The vital role of international law in the framework for responsible state behaviour in cyberspace

Pages 394-410 | Received 19 May 2020, Accepted 14 Sep 2020, Published online: 29 Oct 2020

ABSTRACT

This article explores the importance of international law in debates about responsible behaviour in cyberspace – in providing a rules-based framework, in legitimising states’ actions in response to unlawful activity in cyberspace by other states, and in lending normative force to statements calling out malicious cyber activity. At the same time, the article seeks to highlight the challenges involved in applying international law, and uses the application of two peacetime precepts of international law – the principle of sovereignty and the principle of non-intervention in other states’ internal affairs – to illustrate some of the doctrinal issues with which states are grappling. While acknowledging these challenges, the article concludes that even if the UN parallel processes in the form of the Open Ended Working Group and Group of Government Experts do not result in substantial agreement between states on issues of international law, the debates in themselves are valuable in encouraging states to deliberate on these issues and to make their views public. By publicising their views, states add momentum to the journey towards cyber-specific understandings of international law.

1. Introduction

The application of international law to cyberspace is a hot topic in discussions between states regarding a framework for responsible state behaviour in cyberspace. The mandates of both the Group of Government Experts on advancing responsible state behaviour in cyberspace in the context of international security (UN GGE) and the Open Ended Working Group on Developments in the Field of ICTs in the Context of International Security (OEWG) include examination of how international law applies to cyberspace. But currently states are at odds with each other on a range of international law issues – can cyberattacks by one state violate another state's sovereignty, and if so on what basis? Is there a legally binding rule on states not to knowingly allow their territory to be used for internationally wrongful acts in cyberspace? Can states take countermeasures in response to an international law violation by another state in cyberspace, and if so in what circumstances? Without agreement on these and other important international law issues, we risk a legal vacuum to be exploited by malicious actors. Yet the tense geopolitical climate, and divergent perspectives on how international law might apply in cyberspace, make the prospect of agreement in this area challenging.

This article argues that while states face an uphill struggle in reaching agreement on international rules in this area, the journey is in some ways as important as the destination. The debates at the UN, while fractured, nevertheless show a positive degree of engagement in a process that is increasingly transparent, inclusive and global. The agreement of what constitutes customary international law in the context of cyberspace will inevitably take time. But by encouraging a wide range of states to engage through the twin track processes at the UN, to put on record their views, and to build up their legal capacity in this area, the debate is making some kind of progress through the establishment of important building blocks that will ultimately assist in developing cyber-specific understandings of international law.

This article starts by highlighting the importance of international law in cyberspace. It then uses two particular areas of international law – the general international law principles of (i) sovereignty and (ii) the prohibition on intervention into other states’ internal affairs – to illustrate both the degree of engagement by states in these issues and the challenges involved in reaching agreement. Finally, the article discusses the prospect of states successfully reaching agreement on the international rules that govern responsible state behaviour in cyberspace.

2. Why is international law important in regulating states’ behaviour in cyberspace?

For some time, it has been widely acknowledged by states and international organisations that existing principles of international law apply to states’ cyber operations as they do in the physical space, unless there is state practice or opinio iuris (i.e. the belief that the action was carried out as a result of a legal obligation) to suggest otherwise. In 2013, the General Assembly adopted the consensus reports of the UN GGE, in which the member states agreed that:

International law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.

State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory. (Report of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security 2013)

In the 2015 GGE report, states also agreed that the principles of the UN Charter applied:

(b) In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality, the settlement of disputes by peaceful means, and non-intervention in the internal affairs of other States. A growing number of international bodies have also recognised this. (Report of the Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security 2015)

As well as individual states, numerous international bodies have recognised that existing international law applies to states’ activities in cyberspace, including NATO (2014, 2020), the OSCE (2016), the G7 (2017), the EU (2017) and the Commonwealth (2018).

There are many areas of international law that are potentially engaged by cyber activity carried out by one state in the territory of another state. These include primary rules that prohibit or permit certain types of state behaviour, including international criminal law, international humanitarian law, the law on the use of force, general principles of international law and international human rights law. Secondary rules of international law, which set out the circumstances in which states may be deemed internationally responsible for violations of international law and remedies for victim states in response to a violation of international law, also apply to states’ actions in cyberspace (the Draft Articles on the Responsibility of States for Internationally Wrongful Acts, adopted by the International Law Commission (ILC) in 2001).

International law also provides standards of conduct that states should follow to ensure they do not knowingly allow their territory to be used for acts contrary to the rights of other states. This principle of ‘due diligence’ is one of a series of measures indicated in the UN GGE Reports that states should follow to prevent and mitigate cyberattacks. International law also provides a framework for states to deal with grievances in the cyber realm: Article 33 of the UN Charter on the peaceful settlement of disputes applies equally to disputes in the cyber domain as it does to other areas of state activity. There is thus already a strong and well-established international law framework that applies to the cyber realm, just as it applies to other domains of state activity.

But while it is generally accepted that this existing body of international law can be applied to state behaviour in cyberspace in principle, some states have questioned its value in practice, and have proposed that new rules are needed. The member states of the Shanghai Cooperation Organization proposed a blueprint to the UN General Assembly, in the form of a draft International Code of Conduct for Information Security, submitted first in 2011 and then in revised form in 2015 (Letter dated 9 January 2015 from the permanent representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the secretary-general, UNGA A/69/723). The proposed code has not gained much traction, partly because of concerns about the lack of reference to international human rights law, but some states continue to question the value of existing international law in relation to state activity in cyberspace. It is therefore important to address head-on questions about the role and value that the existing international law framework can and does play in deterring, mitigating and punishing malicious state cyberattacks.

International law provides a framework for holding states responsible for malicious cyber activity and offers a framework for preventing escalation. As the then UK Attorney General noted in his speech on ‘Cyber and International Law in the twenty-first Century’ at Chatham House in June 2018, ‘the clearer we are about the boundaries of acceptable behaviour, the lower the risk of miscalculation and the clearer the consequences can be for transgressing them’ (Wright 2018). The Attorney General noted that while respecting international law entails some restrictions on a state's freedom of action, ultimately the rules-based international order makes the world a safer place through reciprocal rules on how states should behave in cyberspace, with the ability to call out states that break those rules. All states, however powerful, are at the mercy of cyberattacks from other states. As is well known, the US was targeted with a series of significant cyberattacks in the 2016 presidential election; China has stated that in 2017, it suffered nearly $60 billion in economic loss due to cybersecurity incidents, with 93.5 per cent of ransomware attacks in China conducted from overseas (Ministry of Foreign Affairs of the People’s Republic of China 2019). There is therefore an interest for all states in having a collective system with rules that apply to all.

International law also governs states’ responses to state-sponsored cyber activity that transgresses international law, by setting out the circumstances in which a state will be internationally responsible for a violation of international law, and by providing remedies for victim states. A victim state may choose to respond to an attack through lawful acts, such as the expulsion of diplomats. In certain circumstances, the victim state may also have the right to take acts which would otherwise be unlawful – countermeasures – against the perpetrating state (Article 22 of the ILC's Articles on State Responsibility).

International law assists states in attributing a cyber operation to a state by providing common rules and evidential standards. The ability of states to successfully identify the perpetrator of a cyberattack has increased considerably over the past few years, partly thanks to developments in technology and partnerships with the private sector, as has the speed at which states are able to attribute cyber activity and work with partners to call out the behaviour. Under the Articles on State Responsibility, cyberattacks by private persons or organisations can in certain circumstances be attributed to a state, for example if the non-state actor acts under the instructions, direction or control of a state when carrying out the cyberattack (Article 8). Until recently, even if a state possessed evidence to a high standard of proof that the cyberattack was carried out by another state, states did not make public statements attributing the activity to another state, and if they did so, did not invoke international law in doing so. But increasingly, states and international organisations attribute cyberattacks to other states in public. The attribution of a cyberattack to another state is much more powerful if it can be linked to a violation of international law, as it increases the ‘naming and shaming’ effect. The fact that states usually go out of their way to argue either that they were not responsible for a particular violation of international law, or that their activity was not a violation at all, shows that states generally care about being seen to comply with the rules.

Increasingly, states are acting in alliance with other states in response to malicious state cyberattacks, and invoking international law in doing so. In October 2018, seven states – the UK, US, Australia, Canada, New Zealand, the Netherlands and Germany – attributed a campaign of indiscriminate and reckless cyberattacks to a Russian military intelligence organisation, the GRU (UK National Cyber Security Centre 2018). The coordinated statements noted that the attacks were ‘in flagrant violation of international law’, having effects on people in many countries and costing millions. The international attribution was supported by a number of other states and organisations including the Czech Republic, Denmark, Estonia, Finland, France, Latvia, Japan, Norway, Poland, Romania, Slovakia, Sweden, Ukraine, the EU and NATO. The EU has agreed a framework for collective action against malicious state cyber activities through a cyber diplomacy toolbox, including a cyber sanctions regime (EU Council Decision 7299/19 concerning restrictive measures against cyberattacks threatening the Union or its Member States).

International law has also been invoked in response to the numerous cyberattacks carried out in the context of Covid-19, including the targeting of one of the Czech Republic's biggest Covid-19 testing laboratories, attacks on the World Health Organization and attempts to steal data from UK universities conducting research into a vaccine. In response to such attacks, the UK and the Netherlands specifically invoked international law (the Netherlands stating that ‘malicious cyber operations targeting healthcare systems or facilities could, depending on the specific circumstances, be qualified as a violation of international law’), while other states, including the US and Canada, referenced the framework for responsible state action in cyberspace. The European Union issued a statement in which ‘the European Union and its Member States call[ed] upon every country to exercise due diligence and take appropriate actions against actors conducting such activities from its territory, consistent with international law’ (Declaration by the High Representative Josep Borrell, on behalf of the European Union, on malicious cyber activities exploiting the coronavirus pandemic, 30 April 2020). Twelve other countries aligned themselves with this Declaration. Estonia, which occupied the Presidency of the Security Council in May 2020, convened an Arria-Formula meeting of the Council on responsible state behaviour in cyberspace in May, which included discussion of the protections accorded to healthcare under international law. On 26 August 2020, a further Arria-Formula meeting was convened on Cyber Attacks against Critical Infrastructure, including discussion of what measures member states should take to implement existing international law rules, as well as voluntary principles, which protect critical infrastructure. Thus both states and international organisations are becoming increasingly confident in invoking international law in the context of malicious state cyber activity against another state.

3. Challenges in applying international law in cyberspace

While coordinated international action to ‘call out’ malicious cyberattacks increasingly harnesses the normative force of international law, it is notable that in each case the statements are vague about precisely which international rules are at issue, referring to ‘international law’ in general, or to ‘norms’ of responsible state behaviour. This cloudiness to some extent reflects uncertainty within and between states as to how international law applies in practice, and in some cases also a desire to maintain a position of strategic ambiguity.

Cyber operations often consist of ‘hybrid warfare’, not easily fitting the war/peace paradigm on which international law is traditionally based. This blurring of boundaries has led to fears that certain types of cyberwarfare could unless and until agreement is reached on how the rules apply. As well as being the subjects of international law, states are also the authors of it – they make the rules. But as yet, there are no treaties in this area (beyond the Council of Europe's Budapest Convention, which is confined to cybercrime), so we are reliant on customary international law at this stage as the main source of international rules. Customary international law can be defined as a general state practice that is accepted by states as law.

Until recently, states were reluctant to opine publicly on how they consider existing customary international law to apply in relation to states’ activities in cyberspace, in part because cyberspace is an area in which states conduct sensitive operations including intelligence gathering. This lack of transparency made the application of existing rules in the cyber context much more challenging. The unique features of cyberspace – including the fact that it has a virtual layer that does not map easily onto territorial space and the fact that cyberattacks are typically conducted remotely from outside the victim state's territory – have also given rise to challenges of application. But in the last few years, a growing number of states have published their views on how they consider existing international law to apply in the cyber context. States and commentators, including the international group of experts involved in the preparation of the Tallinn Manuals (2017), have also had time to think through and debate how existing rules might be applied to the peculiar features of cyberspace.

A look at the application of two general rules of international law in the cyber context – the principles of sovereignty and non-intervention in the affairs of other states – illustrates some of the progress made, and some of the ongoing challenges faced, by states in their journey to agree rules governing their cyber activities. These two peacetime principles of international law have been chosen because they are highly relevant to most state cyber activity. The vast majority of state-to-state cyber operations do not give rise to death or serious injury, and thus in practice are unlikely to amount to a use of force or armed attack under the UN Charter. State cyberattacks are typically low-level, persistent intrusions into the target state, often without discernible physical effects, but capable of causing significant harm. As noted above, the application of these principles in the cyber context was also specifically cited by the UN GGE in the 2013 and 2015 consensus reports.

3.1. The principle of sovereignty

The principle of sovereignty in international law entails a bundle of rights: a state's right to territorial sovereignty, the right to independence of state powers, and the idea of equality of states in the international order (external sovereignty). When one state exercises its authority in another state's territory without the consent of the territorial state, in relation to an area over which the territorial state has the exclusive right to exercise its state powers independently, that constitutes a violation of sovereignty (Moynihan 2019). The same rules regarding violation of sovereignty apply whether the exercise of authority by the perpetrating state is carried out through a physical presence on the territory of the affected state or remotely from outside the affected territory.

There are some specific rules that reflect the general principle of sovereignty and that regulate or prohibit the exercise of authority by one state in another's territory. These include: the rules on the use of force, which are to be found in the UN Charter and customary international law; the principle of non-intervention in the internal affairs of other states; and the law of the sea and air law, as incorporated in the UN Convention on the Law of the Sea and the Convention on International Civil Aviation (Chicago Convention) as well as customary international law. Where there are no specific rules in place, the exercise of state power by one state in relation to another state continues to be governed by the general rules on sovereignty mentioned above.

In the last two years, a number of states – including the Netherlands (2019), France (2019), Austria (2020), the Czech Republic (2020) and Iran (2020) – have stated that they consider that an unauthorised cyber incursion by one state into another state could, in certain circumstances, lead to a violation of state sovereignty (see also NATO's Allied Joint Doctrine for Cyberspace Operations – 3.20, at footnote 20). But not all states agree. The UK has stated that it is not possible to ‘extrapolate from that general principle [sovereignty] a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK Government's position is that there is no such rule as a matter of current international law’ (Wright 2018). The US Department of Defense (DoD) recently stated that its view on sovereignty ‘shares similarities with the view expressed by the UK government in 2018’ (Ney 2020). At the same time, the DoD stated that ‘it does not appear that there exists a rule that all infringements on sovereignty in cyberspace necessarily involve violations of international law’, which implies that in the DoD's view at least some cyber operations may infringe state sovereignty and are internationally wrongful.

In principle, there seems no reason why the principle of sovereignty should not apply in the cyber context as in the non-cyber context. As long as the servers affected are located in the victim state's territory, then an unauthorised exercise of authority by one state by cyber means in another state's territory could constitute a violation of the victim state's sovereignty (Moynihan 2019, citing Watts and Richards 2018; para 16 of commentary to Rule 4 of Tallinn 2.0, 2017). The more difficult question is how sovereignty can be violated in the cyber context. Some consider sovereignty to be a ‘catch-all’ principle, which encompasses any interference by one state with another state's exclusive authority, where that interference is not included in more specific rules such as those on non-intervention or non-use of force (Tsagourias 2018; Watts and Richards 2018). Others consider that there exists a ‘de minimis’ threshold beyond which sovereignty can be violated – in other words, that some low level unauthorised state interference will not qualify as a violation of sovereignty.

Those taking the ‘catch-all’ position assert that any non-consensual incursion by a state agent into the territory of another state can amount to an exercise of state authority sufficient to violate the territorial state's sovereignty, regardless of whether that incursion produces damage or otherwise breaches international or national law, and regardless of whether the exercise of authority is manifested through a physical presence on the territory or remotely (Buchan 2018; Watts and Richards 2018). Taking this approach, the potential for violations is significant (Moynihan 2019). It would technically be a violation of sovereignty, and thus an internationally wrongful act, for a state to install an access mechanism on another state's computer infrastructure without any interference in the functionality of that infrastructure, to gather information for espionage purposes, or to undertake exploratory cyber activity to identify a weakness within the system that may be useful for a future attack. This open-ended, maximally protective approach to violation of sovereignty in the cyber context appears to be at odds with states’ day-to-day interactions in cyberspace. The reality of the interconnected online world is that states constantly transit through each other's portals, often without explicit authorisation, especially states’ intelligence agencies. With an open-ended approach to sovereignty, the sovereignty of states would be in a frequent state of violation, with such violations taking place with little or no response from most states. The French government appears to support this position on sovereignty, the Ministère des Armées having stated that, ‘Any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ … constitutes a breach of sovereignty’ (Ministère des Armées 2019; see also Buchan 2020). A statement by the General Staff of the Iranian Armed Forces of 18 August 2020 appears to take a similar approach (Roguski, 3 September 2020).

For those taking the position that state cyber activity only violates another state's sovereignty where such activity reaches a certain threshold, the question then becomes what the criteria might be for such a threshold. Should the criteria be based on quantitative factors such as the scale of the harm in the target state, the number of citizens affected or the geographic reach of the attack, or qualitative factors, such as the nature of the attack, or both (Moynihan 2019)? The international group of experts involved in the Tallinn Manual 2.0 (2017) explored whether it is possible to identify criteria for infringements of the target state's ‘territorial integrity’, under which remote cyber intrusions will only reach the level of violation of sovereignty where a certain level of harmful effects are caused on the territory of the victim state. They did so by considering a hierarchy of scenarios: physical damage to the computer concerned; loss of functionality; and effects below loss of functionality, such as the temporary slowing down of a computer. But creating a threshold based on the effects in the target state raises a number of challenges. States are likely to take different positions on where the line should be drawn, just as the international group of experts involved in the Tallinn Manual 2.0 did (Commentary to Rule 4 of Tallinn Manual 2.0, 2017, paras 11–14). The deletion of one state's critical government data by an outside state will not necessarily cause physical effects or loss of functionality but may nevertheless be capable of having a more serious effect on the ability of the target state to exercise its state functions, as the Wiper virus did in Iran in 2012, targeting Iran's oil production, systematically scrubbing hard drives clean and deleting the malware's code with it (Moynihan 2019). So should ‘harm’ caused by cyber interference be measured in quantitative or qualitative terms, or both?

One of the challenges of debating the application of sovereignty in cyberspace is that the limits of ‘sovereignty’ as a general principle of international law are not established even outside the cyber context (for a more detailed discussion of this and the application of the sovereignty principle in cyberspace, see Moynihan 2019). But it is clear that states are increasingly engaging in detail on this difficult issue, and some have been prepared to put their thinking in the public domain. The government of the Netherlands alluded to limits to sovereignty in its statement on the application of sovereignty to cyberspace, noting that ‘in general’ it endorses Rule 4 of the Tallinn Manual 2.0 ‘for determining the limits of sovereignty in the cyber domain’ (Minister of the Netherlands 2019). The Czech Republic's statement at the OEWG in February 2020 restricted the scenarios in which the Czech Republic considers sovereignty could be violated to four specific circumstances, relating to remotely conducted cyberattacks causing significant effects in various ways (physical or otherwise), or a cyber operation carried out by an agent physically on the territory (Kadlcak 2020). Certain other states have posited that as well as severity, the scale of the effects on society may be a factor that they take into account when considering whether the cyberattack could constitute a violation of sovereignty (Moynihan 2019). Debates in this area currently remain at a relatively early stage. But in due course, as further state practice emerges about how states understand existing international rules to apply, a cyber-specific understanding of sovereignty may develop.

It is notable that the states cited above are almost all Western. China and Russia are proponents of a different understanding of sovereignty in the cyber context – what China has referred to as ‘cybersovereignty’. Under this concept, a state's inherently sovereign functions include sovereignty over their citizens’ data and access to the internet. This much broader notion of ‘sovereignty’ in the cyber context should be distinguished from the understanding of sovereignty in the international law sources. The definition of a state's ‘inherently sovereign functions’ in international law concerns the regulation of a state's political, economic, social and cultural systems (Nicaragua case, International Court of Justice, para 205), rather than the activities of individuals, which a state may choose to regulate under its domestic law. The distinction between state sovereignty in international law and a state's domestic powers, which may affect citizens’ human rights in the cyber context, was noted by Austria in its statement at the OEWG in February 2020:

Austria has recently been the target of a severe cyber operation. In that context, we would like to refer to the principle of state sovereignty. A violation of this rule constitutes an internationally wrongful act – if attributable to a state – for which a target state may seek reparation under the law of state responsibility. A target state may also react through proportionate countermeasures. It is clear, however, that references to state sovereignty must not be abused to justify human rights violations within a state's borders. In other words, state sovereignty must not serve as a pretext for tightening control over a state's citizens which undermines their basic human rights such as the right to privacy and the freedom of expression (Government of Austria 2020).

International law should be applied objectively, and sovereignty is always circumscribed by other rules of international law, such as obligations to accord human rights. The difficulty is that the current lack of any specific criteria for violation of sovereignty in the cyber context increases the risk of subjective interpretations by states.

States’ views on sovereignty may also be influenced by their own operational and strategic objectives. Cyber-active states will wish to safeguard their ability to use cyber operations, rather than setting the bar for unlawful activity too low. For example, the US military doctrine of ‘persistent engagement’ (the idea of continuously engaging and tracking adversaries in cyberspace, and taking action to thwart them) is in part designed to address US action on third state territory in response to a perceived aggressor state's actions. The US DoD General Counsel recently stated that ‘there is not sufficiently widespread and consistent state practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits […] non-consensual cyber operations in another state's territory’ (Ney 2020). While previous US legal advisers have stated that ‘States conducting activities in cyberspace must take into account the sovereignty of other States’ (Koh 2012; Egan 2016), the DoD's careful language suggests that the US is maintaining a position of strategic ambiguity when it comes to sovereignty in order to increase its operational flexibility.

3.2. The non-intervention principle

The prohibition on intervention in the internal affairs of other states is another general principle of international law that is highly relevant to states’ activities in cyberspace. Despite being codified in various international agreements and documents, the prohibition on intervention in another state's affairs has been described by scholars as vague and ‘elusive’ (Lowe 2007). But in the Nicaragua case the International Court of Justice provided some useful guidance. The ICJ held that the non-intervention principle (outside the context of use of force) applies to one state's actions in relation to another state where two elements are present:

  1. coercion by one State;

  2. in relation to ‘matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy’ (para 205).

Insofar as it concerns non-forcible interventions, the principle of non-intervention relates to the element of sovereignty under which states are entitled to exercise their state powers independently and free from interference from other states. This is also reflected in the Friendly Relations Declaration, which provides that ‘No State may use or encourage the use of economic, political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights’ (UN Doc A/Res/2625 1970). It follows that the main difference between violation of the non-intervention principle and other breaches of sovereignty is the element of coercion.

3.3. Coercion

There is no generally accepted definition of ‘coercion’ in international law. But the international law sources hint at its essence. The ICJ in the Nicaragua case stated that ‘Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones’. The Nicaragua case and the Friendly Relations Declaration suggest that in the international law context, coercion can be characterised as an act by one state that seeks to deprive the target state of its free will over its sovereign functions, in order to compel an outcome or conduct with respect to the target state's exercise of its sovereign functions (Moynihan 2019). This might take the form of ‘dictatorial’ behaviour, under which one state tries to force another to change its policy in some way (‘do x or else’). The Tallinn Manual (2017) gives the example of a distributed denial of service operation designed to force a state to reverse its decision on the state's official language after a referendum (para 18 of the commentary to Rule 66 on ‘Prohibition of intervention’ in the Tallinn Manual 2.0 (2017)). This conception of coercion appears to be reflected in the position of the Netherlands government, which has stated that,

The precise definition of coercion, and thus of unauthorised intervention, has not yet fully crystallised in international law. In essence it means compelling a state to take a course of action (whether an act or omission) that it would not otherwise voluntarily pursue. The goal of the intervention must be to effect change in the behaviour of the target state (Government of the Netherlands, 2019, emphasis added).

If coercion is understood in the sense of dictatorial action by a state to force a change of policy in another state, this results in a narrow standard, with the consequence that the threshold for engaging the non-intervention principle is a high one that is hard to meet (Ziolkowski 2013; Schmitt and Vihul 2017). But in the international law context, coercion can include more subtle and indirect forms of behaviour, such as depriving a state of its control over critical national infrastructure like transport facilities, essential medical services or energy supplies. This is reflected in the Australian government's definition of a prohibited intervention as:

one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide upon or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely. Such matters include a state's economic, political and social systems, and foreign policy (Government of Australia 2017, 2, emphasis added).

The definition above closely follows the dicta of the ICJ in the Nicaragua case, in which the court described coercive behaviour as one state depriving the target state of its right to make free choices in relation to the exercise of its sovereign functions. Under this definition, coercive behaviour could encompass state cyberattacks aimed at forcing a change of policy, but also cyberattacks designed to retaliate more generally against another state by interfering with the target state's ability to govern effectively in some way (Moynihan 2019). The very inability of the target state to exercise control over its sovereign functions, with the harmful effects that are likely to ensue within the target state as a result, is the outcome that the perpetrating state is seeking to compel. Perpetrating states often use cyber operations in this way, for example a cyber incursion that deliberately seeks to deprive another state of control over its national power grid in order to punish or retaliate against that state.

Both the UK and Australia have stated that they consider that the use by a hostile state of cyber operations to manipulate the electoral system to alter the results of an election in another state, or to intervene in the fundamental operation of Parliament or in the stability of states’ financial systems, could constitute a violation of the principle of non-intervention. Former US legal adviser Brian Egan also stated that states’ cyber activities could violate this prohibition, citing a cyber operation by a state that interferes with another country's ability to hold an election or that manipulates another country's election results (Egan 2016).

Applying the non-intervention principle to a topical example – the recent cyberattacks on certain states’ healthcare infrastructure in the context of Covid-19 – if such activity can be attributed to a state, could such attacks violate the prohibition on interference? The UK has stated that the non-intervention principle may cover acts such as the ‘targeting of essential medical facilities’ (Wright 2018). That of course begs the question of which medical facilities fall into the category of ‘essential’. If the effects, as in the cyberattacks on the Czech Republic, were to force medical operations to be rescheduled and patients to be moved, should this be considered as coercive behaviour? As noted above, some would argue that in order to be so, the act in question must be designed to compel a targeted state to change its policy in some way. With this narrow understanding of coercion, the mere disruption of medical facilities may fall outside the scope of the non-intervention principle. But if coercion is understood as interference by one state that effectively deprives another state of its ability to control, decide upon or govern matters of an inherently sovereign nature, then it could include disruption of essential medical facilities. The target state would be deprived of its powers to protect the public through the provision of vital medical care. Similarly, a state using cyber means to deliberately disrupt another state's research into an effective Covid-19 vaccine could be argued to cross the threshold of intervention if it deprived the target state of its exclusive control over the vaccine, especially given the crucial importance of the vaccine to the target state's crisis management during the pandemic, in terms of both the health of its citizens and the state of the economy.

Could a cyber intrusion into another state's servers also violate international law if the effects are less disruptive, for example merely spying on a target state's vaccine research, undetected? This would not cross the threshold of intervention because the coercion element would not be satisfied. Whether or not such activity would violate the sovereignty principle is more complicated, since as per the above it will depend on one's view as to (i) whether there exists a stand-alone international legal rule of sovereignty in cyberspace capable of giving rise to legal consequences, and (ii) if so, whether the sovereignty rule is perceived as an open-ended concept (and thus violated by any unauthorised cyber incursion by one state into another's territory) or governed by some kind of de minimis threshold.

3.4. The relationship between sovereignty and the non-intervention principle

It is clear from the above that some states, such as the UK and Australia, see an important role for the non-intervention principle in the cyber context, whereas some other states – including France, the Netherlands, the Czech Republic and Austria – place greater weight on the principle of sovereignty. In practice, there is some overlap between those using the language of sovereignty and those referring only to the prohibition on intervention (Moynihan 2019). This is not surprising: the principle of non-intervention protects state sovereignty, and intervention violates sovereignty. The main difference between the two principles is that coercive behaviour is required for a breach of the non-intervention principle, but is not necessary for a violation of sovereignty. How much overlap exists between the two principles depends both on how coercive behaviour is interpreted, and on whether some form of threshold applies in relation to violations of sovereignty.

While the above discussion of two general principles of international law in the context of states’ cyber activities indicates some of the thorny doctrinal issues with which states are grappling, it also indicates considerable state engagement on these issues. Further discussion between states should focus on how the rules apply to practical examples of state-sponsored cyber operations and on identifying outcomes that are beyond the pale (Moynihan 2019). There is likely to be more commonality around specific applications of the law than there is about the meaning of abstract principles such as sovereignty. It is therefore particularly helpful if, in putting forward their views, states can outline concrete examples of the circumstances in which they consider that another state's cyber activity could violate a specific rule of international law, as for example the UK has done in relation to the non-intervention principle.

4. Prospects for states to reach agreement on the application of international law in cyberspace

The OEWG concludes its mandate in September 2020 and at the time of writing is preparing to present a Consensus Report at the 75th session of the General Assembly. In June 2020, delegations held informal meetings online to discuss ‘Rules, norms and principles’ in the cyber context, and states have submitted views to the Chair as to how these might be reflected in the final report. It is clear from both the debates in the OEWG and the written comments that the rash of serious state-sponsored cyber intrusions into other states’ healthcare systems in the context of Covid-19 has given new momentum to the debate. While causing significant harm in some cases, this malicious cyber activity has also provided useful case studies for states to consider internally what rules they think apply in situations where a fundamental public good which they have the independent and exclusive right as a state to provide – the provision of essential medical care for the state's citizens in the context of a pandemic – is severely compromised by another state through cyber means.

The initial pre-draft report prepared by the Chair reiterates that in their discussions at the OEWG, states reaffirmed that international law, and in particular the UN Charter, is applicable and essential to maintaining peace and stability in cyberspace (Lauber 2020). It is to be hoped that at a minimum, the final draft will reaffirm this so that the valuable consensus reflected in the reports of the UN GGE of 2013 and 2015 is maintained. The Pre-Draft Report also notes that while some states advocate that efforts should be directed to reaching common understanding on how the already agreed normative framework applies and can be operationalised, others have proposed the development of a legally binding instrument ‘as the quickly evolving nature of the threat environment and the severity of the risk necessitates a stronger, internationally agreed framework’ (para 27 of the Initial ‘Pre-Draft’ report). There is a certain irony in the proposal of a treaty as a response to a quickly evolving threat environment, given that multilateral treaties typically take many years to negotiate. As cyber issues are a sensitive area of inter-state relations and are being discussed in a challenging geopolitical climate, there seems no reason to suppose that the negotiation of a cyber treaty would be any different. The reality is that the prospect of states agreeing a treaty on these issues is a long way off. Above all, the process would take political will, which is currently lacking in this area. There is also a risk that negotiations over new legal instruments in this area could ‘put into question the applicability and legally binding character of customary international law, general principles of law and treaty obligations with regard to ICTs’, as Austria observed in its comments on the OEWG's Pre-Draft Report (31 March 2020).

The GGE's mandate expires in September 2021. In the meantime, the GGE's meetings will continue to provide a forum for states to put on record their views on how international law applies, both through debates and through the forthcoming Annex setting out national views on how international law applies in the cyber context, to be prepared by the Chair of the GGE. The Annex is a valuable exercise in encouraging many countries that have yet to opine on these issues to put their views on record. It is hoped that sharing these views will promote common understandings, as well as increase trust and predictability. At the same time, smaller and middle-sized states with fewer resources face the challenge of making informed decisions in a complex area on a range of different international law issues and in a relatively short time frame. Beyond the Annex, which in any event only applies to the 25 member states of the GGE, governments of all countries will also need to consider these issues carefully. Legal capacity-building can be valuable in enabling smaller states in particular to develop their thinking in this area further and to ensure a more inclusive debate. This is reflected in the recommendation of the Rapporteur to the Inter-American Juridical Committee that the Committee might consider whether the Organization of American States (OAS) should engage in more legal and technical capacity-building, since some OAS states lack ‘familiarity with the underlying international legal rules and the particular questions their applications generate in the cyber context’ (Hollis 2020).

4.1. ‘Norms’

Agreement on voluntary principles or ‘norms’ is another way for states to make progress on how international law applies, in instances where those principles reflect legally-binding obligations under international law. Eleven voluntary principles were agreed at the 2015 GGE, including norm (f) that, ‘A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operations of critical infrastructure to provide services to the public’ (Report of the Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security 2015). This norm does not of course specify the circumstances in which cyber incursions into another state's critical infrastructure will violate international law. As is clear from the discussion on the principles of sovereignty and non-intervention above, that issue remains unresolved. At the meeting of the OEWG in February 2020, the International Committee of the Red Cross (ICRC) attempted to go deeper into norm (f) by relating it specifically to attacks on the healthcare sector. The ICRC called for a new norm that ‘states should not conduct or knowingly support ICT activity that would harm medical services or medical facilities, and should take measures to protect medical services from harm’ (ICRC 2020). This norm reflects legally-binding obligations under international humanitarian law. This call on states to protect medical services and facilities from harmful cyber operations was supported in June 2020 by the Oxford Statement on the International Law Protections in Relation to Cyber Operations Targeting the Health Care Sector (2020), signed by 133 public international lawyers. The statement sets out the rules and principles of international law that protect medical facilities against harmful cyber operations and calls on all states to consider these rules and principles when developing national positions as well as in the relevant multilateral processes and deliberations.

The proposal of new norms needs careful scrutiny to ensure that they do not undermine existing norms or existing international law. Norm (f) avoids this risk by directly referencing states’ obligations under international law. But some of the proposals made in the OEWG have amounted to alternate wording to existing norms, which risks undoing the valuable consensus achieved in the General Assembly's endorsement of the 2015 GGE Report.

Whatever emerges in the final reports of the OEWG and GGE, the meetings in themselves so far have been a valuable exercise. The OEWG process has made the debates on these issues more inclusive by enabling non-state actors, including civil society and tech companies, to participate in informal multi-stakeholder consultations. Members of the international legal community, including academics, legal practitioners and the legal advisers of individual states and international organisations, are also playing an important role in the debates, both within and outside the UN processes. As is reflected in the Tallinn Manuals (2017) and the Oxford Statement referred to above, there is increasing collaboration between international lawyers from around the world to help develop effective and practical standards by which states should conduct their activities in cyberspace, both through articulating the rules of international law and pushing for progress in states reaching agreement on them.

The GGE has provided a platform for increasing regional understanding of the role and application of international law in cyberspace, through a series of consultations that the GGE is holding between 2019 and 2021 with regional groups (the African Union, EU, Organization of American States, OSCE and the ASEAN Regional Forum). The opportunity to deepen the dialogue between states about how international law applies in cyberspace is in itself a form of confidence-building measure, as greater understanding of the rules and how they apply encourages states to be more transparent and communicative with each other. International law is thus inextricably bound up with other elements of the framework for responsible state action in cyberspace, including cyber capacity-building and confidence-building measures.

5. Conclusion

It will take some time for states to progress their understanding and agreement as to how international law applies in cyberspace, and even then, the precise application of the law will always depend on the specific facts in question. But already, through the growing invocation of international law in statements attributing malicious cyberattacks to state actors and the deepening of discussions on international law in the GGE, we can see states increasingly engaging with these important issues. As more states develop their national positions and put those views on record, the momentum for cyber-specific understandings of existing international rules will continue to grow.

Acknowledgements

This article draws on a Chatham House Research Paper, ‘Application of International Law to State Cyberattacks: Sovereignty and Non-Intervention’, November 2019. The author would like to thank Elizabeth Wilmshurst, Distinguished Fellow, Chatham House, for her invaluable support in the writing of that paper. The author is also grateful to the anonymous peer reviewers for their comments on this article.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Notes on contributors

Harriet Moynihan

Harriet Moynihan is a Senior Research Fellow in the International Law Programme, where she leads the Programme’s cyber work, and a project on China and Global Governance. As part of her research in these areas, Harriet was a visiting research fellow at the Bonavero Institute of Human Rights, University of Oxford in 2019, and speaks regularly on these issues, including on the application of sovereignty and non-intervention to state cyber operations at a side meeting of the UN Group of Government Experts on Responsible State Behaviour in Cyberspace in Geneva in February 2020.

Prior to joining Chatham House, Harriet was a legal adviser in the UK Foreign and Commonwealth Office from 2002 to 2012, where she advised on a wide range of public international law issues. Before that, Harriet was an associate solicitor at Clifford Chance LLP.

References