The Petya ransomware cyberattack hit computers of Russian and Ukrainian companies on 27 June 2017. Photo by Donat Sorokin/TASS/Getty.
7. Conclusions and Recommendations
172. Until governments are more transparent about their views on how international law applies to their cyber activities, and explain their practices, the conclusions below about the application of international law to states’ cyber operations are necessarily cautious. The following conclusions and recommendations are a result of extensive research and discussions, including at roundtables attended by states’ representatives.
I. Conclusions on the law
- International law is applicable to states’ activities in cyberspace.
- In the absence of relevant treaties other than the UN Charter, existing customary international law must be looked to as a basis for the law applicable in cyberspace. Publicly available state practice relating specifically to cyberspace is currently sparse. But as with any other state activity, existing principles and rules of international law are applicable to state activities in cyberspace, unless there is state practice with opinio iuris to indicate that a relevant principle or rule is not applicable.
- The principle of sovereignty applies in relation to states’ cyber activities, as it applies in the non-cyber context. The principle has legal consequences.
- A state’s authority and jurisdiction apply in relation to cyber infrastructure and operations within its territory, as they do to other matters. Territorial sovereignty and the independence of a state’s powers vis-à-vis other states are therefore applicable.
Violation of sovereignty
- A state with an agent physically present in another state’s territory who is exercising state powers within the territory of that other state without consent may be committing a violation of the latter state’s sovereignty. Similarly, the remote carrying out of such an act by a state agent without consent, which has a harmful effect on another state’s territory, may also be a violation of sovereignty in certain circumstances. This rule applies equally in relation to activities in cyber operations as it does in relation to other state activities.
- The precise limits of the application of this rule are not established in international law. It is not clear, for example, whether there is some form of de minimis rule in action, as evidenced by the way that states treat the activities of other states in practice. While some would like to set limits by reference to the scale or severity of effects of the cyber activity, at this time there is not enough state practice or opinio iuris to say that such limits are reflected in customary international law. The assessment of whether sovereignty has been violated therefore has to be made on a case-by-case basis, if no other more specific rules of international law apply.
- Before a principle of due diligence can be invoked in the cyber context, further work is needed to agree upon rules as to what might be expected of a state in this context. This should be discussed and agreed upon by states.
The non-intervention principle
- The principle of non-intervention is the corollary of the principle of sovereignty: it prohibits a state from intervening by coercive means in matters within another state’s sovereign powers. This principle applies to a state’s cyber operations as it does to other state activities.
- The coercive behaviour is carried out by a state or by a non-state actor whose actions are attributable to a state under the rules on state responsibility.
- The element of coercion in the non-intervention principle describes pressure on the victim state to deprive the target of its free will in relation to the exercise of its sovereign powers in order to compel an outcome in, or conduct with respect to, a matter reserved to the target state.
- The coercive behaviour can consist of a range of techniques: direct and indirect; overt and covert.
- It is the fact of the coercive behaviour applied in relation to the sovereign functions of another state that is the key to the non-intervention principle. The coercive behaviour does not need to succeed in depriving the target state of its free will in relation to its sovereign functions. Nor does the state need to know of the interference at the time it takes place.
- Where there are state cyber operations affecting another state’s powers, but there is no coercion, the principle of non-intervention does not apply. In such circumstances it will be necessary to ascertain whether a cyber operation has violated the target state’s sovereignty in another way.
Overlap between non-intervention and sovereignty
- In practice, activities that contravene the non-intervention principle and activities that violate sovereignty will often overlap. How much overlap or gap exists between the two depends both on the interpretation of coercion and on whether or not a form of de minimis threshold applies in relation to violations of sovereignty.
- In view of the overlap, it is perhaps not surprising that states refer to violations of international law in general rather than specifying a particular branch of the law.
- Because it is unclear whether there is a limit or threshold to violations of sovereignty, states may prefer to use the more clearly established framework of non-intervention, where that is possible.
- In due course, further state practice and opinio iuris may give rise to an emerging cyber-specific understanding of sovereignty, just as specific rules deriving from the sovereignty principle have crystallized in other areas of international law.
II. Recommendations to governments
- States need to make an informed decision as to where their own position lies on the application of international law to cyber activity. Intelligence agencies and foreign services within a state need to speak with one voice.
- Once they have decided on their legal position, states should indicate publicly what it is, where possible giving examples of when an obligation may be breached, as states such as the UK, the Netherlands and France have done.
- States that disagree on how the law applies must discuss these issues in a more open way.
- The UN offers one forum for discussion. Further dialogue between separate groups of states, academics, private-sector organizations and civil society on these issues would also be valuable, building on the work in the Tallinn Manual 2.0 and other initiatives.
- Discussion of sovereignty and non-intervention in the cyber context should be divorced from consideration of the law on use of force and armed conflict.
- States should not seek to undo the valuable consensus on the application of international law to cyberspace that has been reached at past UN GGEs.
- Instead, further discussion should focus on how the rules apply to practical examples of state-sponsored cyber operations. There may be more commonality about specific applications of the law (‘is this behaviour an internationally wrongful act, and why?’) than there is about abstract principles (‘is sovereignty a rule or a principle and how does it relate to intervention?’).
- The prospects of a general treaty in this area are far off. There may be benefit in looking for agreement on limited rules, for example on due diligence and a prohibition on attacking critical infrastructure, before tackling broad principles.