June 2019

Cybercrimes: What Is and What Ought to Be? Rethinking the Role of Recklessness and Negligence in the International Criminal Court

By: Adi Libsker-Hazut.

Read More

A. Background

Methods and means of warfare have been evolving since the dawn of history. Attempts to develop new weapons or improve existing ones have often led to technological break-throughs. While the primordial man sharpened stone spears and arrowheads, nowadays, warfare develops and adopts online technological tools – cyber warfare.

Over the past few years, developments in the field of cyber warfare have led many experts to estimate that states will use their cyber means of warfare more and more over future conflicts, especially as they realize that cyber-attacks may bear more significant results. Unlike other weapons, the production and manufacturing costs of a cyber-attack is affordable, and available to most states. It goes without saying that developed countries increasingly rely on technological means to operate their infrastructure. Therefore, they expose themselves to harm and increase the potential for damage. [1]

The complexity in defining cyberspace and cyber warfare does not mean that this domain is lawless and out of control. Over the years, interested international parties have made efforts towards expanding, adjusting and renewing traditional legal doctrines in order to deal with the difficulties cyberspace and cyber warfare pose.[2] Few agreements and understandings were made in the international arena over the past decade, regarding cyber-attacks. Yet there are fundamental difficulties in the application of international Law to cyberspace. Most of the difficulties stems from the physical uniqueness of cyberspace. For example, can "cyber warfare" constitute an "armed conflict"?[3] The means of cyber warfare vary in many ways from traditional weapons, and are very difficult to define in physical terms. These are usually computer programs, or even just a part of a code designed to cause harm. [4] They do not exist outside the cyber dimension, cannot be seen, smelt, touched, heard or tasted. Therefore, at first sight we may be able to accept the claim that cyber operations are unarmed. [5] In the following section I wish to point out another fundamental difficulty in the application of International law to cyberspace, which surprisingly stems from the mental elements of the crimes.

B. The current legal situation (in International Criminal Law)

On 17 July 1998, 120 states passed the International Criminal Court Statute (also referred to as the 'Rome Statute').[6] On 1 July 2002, following the UN decision, the court’s statute entered into force, and, for the first time in the history of international law, the criminal court (ICC) was established as permanent.[7] Article 5 of the court’s statute decided which crimes would be within its jurisdiction. Article 5(1) limits the court authority to try only the most serious crimes.[8] This article also defines four categories of the crimes that fall under the court’s jurisdiction, as stated in article 5(1):

(a) The crime of genocide;

(b) Crimes against humanity;

(c) War crimes;

(d) The crime of aggression.[9]

Article 9 of the statute set a mechanism that determines what elements may constitute crimes within the court’s jurisdiction.[10] In September 2002, the “Elements of Crimes” were published.[11]

The International Criminal Court statute has, for the first time in international criminal law, defined the mental element required for imposing criminal liability. Until then, no international law, nor any international charter, included a definition of the mental element.[12]

In a nutshell, according to Article 30 of The Rome Statute, all crimes included in the statute are crimes whose mental element is a 'guilty mind'. That is, knowledge of the nature of the action, the existing circumstances, and the possible consequences, as detailed in the particulars of the crime; As for the consequences, if included in the definition of the crime, an intent to cause those consequences, or, at the least, an awareness of their probability.[13]

Indeed, the most obvious lacunas are:

  • Recklessness – that is, indifference to the possible consequences; or care-less-ness – taking an unreasonable risk with the intention of preventing such consequences from happening.
  • Negligence – that is, an unawareness of behavior, circumstances or the possible consequences.
  • Strict or Absolute Liability – that is, crimes that do not rely on evidence of guilty mind or negligence.

It is worth mentioning that a definition of recklessness was included in the court statute draft, under Article 29.[14] In the final text of the statute, however, the definition of recklessness was removed, because it was redundant.[15]

During the discussions, the issue of negligence, unlike that of recklessness, did not come up at all. It seems all parties agreed that international criminal law should not deal with crimes of negligence. Such crimes are simply not severe enough.

The perception of crimes of negligence and recklessness as less severe offences is based on a deontological idea, emphasizing one’s unintentional act and not the consequences of his act. However, from a teleological viewpoint that focuses on the consequences, negligent acts may be just as severe, or even worse than unintentional acts.[16]

Very little attention was given to how the Elements of Crimes ignore the element of negligence and recklessness. Many of the crimes in international criminal law have horrible consequences.[17] Don't these consequences justify giving precedence to teleological considerations over deontological ones? Is it not right and just to determine negligent genocide a crime?

In my humble opinion, the international community should consider crimes of negligence more seriously. However, this is not the aim of my study. My argument is of a more modest nature – I want to know whether the unique characteristics of cyber warfare justify and even necessitate an acknowledgement of the element of negligence and recklessness.

C. The Proper Legal Condition in Light of Technological Advances

In the following section I wish to examine whether the unique characteristics of cyber warfare justify expanding international criminal law to also include crimes of negligence and crimes of recklessness.

It is important to keep in mind that this is a work in progress, and that some of the following ideas have not yet fully ripened and are still incomplete.

1. The pace of developments and innovations – Unlike the physical world – which we are equipped to know and deal with – the cyber dimension is a new manmade dimension. The physical world has barely changed since the very beginning of human history, but the rate of change and innovation in the cyber dimension is very high.[18] In the physical world, each action may have unexpected consequences, but we know and can predict their absolute majority. In contrast, the consequences of a cyber-dimension action are unpredictable and very hard to anticipate.[19] Therefore, in order to uphold a higher standard of conduct within cyberspace, the international criminal law ought to ensnare those who were unaware of conduct, circumstances, or the possible consequences of their actions.

2. Internet of Things – In the near future, we will be able to see our cars communicate with the air conditioner and fridge in our homes, the shutters interact with the alarm clock on our cellphones, and our grandfather’s pacemaker will communicate with emergency services and his doctor's laptop.[20] We expect the network will expand as more and more objects can gather and exchange information.[21]

This communication may be very beneficial, but it carries with it an enormous potential for damage. A cyber weapon that infiltrates an appliance may cause massive damage by interacting with another appliance that wasn’t even a target.[22] Should we exempt the warring parties from taking a closer look at the possible consequences of whatever means of cyber warfare they use, we will not be able to prevent the terrible catastrophes that may be the result of negligent or reckless acts.

3. The Various Violated Rights – if someone was to point a missile, gun, knife or grenade our way, the possible consequences would be immediately obvious both to them and to us – we would know that our lives, health or property could come to harm.[23]

However, imagine a case in which a cyber weapon erases you from all governmental systems of information. You no longer exist, cannot leave the state, open a bank account, own a credit card, purchase a car, get married, work, file a legal complaint, and even your children are no longer yours.[24] Now imagine something like that happening to millions of people across the state simultaneously.

In fact, a well-planned and well-executed cyber-attack can damage every possible human right we can think of. With the press of a button, an attacker may violate over thirty such rights. Unless we include recklessness and negligence in international bans, criminals could easily defend themselves with the claim that they only meant to violate a non-protected right, and unintentionally violated protected rights as well.

4. Artificial intelligence – is, in fact, independent,[25] and therefore we cannot lay the blame with its programmer, even if it commits a crime against humanity.[26] Programmers allegedly had no intention that their actions would result in such terrible consequences. Let’s say, for example, that a state develops artificial intelligence that can independently identify an existential threat, and then launches weapons of mass destruction against its enemy. The AI misevaluates the situation as war, and independently launches weapons of mass destruction. Would we want and expect international law to capture the AI’s programmers and operators, who relinquished all human judgement by setting off weapons of mass destruction? Without including recklessness and negligence in the law, it would hardly be possible.

5. Fog of battle – Cyber warfare allows its “combatants” to fight from the comfort and safety of an airconditioned room, far from the battlefield, far from the Fog of War, and its stress and anxiety.[27]

In such cases, the implementation of International Criminal Law may also be applied to crimes of negligence and recklessness for two central reasons:

  1. This situation justifies a less forgiving approach toward errors and mistakes that result in damages.
  2. This situation may also cause an emotional disconnect between the combatant and the outcomes of the warfare itself, and thus increase risk and cause unnecessary suffering and needless harm.[28]

Adding the elements of negligence and recklessness to International Criminal Law will set a higher moral bar and reduce the potential danger that lies in emotional disconnect.

D. Conclusion

History teaches us that International Criminal Law oftentimes cannot realize its aspirations. This powerlessness is the result of the contractual components of international law, the absence of any real investigation and enforcement, and the dependency on strong countries and their budgets. It is hard not to surmise that International Criminal Law is often used as a tool by the winning sides of any war, and oftentimes international law is harshly criticized – albeit not always justly – for its levels of objectivity and neutrality. [29]

Despite the impotence of International Criminal Law, I do believe that its declarative values still rise in this age of globalization. The internet, global communication, and international culture lessen the national effects. Incompliance with the norms of international law incurs criticism from both within and without the state, and may have significant effects on its economic and national and international political fields. Thus, impotence within a limited legal framework does not equate to impotence in the field of culture.

Under these circumstances, I do believe that the practical difficulties of locating criminals and proving their actions in the cyber-dimension should not discourage regulation in this matter. Especially now, as this field gains momentum, it is important that criminal law pay attention to cyber warfare.[30] Additionally, we should examine whether the existing toolset (norms and laws) of International Criminal Law are sufficiently satisfactory and clear in light of the unique characteristics of cyber warfare, which includes innovative technology.[31] In my humble opinion, and as I have tried to show so far, in this context it is highly important to include crimes involving the mental element of recklessness and negligence. Though such a step may be strictly declarative, its influence over the future war field and the actions of the warring sides cannot be understated.

 


[1] Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow's Battlefield, 9.1 Duke L. & Tech. Rev. i, v (2010); Arie J. Schaap, Cyber Warfare Operations: Development and Use under International Law, 64 A.F.L. Rev. 121, 149 (2009); Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int'l L. 525, 531 (2012).

[2] Tom C.W. Lin, Financial Weapons of War, 100 Minn. L. Rev. 1377, 1420 (2016).

[3] Tom C.W. Lin, Financial Weapons of War, 100 Minn. L. Rev. 1377, 1417-1418 (2016); Michael N. Schmitt, Peacetime Cyber Responses and Wartime Cyber Operations under International Law: An Analytical Vade Mecum, 8 Harv. Nat'l Sec. J. 239, 264 (2017).

[4] Lior Tabansky, Basic Concepts in Cyber Warfare, 3 MIL. & STRATEGIC AFF. 75, 79-81 (2011); Stefano Mele, Legal Considerations on Cyber-Weapons and Their Definition, 3 J.L. & Cyber Warfare 52, 57 (2014); Herbert Lin, Cyber Conflict and International Humanitarian Law, 94 INT'L REv. RED CROSS. 515, 515-531(2012).

[5] Michael Schmitt, Classification of Cyber Conflict, 17(2) J. Conflict & Sec. L. 245,250 (2012).

[6] Eve La Haye, War Crimes in Internal Armed Conflicts 139 (2008).

[7] Lijun Yang, Some Critical Remarks on the Rome Statute of the International Criminal Court, 2 Chinese J. Int'l L. 599, 599 (2003).

[8] Joshua H. Joseph, Gender and International Law: How the International Criminal Court Can Bring Justice to Victims of Sexual Violence, 18 Tex. J. Women & L. 61, 69-70 (2008-2009).

[9] Rome Statute of the International Criminal Court, art. 5, July 17, 1998, 2187 U.N.T.S. 98 (entered into force 1 July 2002). [hereinafter Rome Statute of the International Criminal Court] Available at: https://www.icc-cpi.int/NR/rdonlyres/ADD16852-AEE9-4757-ABE7-9CDC7CF02886/283503/RomeStatutEng1.pdf [Accessed: 16 February 2019].

[10] Knut Dormann, Elements of War Crimes under the Rome Statute of the International Criminal Court: Sources and Commentary 8 (2003).

[11] Preparatory Commission for the Int'l Criminal Court, Finalized Draft Text of the Elements of Crimes,U.N. Doc. PCNICC/2000/I/Add.2 (Nov. 2, 2000), Available at :http://www.icc-cpi.int/NR/rdonlyres/ADD16852-AEE9-4757-ABE79CDC7CF02886/283503/RomeStatutEng1.pdf [Accessed: 16 February 2019]. 

[12] Sarah Finnin, Mental Elements Under Article 30 of the Rome Statute of the International Criminal Court: A Comparative Analysis, 61 INT'L & COMP. L.Q. 325, 325-326 (2012); Mohamed Elewa Badar, The Mental Element in the Rome Statute of the International Criminal Court: A Commentary From A Comparative Criminal Law Perspective, 19 Crim. L. Forum. 473, 473-474 (2008).

[13] Mohamed Elewa Badar, The Mental Element in the Rome Statute of the International Criminal Court: A Commentary From A Comparative Criminal Law Perspective, 19 Crim. L. Forum. 473, 474-475 (2008); Mohamed Elewa Badar, Doluseventualis and the Rome Statute Without It? 12 New Crim L.R. 433, 438 (2009).

[14] Report of the Preparatory Committee on the Establishment of an International Criminal Court' UN Diplomatic Conference of Plenipotentiaries on the Establishment of an International Criminal Court (Rome 15 June-17 July 1998) Draft Statute for the International Criminal Court and Draft Final Act, 55-56 (14 April 1998) UN Doc A/CONF.183/2/Add.1, Available online: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N98/101/05/PDF/N9810105.pdf?OpenElement [Accessed: 16 February 2019]; 2 The Legislative History of the International Criminal Court 285 (Cherif M.Bassiouni & William A. Schabas eds., 2016).

[15] Kai Ambos, General Principles of Criminal Law in the Rome Statute, 10 Criminal Law Forum. 1, 21(1999):"Certainly, reckless conduct cannot be the basis of responsibility since a corresponding provision was deleted"; Gerhard Werle & Florian Jessberger. ‘Unless Otherwise Provided’: Article 30 of the ICC Statute and the Mental Element of Crimes Under International Criminal Law, 3 J. Int'l Crim. Just. 35, 35-36(2005).

[16] A.p. Simester & G.r. Sullivan, Criminal Law Theory and Doctrine 1-20, 144-145, 151-152 (3rd ed., 2007).

[17] Cryer Robert, Hakan Friman, Darryl Robinson & Elizabeth Wilmshurst, An Introduction to International Criminal Law and Procedure 1 & 23-30 (2010).

[18] Ross M. Rustici, Cyberweapons: Leveling the International Playing Field, 41(3) Parameters 32, 39 (2011).

[19] See: Matthew C. Waxman, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int'l L. 421, 431 (2011):"cyber-attacks also have unique characteristics and are evolving rapidly and in unpredictable ways"; Noah Simmons, A Brave New World: Applying International Law of War to Cyber-Attacks, 4 J.L. & Cyber Warfare 42, 51 (2014):"[…] cyber-attacks are unpredictable in their effects"; Reese Nguyen, Navigating JusAd Bellum in the Age of Cyber Warfare, 101 Calif. L. Rev. 1079, 1099 & 1102 (2013).

[20] See overviewing types of internet of Things devices: Scott R. Peppet, Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent, 93 Tex. L. Rev. 85, 98. (2014): "health and fitness sensors, automobile black boxes, home monitors and smart grid sensors, devices designed specifically for employee monitoring, and software applications that make use of the sensors within today's smartphones"; Hartzog Woodrow & Selinger Evan, The Internet of Heirlooms and Disposable Things, 17 N.C. J.L. & Tech. 581, 583 (2016).

[21] Evans Dave, The Internet of Things How the Next Evolution of the Internet Is Changing Everything, Cisco Int'l. Bus. Solutions Grp. (IBSG) 1, 3-4 (2011), Available online: https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf [Accessed: 16 February 2019]; Kevin Werbach, The Song Remains the Same: What Cyberlaw Might Teach the Next Internet Economy, 69 Fla. L. Rev. 887, 894 (2017).

[22] loT products have ample notice that these devices might have significant security defects and that insecure devices are frequently used to carry out damaging cyberattacks.

[23] Maayan Y. Vodovis, Look Over Your Figurative Shoulder: How to Save Individual Dignity and Privacy on the Internet, 40 Hofstra L. Rev. 811, 813-814 & 822-823 (2011).

[24] See, for example: Helen Nissenbaum, Privacy as Contextual Integrity, 79 Wash. L. Rev. 119, 120 (2004).

[25] Tom Allen & Robin Widdison, Can Computers Make Contracts, 9 Harv. J. L. & Tech. 25, 27 (1996); Cristian-Vlad Oancea, Artificial Intelligence Role in Cybersecurity Infrastructures, 4 Int'l J. Info. Sec. & Cybercrime 59, 59 &61 (2015).

[26] See: Daniel Eszteri, Liability for Operation and Damages Caused by Artificial Intelligence-With a Short Outlook to Online Games, 153 Studia Iuridica Auctoritate Universitatis Pecs Publicata 57, 62 &66 (2015): "The question is that who should bear the legal responsibility for the actions of synthetic beings?".

[27] McGuffin Chris & Mitchell Paul, On Domains: Cyber and the Practice of Warfare, 69 Int'l J. 394, 410 (2014).

[28] Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int'l L. 525 ,532 (2012)

[29] Robert Cryer, Hakan Friman, Darryl Robinson & Elizabeth Wilmshurst. An Introduction to International Criminal Law and Procedure 36-39, 517-518 (2010).

[30] Geiss Robin, The Conduct of Hostilities in and via Cyberspace, 104 Am. SOC'Y INT'L L. PROC. 371, 374 (2010).

[31] David Weissbrodt, Cyber-conflict, Cyber-crime, and Cyber-espionage, 22 Minn. J. Int'l L. 347, 348-349 (2013).

Read Less

Estonia Speaks Out on Key Rules for Cyberspace

By: Michael Schmitt. First Published at Just Security.

Read More

The debate as to whether international law applies in cyberspace is fading away, for widespread agreement now exists that the rights, obligations and limitations of international law govern cyber activities. The UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) affirmed this conclusion in both its 2013 and 2015 reports, which were subsequently endorsed by the General Assembly (here and here). Indeed, the premise of international law’s applicability provides the foundation for continuing efforts at the United Nations in the guise of a sixth GGE and an Open-Ended Working Group, both of which will be convene this year to articulate consensus cyber norms. International organizations such as NATO, ASEAN, the EU and the OAS have taken the same stance, as have many States.

Attention is accordingly turning to the more difficult question of how international law’s existing rules should be interpreted in the cyber context. In the face of the understandably slow progress in multinational fora, as illustrated by the inability of the 2016-2017 GGE to issue a consensus report, headway is starting to be made in the form of statements by individual States as to their positions on the matter. Most have been rather anodyne – simply reaffirming, inter alia, the rules of jurisdiction; applicability of the UN Charter, including the prohibition of the use of force and the right of self-defense; or international humanitarian law’s role in governing cyber operations during armed conflict. Such statements are indispensable, although they do little to resolve the myriad grey zones that permeate questions of interpretation.

Estonia Stakes Out Practical Positions on Due Diligence in Cyberspace

Over the past year, a number of States have begun to address these zones of uncertainty. Last week, Estonia took a bold step in that regard. Speaking at the 2019 CyCon Conference, President Kersti Kaljulaid reaffirmed the applicability of international law in cyberspace before observing that “[s]overeignty entails not only rights, but also obligations.” She emphasized, drawing on the law of State responsibility, that States are responsible in law for “internationally wrongful cyber operations… whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state.” President Kaljulaid also powerfully stressed that “[i]f a cyber operation violates international law, this needs to be called out.” Doing so is crucial, for if interpretive efforts are to advance, States have to not only condemn other States for conducting hostile cyber operations, but also label them as violations of international law and specify the precise rule of law that they breached. Only with such specificity will condemnation yield meaningful normative value.

President Kaljulaid then turned her attention to two key grey zones of enormous practical importance, the obligation of due diligence and the right to take countermeasures. With regard to the former, she noted,

[S]tates must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively. Therefore, states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states. They should strive to develop means to offer support when requested by the injured state in order to identify, attribute or investigate malicious cyber operations. This expectation depends on national capacity as well as availability, and accessibility of information.

President Kaljulaid pointed out that “meeting this expectation [of due diligence] should encompass taking all feasible measures, rather than achieving concrete results.” Thus, by the Estonian interpretation, States are only required to take those measures that are practicable in the circumstances to put an end to harmful cyber operations launched from or through their territory, although they should strive as a matter of responsible State behavior to develop the capacity to ensure their territory is not misused. This rational and practical approach should alleviate much of the concern a number of States have about shouldering what they mistakenly see as an unduly heavy due diligence obligation. So too should the obligation’s limitation to adverse cyber operations that are “serious” and the fact that a State only breaches the obligation if it knows of the harmful cyber operations, conditions precedent that are widely recognized by those who style due diligence as a primary rule of international law.

A Bold Position on Collective Countermeasures

The most noteworthy aspect of the speech, however, was President Kaljulaid’s assertion that States have a right to engage in collective countermeasures pursuant to the law of State responsibility. She began by noting “states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence.” She then delivered the highlight of the speech.

Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation.

Of course, that a State has the right to engage in collective defense upon the request of a State under armed attack is beyond question, for that right is specifically provided for in Article 51 of the UN Charter. Similarly, because diplomatic responses are acts of retorsion, and therefore lawful by definition, the right to take collective diplomatic responses is equally well-settled. However, the right to take collective countermeasures remains unresolved in international law, and therefore ripe for interpretation by States. Estonia was the first State to publicly speak to the issue, and it did so unequivocally.

The issue of collective countermeasures is not new. In Article 48(1) of its Articles on State Responsibility, the International Law Commission (ILC) provided that a State other than an injured State may invoke the responsibility of a State that commits an internationally wrongful act if “the obligation breached is owed to a group of States including that State, and is established for the protection of a collective interest of the group” (obligations erga omnes partes, as in the case of a breach of a multilateral treaty) or “the obligation breached is owed to the international community as a whole” (obligations erga omnes, as with aggression, genocide and self-determination). But in its Commentaries, the ILC left open the question of whether States other than the injured state may respond, in addition to invoking responsibility, with countermeasures.

The focus of the chapter is on countermeasures taken by injured States …. Occasions have arisen in practice of countermeasures being taken by other States…where no State is injured or else on behalf of and at the request of an injured State. Such cases are controversial and the practice is embryonic. This chapter does not purport to regulate the taking of countermeasures by States other than the injured State.

The Estonian President’s statement tackles the issue squarely. Indeed, it went further than the ILC in declaring that the right to take collective countermeasures is not limited to the two situations cited in Article 48(1).

From the perspective of countries lacking a robust cyber capability, as well as those that might come to their aid, the Estonian approach makes great sense. Countries like Estonia are often dependent on allies to ensure their security, as evidenced by the ongoing NATO air policing mission over Estonia, the enhanced forward presence of NATO troops in the country, and the recent defense cooperation agreement between Estonia and the United States. Thus, it is only logical that Estonia and other States that lack the capacity to confidently deal with hostile cyber operations on their own would want collective cyber countermeasures to be on the table in order to deter powerful opponents from targeting them in cyberspace and to respond effectively should deterrence fail. Those countermeasures could come in the form of assisting the injured State to conduct its own countermeasures or of cyber countermeasures on behalf of that State; both are presently subject to a degree of legal uncertainty. Of course, it is equally logical for States that might want to come to the injured State’s assistance in either way to clear the legal path of perceived obstacles to doing so.

Consider the alternative. Targeted by another State’s unlawful cyber operations, a State without significant cyber capabilities would be limited as a practical matter to taking countermeasures that are not in-kind, as in closing its territorial sea to innocent passage by vessels flagged in the responsible State or denying transit across national airspace by the responsible State’s aircraft contrary to a treaty obligation regarding aerial passage. Such measures would take much longer than cyber countermeasures to achieve their objective as the “cost” imposed would manifest much more slowly and, most importantly, cannot directly put an end to the offending hostile cyber operation. An ability to turn to allies who can either facilitate the injured State’s countermeasures or conduct cyber countermeasures for that State, especially taking down the cyber infrastructure involved in the harmful operations, affords victim States much more meaningful options for fending off hostile unlawful cyber operations.

Thus, the Estonian interpretation would be an advantageous development in the catalogue of response options that international law provides to deal with unlawful acts by, or attributable to, other States. As noted by President Kaljulaid,

International security and the rules-based international order have long benefitted from collective efforts to stop the violations. We have seen this practice in the form of collective self-defence against armed attacks. For malicious cyber operations, we are starting to see this in collective diplomatic measures I mentioned before. The threats to the security of states increasingly involve unlawful cyber operations. It is therefore important that states may respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists. Allies matter also in cyberspace.

Some might counter that collective countermeasures are potentially escalatory. However, they are only available for two purposes — to put an end to on-going unlawful cyber operations and/or to secure reparations (restitution, compensation, satisfaction) when appropriate. Further, they may not be taken if they are unlikely to prove successful (for they would then amount to mere retaliation) and, as emphasized by President Kaljulaid, “should follow the principle of proportionality and other principles established within the international customary law.” If the law is followed, their effect will be stabilizing, not escalatory.

There was one shortcoming in the President’s statement, a failure to unambiguously address the issue of whether respect for sovereignty is a primary rule of international law that cyber operations can violate. As explained below, the United Kingdom claims that it is not. The problem is that countermeasures are only available in response to an internationally wrongful act, the most likely by far being violation of the injured State’s sovereignty. This is because the element of coercion in the case of prohibited intervention, which is the likeliest alternative to a breach of sovereignty, sets the bar for unlawfulness quite high. In other words, if respect for sovereignty is not a rule that can be violated, the collective countermeasures response option will seldom arise. That being so, it would have been logical for Estonia to articulate its position on collective countermeasures in tandem with a recognition of sovereignty as a rule, the violation of which would trigger the right to countermeasures.

A Trend?

Estonia is not the first State to begin chipping away at the grey zone. Other States have also issued important statements on key unsettled issues. Especially noteworthy in this regard was the June 2018 statement by the Dutch Minister of Defense, AnkBijleveld, in which she stated, “if a cyber-attack targets the entire Dutch financial system or if it prevents the government from carrying out essential tasks such as policing or taxation…it would qualify as an armed attack. And it would thus trigger a state’s right to defend itself, even by force.” Minister Bijleved made it quite clear that the prohibition of the use of force and the right to respond to an armed attack in self-defense are, in the view of the Netherlands, not limited to hostile cyber operations that are physically destructive. Depending on the nature, severity, scale and scope of the attack, this is a reasonable reading of the use of force and armed attack thresholds, one likely to be embraced by other States as they grow increasingly dependent on digital capabilities.

Also notable was a Chatham House speech a month earlier by then UK Attorney General Jeremy Wright setting forth the United Kingdom’s views on attribution, intervention, countermeasures, the use of force and self-defense in the cyber context. Importantly, Attorney General Wright rejected the ILC’s suggestion in the Articles on State Responsibility of a requirement to notify the “responsible” States before responding with cyber countermeasures directed at it. As he sensibly opined, “it could not be right for international law to require a countermeasure to expose highly sensitive capabilities in defending the country in the cyber arena.”

Controversially, however, he stated that the United Kingdom does not agree that there is a primary rule of international law prohibiting the violation of sovereignty. By this view, a State may conduct cyber operations against another State’s private or public cyber infrastructure with relative impunity until those operations reach the level of unlawful intervention or a use of force, both very demanding thresholds. Unfortunately, the United Kingdom has offered no legal explication of the position, which is problematic both legally and practically. For instance, when in October 2018 the UK’s National Cyber Security Centre, a division of the GCHQ, accused Russia of having conducted cyber operations that violate international law, many in the international law community wondered how that could be if sovereignty violations are off the table. And for States that lack the impressive cyber capabilities of the United Kingdom, there is no logical rationale for discarding the rule, one supported by decades of expert commentary, judicial findings, and State practice and opinio juris. Nevertheless, the United Kingdom is to be commended for setting forth its positions on many other key aspects of international law’s applicability in cyberspace, thereby sharpening the essential interpretive dialogue among States. It remains a leader among States in this regard.

The path forward is clear. If the international law governing cyberspace is to ever to be clarified, an important goal in enhancing the law’s deterrent effect and avoiding unintended escalation, States have to embrace their responsibility for addressing the grey zones. Estonia, as well as numerous other States that have begun to openly set out their views, are to be applauded for taking stands on unsettled issues of great practical import to international security and stability in cyberspace. It is time for those that have not embarked on the interpretive journey to do likewise.

Read Less