
The Petya ransomware cyberattack hit computers of Russian and Ukrainian companies on 27 June 2017. Photo by Donat Sorokin/TASS/Getty.
Hostile cyber operations by one state against another state are increasingly common. This paper analyzes the application of the sovereignty and non-intervention principles in relation to states’ cyber operations in another state below the threshold of the use of force.
77. The non-intervention principle is the corollary of every state’s right to sovereignty, territorial integrity and political independence.131 It derives from and safeguards the general principle of sovereignty. The members of the UN GGE accepted that the prohibition on non-intervention applies in principle to states’ cyber operations in another state below the threshold of use of force. This chapter analyses the principle and considers how it applies to states’ cyber operations.
78. The 1970 Declaration on Principles of International Law concerning Friendly Relations and Cooperation among States in accordance with the Charter of the UN (Friendly Relations Declaration) provides that:
No State or group of States has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of another State. Consequently, armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements, are in violation of international law.132
79. The prohibition on intervention is an inter-state doctrine, and does not apply to intervention by or in relation to the activities of non-state groups unless the activities of the non-state groups can be attributed to a state under the rules of attribution in international law.133 The principle is set out in many international law sources,134 and is grounded in Article 2(7) of the Charter, which prohibits the UN from intervening in ‘matters which are essentially within the jurisdiction of any state’. The ICJ said in Nicaragua that the non-intervention principle is ‘part and parcel of customary international law’, notwithstanding the fact that ‘examples of trespass against this principle are not infrequent’.135
80. Despite being codified in various international agreements and documents, the prohibition on non-intervention has been described by scholars as vague and ‘elusive’.136 It applies both to interventions by force and non-forcible interventions, but its content is not clearly defined outside the context of use of force.
81. Nevertheless, the ICJ in Nicaragua provided some useful guidance. The ICJ held that the non-intervention principle (outside the context of use of force) applies to one state’s actions in relation to another state where two elements are present:
82. The ICJ’s dicta on the non-intervention prohibition in Nicaragua should not be read prescriptively since the ICJ was clear that, ‘the Court will only define those aspects of the principle which appear to be relevant to the resolution of the dispute’.138 Since the dispute in question primarily concerned forcible intervention, the court did not opine in any detail on how intervention and coercion might be defined outside the use of force context. Outside the area of use of force, ‘it is often unclear what is, and what is not, prohibited under customary international law. Much depends on context, and even on the state of relations between the states concerned’.139
83. The terms ‘interference’ and ‘intervention’ are sometimes used interchangeably; for example, China’s Five Principles of Peaceful Co-Existence include ‘mutual respect for sovereignty and territorial integrity’ and ‘non-interference in each other’s internal affairs’.140 This paper uses the term ‘intervention’ in the sense of coercive intervention in the internal or external affairs of another state.141 The two elements of the non-intervention principle are analyzed below.
84. Under the non-intervention principle, the coercion must take place in relation to ‘matters of an inherently sovereign nature’, i.e. those over which the state has exclusive authority, including a state’s political, economic, social and cultural systems. The non-intervention principle, insofar as it concerns non-forcible interventions, thus relates to the element of sovereignty under which states are entitled to exercise their state powers independently and free from interference from other states.142 It follows that the main difference between violation of the non-intervention prohibition and other breaches of sovereignty is the element of coercion. This accords with the judgment of the ICJ in Nicaragua, in which the court noted that:
Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones… the element of coercion… defines, and indeed forms the very essence of, prohibited intervention.143
85. Coercion regulates the line between minor interference and unfriendly acts on the one hand, and intervention sufficient to breach the prohibition on non-intervention on the other.144 The line between the two is not always easy to identify, particularly because there is no generally accepted definition of ‘coercion’ in international law.145 Nevertheless it is possible to identify certain features of what is meant by ‘coercion’ from the international law sources.
86. The requirement of coercion involves an element of pressure or compulsion on the part of the coercing state. Without this requirement for a degree of pressure, the line between coercion and mere attempts to influence would become blurred. The degree of pressure that is required to deprive the target state of control of its state functions will vary in each case according to the facts, and cannot be quantified.146 But clearly a certain amount of pressure is required, and Jamnejad and Wood note that ‘if the pressure is such that it could be reasonably resisted, the sovereign will of the target state has not been subordinated’.147 As a result, ‘Only acts of a certain magnitude are likely to qualify as coercive’.148
87. An example of concern that attempts merely to influence should not be regarded as coercion can be seen in the statement made by the UK on adoption of the Friendly Relations Declaration in the UN General Assembly:
In considering the scope of ‘Intervention’, it should be recognized that in an interdependent world, it is inevitable and desirable that States will be concerned with and will seek to influence the actions and policies of other States, and that the objective of international law is not to prevent such activity but rather to ensure that it is compatible with the sovereign equality of States and self-determination of their peoples.149
88. Coercion is sometimes associated with dictatorial behaviour by one state in relation to another: ‘do x or else’. Oppenheim for example states that, ‘… to constitute intervention the interference must be forcible or dictatorial, or otherwise coercive, in effect depriving the state intervened against of control over the matter in question’.150 Outside the international law context, coercion is often characterized as a threat that is used in order to change the conscious behaviour of the target.151 The power of the threat is predicated on the fact that the target knows that it is being coerced, and will suffer consequences if it does not respond as the coercer wishes, rather like blackmail. But the international law sources discussed above suggest that coercion in the international law context is framed rather differently, in the sense of the application of pressure by one state to influence an outcome in, or conduct with respect to, a matter reserved to the sovereign state. This characterization of coercion is derived from the overarching principle of sovereignty in international law, and the notion of an unauthorized exercise of authority in relation to the target state’s exercise of independent and exclusive powers on its territory. Analogies with coercion outside the international law context therefore need to be treated with care.
89. In practice, the means and techniques used by a state to coerce another state in relation to the exercise of the latter’s state powers can be various and nuanced. Damrosch argues that, ‘The traditional formulation of intervention as “dictatorial interference” resulting in the “subordination of the will” of one sovereign to another is … unsatisfactory, because some subtle techniques of political influence may be as effective as cruder forms of domination’.152 Oppenheim, when referring to intervention as interference that is forcible or dictatorial, adds ‘or otherwise coercive’, implying that the nature of coercion can in fact take a range of forms.153
90. The Friendly Relations Declaration provides that ‘No State may use or encourage the use of economic, political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from it advantages of any kind’.154 This suggests that the pressure must be directed towards affecting the behaviour of the target state in some way to the benefit of the perpetrating state. There are different formulations of what the coercive behaviour is designed to achieve. Is it the application of pressure:
91. The international law sources on the non-intervention principle do not specifically refer to a requirement for the intervention to be directed towards a change of policy or government. The Friendly Relations Declaration refers to the ‘securing of advantages’;155 Oppenheim refers to ‘…interference in the affairs of another State for the purpose of maintaining or altering the actual condition of things’,156 including the right of a state to ‘adopt any Constitution it likes, arrange its administration in a way it thinks fit, and make use of legislature as it pleases’.157 The ICJ in Nicaragua stated that intervention is wrongful ‘when it uses methods of coercion in regard to such choices… which must remain free ones’.
92. The language in each of the above sources suggests that the coercive behaviour could extend beyond forcing a change of policy to other aims, such as preventing the target state from implementing a policy or restraining its ability to exercise its state powers in some way. At the same time, as noted above, the attempt to deprive the target state of its free will over its sovereign powers is carried out for the benefit of the perpetrating state in some way: the unauthorized exercise of authority is not incidental. The benefit sought need not relate to a specific policy issue; it may suffice for the target state’s control over the underlying policy area to be impaired in a way that adversely affects the target state.158 In light of this, the coercive behaviour is perhaps best described as pressure applied by one state to deprive the target state of its free will in relation to the exercise of its sovereign rights in an attempt to compel an outcome in, or conduct with respect to, a matter reserved to the target state.
93. The Nicaragua case suggests that coercive behaviour can be direct as well as indirect.159 The ICJ determined that US funding of the contras constituted intervention, notwithstanding that a series of intervening events were required after the US transfer of funds took place and before coercion of the Sandinista regime of Nicaragua occurred. The court adopted a more nuanced approach to understanding both coercive behaviour and intervention than simply direct, dictatorial behaviour.
94. Some scholars writing in the cyber context have understood coercion in the sense of dictatorial action by a state to force a change of policy and on the basis of this ‘narrow coercion standard’ have concluded that the threshold for the non-intervention principle is a high one160 that needs reformulating in the cyber context.161 Others have argued that the non-intervention threshold is seldom reached, and advocate that as a result greater reliance should be placed on the sovereignty principle.162
95. But there seems no reason why a flexible approach to coercion should not apply in the cyber context, as in the non-cyber context. Several scholars writing in the cyber context have supported the idea of coercion as meaning coercive behaviour aimed at seeking an advantage of some kind by depriving the target state of its free will over the exercise of its sovereign powers. Watts, for example, argues that ‘actions merely restricting a state’s choice with respect to a course of action or compelling a course of action may be sufficient to amount to violations of the principle of non-intervention’.163 Gill defines intervention as ‘[A]ction aimed at coercing a State to do or abstain from doing something it is entitled to do under international law’.164
96. The examples of non-intervention in the Tallinn Manual 2.0 involve forcing a particular policy decision on the target state, for example ‘the use by one State of non-cyber coercive means to compel another State to adopt particular domestic legislation related to Internet server liability’, or using such means to compel another state ‘to refrain from becoming Party to a multilateral treaty dealing with cyber disarmament or human rights online’.165 But the Tallinn Manual 2.0’s definition of coercion in fact supports a broader understanding of coercion, which could include restraining a state from exercising its state functions more broadly, as well as forcing it to act in a particular way: ‘an affirmative act designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way’.166 The majority of the international experts involved in the Tallinn Manual 2.0 were also of the view that ‘the coercive effort must be designed to influence outcomes in, or conduct with respect to, a matter reserved to a target state’.167
97. The Australian government’s position on the application of the non-intervention principle in the cyber context reflects this more nuanced understanding of coercive behaviour, defining a prohibited intervention as:
…one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely. Such matters include a state’s economic, political and social systems, and foreign policy.168
98. Coercive behaviour may thus be understood as pressure applied by one state to deprive the target state of its free will in relation to the exercise of its sovereign rights in an attempt to compel an outcome in, or conduct with respect to, a matter reserved to the target state. This could have quite significant implications when applied in the cyber context. It would capture the use by a state of covert cyber operations with the aim of disrupting or undermining the exercise of another government’s sovereign functions. The very inability of the target state to exercise control over its sovereign functions, with the harmful effects that are likely to ensue within the target state as a result, is the outcome that the perpetrating state is seeking to compel. There are many examples where states have used cyber operations in this way, for example attacks on another state’s critical infrastructure in order to punish or retaliate against that state.
99. The formula for coercion suggested above reflects the fact that states will usually have a reason for applying pressure to another state in relation to the exercise of its sovereign functions. But it does not go so far as to require a specific intent, motive or purpose on the part of the coercing state in seeking to compel an outcome or conduct in the target state. In the Nicaragua case, the ICJ noted evidence that the US intended to overthrow the government of Nicaragua and intended to inflict economic damage. But the court declined to make findings with respect to the intentions or motives of the US, observing that:
in international law, if one State, with a view to the coercion of another State, supports and assists armed bands in that State whose purpose is to overthrow the government of that State, that amounts to an intervention by the one State in the internal affairs of the other, whether or not the political objective of the State giving such support and assistance is equally far-reaching.169
100. The court’s ruling suggests that the motive of the intervening state is of little relevance. It is the fact of coercive behaviour with respect to the victim state’s free will over its sovereign functions that establishes a prohibited intervention.170 The coercive behaviour on the part of the perpetrating state will, by its nature, be intentional, and thus the description of coercion discussed above necessarily involves an intention to compel an outcome or conduct.171
101. A violation of sovereignty usually involves actual usurpation of a state’s sovereign powers by another state without consent.172 But under the non-intervention principle, it is the fact of the coercive behaviour itself, in relation to another state’s sovereign powers, that matters. This suggests that if the hostile state carries out coercive cyber operations against another state but does not succeed, it would still be caught by the non-intervention principle, just as an act involving a use of force that misses its target would still constitute a use of force. Potential as well as actual effects are therefore relevant when assessing the coercion element. Otherwise, a state that was targeted but, being well prepared, was not affected, could not claim a violation of international law, whereas a state that had not invested in such protections could.173
102. Since actual harmful effects are not a prerequisite for the non-intervention principle to be engaged, the element of coercion is better understood as the fact of ‘coercive behaviour’ by a state in relation to another state’s sovereign functions, which does not presuppose the success of the behaviour, rather than ‘coercion’. Some argue that coercion is essentially about the conduct on the part of the perpetrating state rather than the effects that such behaviour produces.174 Others, in assessing whether the non-intervention principle has been breached, place greater weight on the effects (actual or potential) of the behaviour on the target state’s inherently sovereign functions.175 In a sense, both conduct and effects are relevant: it is the fact of the coercive behaviour that is important, but (based on the definition at para 92 above) there is a close causal link between the coercive behaviour and its actual or potential effects on the target state’s free will to exercise control over its sovereign functions. To the extent that harmful effects do ensue, they may also provide evidence of the coercive behaviour, and will be relevant in assessing the proportionality of any response by the target state under international law. It is also worth noting that although potential rather than actual effects may suffice, it will be harder to evidence intervention where it is not possible to show practical effects on the ability of the target state to carry out its sovereign functions.
103. In the cyber context, the coercive behaviour of the perpetrating state is usually covert. The question arises as to whether the target state needs to know that it is being coerced in order for the coercion element to be established. If it is the fact of the coercive behaviour by the perpetrating state that establishes coercion, and if the coercion does not have to succeed in order to be unlawful, then it is not necessary for the target to know about it. The coercive behaviour is in itself enough.176
104. For the non-intervention principle to be breached, there must be a causal nexus between the coercive behaviour on the one hand and the deprivation, or attempted deprivation, of the victim state’s authority in relation to the exercise of its state functions on the other. This connection is reflected in the ICJ’s dicta in Nicaragua that:
A prohibited intervention must … be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones.177
105. The Tallinn Manual 2.0 and some scholars writing in the cyber context have equated the concept of a state’s inherently sovereign functions, for the purposes of the non-intervention principle, with what is known as domaine réservé,178 i.e. a state’s internal affairs, or a sphere of activity that is ‘not, in principle, regulated by international law’.179 The Tallinn Manual 2.0 states that ‘usurpation of an inherently government function’ (discussed in the context of violation of sovereignty) differs from intervention in that the former deals with inherently governmental functions, whereas the latter (intervention) involves the domaine réservé, ‘concepts that overlap to a degree but that are not identical’.180 It has been argued that the scope of a state’s domaine réservé is increasingly limited because there are hardly any topics or policy areas today that are inherently removed from the international sphere.181 This has contributed to a perception by some that the non-intervention principle has a relatively narrow application.
106. Even if international law has some bearing on the policy area in which a state exercises its state functions, the state may still retain ultimate authority over the area in question. Thus, international regulation of a subject does not remove it entirely from the domaine réservé; states retain independent authority to make choices among various lawful courses of action on a subject regulated by international law. For example, while international human rights law has had an impact on how states must interpret their policies on asylum, this does not mean that the conduct of these activities does not – to some extent – fall within the state’s sovereign powers. Even when a state is found to be in breach of its human rights obligations, for example, it retains the prerogative of implementing that adverse decision – the prerogative of responsibility – and thus the initiative in the matter.182
107. In any event, since the non-intervention principle derives from and is a reflection of the principle of sovereignty, the better view is that there are not two different standards of matters reserved to a state.183 The notion of domaine réservé is not particularly helpful in the non-intervention context. It concerns a state’s domestic jurisdiction, which, as noted above, is to be distinguished from a state’s inherently sovereign functions.184 It also does not include a state’s external affairs, which, as the ICJ made clear in Nicaragua, form part of the scope of the non-intervention principle.185 A better understanding of a state’s sovereign functions for the purposes of the non-intervention principle can be derived from the Nicaragua case and the Friendly Relations Declaration, in which state functions are characterized as including a state’s choice of political, economic, social and cultural system, as well as the formulation of foreign policy.186 The scope of a state’s inherently sovereign functions is thus quite broad, extending to the making of state policies in these areas through its organs and agencies of a legislative, executive and judicial kind.
108. While the scope of a state’s sovereign powers may be quite broad, state-sponsored cyber operations with effects on individuals or companies will not (without more) engage the non-intervention principle; the principle is engaged only if the attack in question has an effect on the state’s exclusive exercise of its independent sovereign functions. This approach corresponds with the public statements issued by states to date in relation to unauthorized state cyber activity in another state’s territory. States have so far only invoked a violation of international law where there are practical effects on the ability of the victim state to exercise its inherently sovereign powers. A GRU campaign of indiscriminate and reckless cyberattacks, referred to above, disrupted (among other targets) transport systems in Ukraine and was described by the UK as being ‘in flagrant violation of international law’.187 Likewise, in relation to the NotPetya attack, attributed by multiple states to Russia in February 2018,188 the UK said that it ‘showed a … disregard for Ukrainian sovereignty’ in targeting the Ukrainian government, financial and energy sectors.189 By contrast, the UK and US did not mention violation of international law in relation to the spear phishing190 campaign aimed at private universities, private companies and NGOs, which they attributed to Iran in March 2018.191 In relation to the WannaCry ransomware attack attributed to North Korean actors in December 2017, the UK, US and Australia stated this to be a ‘criminal use of cyber space’ rather than a violation of international law.192
109. These recent statements suggest a developing distinction between activities that affect a state’s ability to run its core state ‘systems’ generally (e.g. parliament; financial sector; energy; transport) and those activities that target individuals or private companies. This distinction is also reflected in the EU’s recent issue of restrictive measures against cyberattacks threatening the EU or its member states. In describing which cyberattacks fall within the scope of the measures, the EU refers to ‘financial market infrastructure’; ‘digital infrastructure’; ‘critical infrastructure’ and ‘any other sector’, as well as ‘critical State functions’,193 all of which suggest that the measures are directed at cyber operations that affect whole sectors, as opposed to cyberattacks on private individuals and private companies.
110. In order to determine whether the non-intervention principle has been breached, the target state will need to assess whether it has been the victim of an attempt by another state to deprive it of its free will in relation to the exercise of its sovereign rights with a view to compelling an outcome in, or conduct with respect to, an inherently sovereign matter. In doing so, the target state will need to consider whether there is evidence of the application of pressure by the hostile state.
111. As with violation of sovereignty, the particular features of cyberspace make it challenging to make these assessments as the activity is usually covert, with the perpetrator hiding their identity, and conducted remotely from outside the territory. The evidence of who is carrying out the attack (non-state actor or state agent; and if the former, whether the non-state actor is acting on behalf of a state), for what purpose, and the relationship if any between the perpetrating state’s activity and the affected state’s government’s functions may not at first be evident. It will require careful investigation and, if the activity is conducted outside the target state, may require cooperation with international partners. In assessing whether a state is applying pressure in order to compel an outcome or conduct, the circumstances, including the political context, the history and relationship between the target state and alleged perpetrating state, and the wider circumstances are all likely to be relevant.
112. Certain other factors may also assist in identifying whether coercive behaviour is present, including the intensity of the attack and nature of the state interests affected by the cyber intrusion. The scale and severity of the effects of the cyber intrusion may also be relevant, including the reach in terms of the number of actors involuntarily affected by the cyber operation at issue.194 If the cyber intrusion concerns the disabling of critical state infrastructure for example, it may be more likely to be coercive because such an attack would necessarily have a practical effect on the free will of the target state to exercise its sovereign functions exclusively and effectively over that infrastructure. Given the link between coercion and sovereign powers, arguably the more ‘inherently sovereign’ the area under attack, the easier it will be to establish intervention overall.
113. While the non-intervention principle is well established in international law, and clearly applicable to cyber activities as it is to other state activities, there does not appear to be complete agreement, as we have seen, on the criteria for its application. Case studies, which are increasingly prevalent now that states are becoming more vocal about state-sponsored cyber intrusions, are useful in discussing the application of the principle.195 The next chapter considers specific scenarios in order to explore how the law discussed in chapters 2 and 3 can be applied to state-sponsored cyber intrusions in practice.