The Petya ransomware cyberattack hit computers of Russian and Ukrainian companies on 27 June 2017. Photo by Donat Sorokin/TASS/Getty.
5. Reflections on the Relationship between Sovereignty and the Non-intervention Principle
146. The discussion of specific scenarios in Chapter 4 suggests that, in practice, activities that contravene the non-intervention principle and activities that violate sovereignty will often overlap in terms of the outcome. Just as the ICJ in Nicaragua noted that a single act may violate more than one of the prescriptive norms, so states’ cyber actions will sometimes do the same.250 Those that view sovereignty as a self-standing rule, violation of which can give rise to legal consequences, and those that view the non-intervention principle as the main tool for addressing states’ cyber actions, are therefore not as far apart as might at first appear. Both view much of states’ cyber activity below the use of force as a breach of international law, with the target state entitled to respond. But they reach this conclusion through different routes.
147. This paper argues that a violation of sovereignty occurs when one state exercises authority in another state’s territory without consent in relation to an area over which the territorial state has the exclusive right to exercise its state powers independently.251 The non-intervention principle is breached when a state uses coercive behaviour to deprive another state of its free will in relation to the exercise of its sovereign functions in order to compel an outcome or conduct with respect to a matter reserved to the target state.252 The main difference between the two principles is that coercive behaviour is required in relation to the non-intervention principle, which is not necessary in relation to a violation of sovereignty.253
148. How much overlap (or gap) exists between the two positions discussed in this chapter depends both on how coercive behaviour is interpreted, and on whether some form of de minimis threshold applies in relation to violations of sovereignty:
- If some form of de minimis threshold applies, the bar for violation of sovereignty is higher and thus closer to the non-intervention principle.
- Coercion is interpreted in this paper as ‘pressure on the victim state to deprive the target of its free will in relation to the exercise of its sovereign powers in order to compel conduct or an outcome with respect to a matter reserved to the target state’. The conduct or outcome could include simply hampering the target state in relation to the exercise of its sovereign functions in some way. This is not dissimilar to the conception of violation of sovereignty as one state’s exercise of unauthorized power that usurps the target state’s own independent authority; on the definition above, this too would often be likely to amount to coercive behaviour in practice.
149. If we can set on one side the position of the ‘pure sovereigntist’, which does not sit easily with the reality of states’ day to day interactions (especially in the intelligence context), there is indeed a significant overlap between those using the language of sovereignty and those referring only to non-intervention. It is not surprising that there is a good deal of overlap, as the principle of non-intervention protects sovereignty, and intervention violates sovereignty.
150. The difference of views between states on what constitutes a violation of sovereignty point to the value of states trying to first reach agreement on what kind of cyber activity they consider to constitute an internationally wrongful act, rather than focusing too much at the outset on the meaning of abstract terms.
Indiscriminate effects
151. Consideration should nevertheless be given to possible examples where the cyber activity in question is better viewed through the prism of general sovereignty than the specific non-intervention principle. These may include where the unauthorized exercise of authority by the state carrying out the cyber activity gives rise to indiscriminate knock-on effects in other states from a cyberattack directed elsewhere. These knock-on effects are unintended, without the perpetrating state caring about the consequences for other states, rather than as a result of deliberately coercive behaviour.
In the case of the WannaCry ransomware cyberattack, which affected 300,000 computers in 150 countries, the perpetrating state attempted to extract hard currency from users, rather than to deprive the state(s) on whose territory users were affected of free will in relation to the exercise of sovereign functions.
152. For example, in the case of the WannaCry ransomware cyberattack mentioned above,254 which affected 300,000 computers in 150 countries, the perpetrating state attempted to extract hard currency from users, rather than to deprive the state(s) on whose territory users were affected of free will in relation to the exercise of sovereign functions. The attack on individual users had ripple effects in other states, including on critical infrastructure in the UK, where GP surgeries and hospitals linked to NHS Trusts that had not updated their software were affected.255 But the facts suggest that the disruption to the services affected was a side effect of the original criminal enterprise, rather than coercive behaviour specifically directed at subordinating the UK’s sovereign will in relation to the exercise of its government functions. If so, then the intervention threshold would not have been met. Could the cyberattack still be considered an unauthorized exercise of authority in relation to the sovereign functions of another state? The Tallinn Manual 2.0 suggests that in certain circumstances it could.256
153. But if this were the case, the scope of application of the sovereignty principle in the cyber context would expand quite significantly. The nature of the internet is such that malware and viruses can easily proliferate beyond borders with indiscriminate effect. In the WannaCry example, it could mean that the sovereignty of each of the 150 states affected was violated (in the case of relative sovereigntists, this would of course depend on the scale of the effects in the state concerned). Note that the joint statement by the UK, US and Australia attributing the attack to North Korea suggests that they did not consider sovereignty to be violated in this case; the attack was referred to as a ‘criminal use of cyber space’ rather than a violation of international law.257 Similarly, in relation to the NotPetya attack (attributed to Russia by a number of states),258 which targeted the Ukrainian government, but also generated indiscriminate damage in countries across Europe,259 the UK government stated that the attack showed ‘continued disregard for Ukrainian sovereignty’ but did not refer to the sovereignty of other states affected by the virus.260
154. There is a need for caution when drawing insights from government statements (collective or individual) given that thus far there have been relatively few. There may be reasons other than the law for states to choose not to frame state-sponsored cyber activity as a violation of sovereignty, for example political caution; fear of retaliation; operational tactics;261 or lack of certainty about how international law applies. The state concerned may prefer to handle the activity as an unfriendly act with diplomatic consequences; through covert counter cyber operations of their own;262 prosecutions under domestic law,263 or sanctions.264 But nevertheless, it is clear from the public statements available that states have not thus far characterized knock-on effects in other countries as violations of sovereignty.
Non-intervention principle or sovereignty?
155. If the significant overlap identified above is accepted, one might ask: what is the point of the non-intervention principle? The value of the principle, as with the rules on the use of force, is that it provides an established customary rule for dealing with these issues. It has a firm existential foundation, content that is reasonably well understood, and is an emanation of the principle of sovereignty. Just as the use of force has its own set of rules even though it is also a derivative of the sovereignty principle, so the non-intervention principle is a clearly established part of international law with its own constituent elements.
156. The lack of clarity as to when a violation of sovereignty has been committed in the cyber context may be one of the reasons that the UK government and some academic experts have argued that there is no cyber-specific rule on sovereignty. This paper has argued that there is a (perhaps small) gap between violation of the non-intervention principle and violation of sovereignty, but that it is not clear where the limits are in relation to sovereignty. There are two potential approaches to sovereignty that may avoid capturing all unauthorized intrusions in another state including mere trespass (whether physical or remote). One relates to the interpretation of the notion of inherently sovereign powers. The other encompasses a threshold based on scale and/or effects in the victim state. As we have seen, both issues are currently disputed.
157. On the issue of independent state powers, given that some states appear to conceive their inherently sovereign powers to include sovereignty over their citizen’s data, placing greater reliance on sovereignty in the cyber context risks bolstering a position (‘cyber sovereignty’) in which individuals’ freedoms online are undermined, contrary to international human rights law. As the definition of inherently sovereign functions in international law concerns the regulation of a state’s political, economic, social and cultural systems, it does not seem credible to categorize any kind of state-sponsored interference in the matters of private companies or citizens as an internationally wrongful act. In the absence of agreement on how sovereignty applies in the cyber context, the non-intervention principle provides a more objective basis for assessing international wrongfulness than the sovereignty principle.
158. On the second issue, some suggest that where there is interference by one state in another state’s affairs but no coercion, this should be considered to be a violation of sovereignty only in circumstances where there are certain quantitative or qualitative effects. This position has the virtue of striking a middle ground between those that consider sovereignty to be an unauthorized exercise of authority, whether physical or remote, which does not sit with reality of states’ daily interactions, and those that deny that sovereignty has any legal consequences at all in the cyber context. But this position is lex ferenda rather than established international law. In due course, as further state practice and opinio iuris emerge, a cyber-specific understanding of sovereignty may develop, much like that developed for other domains of international law. In the meantime, because it is unclear whether there is a limit or threshold to violations of sovereignty, states may prefer to use the more clearly established framework of non-intervention where that is possible.
159. Ultimately, it may be that what matters is the substance of the rights and obligations and not how they are labelled (whether a violation of sovereignty or the prohibition on intervention). Nevertheless, it is important to be able to reach common understandings on these issues, especially when there is so much else in the cyber context on which states fundamentally disagree.