of others’. In the Corfu Channel case, the ICJ held that the UK violated Albania’s sovereignty by routing warships and conducting demining operations in Albania’s territorial waters without consent. In each of these cases, the court considered violation of sovereignty separately from the rules on use of force and intervention, and considered it to have legal consequences.
Remote violations of sovereignty
48. Many examples of infringement of a state’s sovereignty involve intrusions on physical space such as airspace, territorial waters, or exercise of political powers such as law enforcement. But a state can also violate another state’s sovereignty by activity that the perpetrating state conducts outside the territory of the victim state and without physical effects in the affected territory. For example, FBI agents interrogate bankers in Switzerland by telephone without the consent of Switzerland by forcing them to complete a questionnaire under threat of subpoena if they do not. This is an exercise of authority in an area over which Switzerland has the exclusive right to conduct law enforcement activity. It could thus amount to interference in the exercise of Switzerland’s independent state powers on its own territory, and thus a violation of Switzerland’s sovereignty.
49. A state may also conduct activity from outside the territory with physical effects in the target state’s territory. For example, a state allows its territory to be used for a factory that emits fumes into a neighbouring state polluting the latter state’s rivers. The neighbouring state is unable to stop the fumes entering its territory and has to divert significant financial resources to provide alternative sources of water. Such harm is now dealt with generally under the separate head of environmental law, but duties in environmental law to avoid causing environmental harm in another state (however those are framed) have their roots in the principle of sovereignty. In Certain Activities carried out by Nicaragua, the ICJ found that Nicaragua was responsible for a breach of sovereignty by reason of its physical incursions and then in a subsequent case fixed the amount of damages for environmental harm caused in Costa Rica by that breach.
50. It may be more difficult in practice to establish violations of sovereignty that are conducted from outside the territory with effects in the territory, as the activity will be less tangible than the physical presence of an agent on the territory and may be harder to prove. Regardless of these potential differences in application and proof, the same rules regarding violation of sovereignty apply whether the exercise of authority by the perpetrating state is carried out through a physical presence on the territory of the affected state or remotely from outside the affected territory. In practice, remote violations with a coercive element have tended to be considered through the lens of the non-intervention principle or via specific rules of international law that have developed.
Is there a threshold to violations of sovereignty?
51. Some scholars consider sovereignty to be a ‘catch-all’ principle capturing any interference with a state’s exclusive internal and external authority not included in more specific rules such as those on non-intervention or non-use of force. Those taking this position assert that any non-consensual incursion by a state agent into the territory of another state can amount to an exercise of state authority sufficient to violate the territorial state’s sovereignty, regardless of whether that incursion produces damage or otherwise breaches international or national law, and regardless of whether the exercise of authority is manifested through a physical presence on the territory or remotely.
52. Others consider that not all exercises of authority carried out without consent that are not included in specific rules will amount to a violation of sovereignty. One area where the question of what is unlawful is not clear is in relation to the acts of states’ intelligence agencies, which routinely operate on the territory of other states without being officially disclosed to the authorities. Certain scholars argue that territorially intrusive forms of espionage violate the principle of territorial sovereignty. A major counterpoint to this argument is the ubiquity of states’ intelligence agents in other states, usually without comment by the latter states. While states routinely outlaw forms of espionage under their domestic law, and while specific activities may provoke protest, for the most part the activities of intelligence agencies have not been treated by states or commentators as internationally unlawful per se. Espionage is considered more fully in Chapter 4.
53. The idea of a threshold for violation of sovereignty appears more obvious in the context of remote exercises of power by one state in relation to the sovereignty of another state’s territory. The remote exercise of authority by one state usually affects the political independence of the victim state – as in the case of political or economic interference in another state’s affairs, or the exercise of extraterritorial enforcement jurisdiction. Oppenheim observes that, ‘independence is a question of degree’, and whether or not this aspect of sovereignty is violated will also be a question of degree. For example, diplomatic protests or mere criticism of a foreign government, or the issue of propaganda about another state’s government, will not violate the principle of sovereignty, but the clandestine provision of financial and logistical support to another state’s opposition party in an attempt to force the government from power may well do. The line between lawful diplomacy and violation of sovereignty is difficult to draw and it will be a fact-specific enquiry in each case.
The limits of the sovereignty rule are not established. It is not clear whether there is some form of de minimis rule in action, as evidenced by the way that states treat the activities of other states in practice.
54. In sum, the limits of the sovereignty rule are not established. It is not clear whether there is some form of de minimis rule in action, as evidenced by the way that states treat the activities of other states in practice. The assessment of whether sovereignty has been violated therefore has to be made on a case by case basis, if no other more specific rules of international law apply.
Violations of sovereignty in the cyber context
55. In the cyber context, some scholars argue that there is no specific rule of sovereignty with legal consequences. In their view, the differences in how sovereignty is reflected in international law with respect to the domains of space, air and the seas support the view that sovereignty is a principle, subject to adjustment depending on the domain and the practical imperatives of states rather than a hard and fast rule. But it is clear from the case law above that it is possible for a state’s sovereignty to be violated without reference to rules of international law dealing with specific areas, and that such violation amounts to the commission of an internationally wrongful act with legal consequences. As Specter has argued, ‘Whether one chooses to call it sovereignty, or territorial sovereignty, or territorial integrity, or something else entirely, an overwhelming and unavoidable body of treaties, jurisprudence, and scholarly opinion stands for the proposition that there is a primary rule of international law that requires one state to refrain from taking public act or exercising authority in the territory of another state, in the absence of consent or another provision of international law to the contrary.’
56. Rule 4 of the Tallinn Manual 2.0 states that ‘A State must not conduct cyber operations that violate the sovereignty of another State’. This invites the question of when a state-sponsored cyber operation is in breach of a state’s sovereignty.
57. One scenario is that unauthorized cyber activity is carried out by an agent of one state while physically present on the territory of another state. A recent example is the attempted hack of the Organisation for the Prevention of Chemical Weapons (OPCW), based in The Hague in the Netherlands, by Russia’s military intelligence agency, the GRU. In April 2018, Russian intelligence officers had moved to a location close to the OPCW headquarters and were making preparations to hack into OPCW networks. In order to protect the integrity of the OPCW, the Netherlands Defence Intelligence and Security Service pre-empted the GRU cyber operation and escorted the Russian intelligence officers out of the Netherlands the same day. In this case, the non-intervention principle would appear not to be applicable, since the activity does not meet the requirement of coercion. The Dutch minister of defence stated that ‘GRU cyber operations such as this one are at odds with the international rule of law’, suggesting that the government considered the GRU’s activity to be internationally wrongful, without specifying in what way.
58. More often, state cyber intrusions are conducted remotely from outside the territory of the target state rather than by agents physically present within the affected state’s territory. As in the non-cyber context, the perpetrating state’s remotely conducted cyber intrusion (for example, an agent hacking into and shutting down a state’s national power grid from outside the victim state’s territory) could be considered to be ‘accessing’ (without consent) the victim state’s sovereign territory, if the affected server is located on the victim state’s territory. Sometimes the remotely caused cyber intrusion will have physical effects on the territory, for example physical damage to a computer. Similarly, in the non-cyber context, transboundary environmental harm caused remotely can have physical effects in the affected state’s territory. Sometimes there will be no physical footprint at all on the territory, for example, a state simply sitting on another state’s server, gathering information; or using malware to alter data on a computer’s hard drive without leaving a trace. The cyber intrusion nevertheless accesses infrastructure on the victim state’s territory without the victim state’s consent. As long as the servers affected are located in the victim state’s territory (or in the case of satellites, within the jurisdiction of the affected state), then an unauthorized exercise of authority by one state by cyber means in another state’s territory could constitute a violation of the victim state’s sovereignty.
More often, state cyber intrusions are conducted remotely from outside the territory of the target state rather than by agents physically present within the affected state’s territory.
59. This analysis proceeds on the basis that sovereignty is a bundle of rights that are inextricably linked. Cyber intrusions into another state’s cyber infrastructure can involve interference with the affected state’s exercise of its independent state powers in some way (for example disruption of the target state’s ability to control its critical infrastructure or other independent state functions), but they also have a territorial dimension as the intrusions take place on the territory of the victim state. There seems to be no reason in principle to distinguish physical violations (i.e. activity carried out by a state agent physically on the territory of the victim state) and remote violations (i.e. activity carried out from outside the affected state’s territory). Indeed, it would be strange to say that if a state agent shuts down another state’s power grid while on the latter state’s territory, that is a violation of sovereignty, but that the same would not be true if the perpetrating state did so by operating remotely.
Limits on the application of the sovereignty rule in the cyber context
60. As in the non-cyber context, there remains the question of whether any unauthorized exercise of authority in the affected state constitutes a violation of sovereignty or whether there is some form of de minimis threshold in operation. If one adopts the position of sovereignty as a ‘catch-all’, that makes the potential for violations very large indeed. On this view, it would technically be a violation of sovereignty and thus an internationally wrongful act for a state to install an access mechanism on another state’s infrastructure without any interference with the functionality of the target state’s cyber infrastructure; or to gather information for espionage purposes; or to undertake exploratory cyber activity by states looking to identify a weakness within the system that may be useful for a future attack.
61. This open-ended, maximally protective approach to violation of sovereignty in the cyber context appears to be at odds with the reality of states’ day to day interactions in cyberspace. As Egan has observed, ‘the very design of the internet may lead to some encroachment on other sovereign jurisdictions’. The reality of the interconnected online world is that states constantly transit through each other’s portals, often without explicit authorization, especially states’ intelligence agencies. State cyber activity may ‘access’ other states’ territory in a variety of ways including for ‘virtuous’ purposes such as the urgent defeat of a counterterrorism attack, without other states being aware, at least in real time. Under an open-ended approach to sovereignty, which we might term that of the ‘pure sovereigntist’, the sovereignty of states would technically be in a constant state of violation, with violations taking place with no response by states.
62. The pure sovereigntist might argue that in practice states have discretion as to whether they wish to frame such activity in the language of violation of sovereignty, or to deal with them in other ways, for example diplomatically or through domestic criminal law. But if such activities could indeed constitute violations of sovereignty, this could increase the risk of confrontation and escalation, since violation of sovereignty gives the affected state the right to take countermeasures in response if the perpetrating state fails to remedy the situation. It is also to be expected that states that claim a wide concept of sovereignty, including powerful cyber active states such as Russia and China, will invoke violations of sovereignty against other states’ international activity of any kind more frequently than others. This is one of the problems of relying on an open-ended conception of sovereignty in this context. International law must be applied objectively, rather than sovereignty simply meaning whatever a state says it is, but the lack of any specific criteria for violations increases the risk of states interpreting sovereignty subjectively.
63. Where states have made statements regarding state cyber intrusions, they have not usually framed these intrusions as violations of sovereignty. It is not clear whether this is because the states concerned do not want to elevate the situation to this level (with the implication that the victim state is then entitled to take countermeasures) or because they do not view the activity as a violation of sovereignty in the first place. The notion that all unauthorized exercises of state authority by cyber means constitute violations of sovereignty is not easily reconcilable with the day to day workings of states. Nor does it appear to correspond with current state practice. On the other hand, the position that violation of sovereignty has no legal consequences at all in the cyber domain (below the threshold of the non-intervention principle) is difficult to reconcile with the judgments of international courts on the principle of sovereignty, which seem in principle capable of application to all unauthorized exercises of state authority, cyber or otherwise.
Criteria to delineate violations of sovereignty
64. Perhaps recognizing the difficulties of a ‘purist’ approach to sovereignty, some commentators favour a kind of half-way house position, under which some state cyber activity violates another state’s sovereignty but only if it reaches a certain threshold. The question then becomes what the criteria are for such a threshold – is it a de minimis threshold based on quantitative factors such as the scale of the harm in the target state, the number of citizens affected, or the geographic reach of the attack; or is it based on qualitative factors such as the nature of the attack – or both?
65. The international group of experts involved in the Tallinn Manual 2.0 explored whether it is possible to identify criteria for infringements of the target state’s ‘territorial integrity’, whereby remote cyber intrusions will only reach the level of violation of sovereignty where a certain level of harmful effects are caused on the territory of the victim state. They did so by reference to a hierarchy of scenarios, as follows:
- physical damage or injury (e.g. malware that causes the malfunctioning of the cooling elements of equipment, rendering components inoperable, as in the Stuxnet operation);
- loss of functionality of cyber infrastructure (e.g. hacking into a computer and spreading a powerful virus that disables functionality, potentially also resulting in the need to replace computers, as in the ‘Shamoon’ cyber operation against the Saudi oil company, Aramco); and
- activity below loss of functionality, e.g. the slowing down of a computer; causing the cyber infrastructure or programmes to operate differently; or altering or deleting data without physical or functional consequences.
66. This idea of a violation of sovereignty based on varying levels of harmful effect appears to have been at least partially inspired by discussion of an ‘effects doctrine’ in the context of the rules on the use of force, which the international group of experts also considered in the context of state-sponsored cyberattacks. In practice, physical damage to cyber infrastructure as a result of a cyber intrusion is much less common than loss of functionality or some effect below that, so the latter two criteria above will be the most important for the purpose of low-level cyber interventions. But drawing the line for a de minimis threshold based on the effects in the target state raises a number of challenges. The international group of experts took differing positions on where the line should be drawn, both in relation to the proposed criterion of ‘loss of functionality’ and in relation to damage below loss of functionality. The scenarios above mingle effects and the object/nature of the interference. They could be taken to imply a descending scale of severity, but in practice it is not so straightforward. The deletion of one state’s critical government data by an outside state does not necessarily cause physical effects or loss of functionality but may be capable of having a more serious effect on the ability of the target state to exercise its state functions. Should ‘harm’ caused by cyber interference be measured in quantitative or qualitative terms, or both?
Certain states have posited that as well as severity, the scale of the effects on society may be a factor that they take into account when considering whether the cyberattack could constitute a violation of sovereignty.
67. It is currently unclear what most states think of the idea of an ‘effects-based’ approach to violations of sovereignty in cyberspace (beyond the UK position of not recognizing a rule of sovereignty in cyberspace) since, as noted above, few states have put their views on record. The French government, in its report of September 2019, as well as stating that any unauthorized cyber intrusions into the French system would constitute a violation of sovereignty, also indicated that sovereignty can be violated by ‘any production of effects by cyber means on French territory’. France’s national cyber incident classification system is based on a technical and effects-based assessment of the cyber operation, graded according to gravity. There are indications that other states are also seriously considering an effects-based approach. The government of the Netherlands alludes to limits to sovereignty in its recent statement on the application of sovereignty to cyberspace, and notes that ‘in general’ it endorses Rule 4 of the Tallinn Manual 2.0 ‘for determining the limits of sovereignty in the cyber domain’. Certain states have posited that as well as severity, the scale of the effects on society may be a factor that they take into account when considering whether the cyberattack could constitute a violation of sovereignty. Others have focused on the practical effects on the victim state’s ability to regulate its sovereign functions on its territory.
68. The idea of an effects-based approach in relation to state cyber activity from outside the territory with harmful effects in another territory is also one that the EU has recently adopted in relation to its newly enacted cyber sanctions regime. The sanctions are aimed at cyberattacks that have a (potentially) ‘significant effect’, and which constitute an external threat to the EU or its member states. The EU decision lists the following as the factors determining whether a cyberattack has a significant effect:
- the scope, scale, impact or severity of disruption caused, including to economic and societal activities, essential services, critical State functions, public order or public safety;
- the number of natural or legal persons, entities or bodies affected;
- the number of Member States affected;
- the amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property;
- the economic benefit gained by the perpetrator, for himself or for others;
- the amount or nature of data stolen or the scale of the data breaches; or
- the nature of commercially sensitive data accessed.
69. While the EU decision does not refer to sovereignty or intervention, it is an interesting example of states creating criteria for the wrongfulness of cyber activity based on a wide-ranging list of factors, both quantitative and qualitative. Note that the reference to ‘scope, scale, impact or severity of disruption caused’ is linked, in (a) above, to the carrying out by the state of inherently state functions, such as economic and societal activities; essential services; critical state functions; public order; or public safety. This causal link between behaviour that has a certain scope, scale, impact or severity and the carrying out by the state of its exclusive and independent state functions is quite close to the idea of violation of sovereignty (i.e. the unauthorized exercise of authority regarding another state’s sovereign functions) being subject to certain effects. However, the EU criteria are clearly broader, going beyond scale and effect to encompass, for example, economic loss and the type of data stolen.
70. An approach based on quantitative and/or qualitative effects in the target state, or some other form of de minimis threshold, is attractive from a practical and pragmatic point of view as it enables states to take action in relation to cyber intrusions that may not reach the threshold of intervention but that nevertheless cause harmful effects within the territory. It has the merit of being neither too restrictive (as the pure sovereigntist position arguably is) nor too permissive (in catching activity that does not require the establishment of coercive behaviour as in the non-intervention principle).
71. The difficulty is that as noted above, outside the cyber context it is hard to define parameters or criteria for what constitutes a violation of sovereignty, beyond the general formula of an exercise of authority by one state in another’s territory without consent in relation to an area over which the territorial state itself has the exclusive right to exercise state powers independently. A pure sovereigntist would argue that scale and effects may inform norms such as those regarding intervention and use of force but have no place in relation to sovereignty, and that effects are rather a matter related to enforcement and the proportionality of remedies. On the other hand, it has been noted that remote violations are often analysed as a matter of degree. But the matter is not clear or settled, and the lack of agreement on whether there is a de minimis threshold for violations of sovereignty in the non-cyber context is just as apparent in the cyber context.
72. As yet, there also appears to be no agreement as to what kinds of effects would be required under a de minimis threshold. The Tallinn Manual 2.0 formula, which imports a doctrine based on severity of effects derived from the rules on use of force, is one version; another is the practical effects on the victim state’s ability to exercise its independent state powers over society (which is close to how the non-intervention principle operates in practice). The EU’s restrictive measures offer a range of other factors to consider in the context of regulating remotely conducted cyberattacks based on significant effect. Even those that argue that breach of sovereignty is subject to some threshold (whom we might term for the purposes of this paper ‘relative sovereigntists’) concede that agreement on the criteria for delineating violations is currently lacking. Until such agreement is reached between states, determination of when a violation of sovereignty occurs risks becoming a subjective exercise as opposed to one based on a mutually agreed interpretation of the application of sovereignty in cyberspace.
Proving violation of sovereignty in the cyber context
73. Establishing whether sovereignty has been violated in a particular case is complicated by the fact that states have differing views as to what constitutes a violation. Even if an approach based on some kind of threshold is accepted, the analysis is more challenging still because of the peculiar attributes of cyberspace. As the government of the Netherlands has pointed out, it is possible that a single cyber operation is made up of different components or actions that are initiated from different countries or that run through different countries, often simultaneously, in a way that cannot always be traced. There are various options for masking both the identity of the perpetrator and the geographical origin of the cyber activity, especially now that data is often stored in a cloud system in different locations. In practice, it is therefore not always possible to determine whether a cyber operation has a cross-border element, such that it may violate the sovereignty of a particular state.
III. Due diligence
74. International law requires that a state may not knowingly allow its territory to be used for mounting hostile, including terrorist, activities against another state. In the cyber context, it has been argued that this obligation applies so as to require a state to exercise due diligence to prevent harmful cyber activities emanating from that state’s territory. The contrary argument is that in the cyber context there is no legal obligation but that applying due diligence would be good practice. Since the latter argument is contained in the UN GGE, it is indicative of at least some states’ opinion that in the cyber context there is no legally binding obligation. At the same time, there is state support for the desirability of its application, and some states are beginning to take the view that it is indeed now a binding principle in the cybersphere.
75. Crucially, though, the difference between ‘shall’ and ‘should’ is not yet of great practical importance. This is because it is currently unclear what the application of the due diligence principle to cyberspace would in fact require. For its application to a particular context, the principle in effect must be comprised of a number of smaller duties, and, in relation to cyberspace, states are yet to elucidate what those ‘sub-duties’ would be. For example, would due diligence involve obligations to undertake investigation or simply to respond to identified activity, to review and secure use of cyberspace from within the state’s territory, to share information with other states? It should also be stressed that the principle is one of conduct, not result: it is not a duty to prevent harmful cyber activity, but to take reasonable steps to attempt to do so.
76. Nonetheless, there are potential advantages in the application of due diligence to cyber activities, both in terms of developing a preventive rather a than merely responsive approach, and in lessening the issues associated with the attribution of cyber activity to a state. Due diligence therefore is an area where the development of principles as to what might be expected of a state in applying the principle would be welcome, and further work is needed before the principle can be called in aid.