Rule Meaning

1 Sovereingty The states are free to regulate

their internal and external affairs
in matters relating to cyber
operations because of the
general principle of sovereignty.
2 Internal Sovereignty States are free to regulate their
internal cyber operations without
interference from other states.
They are however, bound by
domestic and international laws
in doing so.
3 External Sovereignty States are free to conduct their
cyber operations in international
relations.
4 Violation of States cannot violate the
Sovereignty sovereignty of other states in the
exercise of their own right of
sovereignty.
5 Sovereign immunity This grants sovereign immunity
and inviolability to certain objects used for non-
commercial purposes regardless
of their location.
6 Due diligence States are to exercise due
diligence in not allowing their
territories to be used for cyber
operations that affect the right of
other states. However, not every
use of a state’s territory that
produces negative effects for a
target state implicates the due
diligence principle.
7 Compliance with due States are required to comply
diligence principle with due diligence principle.
8 Jurisdiction State may exercise territorial and
extra territorial jurisdiction over
cyber activities in civil,
administration and criminal
matters.
Rule Meaning

9 Territorial jurisdiction States have territorial jurisdiction

over all cyber activities taking
place within their territory.
10 Extra-terrritorial States have extra-territorial
prescriptive jurisdiction prescriptive jurisdiction over
activities conducted by its
nationals, on its board vessels
and aircrafts, activities in
contravention of the state’s
interests and in case of
international crimes.
11 Extra-terrritorial In case of specific allocation of
enforcement authority under International Law
jurisdiction or valid consent given by foreign
government to exercise
jurisdiction on its territory.
12 Immunity of states A State may not exercise
from exercise of enforcement or judicial
jurisdiction jurisdiction in relation to persons
engaged in cyber activities or
cyber infrastructure that enjoy
immunity under international law.

13 International co- States are not obliged to

operation in law cooperate in the investigation
enforcement and prosecution of cyber crime,
such cooperation may be
required by the terms of an
applicable treaty or other
international law obligation.

14 Internationally State bears an international

wrongful cyber acts responsibility for its cyber-
related acts that constitutes a
breach of an international
obligation.
Rule Meaning

15 Attribution of cyber State organs are empowered by

operations by state domestic law to exercise
organs elements of govern- mental
authority.
16 Attribution of cyber Cyber operations conducted by
operations by organs an organ of a State that has
of other states been placed at the disposal of
another State are attributable to
the latter when the organ is
acting in the exercise of
elements of governmental
authority of the State at the
disposal of which it is placed.

17 Attribution of cyber Generally, cyber operations of

operations by non- private persons or groups are
state actors. not attributable to
states.However, Article 8 of the
Articles on State Responsibility
provides that the conduct of a
person or group of persons shall
be considered an act of a State
under inter- national law if the
person or group of persons is in
fact acting on the instructions of,
or under the direction or control
of, that State in carrying out the
conduct. Non-State actors
include both individuals and
groups.

Rule Meaning

18 Responsibility in A State is responsible for its acts

connection with cyber related to an internationally
operations by other wrongful act by another State in
States
the three circumstances set forth
in this Rule. This is so whether
that act is cyber or non-cyber in
nature.State that aids or assists
(the ‘assisting State’) the
commission of an internationally
wrongful act by another (the
‘assisted State’) will bear
responsibility for such aid or
assistance if: (1) the assisting
State does so knowing the
circumstances surrounding the
unlawful act; (2) the aid or
assistance is provided with the
intention of facilitating the
internationally wrongful act (and
it does so facilitate the act); and
(3) the act would have been
wrongful if committed by the
assisting State.

Rule Meaning

19 Circumstances In the following cases, the

precluding wrongfulness of an act involving
wrongfulness of cyber cyber operations is precluded in
operations
the following cases:

• a State’s consent to a cyber

operation by another State
(consent may be express or
implied)

• cyber operations that qualify

as self-defence against an
armed attack, whether
executed by cyber or kinetic
means, in the jus ad bellum
context do not amount to
internationally wrongful acts.

• the qualification of a cyber

operation as a countermeasure
precludes the wrongfulness of
the operation

• Situations in which the

wrongfulness of a State’s act is
precluded by virtue of
necessity.

• ‘force majeure’ situations

(unforeseeable circumstances
and is different from
supervening impossibility)

• in distress situations.
Rule Meaning

20 Countermeasures A state may be entitled to take

countermeasures (whether cyber
in nature or not) in case of
breach of an international legal
obligation by another state.
Countermeasures are different
from belligerent reprisals. Also,
countermeasures are not avail-
able in response to a cyber
operation conducted by a non-
State actor unless the operation
is attributable to a State (Rules
15 and 17).

21 Purpose of The purpose of countermeasures

countermeasures is to induce the responsible or
defaulting state to comply with
the legal obligation that it owes
to the injured state in order to
compensate for the loss caused
due to the default, that is, to
incentivise the resumption of
lawful interactions

22 Limitations on Countermeasures may not

countermeasures include the following actions:

• actions that affect fundamental

human rights.

• Belligerent reprisals

• Actions that violate a

peremptory norm.

Also, a state taking

countermeasures must fulfill its
obligations with respect to
diplomatic and consular
inviolability.
Rule Meaning

23 Proportionality of Countermeasures must always

countermeasures be proportionate to the injury to
which they respond.A
countermeasure that is
disproportionate to the injury
suffered amounts to punishment
or retaliation and is therefore
contrary to the object and
purpose of the law governing
countermeasures

24 States entitled to take Only an injured state has the

countermeasures right to take countermeasures.If
a State’s cyber operation
breaches an obligation owed to
multiple States, each may
respond with countermeasures.

25 Effect of A countermeasure (whether

countermeasures on cyber in nature or not) that
third parties violates a legal right of a third
state or other party is prohibited.
An injured State must
immediately end a
countermeasure that is violating
the rights of third States or other
parties once it becomes aware
of this effect

Rule Meaning

26 Necessity The wrongfulness under

international law of an act is
precluded if the operation is
undertaken in a situation of
‘necessity’, whether caused by
cyber means or not. Necessity
refers to a circumstance in which
a State’s ‘essential interest’
faces ‘grave and imminent peril’
and the sole means of averting
that peril is temporary non-
compliance by the State with its
international obligations of
‘lesser weight or urgency’.States
may act pursuant to the plea of
necessity even if its response to
the peril in question violates the
rights of non-responsible States.

Rule Meaning

27 Cessation, assurances When a State’s cyber operation

and guarantee has ‘injured’ another State
through commission of an
internationally wrongful act, the
injured State or States may
invoke the international
responsibility of the responsible
State and demand cessation,
assurances and guarantees of
non-repetition, subject to a
number of limitations.A
responsible State is legally
obliged to cease an ongoing
inter- nationally wrongful cyber
operation (or rectify an

omission). The obligation of

cessation also applies in
situations of repeated conduct,
as in a series of cyber
operations, each of which
breaches an obligation owed.

Rule Meaning

28 Reparation A responsible state is required to

make full reparation for the injury
suffered by an injured state as
the result of an internationally
wrongful act committed by cyber
means. Reparation includes
restitution in kind and where this
is not possible, payment of a
sum corresponding to the value
which restitution in kind would
bear. ‘Injury’ here refers to any
material or moral damage
caused by an internationally
wrongful cyber operation.

29 Forms of reparation The various forms of reparation

are restitution, compensation
and satisfaction, either
individually or in combination,
based on circumstances. The
obligation to make reparation is
a distinctly legal obligation of the
responsible state.
30 Breach of obligations All States may invoke the
owed to the responsibility of a State that has
international breached an erga omnes norm.
community as a whole. Obligations erga omnes are
‘obligations of a State towards
the international community as a
whole’. Any State may invoke
State responsibility with regard
to breach of an obligation that ‘is
owed to the international
community as a whole’.

Rule Meaning

31 Responsibility of This Rule reflects an established

International principle of the international law
organisations governing international
organisations, according to
which international organisations
are responsible for their
internationally wrongful
acts.Cyber operations or other
cyber activities must be
attributable to an international
organisation under international
law for that organisation to bear
international responsibility for
them.

32 Peacetime cyber This rule is applicable only to

espionage cyber espionage conducted
outside the context of an armed
conflict.The term ‘cyber
espionage’ refers to any act
undertaken clandestinely or
under false pretences that uses
cyber cap- abilities to gather, or
attempt to gather,
information.Cyber espionage
involves the use of cyber
capabilities to surveil, monitor,
capture, or exfiltrate
electronically transmitted or
stored communications, data, or
other information. This rule is
limited to cyber espionage by or
otherwise attributable to States.

Rule Meaning

33 Non-state actors Cyber operations by non-state

actors are regulated by
international law in limited cases.
Those cases involve cases of
human right law, law of armed
conflict and international criminal
law. Thus, only those operations
of non-state actors that can be
attributed to states are governed
by international law.
34 Applicability of Applicable to cyber-related
International Human activities.States bear
Rights Law responsibility for international
human rights law violations that
they themselves commit.
Experts have agreed that
international organisations, as
legal persons, may be bound by
customary international human
rights law.

35 Rights enjoyed by Individuals are entitled to the

individuals same international human rights
in cyber-related activities which
they otherwise enjoy, like
freedom of expression, privacy,
freedom of opinion, and due
process.This Rule incorporates
no obligation of States to fulfil
human rights

Rule Meaning

36 Obligations to respect International human rights law

and protect requires states to respect as well
international human as protect human rights.States
rights must refrain from activities that
violate the human rights
individuals enjoy in cyberspace.
The obligation extends to human
rights that apply extraterritorially

37 Limitations International human rights law

allows States to limit the
enjoyment or exercise of certain
human rights in order to protect
other rights and to maintain
national security and public

order, including with respect to

activities in cyberspace.This
Rule extends to both the
obligations to respect and to
protect. International human
rights that are absolute in nature
are not subject to the limitations
set forth in this Rule. For e.g.:
freedom to manifest one’s
religion.

Rule Meaning

38 Derogation Some human rights treaties

permit States to derogate, that
is, to temporarily release
themselves, in full or in part,
from the binding nature of
certain obligations contained
therein in times of public
emergency. Conditions under
which derogation is permitted is
defined in the concerned treaty
and is generally narrow.The
treaty in question may explicitly
exempt certain human rights
obligations contained therein
from derogation

39 Inviolability of The premises of a diplomatic

premises in which mission may not be entered
cyber infrastructure is without consent. Also, property
located
on the premises of a diplomatic
mission is immune from search,
requisition, attachment, or
execution by the receiving
State’s agents without the
sending State’s consent.

Rule Meaning

40 Duty to protect cyber A receiving State has a ‘special

infrastructure duty’ to protect the premises of
a diplomatic mission or consular
post against intrusion or
damage, irrespective of the
source of the operation in
question. However, this
obligation is not absolute. Only
“all appropriate steps” need to
be taken by the receiving
state.The receiving State enjoys
the discretion to select the
particular measures it will take to
fulfil this duty.

41 Inviolability of The Archives, documents and

electronic archives, official correspondence of a
documents, and diplomatic mission or consular
correspondence
post that are in electronic form
are inviolable. It is to be noted
that only states are bound by
this rule.It is not violated by the
actions of private entities unless
said actions are attributable to a
State

Rule Meaning

42 Free communication International law provides that a

receiving State must permit and
protect the ‘free communication’
on the part of a sending State’s
diplomatic mission or consular
post for all official purposes.The
term ‘permit’ and the reference
to ‘freedom’ mean that receiving
States may not impede the
capability of a diplomatic
mission or consular post to
communicate through cyber or
other electronic means.

43 Use of premises and The premises of a diplomatic

activities of officials mission may not be used in any
manner that is incompatible with
the diplomatic or consular
functions.Similarly, consular
posts may not be used in any
manner incompatible with
consular functions.For instance,
a sending State may not use the
premises of its diplomatic
mission to engage in cyber
espionage against the receiving
State

Rule Meaning

44 Privileges and The immunities enjoyed by

immunities of diplomatic agents in respect of
diplomatic agents and civil, administrative and criminal
consular officers jurisdictions are also enjoyed
with respect to cyber
activities.Such immunities may
always be waived by the sending
State.Consular officers are
entitled to more limited immunity
from the criminal and civil
jurisdiction of the receiving State
for their cyber activities

45 Cyber operations on This rule states that cyber

the high seas operations on the high seas may
be conducted only for peaceful
purposes except as otherwise
provided under international law.
‘High seas’ refers to ‘all parts of
the sea that are not included in
the exclusive economic zone, in
the territorial sea, or in the
internal waters of a State, or in
the archipelagic waters of an
archipelagic State’. The term
‘peaceful purposes’ restates the
prohibition of the threat or use of
force

Rule Meaning

46 The right of visit and Due to the principle of exclusive

cyber operations flag State jurisdiction, warships
or other duly authorised vessels
may generally not interfere,
without flag State consent, with
vessels that are not of their
nationality on the high seas.
However, in certain specified
situations they may do so. This
rule provides warships or other
duly authorised vessels the legal
authority to board foreign non-
sovereign immune vessels that
they encounter on the high seas
when there is a ‘reasonable
ground for suspecting’ that any
of the five situations set forth in
this Rule is present – the vessel
is engaged in piracy, slave
trading, or unauthorised
broadcasting; the vessel appears
to be without nationality; or the
vessel is of the nationality of the
visiting vessel, even when flying
a foreign flag or refusing to show
its flag.The term ‘duly authorised
vessel’ denotes a vessel
authorised by the flag State to
engage in enforcement action
and clearly recognisable as
such.

Rule Meaning

47 Cyber operations in Within the EEZ, the coastal State

exclusive economic has sovereign rights and
zone jurisdiction for all purposes.In
their EEZ, States may also
exercise jurisdiction over the
establishment and use of
artificial islands, installations,
and structures having economic
purposes; marine scientific

research; and certain incidents

of vessel source pollution. For

example, cyber activities that

interfere with energy production
facilities lying within the EEZ,
such as wind farms or tidal
current turbines, would be within
the jurisdictional competence of
the coastal State.This rule states
that vessels and aircraft of all
nationalities enjoy those high
seas freedoms in the EEZ that
do not unduly impinge upon any
of the enumerated sovereign
rights of the coastal State
therein, or that otherwise violate
its rights.

Rule Meaning

48 Cyber operations in States enjoy sovereignty over

territorial sea territorial sea that extends up to
12 nautical miles from
baselines.In parallel with coastal
State sovereignty over the
territorial sea, vessels of all
States, including warships, enjoy
the right of innocent passage
through that area. The innocent
passage regime requires
continuous and expeditious
transit through the territorial
sea.It also encompasses transit
through those waters when
proceeding to or from that
coastal State’s internal or
archipelagic waters.Submarines
must transit on the surface and
show their flag in order to claim

the right of innocent passage.

Aircraft do not enjoy the right of
innocent passage

Rule Meaning

49 Cyber operations in During periods of international

territorial sea during armed conflict, the laws of naval
armed conflict warfare and neutrality overlay
the peacetime law of the sea
regime.The law of neutrality
prohibits belligerents from using
neutral ports and waters as a
base of operations against their
adversaries. But, neutral coastal
states may permit and are not
obligated to allow "mere
passage” through their territorial
sea by belligerent warships.

Rule Meaning

50 Exercise of jurisdiction As a general matter, authorities

in relation to foreign of the coastal State may not
vessels in the territorial arrest individuals or conduct
sea
investigations on-board a vessel
flagged by another State whilst
that vessel is in the coastal
State’s territorial waters. The
Rule sets forth four well-
accepted peacetime exceptions
to this prohibition. The
exceptions are:

• State may exercise

enforcement jurisdiction on-
board a vessel in its territorial
sea if cyber operations or
activities emanating from it
violate the criminal law of the
coastal State and manifest on
that State’s territory, including
its territorial waters.

• Any cyber operation

conducted from a foreign
vessel in the territorial sea that
has widespread effects and is
therefore disruptive in the
coastal State would also entitle
that State to exercise
enforcement jurisdiction
aboard the vessel concerned.

• Cyber activity related to illegal

narcotic drug trafficking
provides a further basis for the
exercise of criminal
enforcement jurisdiction

• If a crime involving cyber

activity occurs on-board an
offending non-sovereign
immune vessel before it
departs the coastal State’s
internal waters, the State may
Rule Meaning

51 Cyber operations in States may claim a contiguous

the contiguous zone zone that extends from the limit
of the territorial sea up to
twenty-four nautical miles from
their baselines. In case of
vessels located in a coastal
state’s contiguous zone, the
coastal state enjoys two
extensions of authority.The first
is the sovereign right to enforce
its fiscal, immigration, sanitary,
and customs laws (the ‘FISC’
powers) against vessels that are
suspected of having breached
them while in the coastal State’s
internal waters or territorial
sea.The other authority accorded
the coastal State in relation to
FISC issues in the contiguous
zone is that of prevention.This
authority allows the coastal
State to use cyber means to
warn and prevent a vessel in the
contiguous zone from carrying
out a FISC-related breach that it
is reasonably suspected of being
about to commit in the State’s
territory or territorial sea.

Rule Meaning

52 Cyber operations in International straits are those

international straits routes through a State’s
territorial sea, or through the
overlapping territorial seas of
two or more States, that connect
one area of the high seas or an
EEZ to another area of the high
seas or an EEZ, and that are
used for international
navigation.The seabed and
waters in an international strait
are subject to the sovereignty of
the bordering State or States
and those states generally enjoy
the rights and bear the
obligations subject to the right of
transit passage enjoyed by the
vessels and aircraft of other
States. The right of transit
passage exists throughout the
entire strait (shoreline-to-
shoreline) and its approaches.

53 Cyber operations in An archipelagic state is a state

archipelagic waters that is comprised wholly of one
or more group of islands.Waters
enclosed within the archipelagic
baselines are archipelagic
waters.A State enjoys
sovereignty over its archipelagic
waters, the airspace above the
waters, and the seabed and
subsoil lying below them.

Rule Meaning

54 Submarine This rule states that the rules

communication cables and principles of international
law applicable to submarines are
also applicable to submarine
communication cables.
55 Control of aircraft This rule states that a State has
conducting cyber the power to control and
operations in national regulate the operation of aircraft,
airspace
including those that conduct
cyber operations, in its national
airspace. Every state has
complete and exclusive control
over the airspace above its
territory.
56 Cyber operations in This rule states that a State is
international airspace allowed to conduct cyber
operations in international
airspace subject to the
limitations contained in the
international law in this regard.
International airspace is that
which does not qualify as
national airspace.Some States
have established ADIZs, the
authority for which flows from
the State’s sovereignty over its
national airspace. Such zones
extend into international
airspace and are designed to
ensure the security of the State
concerned. Both civil and State
aircraft that desire to enter a
State’s national airspace must
comply with the conditions and
procedures for entry set by that
State

Rule Meaning

57 Cyber operations A state is required to exercise

jeopardising the safety ‘due regard’ for the safety of
of international civil navigation of international civil
aviation aviation when issuing regulations
for the operation of their State
aircraft. This rule thus states that
a state may not conduct cyber
operations that jeopardise the
safety of international civil
aviation.