Professional Documents
Culture Documents
Tsagourias 2015
Tsagourias 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 1 / Date:
26/3
JOBNAME: Tsagourias PAGE: 2 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 2 / Date:
26/3
JOBNAME: Tsagourias PAGE: 3 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Edited by
Nicholas Tsagourias
Professor of International Law, University of Sheffield, UK
Russell Buchan
Senior Lecturer in International Law, University of Sheffield, UK
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 1 / Date:
26/3
JOBNAME: Tsagourias PAGE: 4 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical or photocopying, recording,
or otherwise without the prior permission of the publisher.
Published by
Edward Elgar Publishing Limited
The Lypiatts
15 Lansdown Road
Cheltenham
Glos GL50 2JA
UK
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 2 / Date:
26/3
JOBNAME: Tsagourias PAGE: 5 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Contents
Introduction 1
Michael Schmitt
v
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 1 / Date:
8/5
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Index 491
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 2 / Date:
26/3
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Contributors
Louise Arimatsu has been an Associate Fellow with the International Law Programme
at Chatham House since 2009. Dr Arimatsu’s areas of expertise include International
Humanitarian Law, international Criminal Law, Refugee Law and International Human
Rights Law. Between 2006 and 2011, she taught International Law at University
College London and the London School of Economics. She was the Managing Editor
of the Yearbook on International Humanitarian Law from 2009 until 2012.
vii
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 1 / Date:
6/5
JOBNAME: Tsagourias PAGE: 8 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Paul Ducheine (Colonel) LL.M., MSc (Army Legal Service) is Professor of Cyber
Operations at the Netherlands Defence Academy (Faculty of Military Sciences) and
Professor of the Law of Military Cyberoperations at the University of Amsterdam, and
researcher at the Amsterdam Centre of International Law.
David P. Fidler is the James Louis Calamaras Professor of Law at the Indiana
University Maurer School of Law, a Senior Fellow at the Indiana University Center for
Applied Cybersecurity Research, and Chair of the International Law Association’s
Study Group on Cybersecurity, Terrorism, and International Law.
Terry D. Gill (1952): BA 1982, LLM 1985, PhD (cum laude) 1989, is Professor of
Military Law at the University of Amsterdam and the Netherlands Defence Academy
and was first Assistant and later Associate Professor of Public International Law at
Utrecht University from July 1985 until February 2013. He is Director of the Research
Program on the Law of Armed Conflict and Peace Operations at the Amsterdam Centre
for International Law and of the Netherlands Research Forum on the Law of Armed
Conflict and Peace Operations (LACPO). Professor Gill is editor in chief of the
Yearbook of International Humanitarian Law and a member of the editorial boards of
the The Military Law Review (Militair Rechtelijk Tijdschrift), the Journal of Conflict &
Security Law and the Journal of International Peacekeeping and Chairman of the Study
Group of the International Law Association (ILA) on the Conduct of Hostilities in the
21st Century. He was a member of the expert group on ‘Direct Participation in
Hostilities’ convened by the ICRC and TMC Asser Institute between 2003–2008, and
the Manual on International Law Applicable to Cyber Warfare (also known as The
Tallinn Manual), drafted with support of NATO’s Cooperative Cyber Defence Centre of
Excellence (CCDCOE) between 2010–2013, and has contributed to several military
manuals in use by the Netherlands armed forces. He co-edited and co-authored the
Handbook of the International Law of Military Operations, published by Oxford
University Press in 2010.
Kathleen Heath is a researcher at the Sydney Centre for International Law. She has a
Bachelor of Laws with First Class Honours and the University Medal (2013) from the
University of Sydney.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 2 / Date:
6/5
JOBNAME: Tsagourias PAGE: 9 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
Contributors ix
Uta Kohl received her University Law/Arts education in the UK and Australia and has,
since then, been teaching and researching at Aberystwyth University, Wales. She is a
Senior Lecturer at the Department of Law and Criminology with interests in Internet
Governance and Corporate Governance as well as Internet Corporate Governance. She
has presented papers and written a number of articles on these themes and is the author
of Jurisdiction and the Internet: Regulatory Competence over Online Activity (2007) as
well as co-author of Human Rights in the Market Place (2008) and Information
Technology Law (2011). Uta Kohl organised a multi-disciplinary symposium on
internet jurisdiction, sponsored by Google Inc, in September 2014.
Eric Myjer is a Professor of Conflict and Security Law, School of Law, Utrecht
University, the Netherlands and the Director of the Centre for Conflict and Security
Law. He has published widely on issues in the area of conflict and security law with
special emphasis on arms control law, most recently serving as one of the editors of
The Chemical Weapons Convention, A Commentary published by Oxford University
Press in 2014. He is also co-editor in chief of the Journal of Conflict & Security Law.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 3 / Date:
15/5
JOBNAME: Tsagourias PAGE: 10 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Hitoshi Nasu is a Senior Lecturer in law and LLM International Security Law stream
Convenor at the Australian National University. He holds BA and MA in Political
Science (Aoyama Gakuin) and a Master of International Law and a PhD in law
(Sydney). He is the author of International Law on Peacekeeping: A Study of Article 40
of the UN Charter (Martinus Nijhoff, 2009) and a co-editor of Human Rights in the
Asia-Pacific Region: Towards Institution Building (Routledge, 2011), Asia-Pacific
Disaster Management (Springer, 2013) and New Technologies and the Law of Armed
Conflict (TMC Asser, 2014). He is currently the lead investigator of an Australian
Research Council Discovery Grant Project, A Legal Analysis of Australia’s Future
Engagement with Asia-Pacific Security Institutions, under which the research for this
volume’s chapter is supported.
Marco Roscini has a PhD from the University of Rome ‘La Sapienza’ and is Reader in
International Law at the Westminster Law School. Dr Roscini has published widely in
the field of International Conflict and Security Law. In particular, he is the author of
Cyber Operations and the Use of Force in International Law (Oxford University Press,
2014) and of several articles on the international law aspects of cyber operations.
Neil C. Rowe, Ph.D., is Professor of Computer Science at the U.S. Naval Postgraduate
School where he has been since 1983. His main research interests are the modeling of
deception, information security, surveillance systems, image processing, and data
mining. Recent work has focused on Cyberwarfare, Digital Forensics, and the problems
of large-scale data analysis. He is the author of a book on artificial intelligence and 160
technical papers.
Ben Saul is Professor of International Law and an Australian Research Council Future
Fellow at The University of Sydney, and a barrister. He is the author of Defining
Terrorism in International Law (2006), co-author of The International Covenant on
Economic, Social and Cultural Rights: Commentary, Cases and Materials (2014), and
editor of Research Handbook on International Law and Terrorism (2014).
Michael Schmitt is the Charles H. Stockton Professor and Director of the Stockton
Center for the Study of International Law at the United States Naval War College in
Newport, Rhode Island. He is also Professor of Public International Law at Exeter Law
School and a member of Exeter University’s Strategy and Security Institute, a Fellow at
Harvard Law School’s Program on International Law and Armed Conflict, Senior
Fellow at the NATO Cyber Defence Centre of Excellence, and Editor-in-Chief
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 4 / Date:
6/5
JOBNAME: Tsagourias PAGE: 11 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Contributors xi
Helen Trezise is a fourth year Arts/Law student at the Australian National University.
She is currently a research assistant to Dr Hitoshi Nasu on his Australian Research
Council Discovery Grant Project, A Legal Analysis of Australia’s Future Engagement
with Asia-Pacific Security Institutions, under which the research for this volume’s
chapter is supported.
David Turns is Senior Lecturer in International Laws of Armed Conflict at the Defence
Academy of the United Kingdom (Cranfield University). He was previously a Lecturer
in Law at the University of Liverpool (1994–2007) and taught at the London School of
Economics & Political Science (1990–94). He has been on the Visiting Faculty of the
International Institute of Humanitarian Law (San Remo, Italy) since 1997 and has also
taught on legal courses at the NATO School (Oberammergau, Germany) and the Centro
Alti Studi per la Difesa (Rome, Italy). In 2002 he was a Visiting Professor at the Institut
für Völkerrecht und Internationale Beziehungen (University of Vienna, Austria). In
2004 he was one of the founders of the Vienna Course on International Law for
Military Legal Advisers, in collaboration with the Austrian Federal Ministry of Defence
and Sport and the International Committee of the Red Cross. Since 2008 he has been
the Chairman of the UK National Group of the International Society for Military Law
and the Law of War and is a Member of the Society’s Board of Directors.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 5 / Date:
6/5
JOBNAME: Tsagourias PAGE: 12 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Hague; editor-in-chief and founder of the International Organizations Law Review and
of the Netherlands Yearbook of International Law; editor of Nijhoff Studies in
European Union Law and member of a number of other editorial boards. Ramses
Wessel graduated in 1989 at the University of Groningen in International Law and
International Relations and subsequently worked at the same university (1989–91) and
at the Department of International and European Institutional Law at Utrecht University
(1991–2000). He wrote and co-edited several books, including: The European Union’s
Foreign and Security Policy: A Legal Institutional Perspective (Kluwer Law Inter-
national, 1999), Multilevel Regulation and the EU (Martinus Nijhoff Publishers, 2008),
International Law as Law of the European Union (Martinus Nijhoff Publishers, 2011),
Informal International Lawmaking (Oxford University Press, 2012), Between Autonomy
and Dependence: The EU under the Influence of International Organizations (TMC
Asser Press/Springer, 2013), EU External Relations Law (Cambridge University Press,
2014) and other publications in the field of international and European law. His general
research interests lie in the field of International and European Institutional Law, with
a focus on the law of International Organisations, Issues of Global Governance, the
Relationship between International and EU law, European Foreign, Security and
Defence Policy and EU External Relations in general.
Katharina Ziolkowski (Dr) is Legal Adviser to the German Armed Forces, currently
serving at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn,
Estonia.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 6 / Date:
6/5
JOBNAME: Tsagourias PAGE: 13 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Preface
The idea for a research handbook on international law and cyberspace emerged from
our own research and discussions in different fora about the applicability of inter-
national rules to cyberspace and to various cyber activities and the realisation that the
range of issues and problems involved pose various challenges to international law. For
this reason, we endeavoured to bring together an array of experts to offer original and
insightful analysis of a host of legal issues pertaining to cyberspace and to various
cyber activities.
The handbook starts with an examination of the legal status of cyberspace and of the
way certain international law principles apply to cyberspace. These include sovereignty,
jurisdiction, state responsibility, intellectual property rights, human rights, and indi-
vidual criminal responsibility. Part II proceeds by setting out and analysing the legal
rules that apply to cyber terrorism, cyber espionage, and cyber crime. Part III examines
the rules that apply to cyber attacks whereas Part IV considers the application of
international humanitarian law principles to cyberwar. Part V examines international
and regional cyber security policies such as those of the EU, NATO, Asia-Pacific
nations and of the United Nations.
This research handbook thus serves as a guide to academics, practitioners, research-
ers and students on the international law principles and rules that apply to cyberspace
and to certain cyber activities. The handbook also serves as a basis for further research
in this area by identifying a number of important issues that require more detailed and
specialised treatment.
We are grateful to various people who have contributed in different ways to this
research handbook. First, we are indebted to all the authors for their excellent
contributions. We are also grateful to Professor Michael Schmitt for writing the
introduction. Professor Schmitt has almost single-handedly placed cyber on the
academic and policy agenda. Finally, we want to thank Andraz Kastelic, our research
assistant, Robin Morris for his help with editing and proof-reading as well as Ben
Booth, Jennifer Stanley and the Edward Elgar team for facilitating the production of
this research handbook.
Nicholas Tsagourias and Russell Buchan
October 2014
xiii
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 1 / Date:
8/5
JOBNAME: Tsagourias PAGE: 1 SESS: 11 OUTPUT: Mon May 18 10:36:31 2015
Table of cases
INTERNATIONAL
Accordance with International Law of the Unilateral Declaration of Independence in respect of
Kosovo, Advisory Opinion of 22 July 2010, (Declaration of Judge Simma), [2010] Rep.
403 ICJ ................................................................................................................................. 65
Air Service Agreement of 27 March 1946 between the United States and France (Award),
[1978] 18 Reports of International Arbitral Awards 417 .................................................. 274
Argentina v. Uruguay (Pulp Mills on the River Uruguay), [2010] ICJ Rep. 14 ................ 69, 279
Bosnia and Herzegovina v. Serbia and Montenegro (Application of the Convention on the
Prevention and Punishment of the Crime of Genocide), [2007] ICJ Rep. 43 ...... 57, 59, 60,
68, 70, 278, 334, 335
Costa Rica v. Nicaragua (Dispute Regarding Navigational and Related Rights) (Judgment),
[2009] ICJ Rep 213 ........................................................................................................... 246
Democratic Republic of Congo v. Belgium (Arrest Warrant Case) (Joint Separate Opinion of
Judges Higgins, Kooijmans and Buergenthal), [2002] ICJ Rep 3 ...................................... 19
Democratic Republic of Congo v. Belgium (Arrest Warrant Case), [2002] ICJ Rep 3 ............. 20
Democratic Republic of the Congo v. Uganda (Armed Activities on the Territory of the
Congo), [2005] ICJ Rep. 168 .............................................................................. 68, 270, 276
Federal Republic of Germany v. Denmark; Federal Republic of Germany v. Netherlands
(North Sea Continental Shelf Cases) [1969] ICJ Rep. 3 .......................................... 151, 268
France v. Turkey (The ‘S.S. Lotus’), [1927] PCIJ Rep Series A No 10 18 ..... 18, 19, 20, 21, 36,
37, 48, 51, 65, 181, 344
Germany v. Poland (Claim for Indemnity) (The Factory at Chorzów), [1928] PCIJ Ser A
No. 17 .................................................................................................................................. 57
Hungary v. Slovakia (Gabčíkovo-Nagymaros Project) (Judgment), [1997] ICJ Rep 7… 279, 355
Interlocutory Decision on the Applicable Law: Terrorism, Conspiracy, Homicide, Perpetration,
Cumulative Charging, (UN Special Tribunal for Lebanon, Appeals Chamber),
STL-11-01/I (16 February 2011) ...................................................................................... 155
Islamic Republic of Iran v. United States (Oil Platforms) (Judgment of 6 November 2003),
[2003] ICJ Rep. 161 ......................................................................... 265, 266, 267, 273, 275
Jurisdictional Immunities of the State, ([2012] ICJ Rep. 99 .................................................... 266
Legal Consequences for States of the Continued Presence of South Africa in Namibia
(South West Africa) notwithstanding Security Council Resolution 276 (1970)
(Advisory Opinion), [1971] ICJ Rep 16 ........................................................................... 246
Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory
(Advisory Opinion), [2004] ICJ Rep. 2005 .............................................................. 233, 276
Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 226
(Nuclear weapons) ...... 235, 238, 265, 267, 272, 279, 293–6, 299, 301, 343, 344, 356, 367
Lichtenstein v. Guatemala (Nottenbohm Case), [1955] ICJ Rep 4 23 ....................................... 19
Nicaragua v. United States (Military and Paramilitary Activities in and Against Nicaragua)
(Merits) (Nicaragua Case), [1986] ICJ Rep. 14 ... 60, 64, 65, 126, 175, 180, 181, 186, 233,
237, 238, 243, 250, 252, 253, 254, 255, 266, 267, 270, 273, 274,
275, 278, 301, 334, 355, 356
Prof. Allain Pellet (Independent Objector) v. Afilias Ltd, Case No EXP/409/ICANN/26
(November 2013) ............................................................................................................... 116
xiv
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofCases_rev_2 /Pg. Position:
1 / Date: 15/5
JOBNAME: Tsagourias PAGE: 2 SESS: 11 OUTPUT: Mon May 18 10:36:31 2015
Table of cases xv
WTO
United States – Import Prohibition of Certain Shrimp And Shrimp Products – Report of the
WTO Appellate Body, 12 October 1998, WT/DS58/AB/R ............................................... 355
United States – Measures Affecting the Cross-Border Supply of Gambling and Betting
Services, WTO Panel, 10 November 2004, WT/DS285/R ........................................... 42, 52
United States – Measures Affecting the Cross-Border Supply of Gambling and Betting
Services, WTO Appellate Body, 7 April 2005, WT/DS285/AB/R................................ 42, 52
United States – Measures Affecting the Cross-Border Supply of Gambling and Betting
Services, WTO Panel, 30 March 2007, WT/DS285/RW .............................................. 42, 52
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofCases_rev_2 /Pg. Position:
2 / Date: 15/5
JOBNAME: Tsagourias PAGE: 3 SESS: 11 OUTPUT: Mon May 18 10:36:31 2015
EUROPEAN
Anheuser–Busch Inc. v. Portugal, App No 73049/01, [2007] EHCR 40, (2007) 45 EHHR, 36,
[2007] ETMR 24 ................................................................................................................. 77
Balan v. Moldova, App No 19247/03, [2008] ECHR 81; [2009] ECDR 6 .......................... 72, 77
Perrin v. United Kingdom, App No 5446/03, 18 October 2005 ................................................. 39
Smith Kline and French Laboratories Ltd. v. Netherlands, App No 12633/87, (1990)
66 ECDR 70 ........................................................................................................................ 77
Yildirim v. Turkey, App No 3111/10, [2012] ECHR 3003 ................................................. 53, 101
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofCases_rev_2 /Pg. Position:
3 / Date: 15/5
JOBNAME: Tsagourias PAGE: 4 SESS: 11 OUTPUT: Mon May 18 10:36:31 2015
NATIONAL
Australia
Bulgaria
Canada
Cyprus
Supreme Court of Cyprus Appeal Case Nos. 65/2009, 78/2009, 82/2009 and
15/2010-22/2010, 1 February 2011 .................................................................................... 167
Czechoslovakia
France
LICRA & UEJF v. Yahoo! Inc & Yahoo France, Tribunal de Grande Instance de Paris,
22 May 2000, affirmed Tribunal de Grande Instance de Paris, 20 November 2000 ... 38, 98
Fondation Carl Zeiss Stiftung v. Fondation Carl Zeiss Heidenheim, Cour de Cassation,
15 March 1965...................................................................................................................... 78
Germany
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofCases_rev_2 /Pg. Position:
4 / Date: 15/5
JOBNAME: Tsagourias PAGE: 5 SESS: 11 OUTPUT: Mon May 18 10:36:31 2015
The Netherlands
Holland Casino v. Paramount Holdings et. al, District Court, Utrecht (27 February 2003) ....... 41
National Sporttotaliser Foundation v. Ladbrokes Ltd, District Court, The Hague
(27 January 2003) ................................................................................................................ 41
United Kingdom
Baigent v. Random House Group Ltd, [2006] EMLR 16 (High Court), [2007]
FSR 24 (CA) ........................................................................................................................ 88
Berezovsky v. Michaels and Ors, [2000] UKHL 25 ................................................................... 32
BT (and others) v. One in A Million and others, [1999] 1 WLR 903 ........................................ 92
Cantor Fitzgerald International v. Tradition, (UK) Ltd. [2000] RPC 95 .................................... 89
DPP v. Stonehouse, [1978] AC 55 .............................................................................................. 48
Harrods Ltd v. Dow Jones Co Inc, [2003] EWHC 1162 (QB) ................................................... 43
Ibcos Computers v. Barclays Mercantile, [1994] FSR 275 ........................................................ 89
John Richardson Computers Ltd v. Flanders, [1992] FSR 497 .................................................. 89
Jones v. Ministry of Interior Al-Mamlaka Al-Arabiya AS Saudiya (Kingdom of Saudi
Arabia), [2006] UKHL 26 ................................................................................................. 265
Kuwait Airways Corp v. Iraqi Airways Co, [2002] 3 All ER 209 .............................................. 32
Lewis and Ors v. King, [2004] EWHC 168 (QB); [2004] EWCA Civ 1329 ............................. 43
McGrath and Anor v. Dawkins and Ors, [2012] EWHC B3 (QB) ............................................. 43
Navitaire Inc. v. EasyJet Airline Co, Bulletproof Technologies Inc, [2004] EWHC 1725
(Ch), [2006] RPC 111 ......................................................................................................... 89
Nova Productions Ltd. v. Mazooma Games Ltd, [2007] EWCA Civ 219 ................................. 89
Peer International Corporation v. Termidor Music Publishers Ltd, [2002] EWHC 2675
(Ch) ...................................................................................................................................... 79
R v. Mohammed Gul, [2012] EWCA Crim 280 ....................................................................... 156
R v. Markus, [1975] 1 All ER 958 .............................................................................................. 48
R v. Perrin, [2002] EWCA Crim 747 .................................................................................... 39, 50
R v. Sheppard and Anor, [2010] EWCA Crim 65 ...................................................................... 19
R v. Treacy, [1971] AC 557 ......................................................................................................... 48
Ravenscroft v. Herbert, [1980] RPC 193 .................................................................................... 88
SAS Institute v. World Programming Ltd, [2010] EWHC 1829 (Ch), [2012] RPC 31 ....... 89, 90
The ‘Vishva Ajay’, [1989] 2 Lloyd’s Rep 558 ............................................................................ 32
Twentieth Century Fox Film Corp and Ors v. British Telecommunications plc, [2011]
EWHC 1981 ........................................................................................................................ 52
University of London Press v. University Tutorial Press, [1916] 2 Ch 601 ............................... 86
Vidal -Hall and Ors v. Google Inc, [2014] EWHC 13 (QB) ...................................................... 44
United States
Cable News Network LP v. cnnews.com, 162 F Supp 2d 484 (ED Va.2001) and 177 F
Supp 2d 506 (ED Va 2001), affirmed in 56 Fed Appx 599 (4th Cir 2003) ................. 47, 52
CompuServe, Inc v. Patterson, 89 F 3d 1257 (6th Cir1996) ................................................ 19, 20
Computer Associates Inc. v. Altai Inc, 982 F 2d 693 (1992), 20 USPQ 2d 1641 (1992) ......... 89
Dow Jones & Co. v. Harrods Ltd, 237 F Supp 2d 394 (2002) ................................................... 43
Hartford Fire Insurance Co v. California, 509 US 764 (1993) ................................................... 49
International Shoe Co v. Washington, 326 US 310 (1945) .................................................. 20, 45
ITC Ltd. v. Punchgini, Inc, 482 F 3d 135 (2d Cir 2007) ............................................................ 80
Kiobel v. Royal Dutch Petroleum Co, 569 US (17 April 2013), affirmed 621 F3d 111
(2d Cir 2010) ....................................................................................................................... 32
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofCases_rev_2 /Pg. Position:
5 / Date: 15/5
JOBNAME: Tsagourias PAGE: 6 SESS: 11 OUTPUT: Mon May 18 10:36:31 2015
People v. World Interactive Gaming Corp, 714 NYS 2d 844 (1999) ......................................... 47
Reno v. American Civil Liberties Union, 521 US 844 ............................................................. 256
Smith v. Maryland, 442 US 735 (1979) .................................................................................... 103
T-Mobile West Corp. v. Crow, No. CV08-1337-PHX-NVW, (D Ariz Dec 16, 2009) ............... 19
The Exchange v. McFaddon, 11 US (7 Cranch 116) 116 (1812) ............................................... 17
U.S. v. Yousef, 327 F.3d 56, 112 (2d Circ 2003) ........................................................................ 20
US v. $734,578.82 in US Currency, 286 F 3d 641 (2002) ......................................................... 47
Wedding v. Meyler, 192 US 573 (84 1904) ................................................................................ 19
Yahoo! v. La Ligue contre le racisme et l’antisémitisme, 433 F 3d 1199 (9th Cir 2006) ....... 193
Young v. New Haven Advocate, 315 F 3d 256 (2002) ............................................................... 47
Zippo Mfg Co v. Zippo Dot Com Inc, 952 F Supp 1119 (WD Pa 1997) .................................. 20
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofCases_rev_2 /Pg. Position:
6 / Date: 15/5
JOBNAME: Tsagourias PAGE: 1 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Table of legislation
xx
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 1
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 2 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 2
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 3 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 3
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 4 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 4
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 5 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 5
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 6 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 6
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 7 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 7
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 8 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 8
/ Date: 15/5
JOBNAME: Tsagourias PAGE: 9 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 9
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Introduction
Michael Schmitt
Since the digital revolution, the exponential growth of information and communication
technology has created a complex web of networked systems. This is the new and
vibrant environment that we know as cyberspace. More specifically, cyberspace is the
‘global domain within the information environment consisting of the interdependent
network of information technology infrastructure, including the Internet, telecommuni-
cations networks, computer systems, and embedded processors and controllers’.1
Over the course of the last three decades, cyberspace has been ‘woven into the fabric
of daily life’2 and now permeates all aspects of modern society. Millions of people,
organisations, governmental and public institutions, corporations and businesses use
cyberspace every day to communicate, gather or exchange information, bank, shop, do
business, distribute energy, govern and exert influence. By December 2013, 39 per cent
of the world population used the internet (with usage in Europe being 68.6 per cent and
in North America 84.9 per cent), an increase of 676.3 per cent since 2000.3
Notwithstanding the enormous benefits and advantages it offers, cyberspace has also
become a repository for various threats, vulnerabilities and insecurities. They may
originate from governments, organised groups, individuals, or businesses, be intentional
or accidental and have financial, military, political or other aims. For instance,
conventional crime is metastasising to the cyber domain with criminals using networks
and cyber tools. Cyber theft, cyber fraud, the sale of illegal products, blackmail,
pornography and copyright and intellectual property theft are common occurrences that
can generate deleterious financial, personal, and even political consequences.4 State
security can be compromised by military-like and non-military-like cyber attacks
targeting critical national infrastructure and other essential assets and activities.
1
Joint Chiefs of Staff, Joint Publication 1-02, DOD Dictionary of Military and Associated
Terms (8 November 2010) (as amended through 15 June 2014) 64. The International Tele-
communications Union describes cyberspace as ‘systems and services connected either directly
or indirectly to the internet, telecommunications and computer networks’; ITU, ITU National
Strategy Guide (Geneva: ITU, 2011) 5, http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-
national-cybersecurity-guide.pdf accessed 13 October 2014.
2
69th Session of the UN General Assembly A/69/112 (30 June 2014) 4, foreword by the UN
Secretary-General, http://undocs.org/A/69/112 accessed 13 October 2014.
3
Internet World Stats: Usage and Population Statistics (26 September 2014), http://
www.internetworldstats.com/stats.htm accessed 13 October 2014.
4
In the UK, the cost of cybercrime to the UK has been estimated to be around £27bn per
annum of which £3.1 is the cost to citizens, £2.2 the cost to government and £21bn to business;
UK Cabinet Office and Detica, The Cost of Cyber Crime: A Detica Report in Partnership with
the Office of Cyber Security and Information Assurance in the Cabinet Office (Guildford, Surrey:
Detica Limited, 2011), 18–24.
1
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Terrorists may begin to use cyberspace to perpetuate terrorist acts; they already use it
for recruitment, training, propaganda and funding purposes.5
The unique characteristics of cyberspace magnify both its potential benefits and
risks. At its core, cyberspace is a virtual environment; it is not subject to a time-space
continuum and is thus unconstrained by the limitations that these characteristics
impose. In this virtual environment, no physical action takes place. Instead, information
is transferred instantly through interconnected networks that transcend physical, legal
or political borders. In cyberspace actors can often maintain their anonymity. For
instance, efforts to trace cyber attacks encounter serious legal and technical obstacles
because they may operate through different networks.
Its unique characteristics make cyberspace a challenging environment for legal
regulation. Important questions arise about the role and efficacy of law, particularly
international law, in regulating cyber activities and cyberspace. In the immediate years
that followed the advent of cyber activities, some legal commentators claimed that
existing legal frameworks – whether it be national, regional or international law – are
inapplicable to cyberspace.6 The argument was that existing legal frameworks were
designed to regulate physical, geographically defined territories. In contrast, cyberspace
is a virtual domain that is global in scope but technically borderless. It was thus
proposed that cyberspace should be governed by a sui generis regulatory framework,
one devised and shaped by its users according to the specific features and needs of this
new domain. What they anticipated was the emergence of a subject-specific ‘law of
cyberspace’.
In recent years, states have made it clear that existing legal frameworks continue to
apply to cyberspace. For example, the UN Group of Governmental Experts established
by the UN Secretary-General to review existing and potential threats from cyberspace
stated in its 2013 report that ‘[i]nternational law, and in particular the Charter of the
United Nations, is applicable and is essential to maintaining peace and stability and
promoting an open, secure, peaceful and accessible ICT environment’ and that ‘State
sovereignty and international norms and principles that flow from sovereignty apply to
State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure
within their territory’.7 Similarly, in 2014 NATO’s heads of state agreed ‘[o]ur policy
also recognises that international law, including international humanitarian law and the
UN Charter, applies in cyberspace’.8
This is not to say however that the application of these legal frameworks is
uncontested or unproblematic. Indeed, this is particularly the case with international
5
See generally UN Office on Drugs and Crime: The Use of the Internet for Terrorist
Purposes (2012), http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_
Purposes.pdf accessed 13 October 2014.
6
D Johnson and D Post, ‘Law and borders – The rise of law in cyberspace’ (1996) 48
Stanford Law Review 1367.
7
Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security UN Doc, A/68/98 (24 June 2013)
paras 19–20, http://www.mofa.go.jp/files/000016407.pdf accessed 13 October 2014.
8
Wales Summit Declaration, Issued by the Heads of State and Government participating in
the meeting of the North Atlantic Council in Wales (5 September 2014), para 72, http://
www.nato.int/cps/en/natohq/official_texts_112964.htm accessed 13 October 2014.
Introduction 3
law because it very much adopts a state-based structure that is preoccupied with
notions of territory. With this in mind, the objective of this research handbook is to map
out the international rules and regulatory frameworks that apply to cyberspace in
general and to specific activities in cyberspace in particular. For this reason it brings
together leading international law scholars and practitioners to critically assess the
application of various international law principles and regimes to cyberspace.
Before I proceed to provide an overview of the contents of the book, allow me to
offer a few words about the originality and importance of this project. As a result of the
widespread media attention dedicated to the topic of cyber war, a great deal of
scholarly attention has been directed towards examining whether and how international
law applies to cyber attacks that is, military-like attacks on states by other states or
non-state actors. The Tallinn Manual on the International Law applicable to Cyber
Warfare, for example, has made a significant contribution to clarifying the application
of international laws relating to cyber uses of force and armed conflict involving cyber
operations.9 The present collection builds upon that research with chapters addressing
both the jus ad bellum and jus in bello.
However, much less attention has been focused upon the role of international law in
addressing other threats in and from cyberspace, such as cyber terrorism, cyber crime
and cyber espionage. The present research handbook responds to such a need. The
handbook also assesses the cyber security policies of a number of international
organisations, such those of the EU, NATO, and the UN, and assesses Asian approaches
to achieving and maintaining cyber security. This research handbook thus makes a very
important contribution in the field of cyber security by assessing the application of
international law to these different types of cyber threats.
The normative scope of the handbook is likewise broad. It examines the status as
well as the governance structures that apply to cyberspace. Accordingly, it contains
chapters on the legal character of cyberspace and the application of general principles
of international law to cyberspace, such as the law of state responsibility, international
human rights law, international criminal law and intellectual property law.
The result is a handbook that for the first time provides a comprehensive account of
the international legal rules that apply to cyberspace, engages in a systematic analysis
of how they do so, and provides an assessment of their suitability and effectiveness.
Moreover, where the regulatory functions performed by international law in cyberspace
are found lacking, this handbook offers suggestions for new regulatory regimes or
interpretations of existing rules that can deal more effectively with cyber activities. In
sum, the present research handbook contributes to the creation of a common base of
knowledge in this field.
As such, it is essential reading for policy makers, lawyers, political scientists, the
military and police, technologists, researchers or students who want or need to know,
understand or apply the international regulatory framework governing cyberspace and
cyber activities. I heartily congratulate the individual authors and both editors for their
efforts in bringing this important project to successful completion. It is a work that will
influence and shape this complex, but increasingly central, facet of international law.
9
M Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare
(CUP, 2013).
Introduction 5
In Chapter 5, David Fidler addresses the relationship between cyberspace and human
rights. For him, cyberspace challenges certain principles of international law central to
the protection of human rights, such as the principle of sovereignty and jurisdiction.
For instance, it raises questions as to whether internet access is a human right and how
the concept of, and debate over, the extraterritoriality of human rights law applies in the
cyber context. The cyberspace-human rights relationship also evokes questions as to
national and international policies on internet governance and cyber security, an
important issue given Edward Snowden’s revelations concerning the United States
National Security Agency’s massive cyber surveillance campaign. Fidler concludes that
cyberspace is subject to international politics that have historically affected human
rights protection. Examples include the resilience of sovereignty, national security
concerns and shifting balances of power. He concludes that this means the potential of
cyberspace to significantly enhance the enjoyment of fundamental human rights may
never be fully realised.
In Chapter 6 Kai Ambos considers the question of whether the commission of cyber
attacks can give rise to individual criminal responsibility, with particular reference to
the provisions of the Rome Statute. Ambos examines the conditions by which
individuals may be held criminally responsible for war crimes and crimes against
humanity and applies them in the cyber context. He also asks whether cyber aggression
can fall within the definition of the crime of aggression under the Rome Statute and
whether criminal jurisdiction can be exercised over cyber aggression.
Part II of the handbook assesses the extent to which international law adequately
deters and suppresses threats that emerge in and from cyberspace. In Chapter 7 Ben
Saul and Kathleen Heath evaluate whether international terrorism conventions apply to
cyber terrorism. Although they conclude that certain terrorism conventions can be
interpreted in such a manner, they assert that gaps remain in legal regulation, not the
least of which is that there is no definition of terrorism (and, for that matter, of cyber
terrorism). They query whether cyber terrorism would be better addressed through the
negotiation and conclusion of a direct and specific international treaty on cyber
terrorism.
In Chapter 8 Russell Buchan assesses the permissibility of cyber espionage under
international law. Buchan argues that accessing and collecting confidential information
resident in cyberspace that falls under the sovereignty of another state is an intrinsically
pernicious practice that breeds distrust and hostility between states. This reality is
exemplified by the international response to the Snowden revelations. Buchan asserts
that in such an environment states are unable to act in a collaborative and coordinated
manner to address issues that threaten international peace and security, such as
international terrorism, environmental degradation and human rights abuses. Buchan
thus concludes that cyber espionage represents a threat to international peace and
security. Moreover, he argues that because states exercise sovereignty in cyberspace,
when a state accesses and copies (without authorisation) confidential information
falling under the jurisdiction of another state such conduct constitutes an unlawful
intervention in that state’s sovereign authority and is therefore violative of international
law.
Chapter 9 focuses upon cyber crime and the role of national, regional and
international law in combating this activity. Philipp Kastner and Frédéric Mégret argue
that many crimes committed in cyberspace are regulated by domestic criminal legal
systems. They illustrate this by reference to specific crimes committed in cyberspace.
The application of domestic criminal law notwithstanding, Kastner and Mégret suggest
that in order to achieve adequate criminal law enforcement multilateral initiatives such
as the Council of Europe’s Convention on Cyber Crime are essential, for they lay the
foundations for greater cooperation between states. Indeed, they conclude that a
multilateral treaty achieving global cooperation, beyond state or regional boundaries,
and across the state/non-state divide, is needed to deal with many forms of cyber crime
In Part III, the relationship between hostile cyber operations and the jus ad bellum is
examined. To provide background, Paul Ducheine explores the notion of cyber
operations in Chapter 10. He argues that, at the state level, there are broadly five
distinct paradigms that can be used to describe cyber operations: governance, protec-
tion, law enforcement, intelligence and military operations. Ducheine asserts that it is
the last paradigm that constitutes the most far-reaching framework for governmental
action and therefore suggests that the proliferation of concepts such as cyber attacks,
cyber targeting and cyber war are indicative of the growing militarisation of cyber-
space.
Chapter 11 considers whether cyber attacks constitute an unlawful use of force under
Article 2(4) UN Charter. Marco Roscini argues that force within the meaning of Article
2(4) requires the use of a weapons accompanied by a coercive intention and effects.
Roscini concludes that in the context of cyber attacks this occurs when the attack
against computer systems results in physical damage to property or loss of life or injury
to people, as in the case of an attack against computer systems that subsequently causes
planes to crash. He also advocates a reading of Article 2(4) that extends to cyber
attacks that, whilst not manifesting real-world damage, nevertheless render ineffective
or unusable computer systems that sustain critical infrastructures and thus cause
significant disruption to the delivery of essential services.
Following on from this assessment of Article 2(4), in Chapter 12 Carlo Focarelli
examines the circumstances by which a cyber attack can amount to an armed attack
pursuant to Article 51 of the UN Charter and thus trigger a state’s right to use force in
self-defence. In particular, and with reference to state practice and recent literature,
Focarelli debates whether an armed attack can only be said to occur where the cyber
attack produces sufficiently serious physical damage or instead whether its application
extends to sufficiently serious non-physical damage. An attack that affects the function-
ality of computer systems sustaining critical national infrastructure illustrates the latter.
In addition, Focarelli considers how the principles of necessity and proportionality
apply to cyber uses of force that are committed in accordance with to Article 51 UN
Charter.
States may seek to protect their cyber infrastructure against military threats from
cyberspace by recourse to the language of cyber deterrence by asserting that it will
respond to cyber attacks with a devastating cyber attack of its own. In Chapter 13 Eric
Myjer compares deterrent strategies in the nuclear realm with deterrence in the cyber
arena. He argues that because of the unique features of cyberspace, cyber deterrence is
not comparable with nuclear deterrence and that therefore cyber deterrence is unlikely
to be effective. Perhaps more importantly, Myjer concludes that deterrence by the threat
Introduction 7
Introduction 9
cyber issues. Additionally, issues of cyber security have surfaced in the UN Security
Council, the Economic and Social Council and other subsidiary organs and specialised
agencies. Henderson concludes that although the decision of these UN agencies to
address cyber security is to be welcomed, the next challenge for these agencies is to
cooperate more closely in order to ensure an integrated and concerted response to the
maintenance of cyber security.
CONCLUSION
Although it is by now fairly well settled that international law applies to activities in
cyberspace, the jury is still out on how to apply such law. This book engages that
dialogue in a sophisticated and insightful manner. I admit to disagreeing with some of
the reasoning and conclusions reached by individual contributors. Nevertheless, even in
such cases, I find the analysis highly incisive and intellectually provocative. I again
congratulate my friends Nicholas Tsagourias and Russell Buchan on bringing together
such a talented group to so usefully examine one of the most complex topics being
grappled with by the international law community.
PART I
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 1
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 2
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 3 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
INTRODUCTION
Cyberspace is often presented as a purely non-legal domain. According to John
Barlow’s Declaration of the Independence of Cyberspace ‘legal concepts do not apply
to cyberspace’.1 This view of cyberspace as a non-legal domain is based on a number
of assumptions. The first assumption is that cyberspace is different from real spaces: its
a-territorial, borderless and ubiquitous character differentiates it from the physical and
bounded spaces that are subject to legal regulation.2
The second assumption is that cyberspace, true to its original conceptualisation and
design, should remain an open, decentralised and participatory space, not hampered by
legal regulations.3
Yet, the view that cyberspace is subject to law and indeed to international law is not
in dispute anymore.
For example, a report of the United Nations Group of Governmental Experts on
developments in the field of information and telecommunications in the context of
international security affirmed that international law, especially the United Nations
(UN) Charter, applies to cyberspace and that State sovereignty and international norms
and principles that flow from sovereignty apply to State conduct of ICT-related
activities4, and to jurisdiction over ICT infrastructure within a State’s territory.5 As the
UN Secretary-General also noted in the Foreword to the report, ‘[t]he recommendations
point the way forward for anchoring ICT security in the existing framework of
international law and understandings that govern State relations and provide the
foundation for international peace and security’.6
This view is often supplemented by a qualification: namely, that international law
should adapt its rules in order to grapple with the particularities of cyberspace. As the
US President opined in the 2011 International Strategy for Cyberspace:
1
John P Barlow, ‘A Declaration of Independence for Cyberspace’ (Davos, 1996) <https://
projects.eff.org/~barlow/Declaration-Final.html> accessed 22 July 2014.
2
David R Johnson and David G Post, ‘Law and borders: The rise of law in cyberspace’
(1996) 48 Stanford L Rev 1367. Contra Jack L Goldsmith, ‘Against cyberanarchy’ (1998) 65 U
Chi L Rev 1199.
3
Tim Wu and Jack Goldsmith, Who Controls the Internet? Illusions of a Borderless World
(OUP 2006) 23.
4
Information and Communication Technology.
5
UNGA ‘Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security’ (24 June 2013) UN Doc A/68/98
paras 19–20.
6
Ibid., 4.
13
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 1
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 4 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
The development of norms for state conduct in cyberspace does not require a reinvention of
customary international law, nor does it render existing international norms obsolete.
Long-standing international norms guiding state behavior – in times of peace and conflict –
also apply in cyberspace. Nonetheless, unique attributes of networked technology require
additional work to clarify how these norms apply and what additional understandings might
be necessary to supplement them.7
WHAT IS CYBERSPACE
Questions as to what cyberspace is, and more specifically whether cyberspace is a
corporeal entity, an intangible entity or a bundle of functions have technical, philosoph-
ical, political, sociological and legal origins and ramifications. For example, Koepsell,
in his book on the ontology of cyberspace, set himself the task of answering the
following questions:
7
The White House, ‘International Strategy for Cyberspace’ (May 2011) 9 <http://www.
whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf> accessed at
23 July 2014; Harold H Koh, ‘International Law in Cyberspace’ (U.S. Department of State,
USCYBERCOM Inter-Agency Legal Conference, 18 September 2012) <http://www. state.gov/s/l/
releases/remarks/197924.htm> accessed 25 February 2014.
8
David Koepsell, The Ontology of Cyberspace: Law, Philosophy, and the Future of
Intellectual Property (Open Court Publishing 2003) 10. Julie Cohen spoke of the representations
of cyberspace as ‘utopia’ that is, as a separate space; as ‘isotopia’ that is, as a space that
continues existing space and as ‘heterotopia’ as a space where ordinary rules of behaviour or
conduct are suspended or transformed. Heterotopia preserves its relational aspect which, with
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 2
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 5 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
I will not engage here with the various debates concerning the ontology of cyberspace
due to lack of expertise, but I will offer a basic description of cyberspace in order to
grasp the object of enquiry and because it is its features and attributes that shape the
way law understands and consequently treats cyberspace.
Cyberspace has been defined as ‘a global domain within the information environ-
ment consisting of the interdependent network of information technology infrastruc-
tures and resident data, including the Internet, telecommunications networks, computer
systems, and embedded processors and controllers’9. Although this is not the most
exact definition of cyberspace as it does not mention, at least explicitly, software
programmes, yet it is a starting point because it identifies certain common traits that
most academic or institutional definitions of cyberspace contain. A more comprehen-
sive definition is that offered by Kuehl according to which cyberspace is ‘a global
domain within the information environment whose distinctive and unique character is
framed by the use of electronics and the electromagnetic spectrum to create, store,
modify, exchange, and exploit information via interdependent and interconnected
networks using information-communication technologies’.10
It transpires from the above that cyberspace has three layers: a physical layer which
consists of computers, integrated circuits, cables, communications infrastructure and
the like; a second layer which consists of the software logic; and, finally, a third layer
which consists of data packets and electronics.11
What also transpires is that, whereas the core of cyberspace may form a virtual
space, it is nonetheless supported by physical objects such as computers, which connect
the irreducible part of cyberspace to the physical world;12 and interactions in cyber-
space are independent of time or space constraints and are conducted through logistics
rather than through physical acts.13
Having provided a basic decription of cyberspace and of its features, in the
remainder of the chapter I will focus on the legal representation of cyberspace and
more specifically on its status in international law.
For international lawyers, their conception of cyberspace is influenced by their
understanding of how spaces are represented in international law. For this reason, they
regard to cyberspace, refers to its connection to ‘real’ space. Julie E Cohen, ‘Cyberspace as/and
space’ (2007) 107 Columbia L Rev 210.
9
US Department of Defense, ‘Department of Defense Dictionary of Military and Associ-
ated Terms’, Joint Publication 1-02 (8 November 2010, as amended through 15 March 2014),
64; II.9. See also ‘The UK Cyber Security Strategy Protecting and promoting the UK in a digital
world’ (2011) 11 <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/
60961/uk-cyber-security-strategy-final.pdf> accessed 11 October 2014.
10
Daniel T Kuehl, ‘From cyberspace to cyberpower: Defining the problem’ in Franklin D
Kramer, Stuart H Starr, Larry K Wentz, Cyberpower and National Security (National Defense
University Press 2009) 28 [italics in the original].
11
Lior Tobanksy, ‘Basic concepts in cyber warfare’ (2011) 3(1) Military and Strategic
Affairs 75, 77–78.
12
Rebecca Bryant, ‘What kind of space is cyberspace?’ (2001) 5 Minerva – An Internet J of
Philosophy 138.
13
Lawrence Lessig, ‘The path of cyberlaw’ (1995) 104(7) Yale L J 1743, 1745–6; William S
Byassee, ‘Jurisdiction of cyberspace: Applying real world precedent to the virtual community’
(1995) 30 Wake Forest L Rev 197, 207–8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 3
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 6 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
not only look for analogies with physical spaces but also apply certain fundamental
international law principles such as that of sovereignty to cyberspace pondering at the
same time on how this principle applies in cyberspace and how it models its status.
I will now explore the question of whether the principle of sovereignty applies to
cyberspace and, if it does, what are the implications for the status of cyberspace. These
are important questions because sovereignty is a fundamental principle of international
law; it is in fact the basic organising principle of international law.14 In its traditional
definition, sovereignty denotes summa potestas.15 It denotes authority and control
which in legal terms is translated as the power to promulgate laws and the power to
enforce these laws.16
The two pertinent questions to ask then with regard to cyberspace are, first, whether
cyberspace can be subject to sovereignty and, secondly, whether cyberspace can itself
be sovereign.
Regarding the first question, there are those that maintain that cyberspace should be
free from sovereignty. According to Johnson and Post, for example, cyberspace cannot
be subject to sovereignty but instead, cyberspace should be subject to its own distinct
system of legal regulation based on self-regulation.17 For them, it is not only the
borderless and a-territorial nature of cyberspace that make it adverse to the standard
systems of territorially based international legal regulation but also the fact that
sovereignty’s principles of validity exhibited in territorially based entities in the form of
power, legitimacy, effects and notice are impossible or at best diluted in cyberspace.18
More specifically, the lack of borders in cyberspace deprives sovereigns of the ability to
exercise their power over defined peoples and territories and deprives sovereign power
from the legitimising effect of consent. It also deprives users from notice when entering
a different jurisdiction. It is because of these features and of the need to have an
effective regulatory system appropriate to cyberspace that cyberspace should develop
its own legal system based on self-regulation.19 All in all, the no-sovereignty thesis is
based on a concept of cyber-exceptionalism.
The descriptive and normative premises of the no-sovereignty thesis have been
challenged by Jack Goldsmith in his article ‘Against cyberanarchy’. For him, the
jurisdictional and enforcement inadequacies of sovereign power in cyberspace identi-
fied by Johnson and Post have been exaggerated. In fact, sovereigns can regulate the
local effects of extraterritorial activities.20 Moreover, traditional legal tools can resolve
14
Alan James, Sovereign Statehood (Allen & Unwin 1986) 267–9.
15
Samantha Besson, ‘Sovereignty’ in Rüdiger Wolfrum (ed.), Max Planck Encyclopedia of
Public International Law (OUP 2012).
16
‘In short, authority concerns rule-making and control, rule-enforcement.’ Janice E
Thomson, ‘State sovereignty in international relations: Bridging the gap between theory and
empirical research’ (1995) 39 Intl Studies Quarterly 213, 223.
17
Johnson and Post (n 2).
18
Ibid., 1370–76.
19
Lawrence Lessig, Code: Version 2.0 (Basic Books 2006) 3.
20
Goldsmith (n 2).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 4
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
21
Corfu Chanel Case (UK v Albania) (Separate Opinion of Judge Alvarez) [1949] ICJ Rep
43.
22
Jens Bartelson, A Geneology of Sovereignty (CUP 1993) 26. See also Montevideo
Convention on the Rights and Duties of States (signed 26 December 1933, entered into force 26
December 1934).
23
Island of Palmas Case (or Miangas) (United States v Netherlands) [1928] Reports of
International Arbitral Awards 839.
24
‘The state is the land, the people, the organization of coercion and a majestic idea, each
supporting and even defining the other, so that they [become] indivisible.’ Nicholas G Onuf,
‘Sovereignty: Outline of a conceptual history’ (1991) 16(4) Alternatives: Global, Local, Political
425, 437.
25
Joel P Trachtman, ‘Cyberspace, sovereignty, jurisdiction and modernism’ (1998) 5(2)
Indiana JGLS 560, 567. As was said in The Exchange v McFaddon, 11 U.S. (7 Cranch 116) 116
(1812):
The jurisdiction of a nation within its own territory, is exclusive and absolute. It is susceptible
of no limitation not imposed by itself. Any restriction deriving validity from an external
source would imply a diminution of its sovereignty to the extent of that restriction, and an
investment of that sovereignty to the same extent in that power which could impose such
restriction.
26
Stephen D Krasner, Sovereignty: Organized Hypocrisy (Princeton University Press 1999)
1–42.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 5
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 8 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
have an equal claim to external sovereignty, the exercise of sovereign power outside the
allocated territory by one of them will encroach on the sovereignty of the others. Thus,
external manifestations of sovereignty are coordinated and managed through consent.
Consent is a sovereign act of voluntary acquiescence. As the Permanent Court of
International Justice opined in the Lotus case ‘international law governs the relations
between independent States. The rules of law binding upon States … emanate from
their own free will’.27
That having been said, it is important to disentangle sovereignty as a concept from
territory. Territory as an element of sovereignty is a lego-political construct: it is ‘about
organising space for political [or legal] purposes’.28 With that I mean that the carving
of territories upon which sovereignty is exercised is a political act; it is the end result of
a political process involving claims, counterclaims and successful assertions of power.
The Peace of Westphalia, for example, which is treated as the foundation of the modern
territorially-bound sovereignty was in fact about the redrawing of political bound-
aries.29 Thus, there is no inherent nexus between territory and sovereignty, although
territory offers a tangible space where sovereignty can manifest itself effectively in
political and legal terms. As was observed, ‘state territory can be regarded as a
container of power and not just as a place where powers are located’.30 Moreover, even
the territorially-based concept of sovereignty has an element of abstraction. As Ford
observed, territory ‘is abstractly and homogeneously conceived’ which means that ‘the
space of a jurisdiction is conceived of independently of any specific attribute of that
space’ and ‘[o]ne consequence of this abstract presentation of space is that it eliminates
the need for the specific enumeration and classification by kind’.31
If the essence of sovereignty is power and not territory, it can extend not only beyond
any allocated territory but also to non-territorial entities. Whether this will happen or
how this will happen, is a completely different question. Moreover, sovereignty as a
concept is not monolithic, but a ‘sponge concept’32 that can manifest itself in different
forms.
These observations can assist us in answering the question of whether sovereignty
can be asserted in cyberspace which, as was said, has a physical as well as a virtual
component and where activities may defy space or time constraints but nonetheless
have real effects on spaces, humans, or institutions. In this regard and since the focus of
this chapter is law and in particular international law, we should speak of jurisdiction.33
Jurisdiction is a concomitant of sovereignty and in fact it is the legal instantiation of
27
The Case of the S.S. “Lotus” (Judgement) [1927] PCIJ Rep Series A No 10 18.
28
Thomas Forseberg, ‘Beyond sovereignty, within territoriality: Mapping the space of
late-modern (geo) politics’ (1996) 31(4) Cooperation and Conflict 355, 362; John G Ruggie,
‘Territoriality and beyond: Problematising modernity in international relations’ (1993) 47 Intl
Organization, 139.
29
Daniel Bethlehem, ‘The end of geography: The changing nature of the international
system and the challenge to international law’ (2014) 25(1) EJIL 9, 13.
30
Peter J Taylor, ‘The state as container: Territoriality in the modern world-system’, (1994)
18 Progress in Human Geography 151.
31
Richard T Ford, ‘A history of jurisdiction’ (1999) 97 Michigan L Rev 843, 853–4.
32
Bartelson (n 22) 237.
33
For jurisdiction in cyberspace see Kohl (Ch 2 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 6
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
34
‘Jurisdiction is an aspect or an ingredient or a consequence of sovereignty,’ James
Crawford, Brownlie’s Principles of Public International Law (8th edn, OUP 2012) 456–7.
35
Michael Akehurst, ‘Jurisdiction in International law’ (1972) 46 (145) BYIL 9197 15. And
Wedding v Meyler, 192 U.S. 573 (84 1904).
36
Frederick A Mann, ‘The doctrine of international jurisdiction revisited after twenty years’
in Academie De Droit International De La Haye, Recueil Des Cours 1984 (Martinus Nijhoff
Publishers 1984) 9.
37
Nottenbohm Case (Lichtenstein v Guatemala) [1955] ICJ Rep 4 23.
38
T-Mobile West Corp. v Crow, No. CV08-1337-PHX-NVW, (D. Ariz. Dec. 16, 2009)
15–16); CompuServe, Inc v Patterson 89 F. 3d 1257 (6th Cir.1996); The Case of the S.S. “Lotus”
(Dissenting Opinion by Judge Moore) [1927] PCIJ Rep Series A No 10.
39
R v Sheppard & Amor [2010] EWCA Crim 65; Sean Kanuck, ‘Sovereign discourse on
cyber conflict under international law’ (2010) 88(7) Tex L Rev 1571, 1573–5.
40
Arrest Warrant Case (Democratic Republic of Congo v Belgium) (Joint Separate Opinion
of Judges Higgins, Kooijmans and Buergenthal) [2002] ICJ Rep 3 para 47; Restatement of the
Law Third, The Foreign Relations Law of the United States (1986) para 402.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 7
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
A State may also exercise its jurisdiction when a certain cyber activity has effects
within that State’s territory.41 The effects doctrine was first enunciated by the
Permanent Court of International Justice in the Lotus case42 and has now been accepted
as a jurisdictional ground applicable in many different areas of law43 although there are
differing views about its scope. The controversy revolves around a number of issues,
for example whether the effects should have already been felt; whether they should be
substantial; whether they should be detrimental or whether foreseeable effects44 would
also suffice in order to trigger a State’s jurisdiction. A problem with applying the
effects doctrine to cyberspace is that effects may have been felt in a number of different
jurisdictions. If all affected States were to assert jurisdiction, the practical difficulties
become more than evident. Even if international law contains rules on conflicts of
jurisdiction, the assertion of jurisdiction in such situations may affect the principle of
fairness. In order to avoid jurisdictional overlaps and preserve jurisdictional fairness,
the threshold for the effects doctrine has been raised from ‘certain minimum contacts’45
to substantial contacts.46 Moreover, the principle of targeting has been developed,
according to which it is the State targeted by the impugned behaviour that can exercise
jurisdiction irrespective of any effects felt in other jurisdictions.47 As was said, targeting
is ‘something more than effects, but less than physical presence’.48
A State can also assert its jurisdiction over activities that endanger important national
interests regardless of where, or by whom, they have been committed.49 This refers to
the protective head of jurisdiction.50 A State for example can exercise jurisdiction over
cyber espionage if its security has been compromised.
In addition to the aforementioned bases for exercising jurisdiction, it is also
important to mention at this juncture the indirect exercise of jurisdiction over
cyberspace. States or private actors may partition cyberspace territorially by regulating
access to cyberspace on the basis of geolocation or by blocking websites. Secondly, a
41
For the effects doctrine see also Kohl (Ch 2 of this book).
42
The Case of the S.S. “Lotus” (n 27) 23.
43
Arrest Warrant of 11 April 2000 (n 40) para 47.
44
U.S. v Yousef , 327 F.3d 56, 112 (2d Circ, 2003).
45
International Shoe Co v Washington 326 US 310 [1945].
46
CompuServe v Patterson (n 38):
This court has repeatedly employed three criteria to make this determination: First, the
defendant must purposefully avail himself of the privilege of acting in the forum state or
causing a consequence in the forum state. Second, the cause of action must arise from the
defendant’s activities there. Finally, the acts of the defendant or consequences caused by the
defendant must have a substantial enough connection with the forum to make the exercise of
jurisdiction over the defendant reasonable.
See also Zippo Mfg Co v Zippo Dot Com Inc 952 F Supp 1119 (WD Pa 1997).
47
Thomas Schultz, ‘Carving up the Internet: Jurisdiction, legal orders, and the private/public
international law interface’ (2008) 19(4) EJIL 799, 816.
48
Ibid., 817.
49
The Case of the S.S. “Lotus” (n 27) (Dissenting opinion by Judge Loder) [1927] PCIJ Rep
Series A No 10 35–6: When the ‘offences […] are directed against the State itself or against its
security or credit [, t]he injured State may try the guilty persons according to its own law if they
happen to be in its territory or, if necessary, it may ask for their extradition.’
50
Cedric Ryngaert, Jurisdiction in International Law (OUP 2008) 96.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
51
Christoph B Graber, ‘Internet Creativity, Communicative Freedom and a Constitutional
Rights Theory Response to “Code is Law”’ (i-call Working paper no. 03, University of Lucerne
2010) 5 <http://ssrn.com/abstract=1737630> accessed 28 June 2014.
52
Goldsmith (n 2), 1240–42.
53
The Case of the S.S. “Lotus” (n 27) 19.
54
These terms have been used albeit differently in Geoffrey L Herrera, ‘Cyberspace and
Sovereignty: Thoughts on Physical Space and Digital Space’ (1st International CISS/ETH
Conference on “The Information Revolution and the Changing Face of International Relations
and Security” Lucerne, Switzerland, May 23–25, 2005) 30.
55
Catherine Brölmann, ‘Deterritorializing international law: Moving away from the divide
between national and international law’ in Janne E Nijman and André Nollkaemper (eds), New
Perspectives on the Divide between National and International Law (OUP 2007) 84–109.
56
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 9
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 12 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
57
https://www.icann.org/.
58
Timothy S Wu, ‘Cyberspace sovereignty? The Internet and the international system’
(1997) 10(3) Harvard J of L & Technology 648.
59
Cohen (n 8) 213 .
60
Lance Strate, ‘The varieties of cyberspace: Problems in definition and delimitation’ (1999)
63(3) Western J of Communication 382, 412.
61
Sue Barnes, ‘Cyberspace: Creating paradoxes for the ecology of self’ in Lance Strate,
Ronald L Jacobson, Stephanie B Gibson (eds), Communication and Cyberspace (Hampton Press
1996) 195.
62
According to Julie Cohen cyberspace ‘is constituted via the interactions between and
among practice, conceptualisation, and representation. It is a nexus of social practice by
embodied human beings; a site for the enactment of visions of the ideal organisation of social
and economic activity; and a catalyst for impressionistic re-imaginings of socio-spatial practice’.
Cohen (n 8) 236.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 10
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
63
See Article 1 of the ICCPR and ICESCR. See also principle 1 and 5 of the Declaration on
Principles of International Law concerning Friendly Relations and cooperation among States in
accordance with the Charter of the United Nations, UNGA Res 2625 (XXV) of 24 October
1970.
64
Rupert Emerson, Self-determination’ (1971) 65 AJIL 459, 462.
65
UNESCO ‘International Meeting of Experts on further study of the concept of the rights
of peoples’ (22 February 1990) SHS-89/CONF.602/7 para 22 <http://unesdoc.unesco.org/images/
0008/000851/085152eo.pdf> accessed 11 October 2014.
66
Dieter Grimm, ‘Does Europe need a constitution?’ (1995) 1 European L J 282.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 11
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Secondly, the inhabitants of cyberspace are embodied individuals who live in real
spaces. Cyberspace users even as inhabitants of that figurative space do not suddenly
lose physicality or become displaced figures. They live in real geographic and time
spaces and are under the jurisdiction of their respective States. Any decision to
proclaim the sovereignty of cyberspace and any laws or regulations they may
promulgate will be subject to the scrutiny of their own State.
Thirdly, even if they declare the sovereignty of cyberspace, the normative, institu-
tional, or legal structure needed to support sovereignty in cyberspace cannot be
independent of State structures. Cyberspace does not have any central authority to
promulgate or enforce laws. Instead it is the laws of real spaces that are projected in
cyberspace.
It transpires then that cyberspace does not have its own ‘people’ or its own
independent and self-generating mechanisms to declare and sustain a claim to internal
as well as external sovereignty.
That being the case, the next question is whether sovereignty can be attributed to
cyberspace by States. States as the original subjects of international law with plenary
sovereign powers can create other entities and attribute them with certain powers. They
can do so as far as cyberspace is concerned but it will not make it a sovereign entity
even if, in the process, it expands its powers. In international law, the only depositories
of sovereignty are the States. Their creations may be attributed with powers over issues
that hitherto belonged to States, however they do not have plenary sovereign powers
and any attributed powers can be recalled.
From the preceding discussion it can be concluded that cyberspace can never become
sovereign but can be subject to sovereignty. I have already explained how States can
assert their sovereignty in cyberspace but in what follows I will also discuss a different
legal representation of sovereignty in cyberspace.
67
Dan Hunter, ‘Cyberspace as place and the tragedy of the digital anticommons’ (2003) 91
California L Rev 439; Abraham M Denmark and James Mulvenon (eds), Contested Commons:
The Future of American Power in a Multipolar World (Centre for New American Century 2010);
Canada’s Cybersecurity Strategy: For a stronger and more prosperous Canada (Government of
Canada 2010) 4 <http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-scrt-strtgy/index-eng.aspx>
accessed 28 July 2014.
68
Tim Berners-Lee and Mark Fischetti, Weaving the Web: The Original Design and Ultimate
Destiny of the World Wide Web (Texere 2000) 124.
69
UNEP, ‘IEG of the Global Commons: Background’ (United Nations Environment Pro-
gramme Division of Environmental Law and Conventions) <http://www.unep.org/delc/
GlobalCommons/tabid/54404/Default.aspx> accessed 28 July 2014; John Vogler, ‘Global
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 12
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 15 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
whole is greater than if broken down into smaller parts; second, States and non-state
actors with the requisite technological capabilities are able to access and use them for
economic, political, scientific and cultural purposes; and third, in most cases they are
governed collectively.70
International law has recognised a number of global commons such as the High Seas,
Antarctica and the Outer Space,71 which have been characterised as the ‘cyberspaces’
of a previous generation.72
With regard to the high seas, the mare liberum principle was first promulgated by
Grotius as reaction to the prevalent at the time theory of enclosed sea (mare clausum).
Grotius compared the sea with the air in the following terms:
the air belongs to this class of things [res communis] for two reasons: First it is not
susceptible of occupation; and secondly its common use is designed for all mankind. For the
same reasons the sea is common to all, because it is so limitless that it cannot become a
possession of anyone, and because it is adopted for the use of all, whether considered from
the point of view of navigation or of fisheries.73
the sea … cannot become subject to private ownership. The extent of the ocean is in fact so
great that it suffices for any possible use on the part of all peoples … the same thing would
need to be said, too, about the air. There is, furthermore, a natural reason which forbids that
the sea, considered from the point of view mentioned, should become a private possession.
The reason is that occupation takes place in the case of a thing which has definite limits.74
Commons revisited’ (2012) 3(1) Global Policy, 61; Mika Aaltola, Joonas Sipilä and Valtteri
Vuorisalo, ‘Securing Global Commons: A small state perspective’ (FIIA Working Paper 71, June
2011).
70
Denmark and Mulvenon (eds) (n 67) 11.
71
United Nations Convention on the Law of the Sea (signed 10 December 1982, entered into
force 16 November 1994) art 157(1); The Agreement Governing the Activities of States on the
Moon and Other Celestial Bodies (signed 18 December 1979, entered into force 11 July 1984)
art 11(7)(d); Tara Murphy, ‘Security challenges in the 21st century global commons’ (2010) 5(2)
Yale J of Intl Affairs 28.
72
United Nations Environment Programme (n 57); Paul S Berman, ‘The globalisation of
jurisdiction’ (2002) 151(2) U of Pennsylvania L Rev 311, 494.
73
Hugo Grotius, The Freedom of the Seas, or, the Rights Which Belongs to the Dutch to Take
Part in the East Indian Trade (edited by James B Scott, OUP 1916) 28.
74
Hugo Grotius, The Classics of International Law: De Jure Belli Ac Pacis Libri Tres: Vol.
II Book II. (translated by Francis W. Kelsey et al, Clarendon/Carnegie Endowment for
International Peace 1925) Ch II para III
75
Ibid., Ch III, VIII.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 13
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 16 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
It becomes thus apparent that Grotius’ designation of the high seas as global
commons was premised on the nature of the seas and on its public utility accompanied
by generous doses of natural law theory and by Grotius’ political support of free
trade.76
This principle has been confirmed in Article 2 of the Geneva High Seas Convention
(1958) as well as in Articles 87 and 89 of United Nations Convention on the Law of the
Sea. According to that Convention, ‘no State may validly purport to subject any part of
the high seas to its sovereignty’ and ‘no State shall claim or exercise sovereignty or
sovereign rights over any part’ of the seabed and ocean floor and subsoil thereof,
beyond the limits of national jurisdiction.’77
As far as the Outer Space is concerned, it ‘is not subject to national appropriation by
claim of sovereignty, by means of use or occupation, or by any other means’.78 The
Outer Space Treaty lays down a number of fundamental principles for the exploitation
and use of outer space by recognising outer space as a ‘province of all mankind’.79
More specifically, nations can only use the moon and other celestial bodies for peaceful
purposes, including scientific research, and should not launch any nuclear weapon or
other weapon of mass destruction into orbit.
The legal status of Antarctica is more complex. A number of States – Australia,
Argentina, Chile, France, New Zealand, Norway and the UK – have made conflicting
claims to parts of Antarctica.80 With the introduction of the Antarctica Treaty System,
States ‘agreed to disagree’ over territorial claims81 and compromised on the issue of
sovereignty over parts of Antarctica.82 According to the Antarctic Treaty ‘[n]o new
claim, or enlargement of an existing claim, to territorial sovereignty in Antarctica shall
be asserted while the treaty is in force’.83 Moreover, nations can only use the Antarctic
for peaceful purposes, including scientific research, and should not test nuclear
weapons or dispose nuclear waste in the Antarctica.84 The Antarctic Treaty also
76
Mireille Hildebrandt, ‘Extraterritorial jurisdiction to enforce in cyberspace?: Bodin,
Schmitt, Grotius in cyberspace’, (2013) 63 U of Toronto L J 196, 210–16; Nico Schrijver and
Vid Prislan, ‘From Mare Liberum to the Global Commons: Building on the Grotian Heritage’
(2009) 30(1) Grotiana 168, 173.
77
United Nations Convention on the Law of the Sea (n 71) art 89, 139.
78
Treaty on Principles Governing the Activities of States in the Exploration and Use of
Outer Space, including the Moon and Other Celestial Bodies (19 December 1966) art 2.
79
Treaty on Principles Governing the Activities of States in the Exploration and Use of
Outer Space, including the Moon and Other Celestial Bodies (n 78) arts 1, 2, 7, 8; Agreement
Governing the Activities of States on the Moon and Other Celestial Bodies (n 71) art 4(1). See
also UNGA Res 1962 (XVIII) (13 December 1963).
80
Elizabeth K Hook, ‘Criminal jurisdiction in Antarctica’ (1978) 33 U of Miami L Rev
(1978) 489.
81
The Antarctic Treaty (signed 1 December 1959, entered into force 23 June 1963) art IV;
Jill Grob, ‘Antarctica’s frozen territorial claims: A meltdown proposal’ (2007) 30 Boston College
Intl & Comparative L Rev 461, 468.
82
Rolph Trolle-Anderson, ‘The Antarctic scene: Legal and political facts’ in Gillian D Tiggs
(ed), The Antarctic Treaty Regime (CUP 2009) 57.
83
The Antarctic Treaty (n 81) art 4(2).
84
Ibid., art 5.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 14
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 17 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
defines global commons as ‘south of 60 [degrees] South Latitude, including all ice
shelves’.85
One may say that Antarctica is not a global commons stricto sensu but an
international commons in that a number of States enjoy certain rights over Antarctica.86
In a world of sovereignty, the concept of global commons appears to be an anomaly.
The idea however persists in legal and political thinking. Why this is so, can be
explained by the fact that it does not contradict basic international legal and political
principles such as the principle of sovereignty. If sovereignty connotes authority and
power, the res communis concept concerns the type and scope of authority and power
that is exercised over certain objects.
This will become evident if we recall the categorisation of objects in Roman law
from which the res communis concept derives. Roman law is broadly divided into the
law that pertains to persons and the law that pertains to objects (res). In Roman law res
included both corporeal and incorporeal objects and the law pertaining to objects
concerned the type of power that can be exercised over them in view of their nature and
function.87 More specifically, res in patrimonio were subject to ownership whereas res
extra patrimonium were divided into those subject to divine law and those subject to
human law but cannot be privately owned.
Those subject to human law were further divided into res communes – belonging to
all mankind, res publicae – belonging to a state for use of its citizens, and res
universatis –belonging to a city for use of its citizens.88
Applying the Roman law analogies but also historical analogies to cyberspace it
transpires that cyberspace even as a virtual space can be subject to law and that it
exhibits some of the characteristics of those objects that have been designated res
communis in Roman law. A historical account of the development of the res communis
concept going back to Grotius also reveals that the designation of certain areas such as
the sea or the air as res communis was due to the accumulated resources of these areas;
the indivisibility of assets and the benefits that their exploitation would deliver to each
and every State; and the difficulties in apportioning them due to their size and to the
fact that their boundaries are not clearly demarcated.
The designation of an area as res communis does not mean that States cannot extend
their authority over the designated area or that these areas are not subject to law; what
it means is that States agree to refrain from claiming ownership over that area, accept
that they will exercise their authority concurrently with that of other States and devise
a common regulatory regime to fulfil its designation of global commons. As was seen,
most of the current areas designated as res communis are subject to treaty regimes, the
product of State consent, which define the rights and obligations of States over such
areas. This shows that the res communis or global commons concept is a lego-political
85
Ibid., art 6.
86
Silja Vöneky and Sange Addison-Agyei, ‘Antarctica’ in Rüdiger Wolfrum (ed.), Max
Planck Encyclopedia of Public International Law (Max Planck Institute for Comparative Public
Law and International Law 2011) para 19. Susan J Buck, ‘The global commons: An introduc-
tion’ (Island Press 1998) 6.
87
Max Radin, ‘Fundamental concepts of the Roman law’ (1925) 13 California L Rev 207.
88
George Mousourakis, Fundamentals of Roman Private Law (Springer 2012) 119–21.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 15
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 18 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
construct89 which is not adverse to the principle of sovereignty. When States decide to
designate a certain area as res communis and consequently agree to abstain from
exercising their full sovereign power over such an areas is an act of sovereign authority.
Auto-limitation is an expression of sovereignty. As the PCIS said in the S.S. Wimbledon
case: ‘The Court declines to see, in the conclusion of any treaty by which a state
undertakes to perform or refrain from performing a particular act, an abandonment of
its sovereignty … the right of entering into international engagements is an attribute of
state sovereignty’.90
In order for cyberspace to be designated a global commons, States should consent
and agree on the rules and principles that will govern that area. At this point in time,
there is no political or legal impetus to designate cyberspace a legal commons and
whether such impetus develops depends on many variables crucial among which is
whether cyberspace warrants to be so designated if compared to existing ones.
That said, it should be noted that there are differences between cyberspace and other
global commons. First, whereas global commons refer to natural resources, cyberspace
is a technical man-made resource domain. Second, whereas global commons have some
physical and geographical boundaries, this is not the case in cyberspace where its
virtual part permeates all boundaries. Third, whereas global commons are created in
order to avoid depletion of natural resources, this is not the case in cyberspace where
resources cannot be depleted.91 Fourth, whereas global commons are non-excludable in
the sense that others cannot be excluded, to the extent that cyber infrastructure belongs
to States means that others can be excluded. Finally, the physical part of cyberspace
such a computers and the like is nationally owned which means that they should be
‘de-owned’ or that what will fall under the global commons domain will be the
‘un-owned’ part of cyberspace. Still, questions remain as to how this would affect the
owned part of cyberspace due to the interconnectedness of cyberspace.
It is for this reason that it has been claimed that cyberspace is an ‘imperfect
commons’.92
CONCLUDING THOUGHTS
It is apparent from the preceding discussion that cyberspace has not acquired any
special legal status in international law but instead existing legal categories and
principles have been applied to cyberspace. By doing so, a non liquet has been avoided;
a finding that is of a substantive or interpretative gap in international law.
Yet if cyberspace is a domain that offers possibilities but also contains risks and
dangers, a regulatory system based on common values, principles and rules of conduct
is needed to foster cooperation and good citizenship in cyberspace. This may require a
comprehensive and globally negotiated treaty to establish rules of behaviour and
89
Garrett Hardin, ‘The tragedy of the commons’ (1968) 3859 Science 1243.
90
S.S. ′Wimbledon′ (Jugement of 17 August 1923) [1923] PCIJ Rep Series A No 1 25.
91
This relates to Hardin’s ‘tragedy of the commons’. Hardin (n 89); Trachtman (n 25).
92
Joseph S Nye, The Future of Power (PublicAffairs 2011) 143.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 16
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
conduct, outlaw certain behaviours and provide rules on jurisdiction.93 Yet agreement
on a comprehensive legal framework for cyberspace faces huge challenges.
To mention just a few, certain characteristics of cyberspace such as anonymisation;
place shifting; and rapid technological development make any legal regulation imme-
diately inadequate or even redundant. Secondly, the technological disparities that exist
between States as well as between States and non-state actors, such as big enterprises,
affect participants’ choices and preferences of legal regulation or as to whether legal
regulation is needed at all. For example, because cyberspace as a growing environment
offers capabilities and opportunities, States or private actors may not want to limit their
future opportunities. Thirdly, cyberspace is used by governments and individuals for
different purposes therefore consensus and compromise is difficult to achieve. Fourth,
because of the nature and use of cyberspace, any agreement needs to involve
governments but also public and private sector bodies, a combination of stakeholders
that international law is not always capable of managing.
So the outlook for such a comprehensive regime is not auspicious. Instead existing
international rules and principles will continue to apply to cyberspace followed by calls
for responsible behaviour by States or non-state actors. Undoubtedly, international law
shapes State behaviours and interests in cyberspace and perhaps rationalises them but it
rarely pre-empts legislation.
93
Ahmad Kamal, The Law of Cyber-Space: An invitation to the table of negotiations (United
Nations Institute of Training and Research 2005) 1–4 <http://www.un.int/kamal/thelawofcyber
space/The%20Law%20of%20Cyber-Space.pdf> accessed 29 July 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 17
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
2. Jurisdiction in cyberspace
Uta Kohl
1. INTRODUCTION
Media critic and sociologist Herbert Schiller observed in the 1980s of the emerging
conflict between global information flows and State sovereignty:
The problem here is that the activities of the transnational corporations depend precisely on
the overcoming of national boundaries, and the opening up of the ‘free flow’ of information,
across the world market. The concerns of national governments, to regulate communications
in their own countries, therefore present an obstacle to the transnational corporations, and
these transnational corporations are increasingly concerned (and increasingly able) to
override national government policies, to the extent perhaps, of posing a threat to the very
sovereignty of individual nations.1
In the twenty-first century, this conflict between national authority and global media
activity is epitomised in the jurisdictional battles between States and online actors, in
particularly transnational corporations, across a wide spectrum of regulatory concerns.
States have argued that these transnational ‘stateless’ corporations need to respect
national legal expectations, while they in turn have asserted that they should only have
to comply with the laws of their home State (often the US) and anything else
undermines ‘free speech’. How are these conflicts resolved and how should they be
resolved? This chapter examines whether and, if so, how customary international law
on jurisdiction contributes to these resolutions and how the latter, in turn, have shaped
international law. The importance of the topic for the future contours of cyberspace, on
the one hand, and for national political and cultural spaces, on the other hand, cannot
be overstated.
Before examining internet jurisdiction cases, two preliminary observations ought to
be made. First, a critical feature of the internet that explains why its transnationality is
legally so much more problematic than the transnationality of the telephone, is that it
allows anyone connected to it to become a transnational publisher, e.g. through a blog,
Facebook post or YouTube video, potentially attracting a mass audience. It is this
potential mass audience that increases an activity’s legal significance, shifting it from
the private to the public sphere. As transnational activity is no longer the prerogative of
big business, neither is the problem of international jurisdiction, i.e. who must comply
with which foreign law in what circumstances. Yet, many recent cases on the issue of
1
David Morley and Kevin Robins, Spaces of Identity – Global Media, Electronic
Landscapes and Cultural Boundaries (Routledge 1995) 223, referring to Herbert Schiller,
‘Electronic Information Flows: New Basis for Global Domination’ in Phillip Drummond and
Richard Paterson (eds.), Television in Transition (British Film Institute 1985).
30
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 1
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 31
jurisdiction have involved not small online participants, but rather large internet
corporations. The reason for this apparent anomaly is that the vast bulk of regulation is
most efficiently enforced by channelling it through intermediaries as gatekeepers, and
cyberspace is no exception in this respect. Despite the internet’s decentralised under-
lying infrastructure and despite initial claims of online disintermediation, new inter-
mediaries have emerged and these have become natural targets for national regulators,
which partly explains why they are so often the defendants in transnational online
disputes. Also, of course, the interests of these powerful transnational corporations are
diametrically opposed to those of national authorities in so far as their ‘product’ is a
global one that ‘depend[s] precisely on the overcoming of national boundaries and the
opening up of the “free flow” of information, across the world market’ (see Schiller
above). Thus they only reluctantly assume the role of national regulatory gatekeeper
and only under intense pressure which foreshadows the issue of enforcement juris-
diction (discussed below).
Second (following the observation on who is implicated in disputes on cyber-
jurisdiction), the question is what is their underlying substance. Again, the internet is
peculiar in this respect vis-à-vis much transnational activity that preceded it, in that all
internet jurisdiction disputes concern the transnational exchange of information: the
activity itself is always information-based even if the underlying transaction (e.g.
buying a physical product) is not necessarily so. This frequently heightens the political
significance of these conflicts as they are about the control of information and by
implication also often about ‘image making and public opinion formation [that is] …
the quintessence of power’.2 In medieval Europe the papacy’s control over the church,
the then main agency of mass communications, meant that it dominated institutions of
ideological production and could thereby promote a construction of reality that
legitimised its supremacy.3 Today global online actors, large and small, are contesting
the control over information and ideological production which, before the internet, was
more or less exclusively enjoyed by national political authorities.
Before turning to the jurisdictional principles under customary international law, let us
briefly look at their ambit. Historically, there has been some debate whether public
international law governs the reach of civil law (i.e. imposes limits on private
international law) or whether the jurisdiction rules are solely concerned with criminal
jurisdiction. Akehurst in his seminal article on ‘Jurisdiction in International Law’ in the
early 1970s argued for the non-application of international law to civil disputes:
[a]re there any rules of public international law which limit the jurisdiction of a State’s courts
in civil trials? Some writers have answered this question in the affirmative. Brownlie even
2
Herbert Schiller, Mass Communications and American Empire (Beacon Press 1969) 1.
3
James Curran, Media and Power (Routledge 2002) 64f.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 2
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 3 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
says that ‘there is in principle no great difference between the problems created by assertion
of civil and criminal jurisdiction over aliens’. This is rather an extreme view; as John Bassett
Moore argued à propos of the Cutting incident, ‘the rules governing the jurisdiction in civil
and in criminal cases are founded in many respect on radically different principles, and … an
assumption of jurisdiction over an alien in the one case is not to be made a precedent for like
assumption in the other’; and one might add conversely that limitation in criminal cases
cannot be cited as authority for the existence of likely limitations in civil cases. Of course,
rejection of analogies drawn from criminal trials does not necessarily mean that international
law imposes no limitation whatever on jurisdiction in civil cases – the limitations might
simply be of a different kind. But … when one examines the practice of States … one finds
that States claim jurisdiction over all sorts of cases and parties having no real connection with
them and that this practice has seldom if ever given rise to diplomatic protests.4
There are numerous recent cases that confirm the continued validity of Akehurst’s
analysis.5 Yet, there are also those academics who have asserted the contrary6 and those
civil cases, such as US anti-trust treble-damages-awards cases and recent Alien Tort
Statute litigation that triggered protests from other States against the alleged excessive-
ness of the extra-territorial civil claims.7 (Note: State protest is an indicator of
illegitimacy under customary international law.8) In this chapter, it will be assumed that
international law on jurisdiction extends across the entire spectrum of national laws and
thus prima facie also imposes limits on private international law. This assumption is
made partly because this general application would in fact be desirable in terms of
creating an orderly international allocation regime of regulatory competence, according
to which the same general principle (e.g. targeting principle) govern the same online
activity (e.g. online gambling) in respect of different national laws (e.g. gambling
licencing requirements and consumers contract law). This assumption will also be
made because the existing jurisdictional division between civil and criminal law seem
artificial in respect of those legal obligations (e.g. data protection or copyright) that are
‘civil’, i.e. govern the relationship between private parties and breaches may result in
4
Michael Akehurst, ‘Jurisdiction in International Law’ (1972–73) 46 B.Y.I.L. 145, 170
[emphasis in the original, internal citations omitted]. See also Gerald Fitzmaurice, ‘The general
principles of international law’ (1970) 92 Recueil des Cours 1, 218; Gerfried Mutz, ‘Private
international law’ in Rudolph Bernhardt (ed.), Encyclopaedia of Public International Law (1987)
Vol 10, 330, 334; Malcolm Shaw, International Law (6th edn., CUP 2008) 652.
5
In the UK, Kuwait Airways Corp v. Iraqi Airways Co [2002] 3 All ER 209, the House of
Lords decided that it had jurisdiction, and would exercise it, in respect of a claim between two
foreign parties concerning a conversion that took place entirely abroad: ‘it is an action in tort
which has nothing whatever to do with England save that England has made itself available as
the forum for litigation.’ (Lord Scott of Foscote para. 174); see also Berezovsky v. Michaels and
Others [2000] UKHL 25 or The Vishva Ajay [1989] 2 Lloyd’s Rep 558.
6
Frederick A. Mann, The Doctrine of Jurisdiction in International Law (vol 111, Recueil
des Cours 111 series, Martinus Nijhoff Publishers 1964) 73ff; Frederick A. Mann, The Doctrine
of International Jurisdiction Revisited after Twenty Years (vol 186, Recueil des Cours, Martinus
Nijhoff Publishers 1985) 20ff, 67ff; Ian Brownlie, Principles of Public International Law (5th
edn., OUP 2001) 302.
7
See in particular the Amicus Briefs submitted in the US Supreme Court judgement in
Kiobel v. Royal Dutch Petroleum Co 569 US (17 April 2013), affirmed 621 F3d 111 (2d Cir
2010).
8
Cedric Ryngaert, Jurisdiction in International Law (OUP 2008) 31ff.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 3
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 4 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 33
compensation claims, but are also enforced by national regulatory authorities through
the imposition of criminal or administrative sanctions.9 It would seem perverse that
international law should govern the latter but not the former enforcement activity,
arising out of the same wrongdoing and requiring the same compliance actions by the
global online actor.
9
See, for example, the criminal copyright case of Donner (Free Movement of Goods)
[2012] EUECJ C-5/11 (21 June 2012); or Bogdan, ‘Google was fined by French and Spanish
Data Protection Authorities’ (15 January 2014) EDRi (European Digital Rights), <http://edri.org/
google-fined-french-spanish-data-protection-authorities/> accessed 11 August 2014.
10
On jurisdiction in cyberspace see Tsagourias (Ch 1 of this book).
11
Apart from the territoriality principle which, as shown below, is also heavily used in the
transnational context, the principal bases of jurisdiction are the nationality principle, the
protective principle, the universality principle and the passive personality principle. See Ryngaert
(n 8) Ch 4.
12
James L. Brierly, ‘The “Lotus” Case’ (1928) 44 L.Q.R. – 154, 161.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 4
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
arms of government.13 The first type concerns the question whether a court has the
right to hear a dispute (in private international law the ‘jurisdictional’ enquiry); the
second whether a State has the right to ‘legislate’ in relation to a transnational event or
more generally whether it can apply its substantive law to the case, also known as
prescriptive jurisdiction (in private international law the ‘choice of law’ inquiry). In
criminal cases, unlike civil cases, adjudicative jurisdiction and legislative jurisdiction
coincide in so far as a court that decides to go ahead with a criminal prosecution would
always apply local and never foreign law to the case. So under public international law,
generally no distinction is made between adjudicative and legislative jurisdiction – even
if some have argued that a sole focus on limiting adjudicative jurisdiction pays
insufficient regard to the effect of too expansive legislation on, e.g. transnational
corporate actors which may take overly defensive steps to pre-empt adjudication.14 In
light of the discussion below, it is submitted that any debate on possible differences
between these two types of jurisdiction would, at best, be cosmetic gloss. Finally, the
third type of competence concerns the question whether a State has the right to enforce
the judgment or conviction against the defendant or accused. Enforcement jurisdiction
is strictly territorial: a State can never enforce its law on the territory of another State
by, for example, sending its police officers there (except with the consent of the other
State). As Lombois put it: ‘The law may very well decide to cast its shadow beyond its
borders; the judge may well have a voice so loud that, speaking in his house, his
condemnations are heard outside; the reach of the police officer is only as long as his
arm … he is a constable only at home.’15 As this strict territoriality is not applicable to
adjudicative/legislative jurisdiction [hereafter, for the sake of simplicity, legislative
jurisdiction], the mismatch between the latter types of jurisdiction and enforcement
jurisdiction creates a significant enforcement gap which is felt particularly in the online
context.
13
See Akehurst (n 4); also Luc Reydam, Universal Jurisdiction – International and
Municipal Legal Perspectives (OUP 2003) 25f.
14
Ivan Shearer, ‘Jurisdiction’ in Sam Blay, Ryszard Piotrowicz and Martin Tsamenyi (eds.),
Public International Law – An Australian Perspective (2nd edn., OUP 2005) 154, 156.
15
Claude Lombois, Droit Penal International (2nd edn., Daloz 1979) 536, cited in Pierre
Trudel, ‘Jurisdiction over the Internet: A Canadian perspective’ (1998) 32 Int’l. L. 1027, 1047.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 5
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 6 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 35
other States to uphold legal standards vis-à-vis perpetrators on their territory when the
perpetrator’s conduct had an effect on the territory of a State. In that sense,
harmonisation presents an enforcement strategy but, as discussed below, at a cost that
is, at this stage, too high for most States in respect of most legal subject-matters. Thus
it is important to remember that the jurisdictional wranglings reflect each State’s or
community’s desire to uphold their legal standards as to what is good, just and fair on
their territories and these standards vary across a wide spectrum of regulatory concerns.
In addition there are strong economic interests as drivers behind jurisdictional disputes.
All jurisdictional issues in the online context, no matter which legal field, may be
reduced to one core question: to which laws / courts are actors legitimately answerable
by virtue of their global online activity or publication? Put differently from the State’s
perspective: which State has the right to regulate which online activity? For example,16
do Antiguan online gambling providers have to comply with US internet gambling
prohibitions? Does a Chinese news site with the domain name of cnnews.com (i.e. .cn
being the Chinese country domain) have to respect US trademark law? Is Google
Search subject to European data protection standards? Should US-based Yahoo! Inc
have to comply with French or German laws on Nazi memorabilia? Can a Dutch
pharmacy offer drugs online to German customers if not licenced in Germany? Does
the provider of a US pornography site have to ensure compliance with British obscenity
laws? Should a foreign music and film piracy site have to observe the laws of the States
where its users are? In each of these cases, the activity complained about is tolerated,
i.e. not illegal, and at times perfectly legitimate in the place where it is hosted or
uploaded, that is where the provider is established, and yet it is illegal in the place or
places where it is accessed or downloaded. Occasionally high-profile cases make the
headlines, such as the blocking of ‘The Innocence of Muslims’ video by YouTube in
Egypt and Libya17 or the blocking of foreign political material in China and these
incidents are decried as intolerable censorship by repressive political regimes. Yet, these
Islamic or Communists States do little more than Western democratic States also
routinely do, which is to apply their legal standards to the internet, including foreign
16
The examples are all based on real cases discussed below.
17
CNN, ‘Death, destruction in Pakistan amid protest tied to anti-Islam film’ (21 September
2012) <http://edition.cnn.com/2012/09/21/world/anti-islam-film-protests> accessed 11 August
2014. Previously, the most notorious example of cultural clashes over online content was the
controversy caused by the cartoons featuring the Prophet Muhammad in a Danish newspaper in
2005 and its subsequent publication on YouTube. Viewed as legitimate political debate on
criticism of Islam and self-censorship in Denmark, the cartoon was violently decried in the
Muslim world, leading to attacks on Danish embassies and Muslim leaders offering rewards to
anyone who killed the cartoonist. Peter Hervik, ‘The Danish Muhammad cartoon conflict’
(2012) No 13 Current Themes in IMER Research <http://www.mah.se/upload/Forsknings
centrum/MIM/CT/CT%2013.pdf> accessed 11 August 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 6
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
The starting point for the rules on legislative jurisdiction under customary international
law is the judgement of the Permanent Court of International Justice in Lotus (1927)19
where a French and a Turkish steamer collided on the high seas resulting in the death
of eight Turkish sailors and passengers. The issue was whether Turkey could institute
criminal proceedings against a French lieutenant for his acts on the French ship, based
on the effects of those acts on the Turkish steamer which, according to international
law, is an extension of Turkish territory. The case is important not just because of the
court’s interpretation of the territoriality principle, but also for commenting on the
jurisdictional discretion of States:
It does not, however, follow that international law prohibits a State from exercising
jurisdiction in its own territory, in respect of any case which relates to acts which have taken
place abroad, and in which it cannot rely on some permissive rule of international law. Such
a view would only be tenable if international law contained a general prohibition to States to
extend the application of their laws and the jurisdiction of their courts to persons, property
and acts outside their territory, and if, as an exception to this general prohibition, it allowed
States to do so in certain specific cases. But this is certainly not the case under international
law as it stands at present. Far from laying down a general prohibition to the effect that States
may not extend the application of their laws and the jurisdiction of their courts to persons,
property and acts outside their territory, it leaves them in this respect a wide measure of
discretion, which is only limited in certain cases by prohibitive rules; as regards other cases,
every State remains free to adopt the principles which it regards as best and most suitable.
This discretion left to States by international law explains the great variety of rules which
they have been able to adopt without objections or complaints on the part of other States …
In these circumstances all that can be required of a State is that it should not overstep the
limits which international law places upon its jurisdiction; within these limits, its title to
exercise jurisdiction rests in its sovereignty.20
18
See Adam Liptak, ‘A wave of the watch list, and speech disappears’ (4 March 2008) New
York Times <http://www.nytimes.com/2008/03/04/us/04bar.html?_r=0:> accessed 11 August
2014. Liptak notes the blacklisting of domain names occurs under the Trading with the Enemy
Act 1917, through a blacklist established by the Office of Foreign Assets Contract (OFAC) and
passed onto US domain name registrars.
19
The Case of the SS ‘Lotus’ (France v Turkey) [1927] PCIJ Reports, Series A, No. 10.
20
Ibid., para. 46f.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 7
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 8 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 37
This approach that ‘everything that is not prohibited is permitted’ (as opposed to
‘everything that is not permitted is prohibited’) is pervasive in the domestic legal
sphere. Yet it met with strong opposition at the international level.21 But more recently
it has been affirmed by the International Court of Justice in its Advisory Opinion on the
Declaration of Independence of Kosovo (2010)22 where it concluded that it only needed
to establish whether ‘international law prohibited the declaration’.23 The problem with
this approach in the jurisdictional context is that the principles of legislative jurisdiction
(e.g. territoriality or nationality) are expressed as permissive grounds and the only clear
express prohibitive rule is the non-interference rule governing enforcement jurisdiction;
per Lotus:
[T]he first and foremost restriction imposed by international law upon a State is that … it
may not exercise its power in any form in the territory of another State. In this sense
jurisdiction is certainly territorial … It does not however, follow that international law
prohibits a State from exercising jurisdiction in its own territory, in respect of any case which
relates to acts which have taken place abroad … Such a view would only be tenable if
international law contained a general prohibition to States to extend the application of their
laws and the jurisdiction of their courts to persons, property and acts outside their territory …
But this is certainly not the case under international law as it stands at present.24
In 1996 Johnson and Post in their seminal article ‘Law and borders – The rise of law in
cyberspace’25 argued that laws based on geographical location were not tenable on the
internet as all online activity is as much located in one State as in another and therefore
no one State had a greater entitlement than any other State to regulate any particular
21
Vaughan Lowe and Christopher Staker, ‘Jurisdiction’ in Malcolm D. Evans (ed.),
International Law (3rd edn., OUP 2010) 313, 318ff. See also Ryngaert (n 8) 36ff, for more
general commentary.
22
Accordance with International Law of the Unilateral Declaration of Independence in
Respect of Kosovo (ICJ Advisory Opinion) 22 July 2010 <http://www.icj-cij.org/docket/files/141/
15987.pdf> accessed 11 August 2014.
23
Ibid., para. 56.
24
The Case of the SS ‘Lotus’ (n 19) 18.
25
David R. Johnson and David G. Post, ‘Law and borders – The rise of law in cyberspace’
(1996) 48 Stan. L. Rev. 1367.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 8
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 9 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
online activity. This, in turn, undermined each State’s claim to do so. Any attempt by a
State to apply their law to the internet, particularly online activity originating from
abroad, would raise problems of democratic legitimacy, fairness to the individual and
enforceability. In many respects Johnson and Post were entirely correct and yet, States
have consistently asserted their right to regulate online activity from within or from
without. The link they have relied upon has invariably been a territorial link between
the online activity and the State: the site in question can be, or has been, accessed from
the State’s territory, even if its author and its server are located abroad. So based on a
site’s accessibility from within its territory, States have asserted their entitlement to
regulate online activity.
26
LICRA v. Yahoo! Inc & Yahoo France (Tribunal de Grande Instance de Paris, 22 May
2000), affirmed in LICRA & UEJF v. Yahoo! Inc & Yahoo France (Tribunal de Grande Instance
de Paris, 20 November 2000). An even earlier case was the German CompuServe (1995) 8340
Ds 465 Js 173158/95, where German police raided CompuServe’s German offices in an
investigation concerning online pornography and CompuServe responded by temporarily sus-
pending all of its 200 plus newsgroups (hosted in the US and accessible worldwide) for its 4
million users because it was technically incapable of blocking only Germans. Later its local
manager, Felix Somm, was convicted under German obscenity laws and received a two-year
suspended sentence; overturned on appeal as there was no blocking technology available to
CompuServe: R v. Somm (Amtsgericht München 17 November 1999).
27
Articles 808 and 809 of the French New Code of Civil Procedure.
28
R v. Töben BGH (12 December 2000) 1 StR 184/00, LG Mannheim; (2001) 8 Neue
Juristische Wochenschrift 624; discussed in Yulia A Timofeeva, ‘Worldwide prescriptive juris-
diction in internet content controversies: A comparative analysis’ (2005) 20 Conn. J. of Int’l. L.
199, 206f, and Irini E Vassilaki, ‘Anmerkung’ (2001) 4 Computer und Recht 262.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 9
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 39
would expose its author to criminal sanctions under the German Criminal Code,
although the court made a point of noting that the content of the site was objectively
closely connected to Germany. Töben was arrested, charged and convicted whilst on
holiday in Germany. The same approach of focusing on the effect of foreign online
activity on the State’s territory was taken by an English court in the pornography
context. In R v Perrin (2002)29 a French director of a US company operating a US
hosted website was convicted of the offence of publishing an obscene article contrary
to UK Obscene Publications Act 1959 in relation to the freely accessible preview site
of his pornography subscription site on the basis of the site’s accessibility in England –
regardless of the fact that it had been uploaded on a server abroad and that, arguably,
the ‘major steps’ in relation to the publication were taken abroad.30 While the above
cases are examples of different national laws reflecting varying moral standards on hate
speech and pornography and the resultant online clash of these laws, the diversity of
laws extends to many other morally less charged activities even within the relatively
homogenous European Union. For example, in Arzneimittelwerbung im Internet
(2006)31 a Dutch site advertising and selling drugs to Germans was held to be subject
to German licensing requirements even though the drugs were legal in the Netherlands.
The court affirmed the approach that focuses on the effects of the site, rather than
conceding regulatory control solely to the State from where the site ‘originated’. As the
Electronic Commerce Directive32 imposes the ‘origin rule’ on EU Member States
(discussed below), the German court had to exclude its application in this case: it held
that the Directive was not applicable to national legal requirements concerning the
physical delivery of goods.33 Implicitly this shows the rather blurred boundary between
the online and the offline space. The court also held that the ‘origin rule’ under the
Directive was not applicable where the regulation by the destination State was designed
for the protection of public health,34 signalling the importance of the topic of health
and safety to national law spaces. Finally, according to the court, a disclaimer that
products would not be delivered to certain States would only be effective to avert
accountability under the laws of the excluded States, if the disclaimer was unequivocal
29
R v. Perrin [2002] EWCA Crim 747. Perrin’s application to the European Court of
Human Rights, arguing that the UK regulation breached his right to freedom of expression, was
rejected: Perrin v. UK (ECHR 18 October 2005, No 5446/03).
30
Note: although Perrin was a resident in the UK at the time of wrongdoing, that fact was
not focused upon by the court. It appears that – as a matter of establishing personal
responsibility of the site – Perrin admitted being a director and majority shareholder of one or
more US companies involved in operating the website from the US.
31
Arzneimittelwerbung im Internet BGH (30 March 2006) I ZR 24/03, paras 27–30.
32
Directive 00/31/EC of the European Parliament and of the Council on Electronic
Commerce (Electronic Commerce Directive).
33
Electronic Commerce Directive (n 32) Recital 21 and Art 2(h)(ii).
34
Ibid., art 3(4)(a)(i). See also art 87(1) of the Community Code for Medicinal Products for
Human Use, Directive 2001/83/EC (prohibition on the marketing of drugs for which there is no
authorisation in accordance with Community law). Note too, that art 13(7) of the WHO
Framework Convention on Tobacco Control (Geneva, 2003) allows States to ban cross-border
tobacco advertising (including advertising via the internet).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
10 / Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
and the provider did not act contrary to his stated intentions.35 In other words, online
providers that effectively territorially ring-fence their sites (i.e. erect territorial cyber-
borders) can avoid the reach of foreign laws: the price paid for legal immunity is
foregoing the transnationality of the internet.
Another activity which has challenged State control head on, due to the internet’s
transnationality, is gambling, which most States seeks to control because of its
potentially high financial stakes. For the purposes of this chapter, the example of online
gambling is significant, first, because it shows that even the US with its strong,
free-speech tradition and concomitant tolerance of much online speech/activity that is
illegal elsewhere has its limits of acceptance. As online gambling is illegal in most US
states, it has struggled with foreign gambling sites and employed aggressive unilateral
enforcement strategies comparable to other States in other contexts. Second, gambling
is also insightful as it shows that jurisdictional conflicts are not always about national
legal / cultural differences: regulating gambling is essentially about controlling a
lucrative industry. Gambling is economically beneficial for the State where the provider
is established through the creation of employment and as a source of revenue. These
benefits are lost if the gambling services are provided by a foreign operator who, in
addition, may also undermine the local gambling industry (and this may be unavoidable
due to free trade commitments). On the other hand, gambling creates significant social
and economic problems flowing from addiction, and these in turn might be exacerbated
by foreign providers that are less regulated than local ones. As foreign providers offer
none of the economic advantages associated with gambling activity and all of its
disadvantages, they have received significant regulatory hostility and aggressive juris-
dictional responses by most States. In respect of the US attitude, one commentator
succinctly noted:
The fairly harsh approach to online gambling is a reversal of both the federal government’s
… receptivity to tribal gaming, and its acceptance of the recent liberalization of gambling
laws in most U.S. states. The fierceness … in this area is puzzling until one realises the one
factor at stake in … traditional gambling, but not at stake in Internet gambling: Money. …
Internet gambling, hosted by foreign operators, not only generates zero governmental revenue
and zero jobs, it also threatens traditional gambling.36
35
In Deutscher Apothekerverband eV v. 0800 Doc Morris NV C-322/01 [2003] ECR
I-14887 an injunction against an online Dutch pharmacy in respect of its supply of certain drugs
in Germany – based on a German legal requirement of presence sales, i.e. that certain drugs can
only be sold in pharmacies – was challenged as being inconsistent with the internal market rule
of free movement of goods. The European Court of Justice held that such requirement was only
justified for prescription drugs where confusion over language or labelling could lead to harmful
consequences, but not to over-the-counter drugs, the online sale of which could not be restricted
by the destination State. Since that case the Electronic Commerce Directive came into force and
prima facie the regulation of drugs is not excluded from the scope of the origin rule required by
art 3.
36
Christine Hurt, ‘Regulating public morals and private markets: Online securities trading,
internet gambling and the speculation paradox’ (2005) 86 B.U. L. Rev. 371, 375f.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
11 / Date: 6/5
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 41
Thus perhaps even in the absence of national differences to gambling activities, there
would be significant jurisdictional tensions simply because of the economic disadvan-
tages of competing foreign providers. These tensions have manifested themselves
widely. For example, a Dutch court in National Sporttotaliser Foundation v Ladbrokes
Ltd (2003)37 ordered the defendant, Ladbrokes, based in England and Gibraltar, to
make its gambling site inaccessible to Dutch residents as it did not comply with Dutch
licensing requirements. Australia prohibits anyone, whether local or foreign,38 from
offering online gambling services to people in Australia by virtue of the Interactive
Gambling Act 2001 (Cth), whilst local Australian providers are free to offer their
gambling services to punters abroad.39 Australia seeks to obtain the benefits derived by
gambling, without any of its losses. In New Zealand the Gambling Act 2003 prohibits
remote interactive gambling,40 but excludes ‘gambling by a person in New Zealand
conducted by a gambling operator located outside New Zealand’.41 However, the reach
of foreign providers is circumscribed by prohibiting local online and offline inter-
mediaries (e.g. ISPs, local sites and offline publishers) from advertising foreign
gambling services in New Zealand.42 Instead of seeking to control local gambling
through prohibitions on foreign gambling providers that are difficult to enforce, the
New Zealand legislation targets local intermediaries (that provide knowledge of, and
access to, the foreign services) over which full enforcement power is present.
That the wrangling about online gambling is far more centred on economic interests
than varying moral values is illustrated by two disputes that have brought online
gambling restrictions into conflicts with trade agreements, at EU and WTO level
respectively. In both cases, the attempt by one State to restrict foreign online gambling
services was challenged as being inconsistent with trade commitments.43 In Gambelli
(2003)44 the European Court of Justice [CJEU] was presented with a challenge to
37
District Court, The Hague (27 January 2003), see also Holland Casino v. Paramount
Holdings et. al., District Court, Utrecht (27 February 2003). For a comparable German
judgement, see Unzulässiges Online-Glücksspielangebot OLG Hamburg (19 August 2004) 5 U
32/04, (2004) 12 Computer und Recht 925; following Schöner Wetten BGH (1 April 2004) I ZR
317/01.
38
Interactive Gambling Act 2001 (Cth), s 14: ‘this Act extends to acts, omissions, matters
and things outside Australia’.
39
Ibid., ss. 8, 15 (unless the foreign country has been declared a ‘designated country’ see
ss 15A, 9A, 9B).
40
Ibid., s. 9(2)(b) and Gambling Act 2003, s. 19.
41
Gambling Act 2003, s. 4 on the definition of ‘remote interactive gambling’.
42
Ibid., s. 16.
43
In the EU gambling was specifically excluded from the Electronic Commerce Directive
and in particular the Directive’s origin rule (i.e. that online service providers should only be
regulated by their home State). See Electronic Commerce Directive (n 32) Recital 16 and art
1(5)(d).
44
Criminal Proceedings against Piergiorgio Gambelli C-243/01 [2003] ECR I-13031. In
Criminal Proceedings against Massimiliano Placanica and Others C-338/04, C-359/04 and
C-360/04 [2007] ECJ ECR I-0000 it was again held that Italy’s licencing regime which excluded
companies listed on a stock exchange from tendering for a betting licence violated the freedom
of establishment and the freedom to provide services as it went beyond what is necessary to
achieve the objective of preventing the exploitation of the industry for criminal purposes.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
12 / Date: 24/3
JOBNAME: Tsagourias PAGE: 13 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Italy’s attempt to impose criminal sanctions on Italian agencies which, contrary to local
licensing requirements, acted as online intermediaries for the UK bookmaker Stanley
International Betting Ltd. Effectively, Italy wanted to protect its very lucrative national
monopoly in the sports betting and gaming sector. This protectionist policy was
challenged as contrary to the freedom of establishment and freedom to provide services
of foreign providers (now Articles 49 and 56 of the Treaty on the Functioning of the
EU). These freedoms demanded, the CJEU held that Member States take a regulatory
hands-off approach to gambling providers from other Member States and regulated by
those other States, unless justifiable ‘for reasons of overriding general interest’, e.g. to
reduce the gambling, but not out of a fear of losing revenue.
Similarly, the WTO Appellate Body was presented with the same type of conflict in
United States – Measures Affecting the Cross-Border Supply of Gambling and Betting
Services (2005).45 Antigua and Barbuda lodged a complaint against the US with the
WTO in 2003, alleging that the US prohibition on the cross-border supply of gambling
and betting services was inconsistent with ‘market access’ commitments made by the
US under Article 16 of the General Agreement on Trade in Services (GATS). Antigua
blamed the increasingly aggressive US strategy (enforced with the help of local US
intermediaries) towards the operation of cross-border gaming activities in Antigua for
the significant decline of gambling operators in Antigua: ‘from a high of up to 119
licensed operators, employing around 3,000 and accounting for around 10 per cent of
GDP in 1999, by 2003 the number of operators has declined to 28, employing fewer
than 500’.46 The WTO Appellate Body rejected the US claim that by excluding sporting
services from its GATS commitments, it had also excluded gambling and betting
services, and held that various US Acts were inconsistent with its GATS commitments.
As in Gambelli, the Appellate Body held that ‘public moral’ or ‘public order’ may
exceptionally justify market access barriers, provided there were no other reasonable
alternative measures. Given that the US had exempted domestic providers from the
very prohibitions it sought to apply to foreign operators, it could not rely on these
exceptions. Online gambling activity shows how regulatory assertions by States over
foreign online providers based on its effect on the local territory may serve to protect
local economic interests. By the same token, ‘free trade’ commitments, if present, may
45
United States – Measures Affecting the Cross-Border Supply of Gambling and Betting
Services first heard by the WTO Dispute Settlement Panel (WTO Panel, 10 November 2004,
WT/DS285/R) and then by the Appellate Body (WTO Appellate Body, 7 April 2005,
WT/DS285/AB/R). In 2007 the WTO Panel concluded ‘that the United has failed to comply
with the recommendations and rulings of the DSB in this dispute’ (WTO Panel, 30 March 2007,
WT/DS285/RW) which paved the way for a compensation claim and then trade sanction by
Antigua.
46
United States – Measures Affecting the Cross-Border Supply of Gambling and Betting
Services (WTO Panel, 10 November 2004, WT/DS285/R) para. 3.5. A similar complaint against
the US was lodged in 2007 by the Remote Gambling Association with the European
Commission, which came to very similar conclusions as the WTO Panel. See Report to the
Trade Barriers Regulation Committee: Examination Procedure concerning an Obstacle to Trade,
within the Meaning of Council Regulation (EC) No 3286/94, consisting of Measures Adopted by
the United States of America Affecting Trade in Remote Gambling Services (Brussels, 10 June
2009).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
13 / Date: 6/5
JOBNAME: Tsagourias PAGE: 14 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 43
provide a defence to such regulatory assertions. If such commitments are not available,
‘free speech’ arguments have filled the gap and at times successfully so (see below).
In the civil context, jurisdictional tensions have most prominently been played out
in the context of defamation and data protection, particularly in Europe, as well as in
trademark and copyright law. Disregarding the technicalities of the legal analysis in
these different contexts, the overall jurisdictional approach is comparable to that taken
in criminal law cases, albeit at times more moderate. For example, in defamation, one
of the first high-profile international defamation cases was the Australian case of Dow
Jones & Co Inc v Gutnick (2002)47 where the High Court of Australia upheld the
application of Australian defamation law to Barrons Online, a subscription site
uploaded in the US by US publisher for a mainly US audience. The court justified the
focus on the location of the destination of the site on the basis that the defamatory harm
was suffered in the Australia where the claimant enjoyed a reputation, because of the
Australian subscriptions and despite their small number. The same approach was
endorsed in the English case of Harrods Ltd v Dow Jones Co Inc (2003)48 concerning
Harrods Ltd’s defamation claim again against Dow Jones. The offending article, which
appeared only in the US edition of the journal, not the European one, had been sent to
ten subscribers of the US edition in the UK and there were a few hits on the online
edition, in contrast to its US circulation of 1.8 million copies. Yet, as the claim was
restricted to the damage arising from UK subscriptions, the court allowed the claim to
proceed in England. A year later the English Court of Appeal upheld this destination
approach in Lewis & Ors v King (2004)49 and explicitly rejected a more moderate
version according to which sites should be only accountable under the substantive and
procedural laws of the State that are targeted by it.50 Also, according to McGrath &
Anor v Dawkins & Ors (2012),51 a local company with a local site may be responsible
for the content of a foreign site by a foreign partner if the local and foreign sites are
closely associated and their distinctiveness is not obvious to the local user.52 Unlike
Gutnick and Harrods, a German court held in Persönlichkeitsverletzungen durch
ausländische Internetveröffentlichungen (2010)53 that the New York Times was answer-
able to German courts for its online version where a defamatory article had clear points
of reference with Germany e.g. German surfers had a significant interest in the online
publication, that otherwise targeted a world-wide audience. The court made some
attempt to weight the German regulatory claim vis-à-vis other possible claims, rather
than see it in isolation of the wider context of the site.
These defamation decisions have – in the 2010s – been followed by multiple data
protection investigations and claims that have pitched European data protection
47
[2002] HCA 56, which affirmed Gutnick v. Dow Jones & Co. Inc. [2001] VSC 305.
48
[2003] EWHC 1162 (QB). In Dow Jones & Co. v. Harrods Ltd. 237 F Supp. 2d 394, the
New York District Court refused to grant to Dow Jones a declaratory judgment and an injunction
requiring Harrods Ltd to abstain from pursuing a defamation claim in the UK.
49
[2004] EWCA Civ 1329, affirming King v. Lewis & Ors [2004] EWHC 168 (QB).
50
Lewis & Ors v King [2004] EWCA Civ. 1329, 24–39.
51
[2012] EWHC B3 (QB).
52
[2012] EWHC B3 (QB) para. 26.
53
BGH (2 March 2010) Az. VI ZR 23/09.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
14 / Date: 6/5
JOBNAME: Tsagourias PAGE: 15 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
stakeholders against global internet businesses from the US.54 Again the issue of
jurisdiction has figured highly in some of these disputes. For example, in Vidal-Hall &
Ors v Google Inc (2014)55 an English court allowed the privacy and data protection
claim against Google Inc. – for collecting personal browser generated information
without the user’s consent – to go ahead in England, rather than California where
Google Inc. is headquartered, on the basis that the damage was suffered in England.
Similarly, according to the CJEU in Google Spain SL, Google Inc. v Agencia Española
de Protección de Datos (2013)56 Google Inc. and its search activity fell within the
territorial ambit of the Data Protection Directive,57 or in that case the Spanish
implementing legislation, even though the processing of search queries occurred in the
US. The Advocate General reasoned that Google Inc. had an ‘establishment’ in Spain
through its subsidiary, Google Spain SL, which promoted and sold keyword advertising
space on the search engine in Spain ‘which [in turn] is the source of income and, as
such, the economic raison d’être for the provision of a free information location tool in
the form of a search engine’.58 The Grand Chamber of the CJEU went along with this
reasoning, stressing that the ‘establishment’ requirement cannot be interpreted restric-
tively in light of the objective of the Directive which is ensure the right of privacy, with
respect to the processing of personal data, and allowing search engines those obliga-
tions would compromise that goal.59
The Article 29 Working Party has proposed that in future legislation relevant targeting of
individuals could be taken into account in relation to controllers not established in the EU. In
the Commission Proposal for a General Data Protection Regulation (2012) the offering of
goods or services to data subjects residing in the European Union would be a factor making
EU data protection law applicable to third country controllers. Such an approach, attaching
the territorial applicability of EU legislation to the targeted public, is consistent with the
54
For example, BBC News, ‘European data watchdogs target Google over privacy’ (2 April
2013) <http://www.bbc.co.uk/news/technology-22003551> accessed 11 August 2014. Note also
that the governments of Greece, Italy, Austria, Poland and the European Commission made
submissions in Google Spain SL, Google Inc v. Agencia Española de Protección de Datos (AEP)
C-131/12 CJEU (Grand Chamber) (13 May 2014).
55
Vidal -Hall & Ors v. Google Inc. [2014] EWHC 13 (QB).
56
Google Spain SL, Google Inc v. Agencia Española de Protección de Datos (AEPD)
C-131/12 CJEU Opinion of the Advocate General (25 June 2013); Google Spain SL, Google Inc
v. Agencia Española de Protección de Datos (AEPD) Case C-131/12 CJEU (Grand Chamber)
(13 May 2014).
57
Article 4(1) of the Directive 95/46/EC of the European Parliament and of the Council on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data (24 October 1995); see also art 29 Working Party, Opinion 8/2010 on
Applicable Law (WP 179).
58
Google Spain SL (n 56) para. 64 [emphasis in the original].
59
Google Spain SL (n 54) see answer to Question 1(a).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
15 / Date: 6/5
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 45
(i) sold by an economic operator through an online marketplace without the consent of the
trade mark proprietor to a consumer located in the territory covered by the trade mark or
(ii) are offered for sale or advertised on such a marketplace targeted at consumers located in
that territory … by virtue of the rules set out in Article 5 of Directive 89/104 [EU Trademark
Directive] or in Article 9 of Regulation No 40/94 [Community Trademark Regulation]. It is
the task of the national courts to assess on a case-by-case basis whether relevant factors exist,
on the basis of which it may be concluded that an offer for sale or an advertisement displayed
on an online marketplace accessible from the territory covered by the trade mark is targeted
at consumers in that territory.63
Emphatically, the court stated that ‘it must be made clear that the mere fact that a
website is accessible from the territory covered by the trade mark is not a sufficient
basis for concluding that the offers for sale displayed there are targeted at consumers in
that territory’.64 It followed its earlier decision in Pammer and Hotel Alpenhof (2010)65
on adjudicative jurisdiction in electronic consumer contracts – under Article 15(1)(c) of
the Jurisdiction Regulation66 – according to which consumers only get the benefit of
the protective provision if the online activities under dispute were ‘directed’ at them.
60
Google Spain SL (n 56) para. 56 [emphasis added, internal marks omitted].
61
In Donner (Free Movement of Goods) [2012] EUECJ C-5/11 (21 June 2012), interpreting
the Copyright Directive 2001/29/EC, the CJEU took the targeting approach in a criminal
copyright scenario: Donner, a German citizen and resident, unsuccessfully sought to avoid
German criminal law by setting up a company in Italy to offer copyright infringing furnishings
to German residents through a German language website, in circumstances where Italian
copyright law provided no remedy. Note: in circumstances where the targeting approach is used
to establish liability, rather than deny it, the forbearance it requires is not put to the test.
62
L’Oréal SA and Others v. eBay International AG and Others C-324/09 (2011) ECR
I-6011.
63
Ibid., para. 67 [emphasis added].
64
Ibid., para. 64.
65
Pammer v. Reederei Karl Schluter GmbH 8 Co KC C-585/08 and Hotel Alpenhof GmbH
v. Heller C-144/09 [2010] ECR 1-12527.
66
EU Regulation on jurisdiction and the recognition and enforcement of judgments in civil
and commercial matters (EC) No 44/2001.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Yet still neither EU legislation nor CJEU jurisprudence are uniform in this respect. In
Pinckney v KDG Mediatech (2013)67 the CJEU held that copyright claims fell under the
tort head in Article 5(3) of the Jurisdiction Regulation which:
does not require … that the activity concerned [is] to be ‘directed to’ the Member State in
which the court seized is situated … [Jurisdiction is established] if the Member State in
which that court is situated protects the copyrights relied on by the plaintiff and the harmful
event alleged may occur within the jurisdiction of court seized.68
The court followed this less moderate approach under Article 5(3) in Wintersteiger v
Products 4U Sondermaschinenbau GmbH (2012)69 where it upheld an Austrian court’s
jurisdiction to hear a trademark claim based on an Austrian trademark, where the
allegedly infringing advertising had solely occurred on google.de and not google.at and
the claimant held no registered trademark in Germany. Nonetheless, according to the
court, Austria, as the place of registration, satisfied the objective of foreseeability and
that of sound administration of justice and was best suited to assess whether any
damage had occurred.70 On the other hand, the Advocate General made a clear attempt
to bring the case within the targeting analysis. He noted that the mere accessibility of a
site would not be sufficient to justify jurisdiction under the Regulation71 and then
proceeded:
The fundamental factor or point is whether the information disseminated on the internet is
really likely to have an effect in the territory where the trade mark is registered. It is not
sufficient if the content of the information leads to a risk of infringement of the trade mark
and instead it must be established that there are objective elements which enable the
identification of conduct which is in itself intended to have an extraterritorial dimension. For
those purposes, a number of criteria may be useful, such as the language in which the
information is expressed, the accessibility of the information, and whether the defendant has
a commercial presence on the market on which the national mark is protected. It is also
necessary to establish the territorial scope of the market on which the defendant operates and
from which the information was disseminated on the internet. For that purpose, an assessment
must be made of facts such as, inter alia, the top-level domain, the address or other location
data supplied on the website, and the place where the person responsible for the information
has the place of business for his internet activities. As a result of that examination, the court
will conclude whether the case before it involves the means necessary for producing, a priori,
an actual infringement of a trade mark in another Member State via the internet.72
67
Peter Pinckney v. KDG Mediatech AG C-170/12 [2013] EUECJ (3 October 2013).
68
Ibid., paras 42 and 43.
69
Wintersteiger v. Products 4U Sondermaschinenbau GmbH C-523/10 [2012] ECR I-0000;
see also Joined Cases eDate Advertising and Martinez C-509/09 and C-161/10 [2011] ECR
I-10269.
70
Wintersteiger v. Products 4U Sondermaschinenbau GmbH C-523/10 (n 69) paras 27, 28.
71
Ibid. Opinion of the Advocate General para. 23.
72
Ibid., paras 28–30 [internal marks omitted].
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 47
73
Fifth and Fourteenth Amendment to the US Constitution, dealing with the right of ‘due
process’ as against the Federal government and state governments respectively.
74
International Shoe Co v. Washington 326 US 310 (1945).
75
Hanson v. Denckla 357 US 235, 253 (1958).
76
People v. World Interactive Gaming Corporation 714 NYS 2d 844 (1999).
77
Young v. New Haven Advocate 315 F3d 256 (2002).
78
US v. $734,578.82 in US Currency 286 F 3d 641 (2002).
79
15 USC § 1125(d)(2)(A).
80
See, for example, Cable News Network LP v. cnnews.com 162 F Supp 2d 484 (ED Va.
2001) and 177 F. Supp. 2d 506 (ED Va 2001), affirmed in 56 Fed. Appx 599 (4th Cir 2003).
81
The difference between the effects doctrine and the objective territoriality principle, if
there indeed is one, is that the former appears to have no explicit requirement that the effects on
the territory must be a ‘consistent element’ of the crime in question, although in fact this is
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
18 / Date: 6/5
JOBNAME: Tsagourias PAGE: 19 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Customary international law has – since Lotus (1927)82 – explicitly recognised that in
transnational wrongdoing, the State on the territory on which the ‘foreign’ wrong takes
effect enjoys the right to regulate that conduct, alongside the State from where the
wrong originates (subjective territoriality principle). The Permanent Court of Justice
stated:
[I]t is certain that the courts of many countries, even of countries which have given their
criminal legislation a strictly territorial character, interpret criminal law in the sense that
offences, the authors of which at the moment of commission are in the territory of another
State are nevertheless to be regarded as having been committed in the national territory, if one
of the constituent elements of the offence, and more especially its effects, have taken place
there.83
This principle has gone through different incarnations: it underlies the concept of
‘result’ crime (versus ‘conduct’ crime) traditionally used by common law courts;84 it
provides the basis of the US ‘effects doctrine’ in the antitrust context in the 1970s to
1990s85 and is, in the internet context, referred to as the destination or receipt rule (in
contrast to the origin rule).86 Common to all these concepts or labels is the focus on the
impact of a foreign act on the State’s territory and that impact provides the basis for
subjecting the foreign actor to the law of the land. Once it is understood that the
‘impact’ need not be physical (as in Lotus) and can include economic and other
intangible impacts, one may fathom the role of the objective territoriality principle in
contemporary globalised society.
As the discussion above may already have foreshadowed, the objective territoriality
principle has severe shortcomings in the online context. Most importantly, it gives rise
to too many concurrent claims and thus compounding obligations on online actors.
Indeed, it creates de facto universal jurisdiction which, as a head of jurisdiction, has
traditionally been limited to a handful of universally condemned crimes, such as piracy,
war crimes or crimes against humanity, and is clearly not meant to extend to the
numerous and varying legal standards applicable to online activity. This overregulation
is, to some extent, alleviated by the more moderate destination approach which only
gives targeted States the right to regulate the activity and requires forbearance by States
which are also affected by the site, but only marginally so. This approach has also some
precedent in international law, as even prior to the internet, the potentially huge
diffusion of economic effects of a single activity, e.g. a cartel, triggered numerous
overlapping and at times conflicting regulatory claims by various States. For example,
invariably established and can be provided for by framing the offence appropriately. See more on
legal status of cyberspace in Tsagourias (Ch 1 of this book).
82
The Case of the SS ‘Lotus’ (n 19) 1.
83
Ibid. 23.
84
DPP v. Stonehouse [1978] AC 55; R v. Treacy [1971] AC 557; R v. Markus [1975] 1 ALL
ER 958; Brownlie v. State Pollution Control Commission (1992) 27 NSWLR 78; R v. Toubya
[1993] 1 VR 226; discussed in Matthew Goode, ‘The tortured tale of criminal jurisdiction’
(1997) 21(2) Melbourne Uni. L. Rev. 411, 437ff.
85
Alan V. Lowe (ed.), Extraterritorial Jurisdiction (Grotius Publications Ltd 1983).
86
Graham Smith (ed.), Internet Law and Regulation (4th edn., Sweet and Maxwell 2007)
507f, Ch 12.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
19 / Date: 6/5
JOBNAME: Tsagourias PAGE: 20 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 49
87
US Restatement (Third) of Foreign Relations Law (1986) § 403(1).
88
Ibid. § 403(2).
89
Even in the US, the moderate version was narrowly confined in Hartford Fire Insurance
Co v. California 509 US 764 (1993) to situations of a ‘true conflict’ between domestic and
foreign law, i.e. where the application of domestic law would entail the violation of the foreign
country’s law. This occurs very rarely. Most laws ‘conflict’ by imposing compounding duties on
the subject.
90
For alternative possibilities, see Dow Jones & Co Inc. v. Gutnick [2002] HCA 56 where
the editorial office was in New York and the server in New Jersey; see also para. 41, where the
court noted alternatives: the location where the material was initially composed or the place of
incorporation of the provider; Australian Law Reform Commission, Choice of Law (Report No
58, 1992) 57.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
20 / Date: 6/5
JOBNAME: Tsagourias PAGE: 21 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
of the regulating State. Nonetheless, but for a few exceptions, States have rejected it,
notably not in terms of foregoing their rights to regulate local online actors, but rather
in terms of leaving the regulation of foreign online actors solely to the State of origin.91
In other words, they have asserted their right to regulate local online providers but not
to the exclusion of regulating foreign online providers as well. This is consistent with
customary international law which, as shown above, has long recognised that the
territoriality principle gives concurrent regulatory rights to the origin State (subjective
territoriality principle) and destination States (objective territory principle). The core
reason for the general unacceptability of the exclusive origin approach is that it
undermines the regulatory control of States over their territories: there is very little
point in prohibiting a drug in the offline world, if it can be bought legitimately online
from a foreign providers whose State of origin does not prohibit it and who is not
subject to local rules. Thus the lowest common regulatory denominator becomes the
legal standard for every State.
The operation of the exclusive origin rule within Europe shows the particular
conditions that must be satisfied before it becomes politically acceptable. For example,
the Electronic Commerce Directive lays down the exclusive origin rule in Article 3(2)
by requiring Members States not to regulate providers of information society services
established in another Member States.92 This rule, however exceptional it may be in the
international context, relies on three prerequisites in the European context. First, it
requires relatively harmonised legal standards so much so that the foreign rule does not
significantly clash with local standards. Although the origin rule in the Electronic
Commerce Directive is not limited to the harmonised standards established in other
parts of the Directive, it works against the background of substantial long-term steps
taken towards more harmonisation or approximation within the European internal
market.93 Second, the exclusive origin rule in the Directive is not simply a rule
forbidding destination States to regulate providers from other Member States, but
imposes a duty on the origin State to regulate their local providers.94 Again, this
ensures that there is no regulatory vacuum. Last but not least, the rule requires
91
For example, R v. Perrin [2002] EWCA Crim 747.
92
Electronic Commerce Directive (n 32) art 2(c): ‘a service provider … pursues an
economic activity using a fixed establishment for an infinite period. The presence and use of the
technical means and technologies required … do not, in themselves, constitute an establishment
of the provider.’ Julia Hörnle, ‘Country of origin regulation in cross-border media: One step
beyond the freedom to provide services?’ (2005) 54 I.C.L.Q. 89, 113; and Commission v. UK
Case C222/94 [1996] ECR I-4025, concerning art 2(1) of the Television Without Frontiers
Directive 89/552/EC (later revised by 97/36/EC).
93
Electronic Commerce Directive (n 32) art 2(h). An earlier Directive that adopted the
approach is, for example, Television without Frontiers Directive 89/552/EEC (revised by
97/36/EC), see art 2a(1).
94
Electronic Commerce Directive (n 32) art 3(1): ‘Each Member State shall ensure that the
information society services provided by a service provider established on its territory comply
with the national provisions applicable in the Member State in question which fall within the
coordinated field.’ The destination State can first of all request the origin State to fulfil its duty
and then take measures to restrict incoming services, after notifying the Commission and the
origin State of its intention under art 3(40(b) of the Directive; it can also initiate infringement
proceedings under art 226 or art 227 of the EC Treaty.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
21 / Date: 6/5
JOBNAME: Tsagourias PAGE: 22 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 51
reciprocity (rather than being acceptable unilaterally): to the extent that States gain
economic advantages from being able to access foreign markets without the hurdles
presented by different regulatory requirements, they also lose by opening their market
to foreign providers.95 In the Directive’s context, there is reciprocity amongst the
Member States. In short, internationally an exclusive origin rule would not be
acceptable to States – bar the unlikely scenario that mutually trusting and respecting
States entered into an international convention that, first of all, harmonised the legal
standards to which it, then, applied the origin rule. Yet, as noted above, the jurisdic-
tional wranglings are principally caused by the significant differences in the legal
standards (and underlying cultural values) and thus the acceptability of the origin
approach presupposes the very solution to the crux of the jurisdictional problem.
4. ENFORCEMENT JURISDICTION
Enforcement jurisdiction is, unlike adjudicative and legislative jurisdiction, strictly
territorial, as stated by the Lotus court: ‘the first and foremost restriction imposed by
international law upon a State is that … it may not exercise its power in any form in
the territory of another State’.96 This strict territoriality is an essential aspect of the
non-interference rule under international law which, in turn, is part and parcel of the
concept of State sovereignty; in short it is a rock solid pillar of international law.
The strict territorial limit of enforcement jurisdiction has meant that, although States
have in principle extended their legal standards to foreign actors, they have struggled
with enforcing them. In effect, the internet’s legal landscape has been dominated by a
de facto origin rule, but this is highly problematic for the very reasons that make the
origin approach unacceptable in the first place.
How then can the limits of enforcement jurisdiction be overcome and how have they
been overcome? The answer is simple. First, there is the possibility of more or less
‘voluntary’ compliance by online actors. For example, some large corporate online
actors – keen to have the veil of respectability which requires minimum legal
compliance – can implement national regulatory requirements easily on their localised
platforms, (e.g. amazon.co.uk or google.fr or eBay.de), but this option is not so
obviously open to global social networking platforms (e.g. Twitter or Facebook). In
addition, States have looked towards avenues of preventing non-compliant legal content
from ‘entering’ their territory and this involves requiring local or localised inter-
mediaries, such as ISPs, search engines and social networking sites, to block legally
non-compliant foreign content. The OSCE [Organization for Security and Co-operation
95
Note, the UK the Gambling Act 2005 took a unilateral origin approach: the requirement
of an operating licence (s. 33) only applied to locally based gambling operators, that is ‘to the
provision of facilities for remote gambling only if at least one piece of remote gambling
equipment used in the provision of the facilities is situated in Great Britain …’ (s. 36). This
provision has been altered by the Gambling (Licensing and Advertising) Act 2014 which makes
all those who provide gambling services in the UK subject to the licencing requirement.
96
The Case of the SS ‘Lotus’ (n 19) 18a.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
22 / Date: 24/3
JOBNAME: Tsagourias PAGE: 23 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
new trend in Internet regulation [that] seems to entail blocking access to content if state
authorities are not in a position to reach the perpetrators for prosecution or if their request for
removal or take down of such content is rejected or ignored by foreign law enforcement
authorities or hosting and content providers.98
And those States were not just authoritarian States, such as Belarus or the Russian
Federation. For example, the report notes: ‘Some countries also started to develop
country-level, domain-name blocking or seizure policies (the Czech Republic, Mol-
dova, Switzerland, and the United Kingdom).’99 At times such blocks are judicially
ordered and at times they are executive requests. Throughout Europe courts have
granted injunctions against ISPs to block piracy sites. For example, in Twentieth
Century Fox Film Corp & Ors v British Telecommunications Plc (2011)100 BT, one of
the main ISPs in the UK, was ordered to prevent access to Newzbin, a foreign piracy
site. This order was followed by injunctions against other ISPs in relation to the same
and other piracy sites. Or, in another example, in German legislation, prohibiting
neo-Nazi material has been enforced by requiring networking sites such as YouTube
and Twitter to block offending content.101 But even in the US, where ‘free speech’
towers above many other competing values, blocking occurs e.g. when a court orders
the surrender of a generic top-level domain to enforce intellectual property, or when
gambling prohibitions are enforced by requiring local credit card providers to disallow
suspicious payments.102
Through such measures States effectively draw traditional territorial borders onto
cyberspace. The porosity of these cyber-borders undoubtedly varies, with the least
porous being in authoritarian States, such as China or Iran, that have put in place
wholesale blocks on domains as Facebook and YouTube. Sometimes these cyber-
borders are more porous when local users are ‘nudged’ toward existing national
normativity on localised sites e.g. eBay.co.uk, but can still access non-compliant online
content e.g. amazon.com is accessible in the UK. Nonetheless, the general trend is
clearly towards the territorial fragmentation of the internet, with the not illegitimate aim
97
OSCE (Yaman Akdeniz), Freedom of Expression on the Internet (15 December 2011)
<http://www.osce.org/fom/80723> accessed 12 August 2014.
98
Ibid. 6.
99
Ibid. 25.
100
[2011] EWHC 1981. But such blocks are not always based on judicial authority, with the
responsibility of censorship increasingly being shifted to intermediaries. See Juliette Garside,
‘Ministers will order ISPs to block terrorist and extremist websites’ (29 November 2013)
The Guardian <http://www.theguardian.com/uk-news/2013/nov/27/ministers-order-isps-block-
terrorist-websites> accessed 12 August 2014.
101
Kate Connolly, ‘Twitter blocks neo-Nazi account in Germany’ (18 October 2012) The
Guardian <http://www.theguardian.com/technology/2012/oct/18/twitter-block-neo-nazi-account>
accessed 12 August 2014.
102
See Cable News Network LP v. cnnews.co (n 80) and United States – Measures Affecting
the Cross-Border Supply of Gambling and Betting Services (n 45) (and accompanying discus-
sion) respectively.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
23 / Date: 24/3
JOBNAME: Tsagourias PAGE: 24 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Jurisdiction in cyberspace 53
of upholding national laws reflecting peculiar political and cultural values, and at times
economic interests, e.g. copyright. The most striking example of this emerging trend is
the discussion about the possibility of a Europe-only communication network in the
wake of the Edward Snowden revelations – the aim being to have the technical
infrastructure for online communications on European soil in order to ensure the legal
protection of that data against foreign abuse.103 While the desire to uphold national or
regional normativity online is legitimate, particularly in democracies, the attendant
fragmentation of the internet entails significant costs for freedom of (transnational)
expression. The European Court of Human Rights [ECtHR] in Case of Yildirim v
Turkey (2013)104 held that wholesale blocking by Turkish ISPs of Google Sites website
(which had included a third-party site that violated Turkish law on the protection of
Ataturk’s memory) was inconsistent with Yildirim’s right to freedom of expression as
the Turkish judges had failed to take into ‘consideration, among other elements, the fact
that such a measure, by rendering large quantities of information inaccessible,
substantially restricted the rights of Internet users and had a significant collateral
effect’.105 Yildirim’s site which was unrelated to the offending site had become
inaccessible due to this general block, but Turkey insisted that blocking access to
Google Sites was the only technical means of blocking the one offending foreign site;
there was no evidence that Google had been approached with a request to take down
the specific offending sites.106 Above all, this case illustrates that the topic of
jurisdiction on the internet has strong intersections with human rights law and it is in
the light of rights such as freedom of expression, but also privacy and freedom of
conscience and religion, that a discourse on the topic needs to be developed.
5. CONCLUSION
The internet has pushed the regime of international jurisdiction from the shadows of the
law into its limelight – given that transnationality of conduct is no longer the exception
but the rule. Every search on Google, every click on a Facebook Like triggers a
border-crossing event that challenges the rule of national law; considering the online
dominance of US corporations, its national law appears to be least threatened by the
internet. This limelight is undoubtedly uncomfortable given that traditional jurisdic-
tional regimes (under public international law and private international law) are
strongly location-centric and thus inherently ill equipped to ‘reconcile’ transnational
activity with national law. Thus any solutions they produce are, of necessity, a ‘botched
job’.
103
BBC News, ‘Data protection: Angela Merkel proposes Europe network’ (15 February
2014) <http://www.bbc.co.uk/news/world-europe-26210053> accessed 12 August 2014.
104
Case of Yildirim v. Turkey No 3111/10 ECtHR (18 March 2013).
105
Ibid., para. 66.
106
One question here is whether an expectation of self-censorship based on national legal
requirements as was the case prior to the internet vis-à-vis communication bottlenecks, such as
TV, radio and the press, is still legitimate vis-à-vis online intermediaries.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
24 / Date: 6/5
JOBNAME: Tsagourias PAGE: 25 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The discussion above shows how in particular the objective territoriality principle
under customary international law has been stretched to its maximum in order to extend
national law to online activity, which is in itself an entirely legitimate endeavour, even
if it comes at the expense of a coherent overall allocation system and an open internet.
Taking a State-internal perspective, each individual case is defensible in terms of
seeking to prevent the internet from undermining national legal standards, and thus on
the basis of upholding the ‘rule of law’ within each State’s territorial dominion. Yet,
from a global perspective, the blunt application of national law to the transnational
internet cannot but lead to the territorial fragmentation of the internet into national
cyberspaces with attendant costs for freedom of expression as well as for economic,
political, social and cultural exchange. Arguably, the transnational internet is suffering
the tragedy of the commons or a death by a thousand cuts: each time a State asserts its
right to apply its peculiar regulatory version of the ‘good life’ to the online world and
each times this assertion is enforced via voluntary compliance or border blocking,
transnationality is slightly impeded. This (enforced) fragmentation still appears to be at
its early stages. At the same time, there are also signs of a more moderate version of
the objective territoriality principle in form of the targeting / directing approach
emerging from the more private law spectrum of cross-border online disputes. This
version would go some way towards retaining, to some extent, the openness of internet
while also, largely, upholding national law on the internet. As this moderate approach
to territorial jurisdiction is – with respect to most legal areas – a more realistic option
than achieving substantive legal harmonisation at the global level, the future of an open
internet must lie in its hands.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
25 / Date: 24/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
The terms Internet and Cyberspace are household words. They represent domains the
use of which is indispensable to the entire or at least a substantial part of the global
population. At the same time, as this author understands it, they are not identical in
meaning as a matter of computer science terminology. The Internet is a ‘global network
connecting millions of computers’; it is ‘decentralized by design’, subject to ownership
or control (unlike ‘online services’) by no single (or a plurality of) person or entity.1
The Internet has a physical dimension because of the interconnection of different
computer systems, their accessibility and the transmission of information to and from
such systems by using the standard Internet Protocol (IP).2 Cyberspace, however, is a
more abstract term; it is a non-physical domain created by computer systems that
allows people to communicate with each other, to exchange or to gather information.
Moreover, it refers to the ‘notional environment in which digitized information is
communicated over computer networks’.3 Be this as it may, it appears that there exists
a tendency to treat these two terms as synonyms and use them interchangeably. To give
an example, the US Government Cyber Policy Review 2009 defines cyberspace as ‘the
interdependent network of information technology infrastructures, and includes the
Internet, telecommunications networks, computer systems, and embedded processors
and controllers in critical industries. Common usage of the term also refers to the
virtual environment of information and interactions between people’.4 It appears
therefore, that apart from identity in terms, these two concepts have a dual role: they
refer to the domain as well as to the medium of conducting certain activities.
Furthermore, it would be an understatement to say that the Internet is important to
private individuals, corporations and States: the US Government has stated that
cyberspace / the Internet underlines every aspect of modern society and it is both the
1
Vangie Beal, ‘Internet’ (Webopedia) <http://www.webopedia.com/TERM/I/Internet.html>
accessed on 1 November 2013.
2
Bill Young, ‘Navigating Cyberspace: Introduction to Cyberspace’ (9 January 2013)
University of Texas <http://www.cs.utexas.edu/~byoung/cs329e/slides1–introduction.pdf>
accessed on 4 November 2013.
3
US Department of Defense, ‘Dictionary of Military and Associated Terms’ JP 1–02 (12
April 2001, as amended through 31 August 2005) 139.
4
The White House, ‘Cyberspace Policy Review: Assuring a trusted and resilient
information and communications infrastructure’ (2009) <http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf> 1, accessed on 4 November 2013.
55
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 1
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
domain where and the medium by which economic, public safety, civil society and
national security activities are pursued.5
While the usefulness of the Internet is universally acknowledged, the same is the
case with regard to its misuse or hostile use, in the form of cyber-crime and espionage.6
In particular, as nowadays private business and governments conduct most of their
functions and activities in cyberspace, safety and resilience are matters to be preserved.
In the words of the US Cyber Policy Review 2009 ‘to realize the full benefits of digital
revolution, users must have confidence that sensitive information is secure, commerce
is not compromised and the infrastructure is not infiltrated. Nation-states also need
confidence that the networks that support their national security and economic
prosperity are safe and resilient. …’7 It is, therefore, not inconceivable that the Internet
may be used in such a way as to cause harm to States or as to compel them to act in a
particular manner. There have been three episodes in State practice that have revealed
how the hostile use of the Internet may affect the orderly function of basic services in
a State or threaten its security. In 2007 Estonia was the object of massive and
coordinated computer hacking attacks that paralyzed its economy and the functioning
of government services for weeks. In 2008 Georgia was the target of similar attacks
during the conflict with the Russian Federation with respect to South Ossetia. Also, in
2009 a computer virus by the name of Stuxnet caused the progress of the nuclear
program of Iran to suffer significant delay.8 In this context the question arises whether
such use of the Internet may give rise to State responsibility. The answer must be in the
affirmative provided that a specific use of the Internet amounts to an ‘internationally
wrongful act’.9 As the Internet is an international domain, then States must conduct
themselves over this domain in accordance with international law10 and therefore the
use of cyberspace is subject to international law. As Harold Koh, the former Legal
Advisor of the US State Department has remarked ‘international law principles do
apply in cyberspace. …’11 However, there are substantive challenges facing the law on
international responsibility as it exists in contemporary international law by the
particularities of cyberspace since this body of rules is premised heavily on attribution
of acts of individuals to a State. Be as it may, the present author submits, that the
application of this area of international law to cyberspace is not impossible, mainly as
a result of establishing responsibility on the basis of the breach of the obligation of due
diligence on the part of States, which dispenses with the difficulty of attributing acts of
individuals to a State, while even attribution may in certain cases be established. To
5
Ibid.
6
Mary E O’Connell, ‘Cyber security without cyber war’ (2012) 17 J. Conflict & Sec. L.
187, 190.
7
The White House (n 4) 1.
8
On these episodes see O’Connell (n 6) 192–194; Russell Buchan, ‘Cyber attacks:
Unlawful uses of force or prohibited interventions?’ (2012) 17 J. Conflict & Sec. L. 211, 218–21.
9
The International Law Commission Articles on state responsibility [2001] in James
Crawford (ed.), The International Law Commission’s Articles on State Responsibility, Introduc-
tion, Text and Commentaries (CUP 2002) 61.
10
O’Connell (n 6) 189.
11
Harold H. Koh, ‘State Department legal adviser addresses international law in cyberspace’
(2013) 107(4) A.J.I.L. 243, 244.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 2
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 3 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
12
Ibid. Also see Hersch Lauterpacht, The Function of Law in the International Community
(first published in 1933, OUP 2011) 68–77.
13
See generally, Hersch Lauterpacht, Private Law Sources and Analogies of International
Law (first published in 1927, The Law–book Exchange 2002), Ch III, Sec VII.
14
The Factory at Chorzow (Claim for Indemnity) (Germany v. Poland) [1928] PCIJ Ser. A
No. 17, 29.
15
Case Concerning United States Diplomatic and Consular Staff in Tehran (USA v. Iran)
[1980] ICJ Rep. 3, 29.
16
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) [2007] ICJ Rep. 43,
115.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 3
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
adopted by the ILC in 2001.17 This text is not (or not yet) a treaty. However, since 2001
it has been so extensively cited by international courts and tribunals, as well as in State
practice, that it is considered as an authoritative statement of the customary inter-
national law on State responsibility.18 The legal regime introduced by ARS is premised
on the distinction introduced by ILC Rapporteur Roberto Ago between ‘primary
obligations’ and ‘secondary rules’. The very first paragraph of the Introduction of the
Commentaries to ARS states that:
The emphasis is on the secondary rules of State responsibility, that is to say, the general
conditions under international law for the State to be considered responsible for wrongful
actions or omissions, and the legal consequences which flow therefrom. The articles do not
attempt to define the content of the international obligations breach of which gives rise to
responsibility.19
[T]he term ‘international responsibility’ … covers the relations which arise under inter-
national law from the internationally wrongful act of a State, whether such relations are
limited to the wrongdoing State and one injured State or whether they extend also to other
States or indeed to other subjects of international law, and whether they are centred on
obligations of restitution or compensation or also give the injured State the possibility of
responding by way of counter-measures.21
17
[2001] Yearbook of the ILC, vol. II (Part Two).
18
UNGA Responsibility of States for Internationally Wrongful Acts – Compilation of
Decisions of International Courts, Tribunals and other bodies (Report of the Secretary-General)
A/65/76; [2010] UNGA Responsibility of States for Internationally Wrongful Acts – Comments
and Information received from Governments (Report of the Secretary-General) A/65/96; James
Crawford (ed.), Brownlie’s Principles of Public International Law (8th edn., OUP 2012) 540.
19
Draft Articles on Responsibility of States for Internationally Wrongful Acts, with commen-
taries [2001] A/56/10 31.
20
The International Law Commission Articles on State Responsibility (n 9) art 1.
21
Draft Articles on Responsibility of States for Internationally Wrongful Acts, with
commentaries (n 19) 33.
22
Ibid. 36.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 4
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
(a) De jure State agents or organs, irrespective of their hierarchical position in the
apparatus of the State or the constitutional structure or organization of the State
(namely, whether it is a unitary or federal State) (Art.4 ARS);
(b) De facto State organs, namely, non-State actors or entities that have been
‘elevated’ to de facto State agents or organs because they are under the absolute
dependence and control of a State. In Bosnian Genocide the issue before the ICJ
was whether the atrocities perpetrated by the Bosnian Serbs in Srebrenica in July
1995, which as the Court ruled amounted to commission of genocide under the
1948 Genocide Convention, could be attributed to Serbia. The Court ruled that:
[t]his question has in fact two aspects, which the Court must consider separately. First,
it should be ascertained whether the acts committed in Srebrenica were perpetrated by
organs of the Respondent [namely, Serbia], i.e., by persons or entities whose conduct is
necessarily attributable to it, because they are in fact instruments of its action. Next, if
the preceding question is answered in the negative, it should be ascertained whether the
acts in question were committed by persons who, while not organs of the Respondent,
did nevertheless act on the instruments of, or under the direction or control of, the
Respondent.24
The Court then proceeded to identify de facto States organs as;
persons, groups of persons or entities [that], may for purposes of international
responsibility, be equated with State organs even if that status does not follow from
internal law, provided that in fact the persons, groups or entities act in ‘complete
dependence’ on the State of which they are ultimately the instrument … .25;
(c) Delegation of Government Authority. In this contingency the conduct of a
non-State actor (i.e. ‘a person or entity which is not the organ of the State’) is to
be considered as an act of the State if the non-State actor ‘is empowered by the
law of that State to exercise elements of governmental authority’ and it ‘is acting
in that capacity in the particular instance’ (Art. 5 ARS);
(d) The situation where an organ of a State is placed at the disposal of another State.
The acts or omissions of this organ in the exercise of government authority on
behalf of the State at the disposal of which it has been placed give rise to this
State’s responsibility (Art. 6 ARS);
23
Draft Articles on Responsibility of States for Internationally Wrongful Acts (n 19) 35.
24
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (n 16) (Merits) 201.
25
Ibid. 205 [emphasis added].
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 5
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
(e) Ultra Vires Acts. A State organ or entity gives rise to the responsibility of the
State even when acting in this capacity it exceeds its authority or against
instructions (Art.7 ARS);
(f) Instructions, Direction and Control of a State over acts of private persons. In the
jurisprudence of the ICJ this control must be ‘effective control’ in order to give
rise to the responsibility of the State. The Court reached this finding in Nicaragua
where it ruled that the US assistance to the contras and its general control over
them were not sufficient in default of further evidence to attribute their acts
violating human rights and humanitarian law to the US government. By contrast
‘[f]or this conduct to give rise to legal responsibility of the United States, it would
in principle have to be proved that that State had effective control of the military
and paramilitary operations in the course of which the alleged violations were
committed.’ 26 Moreover, in Bosnian Genocide the Court, having found that the
Bosnian Serbs did not constitute a de facto organ of Serbia, proceeded to
determine whether Serbia exercised effective control over them. The Court
explained that the:
test thus formulated differs in two respects from the test … to determine whether a
person or entity may be equated with a State organ even if not having that status under
internal law. First, in this context it is not necessary to show that the persons who
performed the acts alleged to have violated international law were in general in a
relationship of ‘complete dependence’ on the respondent State; it has to be proved that
they acted in accordance with the State’s instructions or under its ‘effective control’. It
must however be shown that this ‘effective control’ was exercised, or that the State’s
instructions were given, in respect of each operation in which the alleged violations
occurred, not generally in respect of the overall actions taken by the persons or groups
of persons having committed the violations.27
In this respect, the Court declined to uphold the ruling of the ICTY Appeals
Chamber in the Tadić case where the ad hoc Tribunal applied the test of ‘overall
control’ that dispenses with the need to evaluate control of a State over each
specific operation of a non-State actor;28 the Court took the view that the
determination of State responsibility on the part of Serbia did not constitute an
indispensable finding to determine individual criminal responsibility by an
international criminal tribunal29 (Art. 8 ARS);
(g) Exercise of elements of government authority in the absence of or inadequate
function of State authorities and in circumstances that warrant the exercise of this
authority. In Yeager v. Islamic Republic of Iran the Iran-US Claims Tribunal ruled
26
Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicara-
gua v. USA) (Merits) [1986] ICJ Rep. 14 64–5 [hereinafter Nicaragua Case].
27
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (n 16) 211–15.
28
Prosecutor v. Tadić, [1999] ICTY Appeals Chamber Judgment, IT–94–1–A, para. 145; but
cf. ibid. paras 118–122, where the Tribunal has drawn a distinction between acts performed by
private individuals to which the effective control test applies (as articulated in Nicaragua Case)
and organized military groups to which the overall control test applies.
29
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (n 16) 209–10.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 6
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
that the immigration, customs and other similar acts that had been carried out by
the Revolutionary Guards at the Tehran airport in the immediate aftermath of the
Islamic revolution were attributable to Iran. The Tribunal reasoned that even
though these functions were not authorized by the Iranian government they
objectively consisted in the exercise of elements of governmental authority in the
absence of official authorities of the State ‘in operations of which the new
Government must have had knowledge and to which it did not specifically
object.’30 (Art. 9 ARS);
(h) The ARS provides in particular that acts or omissions by an insurrectional or
other movement are attributed to a State in the event the insurrection is successful
and the movement become the government of the State (Art. 10 ARS);
(i) Approval and Adoption by a State of acts of private persons or entities. In US
Diplomatic and Consular Staff in Tehran the Court ruled that the act of
overrunning of the US Embassy in Tehran by demonstrators and the seizure as
hostages of the US diplomatic staff could not be as such attributed to the Iranian
Government because the demonstrators were neither State organs nor did they
carry out a specific government act on behalf of the State31. However, the
responsibility of Iran for the acts of the demonstrators was established at a later
stage when the Iranian government approved of and adopted the occupation of the
Embassy premises and the captivity of the US diplomatic staff as its own32
(Art.11 ARS).
30
[1987] 17 Iran–US Claims Tribunal Rep. (1987), 104.
31
Case Concerning United States Diplomatic and Consular Staff in Tehran (n 15) (Merits),
29–30.
32
Ibid. 33–36.
33
Draft Articles on Responsibility of States for Internationally Wrongful Acts (n 19) 64.
34
Ibid.
35
On shared responsibility see generally André Nollkaemper and Dov Jacobs, ‘Shared
responsibility in international law: A conceptual framework’ (2013) 34(2) Michigan J. Int’l. L.
359.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 7
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
3. ATTRIBUTION IN CYBERSPACE
Cyberspace as a domain and the use of electronic devices as a medium of State conduct
raises difficulties with respect to ascribing particular acts to States. There is no reason
sweepingly to deny as a matter of principle the application of the rules of attribution
provided in ARS to conduct in cyberspace. However, the identification of individuals or
entities that use the Internet is characterized by considerable difficulty, for the Internet
guarantees, if not actually absolute, certainly a large measure of anonymity or
deniability. Thus, it is almost impossible to identify directly and with certainty the
person or entity operating a personal computer. Identification of persons, and by
consequence, attribution is only possible via the identification of a computer by way of
its IP that identifies its precise location.
Therefore, an internationally wrongful act in cyberspace appears to be ascribed to a
particular computer whereas the identity of the person operating it may only be
established either by way of presumption or on the basis of inside information
disclosed by government agents of the State perpetrating the internationally wrongful
acts in cyberspace.36 Thus, if a computer is identified by way of its location (in the
premises of a government department or a diplomatic mission) as a government
computer then the transmission of malware or denial of service interference may in
principle be attributed to a particular State. This appears to be established either on the
identity of the operator who is presumed to be a government agent or on the mere
location of the computer as this falls under the exclusive and complete control of a
State. Thus, in October and November 2013 the German Government launched strong
diplomatic protests with the US and UK Governments for allegations of electronic
surveillance of German governmental departments, including the German Chancellor’s
36
Viz. the information disclosed by the former US National Security Agency (NSA) Edward
Snowden on the NSA surveillance of many foreign government agencies; see Joshua Eaton,
‘Timeline of Edward Snowden’s revelations’, Al Jazeera America <http://america.aljazeera.com/
articles/multimedia/timeline–edward–snowden–revelations.html> accessed on 26 November
2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Office, from the US and UK embassies in Berlin. In particular, the German Govern-
ment warned the UK ambassador that the interception of German Government
information by intelligence services from a diplomatic mission constituted a breach of
international law.37
At the same time, the Tallinn Manual adopts a rather cautious approach to attribution
with respect to cyber wrongful acts by stating that the fact that a cyber operation has its
source in government cyber infrastructure is not sufficient to attribute these acts to a
State; it merely constitutes an indication that a particular State is associated with the
cyber operation. The Manual explains this approach by reference to the particular
features of cyber context and especially the likelihood that a government cyber
infrastructure may be ‘hijacked’ by non-State actors.38 Moreover, the former Legal
Advisor of the US Department of State has acknowledged the problem of attribution in
that cyberspace ‘significantly increases an actor’s ability to engage in attacks with
“plausible deniability”, by acting through proxies’ and suggested that this challenge is
‘as much [a question] of a technical and policy nature rather than exclusively or
predominantly’ a question of law.39 But attribution is predominantly a question of law
and it is not determined ‘on the mere recognition of a link of factual causality’.40
Furthermore, neither the Tallinn Manual nor the US Government propose an alternative
cogent framework of attribution but leave the whole issue surrounded in ambiguity
which suggests a wide margin of discretion on the part of an injured State to decide the
matter of attribution on the basis of extra-legal factors, such as the general political
climate between it and another State.41 In the absence of an alternative proposition it
appears that this position casts aside the current legal framework of attribution by
replacing it with a laissez faire approach by an injured State on a case-by-case basis.
Attribution of an injurious act to a State is a matter of evidence. As injurious acts in
cyberspace emanate from computers located in the territory of one or more States the
territorial location of computers may serve as a starting-point. State sovereignty entails
the expectation that every State exercises control over cyber infrastructure and activities
within its territory.42 However, as the ICJ ruled in Corfu Channel the mere fact of
existence of objects constituting a source of injurious acts (in this case computers
engaged in injurious cyber acts) within its territory is not sufficient to impute
knowledge of these acts to the State. At the same time, the victim State is permitted ‘a
more liberal recourse to inferences of fact and circumstantial evidence’.43 This lower
37
Nigel Morris et. al., ‘Germany calls in Britain’s ambassador to demand explanation over
“secret Berlin listening post”’ (6 November 2013) The Independent <http://www.independent.
co.uk/news/uk/politics/germany–calls–in–britains–ambassador–to–demand–explanation–over–secret–
berlin–listening–post–8923082.html > accessed 13 August 2014.
38
Michael N. Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare (CUP 2013) 39–40 [hereinafter Tallinn Manual].
39
Koh (n 11) 247.
40
Draft Articles on Responsibility of States for Internationally Wrongful Acts (n 19) 38–9.
41
Cf. Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’
(2012) 17 J. Conflict & Sec. L. 229, 233.
42
Tallinn Manual (n 38) 25–6.
43
Corfu Channel Case (UK v. Albania) (Merits) [1949] ICJ Rep. 4, 18; also see Tallinn
Manual (n 38) 34.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position: 9
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
standard of evidence was admitted in Corfu Channel because the UK did not have
direct access to evidence and this in the context of a dispute where there was no
controversy either over the territorial source of the injurious act (the territorial sea of
Albania) or the agency (the mines) through which this act materialized. In the cyber
context the establishment of the exact and actual source of the injurious act is
extremely difficult to locate, let alone establish the identity of the perpetrator.44 Thus, it
appears that a very liberal approach to evidence is called for by the very nature of
cyberspace that would combine expert technical knowledge, press reports45 (where
available) revelation by defector public officials of a State (the US NSA surveillance
activities were divulged by former NSA official Edward Snowden) even though the fact
of defection may diminish its probative value as evidence contrary to the interests of
his own State.46 The inherent difficulty in identifying a single State as the source of an
injurious cyber act47 appears to leave the victim State two possible avenues: either the
identification of the perpetrating State on the basis of the existing political climate
between it and the victim State or cooperation with other States whether in the context
of international organizations or not. The first avenue may entail a degree of
arbitrariness and ultimately it does not, and cannot by itself, establish responsibility in
the absence of more objective evidence. By contrast, the second avenue offers a better
potential of identifying the alleged wrong-doing State. The fact, however, remains that
such identification defies to a large extent the established legal framework of
attribution.
On the basis of the assumption that injurious cyber activity can be traced to the
territory of a single State it is submitted that the best approach in the cyber context is
to attribute hostile cyber acts to this State on the basis of a presumption of
responsibility which may be rebutted by the State on the basis of evidence. In other
words, attribution may rest on a presumption that introduces a reversal of the burden of
proof. This submission departs from the ruling of the ICJ in Corfu Channel but unlike
sea-mines, computers are ubiquitous and by their nature not injurious. Thus, all that has
to be established is their location in the territory of a particular State and the latter’s
alertness by the victim to the fact that injurious cyber acts emanate therefrom. Once
this takes place knowledge of the injurious activity is established. It is true that the
State from the territory of which the injurious acts emanate may not constitute their
actual source, as the computers on its territory may have been hijacked. But this is no
reason to deny the right of the victim to alert this State and demand measures on its
part for the cessation of the injurious activities. Such measures may entail, depending
on the circumstances, a degree of denial of Internet services throughout the territory of
that State, and it is a question of balancing the interests of both the victim State and the
State from the territory of which the particular cyber activity emanates on whether or
not this is feasible.48 However, this cannot be prima facie excluded as a possibility in
44
Tsagourias (n 41) 233–5.
45
Cf. Nicaragua Case (n 26) 40–41.
46
Ibid. 43.
47
Tsagourias mentions that the cyber attack on Estonia in 2007 ‘involved a large botnet of
approximately 85,000 hijacked computers from around 178 countries’: see: (n 41) 233.
48
Tallinn Manual (n 38) 33.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
10 / Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
view of the fact that States in other circumstances (for instance, when facing unrest by
dissident political groups) are all too prepared to adopt sweeping measures of Internet
service-denial even throughout their territories. Having said this, there appears to be
only one situation in which injurious cyber acts may not be imputed to the territorial
State, namely, where the acts emanate from a location that is under the exclusive
jurisdiction of another State, such as the premises of a diplomatic mission or the
installation of a military base. In the context of the US NSA electronic surveillance
practices it was reported that special units located on the rooftops of a number of US
embassies in Europe and Asia (such as the US embassies in Athens and Baku) collected
data.49 In these cases these acts would not be attributed to the host States (respectively,
Greece and Azerbaijan) but to the USA.
49
Morris (n 37).
50
On cyber espionage and international law see Buchan (Ch 8 of this book).
51
The Case of the ‘S.S. Lotus’ (France v. Turkey) [1927] PCIJ Ser. A No. 10, 18.
52
Tallinn Manual (n 38) 26, 36.
53
Accordance with International Law of the Unilateral Declaration of Independence in
respect of Kosovo, Advisory Opinion of 22 July 2010, (Declaration of Judge Simma) [2010] ICJ
Rep. 403, 478–9.
54
Anne Peters, ‘Surveillance without borders? The unlawfulness of the NSA–Panopticon,
Part I’, EJIL: Talk! (1 November 2013) <http://www.ejiltalk.org/surveillance–without–borders–
the–unlawfulness–of–the–nsa–panopticon–part–i/> accessed 7 November 2013.
55
Nicaragua Case (n 26) 107–8; Tallinn Manual (n 38) 26; Buchan (n 8) 221–6.
56
Tallinn Manual (n 38) 26, 45 et seq.; Koh (n 11) 244–5; Tsagourias (n 41) 230–33; cf.
O’Connell (n 6) 191–2, 198–203.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
11 / Date: 24/3
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
57
Corfu Channel Case (n 43) 22.
58
Report of the International Law Commission on the work of its 51st session (Supplement
No 10, 3 May–23 July 1999) GAOR, A/54/10, 86; Jan A Hessbruegge, ‘The historical
development of the doctrines of attribution and due diligence in international law’ (2004) N.Y.U.
J. Int’l L. & Pol. 265, 275.
59
ILC Draft Articles on the Prevention of Trans–Boundary Harm from Hazardous Activities
[2001] A/56/10, 154.
60
Responsibilities and Obligations of States Sponsoring Persons and Entities with respect to
Activities in the Area (Advisory Opinion) [2011] ITLOS Sea Bed Disputes Chamber, para. 111,
117.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
12 / Date: 24/3
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
their violation; this obligation to ‘ensure’ is not fulfilled solely by the existence of ‘a
legal system designed to make it possible to comply with this obligation – it also
requires the government to conduct itself so as to effectively ensure the free and full
exercise of human rights’.61
The ICJ has dealt with the duty of diligence in a number of disputes involving
alleged breaches of international obligations in a variety of contexts. In Corfu Channel
the Court ruled at the outset that the mere existence of the source of an injurious act (in
this case the mines) in the territory of Albania was not sufficient to attribute this act to
the State, for the control exercised by a State over its territory as a result of sovereignty
does not establish prima facie knowledge of every activity taking place therein.62 After
establishing knowledge by Albania of the laying of mines in its territorial sea,63 the
Court ruled that the responsibility of Albania lay in her failure to notify the existence of
a minefield in its territorial sea to third-State shipping. In the opinion of the Court, this
obligation rested on three general principles, namely, elementary considerations of
humanity, the freedom of maritime communication and ‘every State’s obligation not to
allow knowingly its territory to be used for acts contrary to the rights of other States’.64
But the Court also took account of the particular factual circumstances of the case in
order to confirm its legal finding: it acknowledged that if the mines had been laid at the
last possible moment, namely, less than 24 hours before the UK warships struck them
it would have been difficult or even impossible to issue a general notification to
third-State shipping. But, as the incident took place at a time by which the Albanian
authorities could have had knowledge of the existence of the mines as a result of their
close surveillance of the Corfu Strait, Albania did not observe its duty of due
diligence.65 In US Diplomatic and Consular Staff in Tehran the Court ruled that the acts
of the demonstrators who took over the premises of the US embassy and held its staff
hostage could not be imputed per se to the government of Iran. However, Iran bore
responsibility because of its failure to observe its obligation under the Vienna
Convention on Diplomatic Relations (1961) to protect the inviolability of the persons
and premises of another State’s diplomatic mission.66
In Congo v. Uganda the Court dealt in the context of the first counterclaim of
Uganda with the allegation that the Congo had violated its obligation of due diligence
(or duty of vigilance) by failing to prevent the action of dissident armed bands against
Uganda from its territory. The Court ruled that the existence and toleration of armed
groups on Congolese territory could not be assimilated with active support to these
groups; in addition, the Court took into account the inimical geographical terrain where
the groups operated and the material inability of the Congolese (as well as the former
Zairian) Government to effectively control that part of the territory of the State. Thus,
61
Velasquez–Rodriguez v. Honduras (Judgment of 29 July 1988) [1988] Inter–Am. Ct. HR
(Ser C), No. 4, paras 166–167.
62
Corfu Channel Case (n 43) 18.
63
Ibid. 18–22.
64
Ibid. 22.
65
Ibid. 22–3.
66
Case Concerning United States Diplomatic and Consular Staff in Tehran (n 15) 30–33.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
13 / Date: 24/3
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
the Court concluded that it could not uphold the allegation of breach of the duty of
vigilance on the part of the Congo.67
Moreover, in Bosnian Genocide the Court dealt with the obligation to prevent
genocide that is enunciated in the 1948 Genocide Convention.68 In the course of its
reasoning the Court made some statements of principle regarding the duty to prevent
(due diligence) even though it made it clear that it did not intend to introduce a general
framework of universal application on the duty of due diligence; it observed that ‘the
content of duty to prevent varies from one instrument to another, according to the
wording of the relevant provisions, and depending on the nature of the acts to be
prevented’.69 Then the Court analysed the content of the duty to prevent in relation to
the crime of genocide. It stated at the outset that this duty was an obligation of conduct
and not of result; hence, a State did not have the obligation to succeed in preventing
genocide ‘whatever the circumstances’ but was under the obligation to ‘employ all
means reasonably available’ to it to prevent the commission of the crime.70 Thus,
failure to achieve the desired result does not give rise to responsibility; by contrast,
responsibility arises in case of manifest failure to take all steps within its power that
would contribute to preventing genocide because ‘in this area the notion of “due
diligence”, which calls for an assessment in concreto, is of critical importance. Various
parameters operate when assessing whether a State has duly discharged the obligation
concerned’.71 The Court proceeded to identify those parameters in relation to the
specific obligation to prevent genocide and found of particular importance the capacity
to influence (within the limits of the law) the perpetrators on the basis of: (a) the
geographical distance between the State concerned and the scene of the crime: and (b)
the strength of political or other links between the State and the perpetrators.72 The
essence of due diligence lies, therefore, in the application of all means at the disposal
of the State even though such application may be proved on the basis of evidence to be
futile; in other words a State must not be inert even in the knowledge that its measures
will in all probability be ineffective to prevent the injurious act.73 Even though the
Court found that the duty to prevent genocide would give rise to responsibility only
when the crime was actually committed (viz. Article 14(3) ARS) it recognized that a
State was not absolved from responsibility if it remains inactive until commission of
the crime commences where there is a serious risk of its commission; in such a
contingency the State is under the obligation to employ the means available to it to
prevent the crime, otherwise the substance of the obligation would be negated.74
67
Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v.
Uganda) (Merits) [2005] ICJ Rep. 168, 268.
68
Convention on the Prevention and Punishment of the Crime of Genocide (1948) 78 UNTS
277, art 1.
69
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (n 16) 220–21.
70
Ibid. 221.
71
Ibid.
72
Ibid.
73
Ibid.
74
Ibid. 222.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
14 / Date: 24/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Finally, in Pulp Mills the Court ruled that both litigants (Argentina and Uruguay)
were under an obligation of due diligence to act through the Administrative Commis-
sion of the River Uruguay (CARU) with respect to adopting measures to preserve the
ecological balance of the river by virtue of Article 36 of the Statute of the River
Uruguay of 1975.75 The present author submits that State responsibility as a result of
breach of the duty of due diligence is consummated in the conduct of a State consisting
in its failure to act and it does not extend to the end result that occurred as a
consequence of this failure and that constitutes breach of a different primary rule (for
instance, the prohibition of the use of force). The latter contingency would require
further evidence that the ultimate outcome was the direct result of acts or omissions
amounting to the breach of this other primary rule and not simply the failure to adopt
preventative measures that even they might not guarantee beyond all doubt that the end
result would not occur.
On the basis of the preceding analysis it is submitted that the responsibility of a State
for internationally wrongful acts in cyberspace may be established in customary law on
the duty of due diligence in observing the obligation of not knowingly allowing its
territory to be the source of acts violating the rights of other States. The content of the
due diligence must be assessed by taking into account, first, that the use of the Internet
is not unlawful per se; secondly, that transmission from a computer or a host of
computers may or may not be the actual source of the injurious activity and; finally,
that the existence of thousands of computers on the territory of a State does not by and
of itself constitute knowledge of such injurious activity. Moreover, due diligence being
an obligation of conduct and not of result does not entail as a necessary outcome the
obligation to take steps to protect the rights of other States as this appears to go beyond
the requirement to employ all means that a State reasonably possesses to prevent an
unlawful act.76 Furthermore, knowledge of the cyber injurious act could be established
only upon the notification by the victim State that has the discretion to select the States
(they may be many) from the territories of which injurious transmissions occur.
The criteria for selection for notification are a matter of political decision, but once
notification takes place ‘knowledge’ exists and the State or States notified are under an
obligation to employ measures reasonably at their disposal to prevent the wrongful
cyber activity. Such measures appear to be commensurate with the possession of
technological capabilities to deny temporarily Internet service either to particular users
or throughout the State, even though the latter may disproportionately affect the
function of the governmental and economic infrastructure of the State. Thus, it appears
to be a matter of balancing the cost of Internet denial to the State of origin against the
effect of the injurious acts to the victim State and this is to be assessed in the particular
circumstances of each case. However, total denial of service may not, in principle, be
regarded as a reasonable response to injurious cyber acts; but it may not be excluded,
either in particular circumstances or even more so when States appear prepared to
resort to it to silence political opponents or contain internal unrest. What is important is
that a State that is established to have knowledge of injurious cyber acts emanating
from its territory is under a duty to act in a preventative manner irrespective of the fact
75
Pulp Mills on the River Uruguay (Argentina v. Uruguay) [2010] ICJ Rep. 14, 77.
76
Cf. Tallinn Manual (n 38) 33.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
that the said cyber activity also originates from the territories of other States. To say
that the failure to employ measures within that State’s capability is of no consequence
because the wrongful cyber activity also emanates from computers located in a
plurality of States does not absolve the former from responsibility under due diligence.
The ICJ ruled in Bosnian Genocide that such an assertion is irrelevant to the breach of
an obligation of conduct warranted by the duty of due diligence, especially when there
is a possibility of cooperation through concerted action in a situation where the
perpetrator of an injurious cyber act takes over a large number of computers situated in
a plurality of States.77 Indeed, it is because of this contingency, so frequent in practice,
that cooperation and concerted action is essential either on an ad hoc basis to counter
specific wrongful cyber activities or on a more permanent basis through institutional-
ized mechanisms or a pre-existing framework of good practices in cyber-space.78 Thus,
the NATO initiatives on information security are in principle steps in the right
direction79 as well as the initiative of China and the Russian Federation for the
introduction of an International Code of Conduct for Information Security.80
5. CONCLUSION
Cyberspace raises many challenges to the law on State responsibility as it has evolved
through State practice, judicial decisions and the work of the ILC culminating in the
2001 ARS. Cyberspace as a domain has international dimensions; therefore it is in
principle amenable to regulation by international law and the rules on State respons-
ibility, in particular, may be applied. While a breach of an international obligation may
be established without much difficulty in relation to certain types of cyber activity, it is
attribution of it to a specific State that raises difficulties that in practice appear
insurmountable and seem to defy the rules on attribution established in the ILC ARS.
These rules on attribution are centred on acts of persons and their imputation to a
particular State. Moreover, the process of attribution is a juridical one. However, the
nature of cyberspace as a domain, the freedom and the prima facie lawfulness of its
use, the transmission of information through computers and the anonymity of the users
of those computers leave very little scope for establishing with a relative degree of
certainty both the identity of the user and his/her link to a specific State. The only fact
that can be established with certainty is the location of a particular computer or
computers in the territory of one or more States. This gives rise to the presumption that
the State from the territory of which cyber injurious acts emanate could be the one that
may incur responsibility. However, this does not dispense with the specific rules of
77
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (n 16) 221.
78
O’Connell (n 6) 206–9.
79
NATO, ‘NATO and Cyber Defence’ (7 August 2014) <http://www.nato.int/cps/en/natolive/
topics_78170.htm?> accessed 13 August 2014.
80
Letter dated 12 September 2011 from the Permanent Representatives of China, the
Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary–
General, Annex, A/66/359.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
attribution and the fact that computers situated in the territory of a one or more States
are the actual source of wrongful cyber acts as they may have been ‘hijacked’ by the
real perpetrator. Hence there have been suggestions of overcoming this difficulty by
addressing attribution more flexibly or even by going beyond its existing legal
framework and establishing it on existing political relations between the States
concerned. Whereas political relations may constitute a factor for a victim State of
selecting another State or other States as the likely source of wrongful cyber activity, it
should not constitute a substitute for the existing rules on attribution and should not
dispense with the burden of proof of the grounds of attribution. This enterprise requires
evidence and as this is not possible to collect on the territory of a State from which
cyber activity occurs, circumstantial evidence may be admissible (for instance, the
revelation in the press by former government agents that a State has engaged in
wrongful cyber acts) as well as the reversal of the burden of proof upon the State
allegedly perpetrating injurious cyber acts.
The difficulty in applying the existing rules on attribution could be overcome by
focusing on the primary rule breached (namely, the specific international obligation) in
conjunction with the duty of due diligence either by reference to the substantive content
of the primary obligation or the general principle of international law that no State must
knowingly allow its territory to be used for injurious acts against other States. In this
manner, responsibility may be established on the fact that certain wrongful cyber acts
have their source in computers located in the territory of a State or a plurality of States
and it occurs with knowledge of the latter. This knowledge would be established on the
basis of alerting the territorial State (or States) to the fact of wrongful cyber activity
from its territory and its failure to act by employing measures within its capabilities to
curb that activity. The best course of action to achieve cessation of injurious cyber acts
appears to be through the adoption of good Internet practices and international
cooperation.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter3 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 1 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
1
See, for example, Catherine Easton, ‘ICANN’s core principles and the expansion of
generic top–level domain names’ (2012) 20(4) Int’l. J. L. & Information Technology 273–90 on
the ICANN regime.
2
For discussion, see Antony Taubman, ‘International Governance and the Internet’, in
Lilian Edwards and Charlotte Waelde (eds.), Law and the Internet (3rd edn., Hart Publishing
2009) 4–7 et seq. See also Tsagourias and Kohl (Chs 1 and 2 of this book respectively).
3
Taubman (n 2) 16.
4
Peter Drahos, A Philosophy of Intellectual Property (Ashgate 1996) 210.
5
Also for property choice of law rules according to Private International Law, see James J.
Fawcett and Paul Torremans, Intellectual Property and Private International Law (2nd edn.,
OUP 2011) 696.
6
For example by the European Court of Human Rights in Balan v. Moldova [2009] ECDR
6, paras 32, 34: ‘The concept of “possessions” referred to in the first part of Art 1 of Protocol 1
[of the European Convention on Human Rights] has an autonomous meaning which is not
limited to ownership of physical goods’ … ‘The Court reiterates that art 1 of Protocol 1 is
applicable to intellectual property …’
7
See, for example, the statutory rules declaring intellectual property rights as property
rights in the UK in Copyright, Designs and Patents Act 1988 (CDPA), s. 1 (copyright), s. 213
(unregistered designs), Trade Mark Act 1994 (TMA), s. 2 (trade marks), Patents Act 1977 (PA),
s. 30(1) (patents), Registered Designs Act 1949 (RDA), ss. 1(2), 2 (registered designs). The
status of (non–statutory) goodwill, protected by passing off, and of confidential information is
more difficult to ascertain.
72
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 1
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 2 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
But the position and recognition of (intellectual) property in international law is not so
straightforward, and that is not changed by the fact that intellectual property rights can
extend to the whole world, because they are legal concepts and do not attach to a finite
tangible object or reification. A plot of land cannot be taken out of the country and its
national jurisdiction.8 A trade mark can be created by (i.e. registered under) the national
law of the UK, but can have an effect worldwide. In this regard, intellectual property
rights share some similarity in practical terms with the naturally international quality of
the cyberspace. The cyberspace often acts as a carrier for objects of intellectual
property which then need protection in different countries, for example, a copyright-
protected text on the internet. Furthermore, electronic copying is extremely easy and
cheap and the copy corresponds exactly to the original. So an intellectual property right
attached to a digitally transmitted object is initially a product of a national law that can
spread internationally. This is effected by the international intellectual property
conventions.
8
That is also reflected by the rule of lex rei sitae or lex situs in private international law,
see Fawcett and Torremans (n 5) 665.
9
A useful brief overview of the international intellectual property law system for present
purposes can be found in Graeme B. Dinwoodie, ‘The international intellectual property law
system: New actors, new institutions, new sources’ (2006) 10 Marq. Intell. Prop. L. Rev. 205,
205.
10
Paris Convention for the Protection of Industrial Property 1883 (Stockholm text 1967,
amended 1979).
11
Ibid. art 4–art 5 quater.
12
Ibid. art 5 quinquies.
13
Ibid. art 6–art 9, art 10 ter.
14
Ibid. art 10 bis.
15
Berne Convention for the Protection of Literary and Artistic Works 1886 (Paris text 1971,
amended 1979).
16
Ibid. art 2 et seq.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 2
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 3 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
(national treatment).17 The Paris and Berne Conventions have been ‘absorbed’ by the
TRIPs Agreement (Agreement on Trade-related Aspects of Intellectual Property Rights)
1994, being Annex 1C of the Marrakesh Agreement establishing the World Trade
Organisation (WTO). According to Articles 2 and 9, respectively, ‘members [of TRIPs]
shall comply with’ the Paris and Berne Conventions.18 Since the TRIPs Agreement was
originally envisaged as a treaty securing the enforcement of (Western) intellectual
property rights in the rest of the world,19 the TRIPs Agreement is unusually detailed for
an international convention and could itself provide sufficiently comprehensive rules
for a national intellectual property regime in a country that does not already have one.20
Indeed, compliance with the TRIPs Agreement required almost no adaptation of the
national intellectual property systems in the Western world but prompted major changes
in many non-Western jurisdictions.21
Beside the Paris and Berne Conventions and TRIPs, other conventions and inter-
national standards are specifically relevant to the cyberspace, such as the World
Intellectual Property Organisation (WIPO) Copyright Treaty 1996. This treaty added to
the concept of the right of communication to the public of copyright-protected works
communication ‘by wire or wireless means, including the making available to the
public of their works in such a way that members of the public may access these works
from a place and at a time individually chosen by them’.22 In this way, the WIPO
Treaty moved away from the classical concept of publication (of a book, etc.) in
copyright law and catered for the uploading of texts and other works on the internet.23
Another regime is the Uniform Domain Name Dispute Resolution Policy (UDRP),
which is soft law, adopted by the Internet Corporation for Assigned Names and
Numbers (ICANN).24 There are also national laws, such as the US Digital Millennium
17
Paris Convention (n 10) art 2, Berne Convention (n 15) art 5. See e.g. Annette Kur and
Thomas Dreier, European Intellectual Property Law (Elgar 2013) 14, 19. The TRIPs Agreement
supplements the National Treatment Rules of the Paris and Berne Conventions by the Most
Favoured Nation Treatment Rule in art 3(1): Member States must extend trade benefits that were
granted to specific trading partners also to other Members of the Agreement.
18
However, the moral rights provisions in art 6 bis. of the Berne Convention are excluded
from the compliance requirement in the TRIPs agreement, see art 9(1), TRIPs Agreement.
19
Michael Blakeney, Trade Related Aspects of Intellectual Property Rights: A Concise
Guide to the TRIPS Agreement (Sweet and Maxwell 1996) 9.
20
TRIPs Agreement (n 18), Part II, sec 1: copyright; sec 2: trademarks; sec 3: geographical
indications; sec 4: industrial designs; sec 5: patents; sec 6: layout–designs (topographies) of
integrated circuits; sec 7: protection of confidential information; section 8: control of anti–
competitive practices in contractual licences.
21
Carlos M. Correa, Intellectual Property Rights, the WTO and Developing Countries (Zed
Books 2000) 3, 101, 111; Peter Drahos, ‘Developing countries and international intellectual
property standard–setting’ (2002) 5(5) J. World Intel. Prop. 765.
22
WIPO (World Intellectual Property Organisation) Copyright Treaty 1996, art 8.
23
Mihály Ficsor, The Law of Copyright and the Internet: The 1996 WIPO Treaties, their
Interpretation and Implementation (OUP 2002): The ‘making available’ right, is an ‘umbrella
solution’ because it contains a neutral description of interactive transmissions which in law is
neither to be characterised as distribution nor as communication to the public.
24
E.g. Taubman (n 2) 16–17; Easton (n 1) 273.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 3
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Copyright Act 1998 (DCMA)25 which initiated internet service providers’ (ISPs)
practices that have now become international norms,26 or the UK Digital Economy Act
2010.27 These provisions touch upon the enforcement of intellectual property rights
only and are outside the scope of this discussion.
One has to bear in mind here that the international intellectual property system is
designed to provide a regulatory framework in the context of trade and peaceful
activities. It is a part of international economic law, not of the law of war and peace. It
is therefore of no practical relevance to cyber attacks28 and cyber terrorism:29 persons
and countries engaged in such activities are naturally not concerned about private
intellectual property rights, they are more likely to flout them. The possibility of
redress for intellectual property infringements as a result of cyber attacks before a
(national) civilian court is usually remote (leaving aside the problem of jurisdiction),
and certainly has no deterrent effect. The question of cyber war has to be dealt with
according to rules of ‘classical’ international law, not under private law of which
intellectual property laws form a part.30
25
Most relevant is here §512 of the US Copyright Act 1976, introduced by the DCMA,
which provides that an internet service provider has no liability for damages for copyright
infringement where it hosts a web site containing infringing material and removes that material
without delay after having received a notification of the infringement from a copyright owner.
26
Dinwoodie (n 9) 207.
27
Relevant is here especially s. 17 which contains a power of the Secretary of State to make
a provision about a blocking injunction preventing access to locations on the internet that contain
copyright–infringing material.
28
See Roscini and Focarelli (Chs 11 and 12 of this book respectively).
29
See Saul and Heath (Ch 7 of this book).
30
See Part I – Cyberspace and General Principles of International Law of this book.
31
Mark A Lemley ‘Place and cyberspace’ (2003) 91 Cal. L. Rev., 521, 524 and references.
The ultimate intellectual root of that idea can be found in Jean–Jacques Rousseau, The Social
Contract, (Penguin 1968) 65–68 among other writings, although the Anglo–Saxon discussion
usually invokes John Locke, Second Treatise of Government, (Hackett Publishing 1980) Ch 5.
See also Tsagourias (Ch 1 of this book).
32
This is the effect of the concept of dematerialised property, see Andreas Rahmatian,
Copyright and Creativity. The Making of Property Rights in Creative Works, (Edward Elgar
2011) 1–25. See also Tsagourias (Ch 1 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 4
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 5 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
33
Keith Aoki, ‘Considering multiple and overlapping sovereignties: Liberalism, libertarian-
ism, national sovereignty, “global” intellectual property, and the internet’ (1998) 5 Ind. J. Global
Legal Stud. 443, 447–8.
34
Hugo Grotius, De jure belli ac pacis. Libri tres (Vol. II, ed. and trans. F. W. Kelsey et. al,
Oceana Publications 1964) 207.
35
Charles de Secondat Montesquieu, The Spirit of Laws (1st edn. 1748, ed. David W.
Carrithers, University of California Press 1977) book 26, 364.
36
Rousseau (n 31) book 1, 67, book 2, 69.
37
Morris R. Cohen, ‘Property and sovereignty’ (1927) 13 Cornell L. Q. 8, 12–13.
38
Rahmatian (n 32) 268–70. See also Aoki (n 33) 461.
39
The ICANN regime, for example, assumes a regulatory role that would traditionally have
been reserved to States. What has been said before has to be distinguished from virtual
sovereignty in a virtual world of a developer who created that virtual world (in computer games)
which uses the cyberspace. Discussion of that phenomenon by Wian Erlank, ‘Property and
sovereignty in virtual worlds’ in James C. Smith (ed.), Property and Sovereignty. Legal and
Cultural Perspectives (Ashgate 2013) 99, 116.
40
Universal Declaration of Human Rights (adopted 10 December 1948 UNGA Res 217
A(III) (UDHR) art 17: ‘Everyone has the right to own property alone as well as in association
with others. No one shall be arbitrarily deprived of his property’.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 5
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 6 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Covenant on Economic, Social and Cultural Rights 1966, contain property protection
provisions; the latter only has an oblique reference to patent and copyright protection in
Article 15(1).41 The protection of property is more clearly spelt out under the regime of
the European Convention on Human Rights – not in the Convention itself, but in
Article 1 of the First Protocol. According to that provision ‘every natural or legal
person is entitled to the peaceful enjoyment of his possessions’. The European Court of
Human Rights has extended the meaning of the term ‘possessions’ to cover intellectual
property rights, such as patents,42 trade marks and trade mark applications,43 and
copyright.44
41
Ibid. art 15(1)(c): ‘The parties to the Covenant on Economic, Social and Cultural Rights
recognise the right of everyone to benefit from the protection of the moral and material interests
resulting from any scientific, literary or artistic production of which he is the author.’
42
Smith Kline and French Laboratories Ltd. v. Netherlands (1990) 66 European Commis-
sion of Human Rights, DR 70.
43
Anheuser–Busch Inc. v. Portugal (2007) 45 EHHR, 36, [2007] ETMR 24 (Grand
Chamber). Discussion of this case in Andreas Rahmatian, ‘Trade marks and human rights’, in
Paul Torremans (ed.), Intellectual Property and Human Rights (Kluwer 2008) 345–7.
44
Balan v. Moldova [2009] ECDR 6.
45
Directive 2008/95/EC of the European Parliament and of the Council of 22 October 2008
to approximate the laws of the Member States relating to trade marks (codified version) (Trade
Marks Directive).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 6
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
intellectual property adheres formally to the territoriality principle,46 but with consid-
erable modifications.
In public international law the territoriality principle,47 itself a somewhat vague term,
means that certain types of State action within the exercise of the State’s sovereign
rights (statutes, court decisions, administrative acts and decisions) which generally
serve to advance State interests are normally effective only within the territory of the
acting State. The State is not subject to any other State, but free and sovereign. All
States are equal, and therefore respect each other’s sovereignty.48 An example of the
application of the territoriality principle is where State A seeks to expropriate private
property located in State B. Where such encroachments by foreign State A in the area
of private law are motivated by political or economic goals, State B need not give effect
to these.49 This is so with regard to tangible property, but there are also cases involving
intellectual property. For instance, the French Cour de Cassation said in Fondation Carl
Zeiss Stiftung v. Fondation Carl Zeiss Heidenheim that the expropriation of trade marks
by the German Democratic Republic was inoperative in France where these trade
marks had also been registered.50
However, the situation is more complex with intellectual property rights that are
regulated by international conventions. The international conventions, such as the Paris
and Berne or the European Patent Convention (EPC) 1973,51 are the root of a ‘bundle
theory’ of intellectual property that can be interpreted as the effect of the territoriality
principle:52 while traditional tangible property is valid everywhere or not at all
according to private international law, intellectual property is valid in form of a
‘bundle’ of independent rights within single States, subject (in principle) to the national
intellectual property law of the single State in question, and also subject to the private
international law of that State.53 Although the Berne Convention or the TRIPS
Agreement introduced minimum standards for the protection of copyright (‘inter-
national law’), the copyrights in question are still the national copyrights of the UK,
Canada or Australia (‘national laws’). Or, in the words of the English High Court: ‘The
concept of a world wide copyright is not acceptable as a matter of law, save to the
extent that there is any Convention or Treaty, such as the Berne Convention, recognised
46
Graeme B. Dinwoodie, ‘Developing a private international intellectual property law: The
demise of territoriality?’ (2009) 51 W. & Mary L. Rev. 711–800.
47
On territoriality principle in cyberspace see Kohl (Ch 2 of this book).
48
Gerhard Kegel and Ignaz Seidl-Hohenveldern, ‘On the territoriality principle in public
international law’ (1981) 5 Hastings Int’l & Comp. L. Rev., 245, 249–50.
49
Ibid. 253–4.
50
(1974) 47 Int’l. L. Rep. 129, 132; see also ibid. 276–7.
51
Signed on 5 October 1973; the EPC is technically outside the EU institutions and a
number of non–EU countries are also members of this intergovernmental treaty, including
Switzerland, Liechtenstein, Norway, Serbia and Turkey. All EU Member States are members of
the EPC. The EPC constitutes a special agreement within the meaning of art 19 of the Paris
Convention. See e.g. Kur and Dreier (n 17) 90–96.
52
Paris Convention (n 10) art 4bis(1) (for patents), art 6(3) (for trade marks); Berne
Convention (n 15) art 5(2) (for copyright).
53
Kegel and Seidl–Hohenveldern (n 48) 247; Dinwoodie (n 46) 734) Hugenholtz (2012: 9).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 7
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
in English law which has that sort of effect.’54 A result of this territoriality principle is
the generally accepted lex loci protectionis55 to determine the applicable law in
intellectual property infringement cases. But there are exceptions, for example the
courts in the US determine the law for copyright authorship and ownership according
to the lex originis.56 There is no definite rule either for the allocation of intellectual
property rights between employer and employee.57 The question whether and how the
lex loci protectionis is applied to determine the applicable law is obviously also
important with regard to dealings in intellectual property rights: for example, an
assignment of copyright is permitted under UK copyright law (and common), but void
under German author’s rights law.58
A loosening of the strict application of the lex loci protectionis also indicates a
certain relaxation of the territoriality principle from which it derives. A work protected
by copyright is the same work everywhere, but the same creation is protected by about
200 separate national copyrights.59 Registered intellectual property rights, such as
patents and trade marks that may be registered in numerous separate countries, also
relate to the same object (inventions in case of patents and signs in case of trade
marks).60 Increasing constraints by international conventions on individual States to
regulate intellectual property, extensive international harmonisation of substantive
intellectual property law, more frequent trans-border activity, especially through the
internet, and augmented commercial power of multinational companies, call the
justification of the classical territoriality principle into question.61
54
Peer International Corporation v. Termidor Music Publishers Ltd. [2002] EWHC 2675
(Ch) (first instance), para. 71. Further, ‘[a]t least in the view of English law, copyright is, of
necessity and by definition, a territorial concept, and in so far as it is English – or United
Kingdom – copyright, it is governed by English – or United Kingdom – law. Although it is an
abstract concept, English copyright could no more be removed from England than English real
property could be removed from England.’
55
The law of the country in which protection is sought (in German law called ‘Schutz-
land ’).
56
See the discussion of the application of the lex originis with regard to authorship and
ownership and works created by employees in different jurisdictions, with a preference of an
‘origin single law’ approach: Paul Torremans, ‘Authorship, ownership of right and works created
by employees: which law applies?’ (2005) 27(6) Eur. Intell. Prop. Rev. 220, 221.
57
See extensive discussion by Dinwoodie (n 46) 728–33 with examples from case law in
the US.
58
Andreas Rahmatian, ‘Dealing with rights in copyright-protected works: assignments and
licences’ in Estelle Derclaye, Research Handbook on the Future of EU Copyright (Edward Elgar
2009) 299–301.
59
The Berne Convention and the TRIPS Agreement secure a minimum standard of
copyright protection of the creation in all countries that are members of these conventions, while
the national copyright laws are the basis of the separate property (copyright) in each country.
60
Dinwoodie (n 46) 766–7.
61
Ibid. 769–71. For the loosening of the territoriality principle by the Uniform Domain
Name Dispute Resolution Policy and ICANN specifically, see Hong Xue, ‘Territorialism v.
Universalism: International intellectual property law in the internationalised domain name
system’ in Ysolde Gendreau (ed.), Intellectual Property: Bridging Aesthetics and Economics
(Les Éditions Thémis 2006) 257.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The case of the well-known trade mark is another example of the gradual disintegra-
tion of the traditional territoriality principle. Article 6 bis of the Paris Convention
contains an exception to the territoriality principle for well-known trade marks:62
protection is granted against the registration of a sign in country B that is liable to
create confusion with a well-known mark in country A in relation to identical or similar
goods for which that mark has been registered in country A.63 So there is no
registration in country B, yet the reputation of the mark registered in country A can
prevent the registration or use of a confusingly similar sign in country B. The TRIPS
Agreement 1994 took this further in that it extended this protection of the well-known
mark to classes of goods outside these for which it has been registered, and to classes
of services.64 The result is that the rules regarding well-known trademarks leave the
national laws confined to the respective territorialities and form a kind of global law.65
This rule introduced by TRIPS is already reflected in court decisions throughout the
world.66
The regional harmonisation of intellectual property laws by the supranational laws of
the EU is a special case. The law of trade marks is most advanced in this regard. The
Trade Mark Directive67 ‘approximates’ or harmonises the national trade mark laws of
the EU Member States, but rests on the territoriality principle. Only the EU Community
Trade Mark Regulation68 introduces a new EU wide trade mark right. If, however, the
community trade mark is declared invalid or revoked, the owner can request conversion
of his registration into national trade mark applications in other EU Member States in
which the mark is not tainted with invalidity or non-use.69 The Community Designs
Regulation70 has a unitary design protection similar to the unitary trade mark protection
under the Community Trade Mark Regulation. The recent development concerning the
unification of patent law in the EU,71 however, does not follow the direction of EU
62
For ascertaining whether a mark is well known, see Joint Recommendation concerning
Provisions on the Protection of Well–Known Marks 1999, art 2.
63
Paris Convention (n 10) art 6bis(1). Discussion by James E Danton, ‘The coming of age
of the global trademark: The effect of TRIPS on the well-known marks exception to the
principle of territoriality’ (2011) 20 Michigan State Int’l. L. Rev. 11, 17.
64
TRIPs Agreement (n 18) art 16(2) and (3).
65
Danton (n 63) 19–20; Graeme Dinwoodie, ‘Trademarks and territory: Detaching trade-
mark law from the nation state’ (2004) 41 Houston L. Rev., 885, 919.
66
See e.g. cases from South Africa, Russia, discussed by Danton (n 63) 20–25. The matter
is characteristically less clear in the US. The 2nd Circuit, in contrast to the 9th Circuit, did not
recognise the rule on well-known trademarks because it does not consider the TRIPS Agreement
as self-executing in US law. If the territoriality principle be overridden, Congress needs to
amend the Lanham Act (US Trade Marks Act) accordingly, ITC Ltd. v. Punchgini, Inc. 482 F.3d
135 (2d Cir. 2007), at 161–2. See discussion in Danton (n 63) 25–9.
67
Directive 2008/95/EC of the European Parliament and of the Council of 22 October 2008
(codified version).
68
Council Regulation (EC) no. 207/2009 of 26 February 2009 on the Community Trade
Mark (codified version).
69
Ibid. art 112.
70
Council Regulation (EC) No 6/2002 of 12 December 2001 on Community Designs.
71
On the history of the (attempted) unification of patent law in the EU, see Justine Pila,
‘The European patent: An old and vexing problem’ (2013) 62(4) I.C.L.Q. 917, 917.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position: 9
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
trade mark law. The relevant Regulation72 rather retains the existing EPC and the
national laws as its basis (though ‘with unitary effect’)73 and is therefore not an
autonomous system that creates a genuine EU patent, unlike the EU community trade
mark. Under the Unitary Patent Regulation we encounter several layers of protection:
the Regulation, the EPC, national laws of the EU Members States and private
international law.74
Most problematic is the case of copyright law in the EU. European copyright law is
still firmly based on the principle of territoriality.75 A harmonisation of national
copyright laws does not remove the principle of territoriality as such but can weaken it
somewhat. However, European copyright law has only been harmonised in relation to
specific areas, including computer programs, term of protection, rental and lending,
data bases, artists’ resale right, rights of reproduction and communication. The core
copyright law is not harmonised, let alone unified,76 for example dealings with
copyright (assignments and licences),77 copyright contracts, and moral rights, and it is
questionable whether such a harmonisation that goes to the foundations of the various
copyright protection philosophies and legal traditions is politically feasible at all. Since
the lex loci protectionis holds sway, a work made available on the internet affects as
many copyright laws as there are countries in which the work can be accessed online.
Copyright licences have to be sought in each EU country according to each individual
country’s legal provisions.78 For this reason, the Online Music Recommendation of the
European Commission gives some alleviation for music put online.79 This (non-
binding) recommendation requires collective rights management societies to permit
copyright holders to withdraw their online rights and grant them instead to a collective
rights manager operating at EU level.80 Now a new EU Directive, to be implemented
by the Member States by 10 April 2016, lays down requirements for multi-territorial
72
Regulation (EU) No 1257/2012 of 17 December 2012 implementing enhanced
cooperation in the area of the creation of unitary patent protection, OJ L 361.
73
See especially EPC (n 51) art 5(3): ‘participating Member State whose national law is
applicable to the European patent with unitary effect as an object of property in accordance with
Article 7’; Art 7(1): ‘A European patent with unitary effect as an object of property shall be
treated in its entirety and in all the participating Member States as a national patent of the
participating Member State in which the patent has unitary effect …’ See also Recital 8.
74
Katharina Kaesling, ‘The European patent with unitary effect – a unitary patent
protection for a unitary market?’ (2013) 2(1) UCL J. of L. & Jurisp. 87, 92.
75
Bernt P. Hugenholtz, ‘Harmonisation or unification of European Union copyright law’,
(2012) 38 Monash U. L. Rev. 4, 8.
76
See ibid. 4–8 for a discussion of advantages and disadvantages of harmonisation.
77
See Rahmatian (n 58) 315–6, questioning whether harmonisation in this area is fruitful
and desirable.
78
Hugenholtz (n 75) 9.
79
Commission Recommendation 2005/737/EC of 18 May 2005 on Collective Cross–border
Management of Copyright and Related Rights for Legitimate Online Music Services [2005] OJ L
276/54.
80
Hugenholtz (n 75) 10–11.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
10 / Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Just a few comments can be made here in relation to this area of the law, and only with
regard to EU Member States.84 We have touched upon the private international law rule
of the lex loci protectionis already because of the connection of the principle of
territoriality with private international law rules.85 The nature of the internet invariably
leads to multi-jurisdictional disputes.86 The jurisdiction of a court for litigation arising
from registration or invalidity of an intellectual property right (patent, trade mark,
design) in the EU is contained for most aspects in Article 22(4) of the Brussels I
Regulation,87 which provides that the court of the Member State in which registration is
sought has jurisdiction.88 Jurisdiction for litigation arising from infringement is
determined according to Article 2 of the Brussels I Regulation (jurisdiction of the
defendant’s domicile) which, however, does not specifically deal with infringement.89
There can be special jurisdiction because of a close connecting factor to the defendant
81
Directive 2014/26/EU of 26 February 2014 on collective management of copyright and
related rights and multi–territorial licensing of rights in musical works for online use in the
internal market, OJ L. 84/72, 20 March 2014, arts 1 and 43.
82
Starting with Infopaq International v. Danske Dagblades Forening [2009] ECDR 16
(Case C–5/08).
83
Andreas Rahmatian, ‘Originality in UK copyright law: The old “skill and labour”
doctrine under pressure’ (2013) 44 Int’l. Rev. of Intell. Prop. & Comp. L. 4, 4, and briefly below
under 3.
84
A treatise devoted to the private international law of intellectual property is Fawcett and
Torremans (n 5).
85
Dinwoodie (n 46) 725.
86
Julia Hörnle, ‘The jurisdictional challenge of the internet’ in Lilian Edwards and
Charlotte Waelde (eds.), Law and the Internet (3rd edn., Hart Publishing 2009) 122–3.
87
Brussels I Regulation on Jurisdiction and Enforcement of Judgments in Civil and
Commercial Matters (44/2001), OJ L 012, 16/01/2001.
88
Fawcett and Torremans (n 5) 10, 15.
89
Ibid. 143.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
11 / Date: 24/3
JOBNAME: Tsagourias PAGE: 12 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
other than his domicile.90 As to the applicable law, the intellectual property conventions
contain no specific choice of law rules, but only provisions which address part of the
matter, for example the national treatment rules of the Paris and Berne Conventions.91
Relevant connecting factors are: nationality, first publication (in case of copyright
works), headquarters and habitual residence, etc.92 The law of the protecting country is
applicable: lex loci protectionis.93 This applies to the acquisition, scope, transferability
and termination of patents, trade marks and copyright alike.94 The law applicable to a
claim arising from the infringement of an intellectual property right is the law of the
country for which protection is claimed.95
On the basis of these preliminary observations one can now discuss the substantive
law of the specific intellectual property rights which are relevant to the cyberspace.
As the technological carrier and much of the content of the cyberspace is computer
software, the principal intellectual property protection regime is that of copyright. This
is not self-evident as such. The technical nature of software would rather suggest
protection by patents, and patent protection is indeed available (beside copyright) in the
US,96 but not under the EPC.97 The thinking behind this decision was presumably that
usually a patent protection process (application, examination, registration) would be far
too slow and too costly to keep pace with the extreme speed of software development
– so software that would eventually obtain a patent would be long out of date. The
amendment to the EPC in 2000 preserved the exclusion of software from patent
protection. Since all members of the European Union and a few other countries have
acceded to this convention,98 this legal regime – software protection by copyright only,
90
Brussels I Regulation (n 87), arts 5 and 6. For the traditional rules on jurisdiction, in
countries where the EU Brussels I Regulation does not apply, see ibid. 259.
91
Ibid. 671. This complex issue cannot be discussed here.
92
Ibid. 672–3, 686–7.
93
Ibid. 676.
94
Fawcett and Torremans (n 5) 706, 727. The discussion is greatly simplified here.
95
Article 8(1) Rome II Regulation (Rome II Regulation governing non–contractual
obligations), Reg. (EC) 864/2007 [2007] OJ L 199/40. See also ibid. 804. Again, the discussion
is much simplified. On the infringement of foreign intellectual property rights outside the EU
framework, see Graeme W. Austin, ‘The infringement of foreign intellectual property rights’
(1997) 113 L.Q.R. 321, with case law from Australia and New Zealand.
96
US Patent Act 1952, § 101.
97
EPC (n 51) (2000 revision), art 52(2)(c).
98
Non–EU members of the EPC are, in the order of their accession date in brackets:
Switzerland (1977), Liechtenstein (1980), Monaco (1991), Turkey (2000), Iceland (2004),
Norway (2008), Macedonia (2009), San Marino (2009), Albania (2010), and Serbia (2010).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
12 / Date: 24/3
JOBNAME: Tsagourias PAGE: 13 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
not (also) by patents – has been implemented accordingly in the national laws in
Europe.99 The newly enacted EU Regulation that will introduce a unitary patent in the
EU100 has retained this position in this regard through its general reference to the
EPC.101 Hence in the following the discussion will concentrate on copyright. Copyright
arises automatically once the protection criteria are met, and attaches immediately to
software just produced. Although more appropriate for software than patents, copyright
is, however, not really suitable, but rather an artificial solution, as will be shown.
Therefore, right from the beginning of a discussion about the protection of software by
intellectual property rights, a sui generis protection for software had been suggested,
because it would have catered for software properly rather than squeezed software into
the protection regime of copyright which was not designed for it.102 However, these
suggestions have not been implemented.
Following the publication of the WIPO Model Provisions on the Protection of
Computer Programs in 1978,103 the consensus in the late 1980s was that copyright was
the most appropriate method for protection.104 The US introduced copyright protection
for software in the Computer Software Act 1980,105 which was followed by the EU
Directive on the legal protection of computer programs 1991 (Software Directive).106
This EU Directive postulates that computer programs be protected by copyright as
literary works, whereby the term ‘computer programs’ shall include preparatory design
material for computer programs.107 The implementation of this rule in the UK can be
found in section 3(1)(a) and (b) of the CDPA 1988.108 Technically, therefore, a
computer program is the same as a novel or a newspaper article for copyright purposes.
At international level, the TRIPS Agreement requires copyright protection of computer
programs (whether in source or object code)109 as literary works under the Berne
Convention.110 Substantially, the same rule is contained in the WIPO Copyright Treaty
1996.111
A sui generis protection does exist for databases under the Database Directive.112
Databases are defined as ‘a collection of independent works, data or other material
99
CDPA (n 7), s. 3(1)(b) and (c) for the UK.
100
Regulation (EU) No 1257/2012 of 17 December 2012 implementing enhanced
cooperation in the area of the creation of unitary patent protection, OJ L 361.
101
Ibid. art 7(1) and Recitals 5 and 8.
102
See especially the view in France in Michel Vivant and Jean-Michel Bruguière, Droit
d’auteur (2nd edn., Dalloz 2012) 256. For Germany, see e.g. Gerhard Schricker and Ulrich
Loewenheim (eds.), Urheberrecht. Kommentar (4th edn., C. H. Beck 2010) 1299–1300.
103
WIPO publication No. 814(E), 1978.
104
See e.g. Schricker and Loewenheim (n 102) 1304–5).
105
Pub. L. No. 96–517, 94 Stat. 3015, 3028 (1980).
106
Today Directive 2009/24/EC (codified version), originally 91/250/EEC.
107
Ibid. art 1(1).
108
CDPA (n 7) c. 48.
109
TRIPs Agreement (n 18) art 10(1).
110
The definition of literary (and artistic) works in the Berne Convention (n 15), the
principal international copyright convention (1971 text, with amendments 1979), can be found in
art 2(1).
111
WIPO Copyright Treaty (n 22) art 4.
112
Directive 96/9/EC (Database Directive), arts 1(2), 7.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
13 / Date: 6/5
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
113
Ibid. art 1(2).
114
Ibid art 3(1). On this specific copyright–originality requirement, see also immediately
below.
115
A brief outline (in English) of the most salient distinguishing features of these two
different regimes in Rahmatian (n 32) 36–60.
116
Vivant and Bruguière (n 102) 256. For an opposite view in France, see Nicolas Binctin,
Droit de la Propriété Intellectuelle (Lextensio Éditions 2010) 60.
117
CDPA (n 7), s. 1(1)(a); ss. 5A(2) (sound recordings), 5B(4) (films), 6(6) (broadcasts),
8(2) (published editions).
118
Ibid. s. 3(2).
119
See ibid. ss. 3–8.
120
Directive 2009/24/EC (n 106) art 1(3).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
14 / Date: 24/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
121
Database Directive (n 112), art 3(1). This is the copyright protection of databases, not the
separate sui generis database protection.
122
According to classical UK case law, see e.g. University of London Press v. University
Tutorial Press [1916] 2 Ch 601. Thus two photographers who photograph the Tower Bridge
from almost the same angle both obtain copyright because the photograph (artistic work) in each
case is the result of each photographer’s independent skill, labour and judgment. If photographer
A copies the photograph from photographer B, he infringes B’s copyright.
123
Lionel Bently and Brad Sherman, Intellectual Property Law (3rd edn., OUP 2009) 93–4.
124
Especially Infopaq International v. Danske Dagblades Forening (n 82); Bezpečnostní
softwarová asociace v. Svaz softwarové ochrany v. Ministerstvo kultury [2011] FSR 18 (Case
C–393/09); Painer v. Standard Verlags GmbH, Axel Springer AG, Süddeutsche Zeitung GmbH,
Spiegel–Verlag Rudolf Augstein GmbH & Co. KG, Verlag M. DuMont Schauberg Expedition der
Kölnischen Zeitung GmbH & Co KG [2012] ECDR 6 (C–145/10); Football Dataco Ltd and
others v. Yahoo! UK Ltd and others, 1 March 2012 (Case C–604/10), [2012] ECDR 10.
125
This highly complex problem has been discussed at length in Rahmatian (n 83) 7–22 et
passim.
126
Infopaq International v. Danske Dagblades Forening (n 82) para. 45.
127
Football Dataco Ltd and others v. Yahoo! UK Ltd and others (n 124) paras 26, 28–9.
128
Painer v. Standard Verlags GmbH, Axel Springer AG, Süddeutsche Zeitung GmbH,
Spiegel–Verlag Rudolf Augstein GmbH & Co. KG, Verlag M. DuMont Schauberg Expedition der
Kölnischen Zeitung GmbH & Co KG (n 124) paras 90–95.
129
Rahmatian (n 83) 29–32.
130
Estelle Derclaye, ‘Case Comment: Infopaq International A/S v. Danske Dagblades
Forening (C-5/08): wonderful or worrisome? The impact of the ECJ ruling in Infopaq on UK
copyright law’ (2010) 32(5) Eur. Intell. Prop. Rev. 247; Eleonora Rosati, ‘Towards an EU-wide
Copyright? (Judicial) pride and (legislative) prejudice’, (2013) 1 Intell. Prop. Q. 47.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
original in the sense of being the author’s own intellectual creation (and recorded in
writing or otherwise131).
The ‘author’ is the maker of the computer program (‘the natural person or group of
natural persons who has created the program’132). Because the computer program is
technically a literary work, the general rules for the duration of copyright apply:
copyright expires 70 years after the end of the calendar year in which the author
died.133 Here we have already one of the strange effects of the legal definition of
computer programs as literary works: if the computer programmer is, say, 18 at the
time of creating the software and dies at the age of 90, the effective protection period
is about 140 years. This is bizarre for software, and, in addition, that calculation applies
to the original release, not to updates which qualify as new copyright works in almost
all cases. The calculation of the duration of copyright is independent from copyright
ownership. The author, by default the first owner of the copyright,134 may in the
meantime have assigned the copyright in the software. Or, typically, the employer
obtains copyright directly by operation of law as soon as his employee programmer
creates the software.135 But in all cases copyright starts running with the end of the year
of the death of the author, whether he is copyright owner or not.
The legal abstraction that equates computer software with a traditional written or
printed text, like a novel or poem, is artificial not only in relation to the duration of
protection. That will become apparent when one considers what the object of protection
in case of a computer program really is, and what could constitute an infringement of
copyright. The owner of the software copyright is entitled to acts restricted to the
copyright owner, including copying, issuing copies of the work to the public, renting
and lending, adaptation.136 Anyone who performs any of these acts in relation to the
whole or a substantial part of the work, without authorisation or permission of the
copyright owner (licence, either against payment or for free), infringes the owner’s
copyright; the liability for such primary infringement is strict.137 ‘Copying’ means
reproducing the work in any material form, including storing the work in any medium
by electronic means; transient copies and copies incidental to some other use of the
work (typical for software), are also included.138 An internet service provider (ISP) can
avoid liability for infringing material he caches or hosts if, upon obtaining actual
knowledge, he ‘expeditiously’ removes or disables access to the material in question.139
131
See CDPA (n 7) s. 3(2).
132
Directive 2009/24/EC (n 106) art 2(1): the author of the computer program can also be a
legal person if the legislation of the EU member state so permits.
133
CDPA (n 7) s. 12(2), implementing the EU Term Directive, 2006/116/EC art 1(1).
134
Ibid. s. 11(1).
135
According to the employee–copyright provisions of s. 11(2). The situation is normally
different in continental European author’s rights countries.
136
Ibid. ss. 16 et seq.
137
Ibid. s. 16(2) and (3): Liability for secondary infringement requires knowledge or having
reason to believe that the copy is an infringing one. Secondary infringement includes the import,
possession, dealing with an infringing copy, providing the means for making infringing copies,
etc.
138
Ibid. s. 17(2) and (6), see also Directive 2009/24/EC (n 106) art 4.
139
Directive 2000/31/EC on Electronic Commerce arts 13(1)(e), 14(1)(b).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Generally, ISPs have no liability for the information transmitted if they do not initiate
the transmission, do not select the receiver of the transmission or do not select or
modify the information contained in the transmission; furthermore, they do not have a
general obligation to monitor the information transmitted.140 The problem with the
‘notify-and-take down’ approach is that ISPs too quickly act upon notices without
ascertaining whether the claims have any substance.141
The problems arise with non-literal copying of software – literal copying, such as
downloading, etc. is obviously copyright infringement. In case of traditional literary
works, non-literal copying means that a qualitatively, not only quantitatively, substan-
tial part of the pre-existing work has been used. So, for example, a historical novel
using historic events or legends cannot monopolise these; a new novelist can write
about them, but by rendering that material in different modes of expression, such as
different wording and language, different scenic events, different selection and arrange-
ment of the material used and so forth.142 This is an application of the idea-expression
dichotomy in copyright law: ideas are not protected by copyright, while expressions
are.143 ‘Ideas’ in this context are concepts, historical facts, plots of a story, techniques,
harmonic standard progressions in music – generally procedures, systems, principles,
intellectual building blocks for the creation of a work. Hence one is free to write a
historical novel about Henry VIII, using known historical facts (idea), but one cannot
take over the wording and sequence of scenes of a pre-existing historical novel about
Henry VIII (expression). When a new work enters the realm of expression of a
pre-existing work (and infringes copyright) or when it remains in the free realm of
ideas, is ultimately a normative question decided by the courts considering the specific
case.
The curious situation copyright creates is that the idea–expression dichotomy
principle shall apply to computer programs in the same way, something IT practitioners
and programmers often find contrived and puzzling. This application of the idea–
expression dichotomy is the result of software having the same status in copyright as
traditional literary works, and it is even prescribed expressly by the Software Directive
itself.144 Since then the courts have struggled to accommodate this rule.145 Following
140
Ibid. arts 12(1), 15.
141
Lilian Edwards, ‘The fall and rise of intermediary liability online’ in Edwards and
Waelde (n 2) 75.
142
Ravenscroft v. Herbert [1980] RPC 193; Baigent v. Random House Group Ltd. [2006]
EMLR 16 (High Court), [2007] FSR 24 (CA) (the latter case involved Dan Brown’s novel ‘Da
Vinci Code’).
143
This principal rule applies in copyright and author’s rights jurisdictions alike, see
Rahmatian (n 32) 125–6, although statutory expression of this rule for copyright in general is
only given in the US Copyright Act 1976, 17 USC § 102(b) and the TRIPs Agreement (n 18) art
9(2).
144
Directive 2009/24/EC (n 106) art 1(2): ‘Ideas and principles which underlie any element
of a computer program, including those which underlie its interfaces, are not protected by
copyright under this Directive.’
145
Sometimes the application of the idea–expression dichotomy to computer programs is
referred to as the ‘look–and–feel’ protection of computer programs, see Arne Kolb, ‘Protection
of Computer Software’ in Edwards and Waelde (n 2) 342.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
146
Computer Associates Inc. v. Altai Inc. 982 F. 2d 693 (1992), 20 U.S.P.Q. 2d 1641 (1992).
The next few lines follow Rahmatian (n 32) 136–7, which contains slightly more discussion.
147
John Richardson Computers Ltd v. Flanders [1992] FSR 497: Abstraction: discovering
non-literal elements through a kind of reverse engineering; filtration: separation of protectable
expression from non-protectable material; comparison: ascertainment of whether the defendant
has copied a substantial part of the protected expression.
148
Ibcos Computers v. Barclays Mercantile [1994] FSR 275.
149
Cantor Fitzgerald International v. Tradition (UK) Ltd. [2000] RPC 95, at 134–5;
Navitaire Inc. v. EasyJet Airline Co, Bulletproof Technologies Inc, [2004] EWHC 1725 (Ch),
[2006] RPC 111, paras 118–126; Nova Productions Ltd. v. Mazooma Games Ltd. [2007] EWCA
Civ. 219, paras 35–36, 41.
150
Navitaire Inc. v. Easyjet Airline Co, Bulletproof Technologies Inc, [2004] EWHC 1725
(Ch), [2005] ECDR 17, [2006] RPC 111, paras 79, 81, 83, 92.
151
SAS Institute v. World Programming Ltd. [2010] EWHC 1829 (Ch), at paras 206–207,
217.
152
Ibid. para. 198.
153
Ibid. para. 217.
154
Directive 2009/24/EC (n 106) art 1(2).
155
CJEU in SAS Institute v. World Programming Ltd. (Case C–406/10), [2012] RPC 31,
[2012] ECDR 22, paras 39–40, 71.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
18 / Date: 24/3
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
to the extent to which one can make one’s own program appear to be relying only on
the underlying ideas of a pre-existing program. That can in some cases nevertheless
inflict considerable commercial damage on the owner of the computer program. Since
national intellectual property laws, albeit harmonised at European level in some
measure, struggle in each jurisdiction with intricate details when ascertaining the extent
of protection afforded, it is practically impossible that international law would be able
to intervene more efficiently and clarify or, where desired, strengthen the position of
copyright owners in such cases.
Finally, it needs to be noted that a user can do any of the acts restricted to the
copyright owner without the owner’s permission if he can avail himself of a defence,
that is, his act falls into one of the permitted acts provided by copyright statute. There
are specific permitted acts with regard to computer programs. It is not an infringement
to make a backup copy necessary for lawful use,156 or to decompile the program (that
is, the conversion of the program from a low-level language to a high-level one which
involves incidental copying of the program) for the sole purpose of obtaining the
information necessary to enable the creation of another program interoperable with the
original one.157 Furthermore, the observation, study or testing of the program while
loading, displaying, running, etc. the program,158 and copying and adaptation as
necessary for lawful use159 are not infringements. These specific defences concerning
the use of computer programs reflect the provisions in the EU Software Directive.160
The Information Society Directive, following equivalent US legislation,161 introduced
a protection against the circumvention of technological measures which limit or prevent
acts restricted to the copyright owner.162 Thus circumventing an electronic copy
protection has in itself been made unlawful, irrespective of the underlying work which
may or may not be in copyright. This can conflict with the legitimate exercise of
permitted acts, such as fair dealing of the underlying work (e.g. a novel in electronic
format, a computer program) for research and private study163 or for criticism and
review,164 or the defence of making a back-up copy.165 Where the technological
measure does not allow the legitimate exercise of a permitted act in relation to the
underlying work, the user is entitled in the UK to issue a notice of complaint to the
156
CDPA (n 7) s. 50A.
157
Ibid. s. 50B.
158
Ibid. s. 50BA. The acts are permitted under this defence on condition that the person does
not infringe the exclusive rights of the owner of the copyright in the program, see SAS Institute
v. World Programming Ltd., CJEU (Case C–406/10), [2012] RPC 31, [2012] ECDR 22, paras 56,
71, with reference to the equivalent provision in the Directive 2009/24/EC (n 106) art 5(3).
159
Ibid. s. 50C. The defence in s. 50C can be contractually excluded.
160
Directive 2009/24/EC (n 106) arts 5 and 6.
161
Digital Millennium Copyright Act 1998 (DCMA), Pub. L. No. 105–304, 112 Stat. 2860
(Oct. 28, 1998).
162
Directive 2001/29/EC, art 6, implemented in the UK in CDPA (n 7) ss. 296, 296ZA et
seq.
163
CDPA (n 7) s. 29.
164
Ibid. s. 30.
165
Ibid. s. 50A.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
19 / Date: 24/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
relevant Secretary of State.166 The reader may guess how practical this rule is. In any
case, if the underlying work is a computer program, this rule does not apply.167
166
Ibid. s. 296ZE (1) and (2).
167
Ibid. s. 296ZE (2).
168
EPC (n 51) (revised in 2000), art 52(2)(c) and (3). Implemented in the UK by Patents Act
1977, s. 1(2)(c) and proviso.
169
IBM / Computer Program Product [1999] TI173/97, European Patent Office, Technical
Board of Appeal.
170
[1986] T208/84, European Patent Office, Technical Board of Appeal.
171
Ibid. para. 16.
172
Ibid. para. 5.
173
Discussion of UK cases in this area, see e.g. Kolb (n 145) 351–8.
174
Trade marks can be registered or unregistered. The former are protected according the
infringement provisions of the trade mark statutes (in the UK, TMA 1994, s. 10), the latter are
protected (in Common Law countries) by passing off.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
20 / Date: 24/3
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
those of other undertakings.175 Domain names are a different and more user-friendly
expression of internet protocol addresses (unique numbers that identify each computer
linked to the internet) which indicate the location of a given website.176 The question of
infringement arises if a domain name is confusingly similar or identical to a trade
mark. Very often this is even intended by the registrant of the domain name: he
registers (in bad faith) a domain name that is identical to a known trademark or trade
name of a company and then offers that company the domain name against payment of
a large sum of money – ‘cybersquatting’.177 In the UK the principal decision in this
regard is BT (and others) v. One in A Million: where there is clear evidence of
systematic registration by the appellants of well-known trade names for blocking
registrations and for extracting money from the owners of the goodwill in the chosen
name that is a threat to exploit the goodwill by trading under that name. The registering
of a distinctive name makes a representation to persons who consult the register that the
registrant is connected or associated with the name registered and thus the owner of the
goodwill in the name. This amounts to passing off, and also to trade mark infringe-
ment.178
Usually conflicts between trademarks and domain names are resolved according to
the Uniform Domain Name Dispute Resolution Policy (UDRP) which operates
worldwide. The registrant submits to this process on registration of his domain name.
Where the registrant’s domain name is identical or confusingly similar to the
complainant’s trade mark, and the registrant has no legitimate interests in the domain
name, and the domain name has been registered and is being used in bad faith, UDRP
will cancel, transfer or change the domain name.179 Although the law on infringement
is clear, it is also obvious that in fact cybersquatting opens up a large field of potential
cyber war activities.
175
For Europe, see Directive 2008/95/ EC (Trade Mark Directive), art 2. In the UK TMA
1994, s. 1, implementing this Directive.
176
See e.g. Caroline Wilson, ‘Domain names and trade marks: An uncomfortable inter-
relationship’ in Edwards and Waelde (n 2) 313.
177
Common is also ‘typosquatting’: the registration of a misspelt version of an existing
domain name or an existing trade mark (whether registered or not). The recent rise of websites
in languages written in the Cyrillic script has increased the opportunities for cybersquatters, as
the internet has been conceived on the basis of the Latin script, see Oleksandr Pastukhov,
‘Internationalised domain names: The window of opportunity for cybersquatters’, (2006) 4
Intell. Prop. Q. 421.
178
BT (and others) v. One in A Million and others [1999] 1 WLR 903, at 924–926, CA.
Discussion of other cases on cyberpiracy in the US and the UK, see Anan S Younes,
‘Trademarks and domain names: Exploring the inadequacy of existing protection for the
economic value of trade marks’ (2012) 34(12) Eur. Intell. Prop. Rev. 847, 849–50.
179
UDRP policy as approved by ICANN (Internet Corporation for Assigned Names and
Numbers), <http://www.icann.org/en/help/dndr/udrp/policy> accessed 7 February 2014, paras 3,
4(a) and (i).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
21 / Date: 24/3
JOBNAME: Tsagourias PAGE: 22 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
7. CONCLUSION
The real problem the cyberspace creates for intellectual property right holders is the
enforcement of their rights. The cyberspace necessarily operates worldwide, while
intellectual property rights are still territorial in nature, although intellectual property
protection has been standardised by international conventions, especially the TRIPs
Agreement. This standardisation has also loosened the territoriality principle which
governs intellectual property rights. An international regulation of the cyberspace
would have to address the problem of the territoriality of intellectual property rights.
Any attempt at the international regulation of the cyberspace and its interaction with
intellectual property rights would face the same legal and political problems as the
negotiation of any other international convention, and, perhaps, the establishment of an
international organisation for the monitoring and policing of such a convention. But in
such a context one could seek to regulate questions of cyber attacks and cyber war
through international law.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter4 /Pg. Position:
22 / Date: 6/5
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
As policy areas, cyberspace and human rights have become so intertwined that
understanding one requires sustained attention to the other. This observation holds even
though human rights are not dependent on any technology, and the technologies
producing cyberspace have no ‘hard wired’ ideology. This chapter analyses the
relationship between cyberspace and human rights – an interconnection forged during a
unique historical moment that exhibits increasing controversy as world politics experi-
ences shifting power and ideas. The relationship has evolved, from early visions of
cyberspace as an unprecedented realm for human rights to today’s struggles to protect
rights in a cyberspace shaped by divergent interests colliding in a multipolar world
increasingly dependent on cyber technologies.
The chapter argues that the Internet – the technical infrastructure that facilitates
cyberspace – is the most consequential communications technology to emerge during
the human rights era (Part 2). The Internet’s importance to human rights is as much a
function of chronology as technology. This largely American innovation became a
global phenomenon in the post-Cold War world dominated by US power, interests and
ideology, including US perspectives on democracy and human rights.
The human rights consequences of the Internet’s emergence are apparent in two
contexts. First, cyberspace challenges general principles of international law important
for human rights, including sovereignty, non-intervention and jurisdiction (Part 3).
Second, cyberspace emerges in the human rights regime – the international law,
institutions and processes associated with protecting human rights (Part 4). The human
rights ‘footprint’ of cyberspace is so large that experts debate whether Internet access
is, or should be, a new human right.
The cyberspace-human rights relationship extends beyond the human rights regime
because activities in other policy areas create human rights issues. This chapter
considers three such areas – Internet governance, cybersecurity and trade and com-
merce in cyber technologies and services – in order to identify how such issues arise
across different areas of international politics (Part 5). In these areas, controversies
emerged but have not been resolved, raising questions about the effectiveness of human
rights law in cyberspace.
The chapter concludes by assessing the trajectory of the cyberspace-human rights
relationship since it emerged in the late 1990s and speculating about its future. An
important trend is that human rights controversies have multiplied as Internet access
and use have increased. Recent developments, especially Edward Snowden’s revela-
tions, have also altered this relationship, especially aspects connected with US policy,
interests and reputation in cyberspace. Rather than being an exceptional technological
94
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 1
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
1
Wolfgang Kleinwächter, ‘The history of internet governance’ in Christian Möller and
Arnaud Amouroux (eds.), Governing the Internet: Freedom and Regulation in the OSCE (OSCE
2007).
2
Barry Leiner et al., ‘Brief history of the internet’ (15 October 2012) Internet Society
<http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet#LK
61> accessed 1 March 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 2
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
packets, transmitted over different routes in the networks, and reassembled at the
destination. With standardized communication protocols, this approach is robust,
achieves scale geographically and in numbers of users and supports many applications,
such as email.3 The development of the World Wide Web improved Internet accessibil-
ity and expanded its use.4
One way to sense how the Internet differs is to appreciate how it supports
communication previously undertaken through earlier technologies. People now listen
to the radio, watch television programs and make person-to-person video and voice
calls over the Internet. It is the most multi-functional communication technology ever
invented. In addition, the nature, interoperability and scalability of the component
technologies mean the Internet can link millions of people around the world, an
accessibility and connectivity no previous technology achieved. The Internet is a
technology of versatile capabilities and mass participation.
Although it has Cold War origins, the Internet did not emerge as a national and
global phenomenon until the 1990s, the first decade of the post-Cold War world.
Geopolitically, the dominance of US power, interests and ideas and the absence of great
power competition characterized this period. The international environment in which
the Internet came of age was, thus, unlike the political contexts that affected previous
communication innovations. In addition, because it was an American invention, US
political dominance facilitated the Internet’s rise to global prominence. The Internet
had space in the post-Cold War period to take root politically and expand globally, and
the Internet’s technologies did not create technical barriers to exploiting that space.
The end of the Cold War also opened room for other aspects of international
relations, including human rights. The Soviet Union’s collapse freed human rights
efforts from the ideological, zero-sum game the bipolar system often made human
rights politics. The Vienna Conference on Human Rights in 1993 – the first major
human rights meeting to convene after the Cold War ended – recognized ‘the major
changes taking place on the international scene’ and reflected the new energy the Cold
War’s end brought to human rights.5
3
David G. Post, In Search of Jefferson’s Moose: Notes on the State of Cyberspace (OUP
2009).
4
‘History of the Web’ (World Wide Web Foundation) <http://www.webfoundation.org/
vision/history-of-the-web/> accessed 1 March 2014.
5
World Conference on Human Rights, Vienna Declaration and Programme of Action, 25
June 1993.
6
John P. Barlow, ‘A declaration of the independence of cyberspace,’ (8 February 1996)
Electronic Frontier Foundation <https://projects.eff.org/~barlow/Declaration-Final.html> accessed
22 August 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 3
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
7
Kenneth N. Waltz, Man, the State and War: A Theoretical Analysis (Columbia UP 1959).
8
Kleinwächter (n 1) 41.
9
Tom Gjelten, ‘Shadow Wars: Debating cyber “disarmament”’ (2010) World Affairs
<http://www.worldaffairsjournal.org/article/shadow-wars-debating-cyber-disarmament> accessed
1 March 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 4
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
10
On legal status of cyberspace see Tsagourias (Ch 1 of this book).
11
Post (n 3) 164 (discussing French case against Yahoo! concerning Nazi memorabilia on an
auction website).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 5
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
rights and cyberspace link, spill over occurs that heightens the pressure the combination
creates for Westphalian principles. Cyberspace begins to take on political significance
related to human rights the underlying technologies do not intrinsically have. Likewise,
human rights take on a technological imperative perhaps unprecedented for this field, a
development captured in the debate whether Internet access is a distinct human right
(see Part 4).
The existence of these challenges to general principles of international law does not
mean the challenges overwhelm the principles. The human rights movement still
confronts friction from appeals to sovereignty and non-intervention. For example, the
effort to re-calibrate human rights demands and sovereignty claims through the
principle of the responsibility to protect has proved controversial. In terms of
cyberspace, this chapter explores below how authoritarian States are increasing Internet
access while strengthening their control and manipulation of cyberspace, which
suggests cyberspace – even informed by human rights – has not killed sovereignty.
Understanding how the cyberspace-human rights relationship affects international law
also requires analysing specific areas of the law, a task the chapter addresses next.
International law recognizes civil and political rights directly connected with commu-
nications – the rights to freedom of expression and privacy. These rights protect private
and public communications from government interference, and these protections
facilitate enjoyment of other civil and political rights, including the rights to: freedom
of opinion; freedom of thought, conscience and religion; freedom of association; and
taking part in public affairs. Freedom of expression and privacy also facilitate
enjoyment of economic, social and cultural rights, including the rights to education and
taking part in cultural life.
As an accessible, multi-functional communication platform, the Internet provides
people with opportunities to share and receive information and associate with others.
Increasing use of Internet-based communication makes the right to privacy a central
cyberspace issue. Growing personal and social dependence on online communication
heightens the importance of civil and political rights in cyberspace. The emphasis the
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 6
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
‘Internet freedom’ approach to Internet governance gives to civil and political rights
demonstrates the extent to which these rights affect political discourse about cyber-
space.
It is an unfortunate truth that today, many countries censor Internet content – dictatorships
and democracies alike – and the number of countries doing so is growing every year. This set
of censorial regimes includes the obvious – repressive regimes like China, North Korea, and
others … but also those countries we might least expect, including liberal democracies like
the U.K., other western democracies, Asian democracies like South Korea, as well as Canada
and Australia.15
Identifying Internet censorship in democracies and authoritarian States does not mean
that both kinds of States restrict freedom of expression equally or in the same ways.
The point is that rules on freedom of expression operate in more complicated ways than
the ‘freedom v sovereignty’ dichotomy captures. National differences on freedom of
expression demonstrate that international law accords some deference to sovereignty –
what the European Court of Human Rights (ECtHR) calls the ‘margin of appreciation’
in protecting freedom of expression and other civil and political rights. The explosion
of online communications has not produced harmonization on the scope of freedom of
expression. In fact, the way the Internet makes all forms of information more accessible
can heighten State interests in restricting the right to send or receive certain kinds of
information. National differences on the freedom of expression also highlight how this
12
See articles in ‘Symposium: An ocean apart? Freedom of expression in Europe and the
United States’ (2009) Indiana L. J. 803.
13
International Covenant on Civil and Political Rights, 16 December 1966, 999 UNTS 171
[ICCPR] art 19.
14
European Convention on Human Rights and Fundamental Freedoms, 4 November 1950,
213 UNTS 221 art 10.
15
Dawn C. Nunziato, ‘How (not) to censor: Procedural First Amendment values and internet
censorship’ (2011) Georgetown J. Int’l. L. 1124, 1126.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 7
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
[I]n many instances, States restrict, control, manipulate and censor context disseminated via
the Internet, without any legal basis, or on the basis of broad and ambiguous laws, without
justifying the purpose of such actions, and / or in a manner that is clearly unnecessary and /
or disproportionate to achieving the intended aim … Such actions are clearly incompatible
16
ICCPR (n 13) art 19.3.
17
Human Rights Council, Report of the Special Rapporteur on the Promotion and
Protection of the Right to Freedom of Opinion and Expression, UN Doc. A/HRC/17/27, 16 May
2011, para. 24 [Special Rapporteur’s Report]. See also Human Rights Committee, General
Comment No 34 on Article 19: Freedoms of Opinion and Expression, UN Doc. CCPR/C/GC/34,
12 September 2011, paras 21–36.
18
Ahmet Yildirim v. Turkey App no 3111/10 (ECHR, 18 December 2012).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
with States’ obligations under international human rights law, and often create a broader
‘chilling effect’ on the right to freedom of opinion and expression.19
19
Special Rapporteur’s Report (n 17), para. 26.
20
Freedom House, Freedom on the Net (Freedom House 2012) 1.
21
Ibid. 2.
22
Freedom House, Freedom on the Net (Freedom House 2013) 1.
23
Ibid. 2.
24
Special Rapporteur’s Report (n 17); Freedom House (n 20); Freedom House (n 22).
25
ITU, ‘Percentage of Individuals Using the Internet, 2000–2012’ <http://www.itu.int/en/
ITU-D/Statistics/Pages/stat/default.aspx> accessed 1 March 2014.
26
Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom (Public Affairs
2011) (analyzing authoritarian governments’ increasing control over Internet activities).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position: 9
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
These principles create negative and positive duties. First, ICCPR States parties cannot
restrict the right to privacy unless government interference relates to a legitimate
purpose and complies with procedural requirements. Legitimate purposes centre on
surveillance for criminal law enforcement, counter-intelligence and national security
(e.g., counter-terrorism). The procedural requirements mandate the need for: (1) a legal
basis for surveillance; (2) authorization to conduct the surveillance (e.g., a court order);
and (3) the surveillance to be necessary, meaning the interference with privacy must be
proportionate to the objectives sought.
Second, the ICCPR requires States parties to protect personal information stored,
transmitted, processed and used by governments or non-governmental actors (e.g.,
companies) from unlawful access and use. For the government, this requirement creates
27
ICCPR (n 13) art 17.
28
Smith v. Maryland 442 US 735 (1979).
29
Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data, 28 January 1981, ETS no 108.
30
Council Directive (EC) 95/46/EC on the protection of individuals with regard to the
processing of personal data and on the free movement of such data [1995] OJ L281/31.
31
ICCPR (n 13) art 17.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
10 / Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
positive obligations to: (1) protect personal data collected, stored, processed and used
by government agencies; and (2) regulate third parties to ensure protection of personal
data from unlawful access and use. The ICCPR also requires governments to allow
individuals to ascertain what government agencies or third parties have their data and to
have data revised if incorrect or purged if held or used without legal authorization.
As with many aspects of the human rights regime, describing international legal
doctrine on privacy does not convey the reality of government practices. A long-
standing problem with surveillance has been expansive readings of the legitimate
purposes. Authoritarian governments often interpret these purposes broadly and the
procedural requirements narrowly (if they recognize them at all) in order to justify
surveillance against persons or groups considered actual or possible political oppo-
nents. Privacy advocates also lament inadequate legal protections for personal infor-
mation stored, processed or used by governments or private-sector entities. The
differences between the US and the EU on legal requirements for private sector
handling of personal data represent one example of the divergence that exists on this
aspect of privacy.32 As with freedom of expression, such differences among countries
on the substantive and procedural aspects of privacy reinforce, in practice, the
principles of sovereignty, non-intervention and territorial jurisdiction.
The movement of communication online creates, however, problems for privacy
arising from use of digital technologies linked through the Internet. Privacy contributes
to human dignity by protecting individual autonomy from government interference and
private efforts to profit from or exploit personal information. Protecting autonomy
becomes more difficult when individuals generate and share massive amounts of
information through Internet-facilitated technologies to communicate and engage in
transactions. The proliferation of these technologies, and increasing dependence on
them, accelerates this phenomenon. Massive production of digital data produces
opportunities for large-scale public and private storage, processing, analysis, utilization
and surveillance. These opportunities create commercial, law enforcement and national
security incentives to access and ‘mine’ this data, which places strains on rules
designed to protect privacy – at least in countries where such rules matter. Further,
concerns about cyber crime and cyber espionage33 indicate that protecting Internet-
linked streams and reservoirs of digital data from unauthorized access and exploitation
– as the right to privacy mandates – is difficult. These problems form part of debates
about the future of privacy in the age of Internet communication.
The human rights regime includes economic, social and cultural (ESC) rights, and the
leading multilateral treaty is the International Covenant on Economic, Social and
32
Paul M. Schwartz, ‘The E.U.-US privacy collision: A turn to institutions and procedures’
(2013) Harvard L. Rev. 1966.
33
On cyber espionage and international law see Buchan (Ch 8 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
11 / Date: 24/3
JOBNAME: Tsagourias PAGE: 12 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Cultural Rights (ICESCR).34 ICESCR States parties accept general obligations, includ-
ing the principles of non-discrimination35 and progressive realization, or the duty to
‘take steps… to the maximum of its available resources’ to achieve progressively full
realization of the rights recognized in the treaty.36 These rights promote human
development and include the rights to: work; just and favourable working conditions;
social security; an adequate standard of living; the highest attainable standard of health;
education; to partake in cultural life; and enjoy the benefits of scientific progress.37
+ Are based on clear, accessible laws that are not discriminatory, arbitrary or
unreasonable and provide remedies for illegal or abusive actions;
+ Promote the population’s general welfare;
34
International Covenant on Economic, Social and Cultural Rights, 16 December 1966, 993
UNTS 3 [ICESCR].
35
Ibid. art 2.2.
36
Ibid. art 2.1.
37
Ibid. arts 6–15.
38
Committee on Economic, Social and Cultural Rights, General Comment No 14: The Right
to the Highest Attainable Standard of Health, UN Doc. E/C.12/2000/4, 11 August 2000, para. 34.
39
Ibid. para. 35.
40
Ibid. paras 36–37.
41
Committee on Economic, Social and Cultural Rights, General Comment No 3 on the
Nature of State Parties Obligations (art 2, para. 1), Report of the Fifth Session, Supp No 3,
Annex III, para. 10, UN Doc. E/1991/23.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
12 / Date: 6/5
JOBNAME: Tsagourias PAGE: 13 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
This description of basic ICESCR principles does not communicate controversies that
international law on ESC rights has long experienced. Despite the right to health being
in the Constitution of the World Health Organization (1946), the Universal Declaration
of Human Rights (UDHR, 1948) and the ICESCR (1966), a 1999 study argued that this
right suffered from a ‘lack of conceptual clarity and… weak international and national
implementation’.43 The principle of progressive realization has been at the heart of
many ESC rights controversies. The idea that enjoyment of ESC rights is linked to the
level of a country’s economic development made them seem, to many, as political
aspirations rather than rights. Further, critics have argued that, without protections for
civil and political rights, ESC rights are not secure. For example, without freedom of
expression, the peoples’ ability to change government policies is undermined. Under
the margin of discretion, States can use the principles of sovereignty and non-
intervention to deflect outside concerns about government failure to protect, respect and
fulfil ESC rights, which weakens the international community’s ability to monitor
compliance.
42
ICESCR (n 34) art 4; Limburg Principles on the Implementation of the International
Covenant on Economic, Social and Cultural Rights <http://www.escr-net.org/docs/i/425445>
accessed 1 March 2014.
43
Brigit C. A. Toebes, The Right to Health as a Human Right in International Law (Hart
Publishing 1999) 85.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
13 / Date: 24/3
JOBNAME: Tsagourias PAGE: 14 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
asked what Djibouti was ‘doing to facilitate access to the internet, particularly for
marginalized and disadvantaged groups’.44 The Djibouti Government responded:
Concerning internet access, the Government had obliged the national internet provider to cut
its rates by 50 per cent so that everyone, including students, could access the internet at a
very low cost. A wireless system was widely available in schools and universities. Djibouti
constantly worked to ensure that internet access was available in the more remote areas of the
country.45
(iii) The ‘digital divide,’ ESC rights and the right to development
Achieving human development through ESC rights connects to the ‘digital divide’
problem in development policy. The digital divide refers to the gap between developed
and developing countries in access to information and communications technologies
(ICTs), including the Internet. It also encompasses the ICT gap within countries
between, for example, more affluent urban areas and poorer rural areas. Reducing the
digital divide has become part of development strategies, including how increasing
access to ICTs (especially to broadband Internet) can contribute to achieving, for
example, the Millennium Development Goals and sustainable development objectives.
44
Office of the High Commissioner for Human Rights, ‘Committee on Economic, Social
and Cultural Rights Examines Report of Djibouti,’ (12 November 2013) <http://www.ohchr.org/
EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=13978&LangID=E> accessed 1 March 2014.
45
Ibid.
46
See, e.g., Office of the High Commissioner for Human Rights, ‘Committee on Economic,
Social and Cultural Rights Examines Second to Fourth Periodic Report of Egypt,’ (14 November
2013) <http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=13989&Lang
ID=E> accessed 1 March 2014.
47
Committee on Economic, Social and Cultural Rights, Guidelines on Treaty-Specific
Documents to be Submitted by States Parties under Articles 16 and 17 of the International
Covenant on Economic, Social, and Cultural Rights, UN Doc. E/C.12/2008/2, 24 March 2009,
para. 67.
48
Of the ten general comments the ESCR Committee has issued since 1999, only General
Comment No. 21 on the right to take part in cultural life mentions the Internet. Committee on
Economic, Social and Cultural Rights, General Comment No. 21 on the Right of Everyone to
Partake in Cultural Life, UN Doc. E/C.12/GC/21, 21 December 2009.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
14 / Date: 6/5
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The digital divide problem highlights not only the importance of cyberspace to ESC
rights but also the Internet’s role in the ‘right to development’. The UN General
Assembly declared in 1986 that everyone and all peoples have an inalienable right to
‘participate in, contribute to, and enjoy economic, social, cultural and political
development’.49 According to the UN High Commissioner for Human Rights:
Since the adoption of that landmark document, a debate has been raging in the halls of the
United Nations and beyond. On one side, proponents of the right to development assert its
relevance (or even primacy) and, on the other, sceptics (and rejectionists) relegate this right to
secondary importance, or even deny its very existence. Unfortunately … that debate has done
little to free the right to development from the conceptual mud and political quicksand in
which it has been mired all these years.50
This ongoing controversy has not prevented human rights advocates from making
cyberspace important to the right to development. The Human Rights Council
recognized ‘the global and open nature of Internet as a driving force in accelerating
progress towards development in its various forms’.51 The Special Rapporteur on the
Right to Freedom of Opinion and Expression argued that ‘the Internet boosts economic,
social and political development, and contributes to the progress of humankind as a
whole’.52 The World Federation of University Women emphasized to the UN Working
Group on the Right to Development that Internet access was key to women’s enjoyment
of the right to development, which required greater attention to the digital divide and its
gender implications.53
However, the efforts of the UN Working Group on the Right to Development and the
High-Level Task Force on the Implementation of the Right to Development54 indicate
that the digital divide has not been the most prominent concern related to access to
technologies. Working Group and Task Force reports demonstrate that technology
transfer issues, such as tensions between intellectual property rights and access to
essential medicines, have received more attention than Internet access and the digital
divide. Technology transfer has long been a problem for development policy, but
Internet access does not resemble traditional technology transfer controversies. The
technologies needed to produce such access are widely available and not subject to
limitations that have triggered technology transfer concerns, such as export controls on
‘dual use’ technologies and protection of intellectual property rights.
49
UNGA Declaration on the Right to Development (1986) UN Doc Res 41/128.
50
Navi Pillay, UN High Commissioner for Human Rights, ‘Development is a Human Right
for All,’ <http://www.ohchr.org/EN/ISSUES/DEVELOPMENT/Pages/DevelopmentIndex.aspx>
accessed 1 March 2014.
51
Human Rights Council, The Promotion, Protection and Enjoyment of Human Rights on
the Internet (29 June 2012) UN Doc A/HRC/20/L.13, 2.
52
Special Rapporteur’s Report (n 17) para. 67.
53
Report of the Open-Ended Working Group on the Right to Development (20 March 2001)
UN Doc E/CN.4/2001/26, para. 138.
54
High-Level Task Force on the Implementation of the Right to Development <http://
www.ohchr.org/EN/Issues/Development/Pages/HighLevelTaskForce.aspx> accessed 1 March
2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The Internet features so prominently across the human rights regime that people now
debate whether Internet access is, or should be, a human right. As the previous two
sections demonstrated, the Internet is important for the enjoyment of human rights,
with Internet access supporting the exercise of civil and political rights and the
progressive realization of ESC rights. The Special Rapporteur on the Right to Freedom
of Opinion and Expression captured this perspective in arguing that ‘the Internet has
become an indispensable tool for realizing a range of human rights, combating
inequality, and accelerating development and human progress’.55 Framing the Internet
in this way is consistent with the traditional approach – technologies are means for
protecting and promoting human rights. For example, health advocates see access to
technologies, such as vaccines, as important instruments in achieving the right to the
highest attainable standard of health.
Many arguments associated with ‘Internet access is a human right’ fall into this
instrumental approach. Secretary of State Hillary Clinton articulated a ‘freedom to
connect’ to the Internet, but this freedom’s meaning and purpose depend on other civil
and political rights – namely, the freedoms of opinion, expression and assembly.56
Mark Zuckerberg, founder of Facebook, argued that Internet connectivity is a human
right,57 but the connectivity he described is instrumental – connectivity as a means for
achieving the political, economic and social objectives the human rights regime already
targets. Vint Cerf, one of the Internet’s creators, stressed this point in arguing that
‘Internet access is just a tool for obtaining something else more important’.58
The idea of Internet access as a distinct right has to differ from the instrumental
perspective by positing that access is, by itself, so central to individual life, autonomy
or dignity that it deserves protection as a fundamental right. Responding to Cerf, Scott
Edwards, writing on an Amnesty International blog, asserted that Internet access is so
‘indispensable to world’s most marginalized people’ that its loss ‘in places from
Sub-Saharan Africa to the most impoverished communities here in the US … could
mean an immediate threat to lives and livelihoods’.59
This argument ignores the digital divide – the world’s most marginalized people do
not enjoy much Internet access. Further, problems already of grave concern in the
human rights regime more immediately threaten the lives and livelihoods of the world’s
most marginalized populations, such as lack of clean water, food insecurity, inadequate
health care, environmental degradation, poor education and political or criminal
55
Special Rapporteur’s Report (n 17) para. 85.
56
Hillary Clinton, ‘Remarks on Internet Freedom,’ (21 January 2010) <http://www.state.gov/
secretary/rm/2010/01/135519.htm> accessed 1 March 2014.
57
Mark Zuckerberg, ‘Is connectivity a human right?’ <https://fbcdn-dragon-a.akamaihd.net/
hphotos-ak-ash3/851575_228794233937224_51579300_n.pdf> accessed 1 March 2014.
58
Vint Cerf, ‘Internet access is not a human right’ (4 January 2012) NY Times <http://
www.nytimes.com/2012/01/05/opinion/internet-access-is-not-a-human-right.html> accessed 1
March 2014.
59
Scott Edwards, ‘Is internet access a human right?’, (10 January 2012) Human Rights Now
Blog <http://blog.amnestyusa.org/business/is-internet-access-a-human-right/> accessed 1 March
2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
60
Constitutional Council, Decision no 2009-580 on act furthering the diffusion and
protection of creation on the Internet, 10 June 2009 (official English translation).
61
Richard Wray, ‘French anti-filesharing law overturned,’(10 June 2009) The Guardian
<http://www.theguardian.com/technology/2009/jun/10/france-hadopi-law-filesharing?guni=Article:
in%20body%20link> accessed 1 March 2014.
62
Constitutional Council (n 60), para. 12.
63
Ibid. paras 15–16.
64
Ibid. para. 15.
65
Ibid. para. 12.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
relationship. This part looks at Internet governance, cybersecurity and trade and
commerce in cyber technologies as contexts in which human rights issues have
emerged. The ways in which human rights arise are controversial, reveal disagreements
about human rights in the Internet age and raise questions about the future of the
human rights regime in the next phase of cyberspace’s evolution.
This chapter previously mentioned the fault line on Internet governance between the
‘Internet freedom’ and ‘Internet sovereignty’ perspectives. The international politics of
Internet governance involve many issues, including great power competition, friction in
defining what problems fall within Internet governance, divergent views about non-
State actor participation in international governance and disagreements over civil and
political rights. Although the Internet governance controversy is broad, human rights
are one of the most prominent and divisive features.
Briefly, ‘Internet freedom’ views cyberspace as a means for advancing civil and
political rights, encouraging the spread of democracy and supporting technological and
governance innovation through collaboration of public, private and non-governmental
stakeholders. Internet freedom is a transformative vision – the Internet and cyberspace
can help change politics within and among countries. ‘Internet sovereignty’ embeds
cyberspace in an international order that functions through inter-State governance
mechanisms, the balance of power, and adherence to the principles of sovereignty and
non-intervention. Internet sovereignty is conservative – States must discipline use of the
Internet and cyberspace through traditional mechanisms for maintaining order among
sovereign States.
These contrasting perspectives have taken centre stage in negotiations on Internet
governance. In 2012, the ITU convened the World Conference on International
Telecommunications (WCIT) so that ITU members could revise the International
Telecommunication Regulations (ITRs).66 The negotiations failed because of the fault
line between Internet freedom and Internet sovereignty. Countries associated with
Internet freedom, especially the US and European democracies, rejected the revised
ITRs for a number of reasons, including concerns that the revisions introduced
provisions that could threaten civil and political rights, such as freedom of expression.
States linked with the Internet sovereignty approach, including China, Russia and other
authoritarian countries, supported the revised ITRs because, among other things, the
revisions reflected their interests in expanding the scope of Internet governance and
strengthening inter-governmental control of such governance.
Even though the WCIT produced stalemate rather than victory for either position,
what happened reflects growth in the influence and impact of the Internet sovereignty
perspective. China, Russia and supportive countries prevailed in getting Internet
governance on the ITU’s negotiating agenda, succeeded in having new ITR provisions
66
David P. Fidler, ‘Internet Governance and international law: The controversy concerning
revision of the International Telecommunication Regulations’ (7 February 2013) American
Society of International Law Insights <http://www.asil.org/sites/default/files/insight130207.pdf>
accessed 1 March 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
18 / Date: 24/3
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
they wanted and held firm against US and European opposition. In that sense, the
WCIT represented a culmination of authoritarian efforts, dating back to the turn of the
century, to make Internet governance reflect their interests more strongly. From a
human rights perspective, this development is worrisome given how authoritarian States
disregard civil and political rights in cyberspace.
(b) Cybersecurity
As other chapters in this volume analyse, cybersecurity has become a significant policy
concern, and this area involves human rights considerations. Cyber threats posed by
criminals, terrorists, intelligence agencies, and militaries have provoked governments to
respond in ways human rights advocates believe infringe civil and political rights.
Government exploitation of cyber technologies to repress political opposition, conduct
espionage and develop cyber weapons has also generated human rights worries. The
disclosures Edward Snowden started making in June 2013 about the cyber surveillance
and cyber espionage67 activities of the US National Security Agency (NSA) sparked
controversies about the threats these activities posed to civil and political rights in the
US and around the world. Cumulatively, cybersecurity problems convey the impression
that cyberspace is becoming insecure and dangerous in ways that undermine using the
Internet to strengthen human rights.
Over the past decade, concerns about cyber threats to national security have
increased. Cyber attacks by criminals, ‘hacktivist’ groups, and foreign intelligence
agencies, the fear of cyber terrorism, and development of offensive cyber weapons by
rival countries have forced governments to devote more attention to cybersecurity.
Policy thinking about how to respond has identified strategies that raise human rights
questions. For example, improving cyber defences requires improved ‘situational
awareness’, which heightened surveillance of Internet communication and expanded
information sharing between the private sector and government agencies can achieve.
However, persons and groups focused on protecting freedom of expression and privacy
oppose these strategies because they expand government power without adequate
safeguards for these rights.68
A different, but related, worry involves authoritarian governments using cybersecu-
rity threats as an excuse for expanding surveillance and repression of political
opposition. China’s attempts to censor and monitor Internet activities demonstrate that,
for the Communist Party, cybersecurity means protecting against the use of cyberspace
to challenge its authority and power.69 The treaty on information security concluded by
the Shanghai Cooperation Organization, the members of which are authoritarian States
67
See Buchan (Ch 8 of this book).
68
Rainey Reitman, ‘CIPSA, the privacy-invading cybersecurity spying bill, is back in
Congress,’ (13 February 2013) Electronic Frontier Foundation <https://www.eff.org/deeplinks/
2013/02/cispa-privacy-invading-cybersecurity-spying-bill-back-congress> accessed 1 March
2014.
69
Nigel Inkster, ‘China in cyberspace’ (2010) 52 Survival 55.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
19 / Date: 24/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
(including China and Russia), defines terms – such as ‘information security’, ‘infor-
mation crime’, and ‘information terrorism’ – in ways that demonstrate no interest in
protecting freedom of expression and privacy in cyberspace.70
Snowden’s disclosures about NSA cyber surveillance and cyber espionage sparked
debate about privacy in the US and internationally. Within the US, Snowden exposed
NSA programs that collect domestic telephony metadata and communications of US
persons with foreign intelligence targets located outside the US. Privacy advocates have
challenged these programs in court and through proposed legislation, and these
challenges inform an ongoing US debate about how best to protect privacy in light of
national security needs and capabilities to conduct electronic surveillance.
Internationally, Snowden’s revelations about US cyber espionage against allied and
friendly countries, such as Germany and Brazil, produced a backlash against the US. In
November 2013, Germany and Brazil introduced a draft resolution in the UN General
Assembly’s Third Committee entitled ‘The Right to Privacy in the Digital Age’.71
Submitted as a response to NSA cyber spying, the draft resolution applied the right to
privacy to surveillance conducted by States outside their territories. This effort recalls
previous controversies about when human rights obligations apply when a country acts
outside its territory. But, the draft resolution contained a more radical proposition – that
a State’s foreign espionage activities, including against online communications, are
subject to the right to privacy in international law. At the UN, US diplomats opposed
the extraterritorial application of the right to privacy, meaning it does not apply to
espionage activities, and insisted that US electronic surveillance was lawful, in
compliance with international human rights law.72 The revised resolution submitted by
the Third Committee to the UN General Assembly contained compromise language that
permitted the different sides of the debate to claim it reflected their perspectives.73 The
UN General Assembly approved this resolution in December 2013 without a vote,74
another indication of the disagreements surrounding it.
This controversy raises interesting international legal issues, including whether the
power the US exercises in cyberspace qualifies, in the virtual world, as the equivalent
of effective, physical control of individuals often associated with extraterritorial
obligations under international human rights law.75 However, mounting concerns about
70
Shanghai Cooperation Organization, Agreement on Cooperation in the Field of Inter-
national Information Security, December 2008.
71
UNGA, The Right to Privacy in the Digital Age (1 November 2013) UN Doc A/C.3/68/
L.45.
72
Colum Lynch, ‘Exclusive: Inside America’s plan to kill online privacy rights everywhere,’
(20 November 2013) The Cable <http://thecable.foreignpolicy.com/posts/2013/11/20/exclusive_
inside_americas_plan_to_kill_online_privacy_rights_everywhere> accessed 1 March 2014.
73
UNGA, The Right to Privacy in the Digital Age (20 November 2013) UN Doc A/C.3/
68/L.45/Rev. 1.
74
UNGA, The Right to Privacy in the Digital Age (18 December 2013) UN Doc
A/RES/68/167.
75
Anne Peters, ‘Surveillance without borders: The unlawfulness of the NSA panopticon,
Part II,’ (4 November 2013) EJIL: Talk! <http://www.ejiltalk.org/surveillance-without-borders-
the-unlawfulness-of-the-nsa-panopticon-part-ii/> accessed 1 March 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
20 / Date: 24/3
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
cyber espionage demonstrate that intelligence agencies of many countries have power-
ful capabilities to penetrate foreign computer systems and networks, manipulate them,
and obtain sensitive information, including communications of private persons. The
countries to which Snowden fled – China and Russia – are accused of violating
domestic Internet freedoms, including the right to privacy,76 hardly an indication these
States seriously believe the right to privacy in international law affects their foreign
espionage activities.
The ubiquity of cyber espionage works against the notion that State practice reflects
the extraterritorial application of the right to privacy to government intelligence
activities. Questions about the extraterritorial application of the right to privacy will
continue to be important because, for example, the UN General Assembly requested the
UN High Commissioner for Human Rights to ‘submit a report on the protection and
promotion of the right to privacy in the context of domestic and extraterritorial
surveillance and/or the interception of digital communications and the collection of
personal data, including on a mass scale’ to the Human Rights Council and the General
Assembly.77
For its part, the US has long held that its ICCPR obligations do not extend outside
the US, a position enunciated again in the UN negotiations on the resolution on the
right to privacy in the digital age. However, in reforms announced in January 2014,
President Obama instructed the US intelligence community to protect the privacy
interests of all persons, including non-US persons located outside the US.78 Specific-
ally, US intelligence activities must ‘include appropriate safeguards for the personal
information of all individuals, regardless of the nationality of the individual … or
where that individual resides’.79 Although framed in terms of privacy ‘interests’ rather
than ‘rights’, how this dramatic shift in US policy on intelligence activities will affect
debates about the extraterritorial application of the right to privacy deserves close
scrutiny.
Snowden also disclosed information about US cyber espionage against other
countries, including China, Russia, and Iran. These authoritarian countries have not,
like Germany and Brazil, responded by calling for strengthening the right to privacy.
Instead, the revelations vindicated their claims that they were targets of large-scale US
cyber espionage. The disclosures badly damaged, if not destroyed, US diplomatic
efforts to pressure China to stop engaging in economic cyber espionage. Snowden’s
leaks also undermined the Obama administration’s Internet freedom agenda because
they exposed the US Government’s willingness to conduct cyber surveillance on a
global scale against friend and foe alike. Even Michael Hayden, former NSA and CIA
director, admitted the US could be fairly accused of militarizing cyberspace after what
76
Freedom House (n 22) 181–214 (China), 588–600 (Russia).
77
The Right to Privacy in the Digital Age (n 74), para. 5.
78
Presidential Policy Directive/PPD-28 – Signals Intelligence Activities, 17 January 2014,
§ 4, <http://www.lawfareblog.com/wp-content/uploads/2014/01/2014sigint.mem_.ppd_.rel_.pdf>
accessed 1 March 2014.
79
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
21 / Date: 24/3
JOBNAME: Tsagourias PAGE: 22 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Human rights issues have arisen in connection with the private sector’s development,
use and sale of cyber technologies and services. As mentioned above, migration of
communication to online formats gives ICT companies access to massive amounts of
data, and privacy advocates have expressed concerns that existing laws, especially in
the US, are insufficient to protect privacy from corporate interests. Human rights
groups have also criticized ICT companies of: (1) cooperating with Chinese Govern-
ment efforts to censor and control the Internet in repressing domestic political
opposition; and (2) selling cyber technologies to repressive regimes, such as Syria, that
use them against political opponents. These concerns informed creation of the Global
Network Initiative (GNI), a multi-stakeholder effort that helps ICT companies advance
freedom of expression and privacy through independent reviews of corporate compli-
ance with GNI’s principles.82 Countries participating in the Wassenaar Arrangement on
Export Controls for Conventional Arms and Dual-Use Goods and Technologies agreed
in December 2013 to include in this regime restrictions on exporting ‘dual use’ ICT
products, such as intrusion software and network surveillance systems, governments
could use to violate civil and political rights.83
80
Andrea Peterson, ‘Former NSA and CIA Director says terrorists love using gmail,’ (15
September 2013) Washington Post < http://www.washingtonpost.com/blogs/the-switch/wp/2013/
09/15/former-nsa-and-cia-director-says-terrorists-love-using-gmail/> accessed 1 March 2014.
81
Barton Gellman and Ellen Nakashima, ‘U.S. spy agencies mounted 231 offensive cyber
operations in 2011, documents show,’ (30 August 2013) Washington Post <http://articles.
washingtonpost.com/2013-08-30/world/41620705_1_computer-worm-former-u-s-officials-obama-
administration> accessed 1 March 2014.
82
Global Network Initiative <http://www.globalnetworkinitiative.org/> accessed 1 March
2014.
83
Public Statement: 2013 Plenary Meeting of the Wassenaar Arrangement on Export
Controls for Conventional Arms and Dual-Use Goods and Technologies, 4 December 2013; Edin
Omanovic, ‘International agreement reached controlling export of mass surveillance and
intrusive surveillance technology’ (9 December 2013) Privacy International <https://www.
privacyinternational.org / blog / international-agreement-reached-controlling- export-of-mass - and-
intrusive-surveillance> accessed 1 March 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
22 / Date: 1/4
JOBNAME: Tsagourias PAGE: 23 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
6. CONCLUSION
The complexity of the cyberspace-human rights relationship makes finding its critical
features difficult, if not foolhardy. The relationship emerged at a unique historical
moment when unprecedented political conditions facilitated new technologies of
communication and connectivity with potential to strengthen human rights. The many
ways the human rights regime applies to the Internet and human rights activism on
cyberspace issues constitute partial fulfilment of this promise. However, political, legal
and technological developments have dramatically affected the relationship in ways that
burden the present and the future.
Politically, the uni-polar moment of the post-Cold War period has passed, replaced
by a multi-polar configuration characterized by divergent interests on the Internet and
human rights and intensifying geopolitical competition, including in cyberspace.
Legally, all-too-familiar gaps between legal doctrine and State practice on human rights
appear as well in the cyberspace-human rights relationship. Technologically, authoritar-
ian governments appear to have figured out how to expand Internet access and use
while increasing censorship and control over activities in cyberspace. As Snowden’s
84
ICANN, gTLD Applicant Guidebook, Module 3 (4 June 2012). As of this writing, the
Independent Objector had issued 11 limited public interest objections, all against proposed
gTLDs in the health/medical area and all applying the right to health. ‘The Objections Filed
by the Independence Objector’ <http://www.independent-objector-newgtlds.org/home/the-
independent-objector-s-objections/> accessed 1 March 2014.
85
ICANN, 3-21–3-22.
86
See for example Prof. Allain Pellet (Independent Objector) v Afilias Ltd, Case No
EXP/409/ICANN/26 (November 2013) (rejecting Independent Objector’s limited public interest
objection grounded in the right to health against .HEALTH gTLD application).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
23 / Date: 24/3
JOBNAME: Tsagourias PAGE: 24 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
disclosures make clear, the US harnessed cyber technologies for intelligence and
military purposes in ways that human rights advocates believe undermine what
cyberspace should mean for human rights.
These observations leave the impression that increasing individual, commercial,
social and governmental dependence on the Internet is weakening human rights in
cyberspace, which contradicts beliefs that the Internet’s global proliferation and
penetration of societies would transform whether and how people enjoy human rights.
The developing prowess of authoritarian governments in monitoring and manipulating
online activities, the momentum of the Internet sovereignty perspective, and the
damage Snowden’s disclosures have done to US interests and influence produce the
most difficult and dangerous conditions the relationship between cyberspace and
human rights has faced.
Whether changes to the human rights regime would make things better is doubtful.
International law on civil and political rights and ESC rights already applies compre-
hensively to online activities. Recognising Internet access as a distinct right would not
solve the problems facing the protection of civil and political rights in authoritarian
States. Attempts to impose privacy obligations on foreign espionage activities will
deepen the diplomatic problems the US faces and will be ignored by authoritarian
States that engage in cyber espionage. Monitoring implementation of ESC rights could
be more systematic in evaluating how the Internet can contribute to the realization of
these rights, but moving in this direction might reveal the limits of the Internet more
than it identifies untapped opportunities. Reducing the digital divide does not neces-
sarily improve the enjoyment of human rights because increased Internet access and
use does not, by itself, equate with stronger protection for civil and political rights or
more progressive realization of ESC rights.
Although the Internet is the most consequential communication technology to
emerge in the human rights era, it has not proven to be an exceptional technology in
freeing the human rights project from politics. Looking ahead, the primary human
rights challenges in cyberspace will involve grappling with age-old political problems,
including the resiliency of sovereignty, the tenacity of authoritarianism, the complexity
of international law, the difficulty of balancing human rights and national security, and
the unpredictability of shifts in power and interests in the international system.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter5 /Pg. Position:
24 / Date: 6/5
JOBNAME: Tsagourias PAGE: 1 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
* I thank my student research assistant Torben Schlüter for assistance in preparing this
chapter and Muriel Nißle for a final editorial revision.
1
This is admitted at the outset in the serious publications on the matter, see for example
David Turns, ‘Cyber warfare and the notion of direct participation in hostilities’ (2012) 17(2) J.
Conflict & Sec. L. 280, 282 (stating that it is ‘rather difficult to write authoritatively about
international law and CW [cyber warfare]: one has a distinct feeling of the ink not yet being dry
on the page.’).
2
US Department of Defense according to Herbert Lin, ‘Cyber conflict and international
humanitarian law’ (2012) 94(886) I.R.R.C. 515, 516; similarly Michael Schmitt, ‘Classification
of cyber conflict, (2012) 17 J. Conflict & Sec. L. 245, 258. On the differences between conflict
in cyberspace and physical space (i.e., traditional conflict) see ibid. 520.
3
It is not easy to find a comprehensive definition of the term ‘cybercrime’. It is often
interchangeably used with the terms ‘computer crime’, ‘computer-related crime’, ‘high-tech
crime’ and ‘cybercrime’. The Cybercrime Convention of the Council of Europe of 23 November
2001 lists: illegal access; illegal interception; data interference; system interference; misuse of
devices; computer-related forgery; computer-related fraud; offences related to child porn-
ography; and to infringements of copyright and related rights (arts 2–10). The AP of 28 January
2003 adds to this impressive list acts of a racist and xenophobic nature committed through
computer systems. EU documents take a similarly broad approach covering any conduct that
describes: ‘a) the use of information and communication networks that are free from geographi-
cal constraints; and b) the circulation of intangible and volatile data’, see European Commission,
‘Fight against cybercrime’ (12 September 2005) <http://europa.eu/legislation_summaries/justice_
freedom_security/fight_against_organised_crime/l33193b_en.htm> accessed 22 October 2013.
For a similar broad definition from an US-perspective see Oona A Hathaway et al., ‘The law of
cyber-attack’ (2012) 100 Cal. L. Rev. 817, 833; David Weissbrodt, ‘Cyber-conflict, cyber-crime,
and cyber espionage’ (2013) 22 Minnesota J. of Int’l. L. 345, 366–70.
118
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 1
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 2 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
more shortly ‘cyber attacks’. A CNA is the strongest form of what is regarded to be
cyber warfare,4 i.e., the use of technical means to wage war against an adversary in
cyberspace.5 Apart from network attacks, other forms of attacks are cyber operations6
and cyber espionage.7 The reason for this focus on CNAs is that only these forms of
attacks are normally serious enough to qualify as international crimes and thus be
covered by an international criminal jurisdiction like the International Criminal Court
(ICC). However, the exact meaning of a CNA is still subject of discussion.8 Following
the majority view three elements may be distinguished. First, a CNA is not carried out
for (direct) financial gain or profit as are classical economic cybercrimes.9 Secondly,
the attack is not conducted for the purpose of gaining information (‘cyber espio-
nage’).10 Thirdly, a CNA alters, disrupts, degrades or destroys a computer network and
may lead to a disruption of devices connected to the network under attack.11 The latter
element is well captured by the definition provided for by the Tallinn Manual on Cyber
4
On the different understandings of ‘cyber warfare’ in state practice Cordula Droege, ‘Get
off my Cloud: Cyber Warfare, international humanitarian law and the protection of civilians’
(2012) 94 I.R.R.C. 533, 536–7. On computer network exploitation (CNE) and computer network
defence (CND) see Nils Melzer, Cyberwarfare and International Law (UNDIR Resources 2011)
5, available at <http://unidir.org/Publications/listerPublications/ idConference:170> accessed 20
October 2013.
5
See Lin (n 2) 519 (discussing the differences between traditional warfare and cyber
warfare regarding the law of armed conflict); Droege (n 4) 538 (referring to ‘cyber operations
amounting to or conducted in the context of armed conflict’); also Melzer (n 4) 4; Harrisson
Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 4 et seq.
6
Michael Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare (CUP 2013) [Tallinn Manual], probably the most authoritative source on our topic,
defines a cyber-operation as ‘The employment of cyber capabilities with the primary purpose of
achieving objectives in or by the use of cyberspace’ (258). For a critique on the Manual’s
methodological approach and the composition of the Expert group see Oliver Kessler and
Wouter Werner, ‘Expertise, uncertainty, and international law: A study on the Tallinn Manual on
cyberwarfare’ (2013) 26(4) L.J.I.L. 793 (concluding that ‘the Manual reduces uncertainty
through consensus on some issues, but also reproduces or even radicalizes uncertainty’ by
making ‘authoritative claims in the absence of consensus’ and reintroducing ‘open-ended
principles and contextual factors in legal reasoning’). See also Ducheine (Ch 10 of this book).
7
According to the Tallinn Manual ibid. Rule 66, this means ‘any act undertaken
clandestinely or under false pretences that uses cyber capabilities to gather (or attempt to gather)
information with the intention of communicating it to the opposing party.’ See also Weissbrodt
(n 3) 370–1; Buchan (Ch 8 of this book).
8
Cf. Ryan McClure, ‘International adjudication options in response to state-sponsored
cyber-attacks against outer-space satellites’ (2012) 18 New England J. of Int’l. & Comp. L. 431,
432 (with further references).
9
Melzer (n 4) 21; Lesley Swanson, ‘The era of cyber warfare: Applying international
humanitarian law to the 2008 Russian-Georgian cyber conflict’ (2010) 32 Loyola Los Angeles
Int’l. & Comparative L. J. 303, 307 (‘[cybercrimes] are governed by national criminal statutes
and include such acts as identity theft and internet fraud’).
10
Lin (n 5) 519; see also Jack Goldsmith, ‘How cyber changes the laws of war’ (2013) 24
E.J.I.L. 129, 135; Buchan (Ch 8 of this book).
11
This is basically the US Department of Defense definition, as quoted in Noam Lubell,
‘Lawful targets in cyber operations: Does the principle of distinction apply?’, (2013) 89 Int’l. L.
Studies 252, 258; see also Melzer (n 4) 5; Lin (n 2) 518–9; Brian T O’Donnell and James
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 2
/ Date: 6/5
JOBNAME: Tsagourias PAGE: 3 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Kraska, ‘Humanitarian law: developing international rules for the digital battlefield’ (2003) 8 J.
Conflict & Sec. L. 133, 138; crit. of the scope of the definition Lubell, op.cit., 258–9.
12
Tallinn Manual (n 6) rule 30; for an even broader definition Lin (n 2) 518–9; see also
Droege (n 4) 556–61 (including the interference ‘with the functioning of an object by disrupting
the underlying computer system’, at 560); for a too broad (albeit called ‘narrow’) definition
Hathaway and others (n 3) 826 et seq. (letting suffice ‘any action … to undermine the functions
of a computer network …’). Why the authors themselves consider this a ‘narrow’ definition
remains their secret, the special purpose requirement (‘political or national security purpose’)
does, in any case, not do the trick and their examples are also far too broad (ibid. 837 et seq.).
Discussing different cyber operations and attacks Charlotte Lülf, ‘International humanitarian law
in times of contemporary warfare – the new challenge of cyber attacks and civilian participation’
(2013) 26 Humanitäres Völkerrecht – Informationsschriften 74, 76–77.
13
IHL refers to all rules of the law of armed conflict protecting individuals in armed
conflicts (Christopher Greenwood, ‘Historical developments and legal basis’ in Dieter Fleck
(ed.), The Handbook of International Humanitarian Law (2nd edn., OUP 2008) 1–43, marginal
number (‘mn.’) 101.) and to cases of declared war or occupation (Gerhard Werle/Florian
Jessberger, Principles of International Criminal Law (3rd edn., OUP 2014) [Principles] mn.).
14
More on the application of IHL to the cyber realm can be read in Part IV of this book.
15
Cf. Knut Dörmann, ‘Applicability of the Additional Protocols to Computer Network
Attacks’ (19 November 2004) ICRC <http://www.icrc.org/eng/resources/documents/misc/
68lg92.htm> accessed 22 October 2013, 2; Droege (n 4) 540–1; Dinniss (n 5) 260–1; William H
Boothby, ‘Methods and means of cyber warfare’ (2013) 89 Int’l. L. Studies 387, 400.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 3
/ Date: 8/5
JOBNAME: Tsagourias PAGE: 4 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
War crimes are nowadays most comprehensively defined in Article 8 ICC Statute
containing 53 individual offences all based on the primary prohibitions of the Hague
and Geneva Laws.16 Pursuing a structural and systematic approach focusing on the
interests and rights protected one can distinguish between basic offences against
protected persons and objects, attacks on civilian population and objects (prohibited
means of warfare) and other offences (including prohibited methods of warfare).17
Cyber attacks may constitute such offences if they meet their objective (actus reus) and
subjective (mens rea) requirements. This cannot be determined in the abstract but
depends on the concrete circumstances of each case. At any event, the application of
the war crimes regime to any form of attack – be it by traditional kinetic or modern
cyber means – is predicated on the existence of the general requirements for the
application of IHL to the case at hand. Thus, these general requirements must be
examined first before analyzing how the traditional IHL principles play out in the field
of cyber attacks.
16
On these primary rules see Kai Ambos, Treatise on International Criminal Law. Volume
I: Foundations and General Part (OUP 2013) 11 et seq.
17
Cf. Kai Ambos, Treatise of International Criminal Law. Volume II: The Crimes and
Sentencing (OUP 2014) 164 et seq.
18
See also Arimatsu (Ch 15 of this book).
19
Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in
Armed Forces in the Field (adopted 12 August 1949, entered into force 21 October 1950) (GC I)
75 UNTS 31 (GC I); Convention II for the Amelioration of the Condition of Wounded, Sick and
Shipwrecked Members of Armed Forces at Sea. Geneva Field (adopted 12 August 1949, entered
into force 21 October 1950) 75 UNTS 85 (GC II); Convention relative to the Treatment of
Prisoners of War Field (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS
135 (GC III); Convention relative to the Protection of Civilian Persons in Time of War Field
(adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 267 (GC IV).
20
Prosecutor v Tadić, ICTY (Jurisdiction) ICTY-94-1-AR (2 October 1995) [Tadić
Jurisdictional Decision] [70]; Prosecutor v Lubanga (Confirmation of Charges) ICC-01/04-
01//06 (27th January 2007) [209]; cf. Werle/Jessberger (Principles) (n 13), mn. 1078; Antonio
Cassese and others, Cassese’s International Criminal Law (3rd edn., OUP 2013) 66.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 4
/ Date: 15/5
JOBNAME: Tsagourias PAGE: 5 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Thus, what is of relevance is the employment of armed force and its attribution to one
of the parties to the conflict.21
The same principles apply to cyber attacks22 as long as there is no specific definition
of ‘war’ or ‘armed conflict’ for this kind of attack.23 Thus, one should first of all
distinguish between a situation where such an attack is part of an ongoing (conven-
tional) armed conflict or where it is carried out independently of such a conflict (i.e.,
where such a conflict does not exist in the first place or only at a different time).24
Given that in the former case the armed conflict threshold is passed anyway by the
recourse to conventional armed force, the question of a separate assessment of the
quality of a CNA arises only in the latter case of – what could be called – a ‘pure’
cyber attack. In such a case it must be inquired whether armed force has been
employed25 and whether this can be attributed to one party to the conflict.
Whether armed force has been employed may be determined by looking at the means
or instruments employed – ‘means approach’ – or at the effects, consequences or results
generated by this employment – ‘(equivalent) effects approach.’26 The former approach
would have difficulties to consider a CNA as an ‘armed’ use of force since the
computer systems employed to carry out such an attack cannot be considered ‘arms’ in
21
Cf. Ambos (n 17) 123.
22
Droege (n 4) 543 et seq.; Dinniss (n 5) 126 et seq.; generally more cautiously Lin (n 2)
515 et seq. (concluding that many of the traditional IHL assumptions ‘either are not valid in
cyberspace or are applicable only with difficulty’, at 530).
23
See for an enlarged definition of the concept of ‘war’ Annex 1 of the Agreement between
the Governments of the Member States of the Shanghai Cooperation Organisation on
Cooperation in the Field of International Information Security (adopted 16 June 2009) quoted in
Melzer (n 4) 22 and Droege (n 4) 535. This Annex defines ‘information war’ as a:
confrontation between two or more states in the information space aimed at damaging
information systems, processes and resources, critical and other structures, undermining
political, economic and social systems, mass psychologic brainwashing to destabilize society
and state, as well as to force the state to taking decision in the interest of an opposing party.
24
Dinniss (n 5) 127 et seq. distinguishes between three situations: during ongoing armed
conflict, independent of such an armed conflict and accompanying conventional use of force not
as such amounting to an armed conflict. The last situation may, however, be grouped together
with the first since in both cases conventional armed and cyber attacks happen together with a
lower degree of conventional force in the last situation. For Melzer (n 4) 24 cyber operations
‘not accompanied by a threat or use of conventional military force’ would normally not pass the
armed conflict threshold but ‘most likely be regarded as a criminal threat to be addressed
through law enforcement measures’.
25
Insofar the difference between ‘attack’ (as defined in art 49 (1) AP I) and the broader
concept of military ‘operation’ (see for e.g., art 51(1) AP I; for a discussion see Droege (n 4) 554
et seq.) is not relevant since in both situations armed force is employed. See with regard to the
principle of distinction (art 48 AP I) however infra (n 91).
26
The three relevant approaches (instrumentality-, target- and consequence-/effects-based)
have been developed with regarding to the ius ad bellum concept of an ‘armed attack’ (art 51 UN
Charter) see Hathaway et al. (n 3) 845–6; Weissbrodt (n 4) 363–4) but can be applied in the ius
in bello context of the armed conflict threshold as well.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 5
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 6 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
the traditional sense since they lacking any kinetic expression of force.27 In any case,
such an approach does not only ignore the modern understanding of use of force which
does not focus on the weapons employed.28 It also fails to capture the special quality of
cyber attacks which is expressed in the effects of such attacks as compared to
traditional (kinetic) armed attacks. Thus, one should follow the effects approach.29
An effects-based reading is not excluded by the definition of an ‘armed attack’ as
‘acts of violence against the adversary’ (Art. 49 (1) AP I). For ‘violence’ can also be
brought about by the violent effects of a CNA producing a lasting harmful result.30
Thus, if a CNA brings about the replacement of a physical part of an attacked computer
network,31 it reaches the armed force or armed attack threshold of IHL.32 This confirms
that the crucial issue is not the nature of the attack in terms of its means but of its
effects. This entails, in contrast, that a CNA not causing any (lasting) physical or
serious functional damage (e.g., a temporary shutdown/breakdown of a computer
system) does not reach the armed conflict threshold.33 Of course, the effects of an
attack must be assessed in a broad sense. While a CNA may only produce limited
damage on the attacked system as such the broader effects may nevertheless produce
serious consequences, for example, if a large dam was regulated by this system and its
deactivation entails widespread flooding. Thus, the question is always whether a cyber
attack causes comparable or analogous damage to a traditional armed attack.34 In this
regard, also the equal treatment of ‘destruction, capture and neutralization’ in Article
27
On the differences between traditional warfare and cyber warfare insofar see: Lin (n 2)
520 et seq.; see also Nils Melzer, ‘Cyber operations and ius in bello’ (2011) 4 Disarmament
Forum 3, 5.
28
Cf. Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ
Rep 226 para. 39 (‘any use of force, regardless of the weapons employed’); conc. Tallinn
Manual (n 6) 42; Melzer (n 4) 13; Weissbrodt (n 4) 356; Boothby (n 15) 391; on the concept of
weapon with a view to the military advantage achieved Dinniss (n 5) 68–70.
29
Tallinn Manual (n 6) 107; in the same vein Richard W Aldrich, ‘The international legal
implications of information warfare’ (1996) 10 Airpower Journal 99; Dinniss (n 5) 74, 123,
131–2; Michael Schmitt, ‘Cyber operations and the jus in bello: Key issues’ (2011) 87 Int’l. L.
Studies 89, 92 et seq.; Melzer (n 4) 7, 24; Emily Haslam, ‘Information warfare: Technological
changes and international law’ (2000) 5(2) J. Conflict & Sec. L. 157, 170; Lülf (n 12) 77–8 (also
focusing on the effects of a cyber-operation and arguing that it reaches the threshold ‘whenever’
it ‘endangers protected persons or objects’ and ‘is more than a sporadic and isolated incident’);
Boothby (n 15) 389 (‘critical factor … injurious or damaging effect ‘), 402; Dörmann (n 15) 3
(‘degree of damage’); Lubell (n 11) 262–3, 265, 275 (‘violent effects’, ‘harm caused’);
Weissbrodt (n 4) 364 (regarding armed attack); Hathaway and others (n 3) 845, 847–8; crit.
because of a too high threshold Katherine C. Hinkle, ‘Countermeasures in the cyber context:
One more thing to worry about’ (2011) 37 Y.J.I.L. Online 11, 11–2, 21 (regarding the alleged
Russian cyber-attack on Estonia in 2007); crit. because of uncertainties with regard to the
concrete application Kessler and Werner (n 6) 808.
30
In the same vein Schmitt ibid. 93–4; Melzer (n 4) 26.
31
Tallinn Manual (n 6) 106.
32
Schmitt (n 29) 93; see also Yoram Dinstein, ‘Computer network attacks and self-defense’
(2002) 76 Int’l. L. Studies 99, 103; Melzer (n 27) 7.
33
Melzer (n 27) 7; Schmitt (n 29) 95; similar: Swanson (n 9) 323; more detailed Tallinn
Manual (n 6) 106–107.
34
Droege (n 4) 546.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 6
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
35
Cf. Dörmann (n 15) 4, 6; crit. Schmitt (n 29) 95–6 (warning of over-inclusivity and
arguing that art 52(2) AP I is predicated on the existence of an ‘attack’ and that may exclude
mere cyber-operations); Dinniss (n 5) 197–8; for a nuanced approach Melzer (n 4) 26 (arguing
that both positions have strong points).
36
Cf. Droege (n 4) 558.
37
Ibid. 559 (‘operations that disrupt the functioning of objects without physical damage or
destruction, even if the disruption is temporary’); see also Boothby (n 15) 389–90 (arguing, with
regard to ‘data’, that it ‘only becomes an “object” when it is critical to the operation of the
targeted system’): Lubell (n 11) 265–6 (criticizing an exclusive focus on physical damage).
38
On this criterion with definitions (regarding ius ad bellum) Melzer (n 4) 14–6.
39
Schmitt (n 29) 95; in a similar vein ibid. 26.
40
Droege (n 4) 559; see also Boothby (n 15) 403 (emphasizing that ‘only death, injury,
damage or destruction to protected persons or objects’ should be considered); with respect to
state practice Schmitt (n 29) 95, 103.
41
Michael Schmitt, ‘Wired warfare: Computer network attack and ius in bello’ (2002) 84
I.R.R.C. 365, 377–8.
42
Ibid. 374; Droege (n 4) 545 et. seq., 560, 578; Dinniss (n 5) 123, 131, 137–8 (threshold
of ‘significant seriousness’); Melzer (n 27) 5; Droege (n 4) 14 (critical towards the requirement
of consequence equal to traditional armed attacks); Tallinn Manual (n 6) 106; Haslam (n 29)
170; Swanson (n 9) 314–5.
43
Jean Pictet (ed.), Commentary on the Geneva Convention for the Amelioration of the
Condition of the Wounded and Sick in Armed Forces in the Field (1952, ICRC reprint 2006)
[Pictet, GC I’] 32 (‘It makes no difference how long the conflict lasts, or how much slaughter
takes place.’).
44
Schmitt (n 41) 373.
45
On such a combined approach Droege (n 4) 547–8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 7
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 8 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
46
Cf. Tadić Jurisdictional Decision (n 20) [70]; incorporated in art 8 (2)(f) ICC Statute
(adopted 17 July 1998, entered into force 1 July 2002, 2187 UNTS 3); see also Schmitt (n 29)
106.
47
Cf. Droege (n 4) 551.
48
Melzer (n 4) 24–5 (arguing that the precise threshold has not yet been defined); Dinniss
(n 5) 131. For Hathaway and others (n 3) 850 and Robin Geiss, ‘Cyber warfare: Implications for
non-international armed conflict’ (2013) 89 Int’l. L. Studies 627, 633–4, the necessary threshold
has not yet been reached in practice by an isolated CNA. Kessler and Werner (n 6) 800 generally
point out that there has been, apart from the Stuxnet attack, ‘no incident of cyberwar that
inflicted the widespread devastation and damage usually associated with “war”.’
49
In this sense Schmitt (n 41) 374 (‘either intended to cause injury, death, damage or
destruction … or such consequences are foreseeable.’); also Schmitt (n 29) 94–5; emphasizing
the intention of the attacker also Dinniss (n 5) 132–3.
50
In this vein Melzer (n 4) 16.
51
Cf. Droege (n 4) on the problems of attribution in light of the anonymity of the attacker
(541, 543–5); see also Goldsmith (n 10) 131–2, 134; Hinkle (n 29) 17–8; Dinniss (n 5) 99–102;
Kessler and Werner (n 6) 799.
52
See for the definition Ambos, Treatise ICL II (n 17) 125–6; in our context Schmitt (n 29)
105–6; Geiss (n 48) 634; Dinniss (n 5) 124–5.
53
Droege (n 4) 550–1; Geiss (n 48) 635–6; Melzer (n 4) 24; for a different view apparently
Michael Schmitt, ‘Classification of cyber conflict’ (2012) 17(2) J. Conflict & Sec. L. 245, 256
(arguing that ‘such groups can act in a coordinated manner against the government … take
orders from a virtual leadership, and be highly organized.’).
54
Geiss (n 48) 635.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
State responsibility for wrongful acts55 provide a useful guidance.56 Accordingly, the
fact that a ‘rough’ State may always lay blame for a CNA from its territory on private
hackers in order to elude its State responsibility57 is not relevant in this context since
the existence of an armed conflict with the respective parties will be determined
objectively.
55
Cf. ILC, Articles on Responsibility of States for Internationally Wrongful Acts, with
Commentaries (2001) Report of the ILC, 53rd Session (23 April to 1 June and 2 July to 10
August 2001) UN Doc A/56/10 (2001) 20, arts 4–9 (establishing the rules of attribution of acts
of state organs or private groups or agents to a State). On the effective vs. the overall control test
(ICJ Nicaragua vs. ICTY Tadić) in this context see Schmitt (n 29) 104–5. Discussing possible
(‘reciprocal’) countermeasures Hathaway and others (n 3) 857–9; Hinkle (n 29) 14 et seq.;
regarding the ius in bello Dinniss (n 5) 75 et seq.
56
Droege (n 4) 544.
57
Cf. Goldsmith (n 10) 135.
58
Cf. art 1 AP I, and relating to the Protection of Victims of Non-International Armed
Conflicts (adopted 12 December, entered into Force 7 December 1978) 1125 UNTS 609 [AP II],
Art. 8(2)(f) ICC Statute.
59
Ambos (n 17) and main text. See also Prosecutor v. Blaskić (Judgement) ICTY-95-14-T
(3 March 2000) [63]– [64]; Prosecutor v. Hadžihasanović and Kubura (Judgement) ICTY-01-
47-T (15 March 2006) [14]; Prosecutor v. Limaj et al.(Judgement) ICTY-03-66-T (30 November
2005) [84]; Prosecutor v. Milutinović et al. (Judgement) ICTY-05-87-T (26 February 2009)
[127]; Prosecutor v. Perišić (Judgement) ICTY-04-81-T (6 September 2011) [72].
60
Prosecutor v. Bemba (Confirmation of Charges) ICC-01/05-01/08 (15 June 2009) [231].
61
Geiss (n 48) 631, 637; Goldsmith (n 10) 131.
62
Droege (n 4) 565–6.
63
Geiss (n 48) 640.
64
Dinniss (n 5) 135.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position: 9
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
those computers, devices or networks that caused the said effects, and would probably
spread over different territories. A limitation would only be possible if the cyber attack
could be traced back to the computer or device where it originated and if only this
could be a lawful target of a counter attack.
65
Tadić Jurisdictional Decision (n 20) [70]; Prosecutor v. Aleksovski (Judgement) ICTY-
95-14/1-T (25 June 1999) [45]; Prosecutor v. Musovic et. al. (Judgement) ICTY -96-21-T (16
November 1998) [193]; see also Werle/Jessberger (Principles) (n 13) mn. 1109 et seq. (with
further references).
66
Ambos (n 17) 141.
67
Prosecutor v. Kunarac, Kovac & Vokovic (Appeals Judgement) ICTY-96-23 & ICTY-96-
23/1-A 12 June 2002 [59]
take into account, inter alia, the following factors: the fact that the perpetrator is a combatant;
the fact that the victim is a non-combatant; the fact that the victim is a member of the
opposing party; the fact that the act may be said to serve the ultimate goal of a military
campaign; and the fact that the crime is committed as part of or in the context of the
perpetrator’s official duties.
Concurring Prosecutor v. Katanga & Ngudjolo Chi (Confirmation of Charges) ICC-01/04-01/07-
717 (30 September 2008) [382].
68
Tallinn Manual (n 6) 76; Melzer (n 4) 23.
69
See in this regard Werle/Jessberger (Principles) (n 13) mn. 1111.
70
Jean Pictet (ed.), Commentary on the Geneva Convention relative to the Protection of
Civilian Persons in Time of War (1958, reprint 1994) 212; Werle/Jessberger (Principles) (n 13)
mn. 1113; Tallinn Manual (n 6) 77.
71
Turns (n 1) 289–90 (with a useful distinction of the tasks to be fulfilled); Hathaway and
others (n 3) 854; Lülf (n 12) 79.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
10 / Date: 15/5
JOBNAME: Tsagourias PAGE: 11 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
and as such possess combatant72 and POW status.73 The same applies to members of
organized armed groups74 and participants in a ‘levée en masse’.75 Contract personal
may also be assimilated to mercenaries who do not have combatant or POW status.76
In all other cases civilians lose immunity from attack if they take ‘direct part in
hostilities’.77 This is generally the case if they fulfill three minimum requirements:78 (1)
the respective act must negatively affect the adversary’s military capacity or inflict
substantive harm on him (threshold of harm); (2) a direct link between the act and the
harm inflicted exists (direct causation); (3) the act must be related to the hostilities
(belligerent nexus).79 These criteria can also be applied in the cyber context although
some cyber-specific questions exist, for example, how cyber active civilians should
distinguish themselves from ordinary civilians.80 If a civilian takes direct part depends,
of course, on the circumstances of the specific case81 but a clear-cut example would be
a civilian preparing and activating a virus to be sent to the computer network of another
State since in this case the civilian would actually conduct a cyber attack.82 Also, a
direct participation would generally exist if the attack would not have been possible
without the special expertise of the civilian.83 In contrast, there would be no direct
participation if the civilian only possesses a merely inferior support function84 or if he
only makes malware available online.85
72
This cuts both ways: they would then benefit from the combatant privilege (immunity
from prosecution for lawful acts of war) but would also be lawful target, i.e., lose civilian
immunity.
73
In the case of art 4A(2) GC III they must fulfil the four requirements indicated there; see
generally Melzer (n 4) 34; Turns (n 1) 290; Dinniss (n 5) 140 et seq.
74
Nils Melzer, lnterpretive Guidance on the Notion of Direct Participation in Hostilities
under International Humanitarian Law (ICRC 2009) 31; conc. Schmitt (n 29) 98. On the criteria
see already supra Ambos (n 52) with main text.
75
Cf. art 4A(6) GC III.
76
Cf. art 47(2) AP I; see also see also Dinniss (n 5) 172–5; Turns (n 1) 294.
77
Cf. arts 3 GC I-IV, 51(3) AP I, 13(3) AP II and Tallinn Manual (n 6) Rule 35. See also
Bannelier-Christakis (Ch 16 of this book).
78
These are criteria which resulted from the ICRC consultation process, cf. Melzer (n 74)
46; conc. Schmitt (n 29) 101; Dinniss (n 5) 165–6; see also Ambos (n 17) 156; Turns (n 1) 286.
They have also been adopted by the Tallinn Manual (n 6) 119–20. For a more thorough
treatment see Dinniss (n 5) 161 et seq.
79
This last criterion rules out purely criminal conduct, cf. Tallinn Manual (n 6) 120.
80
Cf. Melzer (n 4) 29–30; Dinniss (n 5) 145 et seq. (especially referring to art 44(3) AP I).
81
For a discussion see Turns (n 1) 286–9, 294–5 (demonstrating the uncertainty of these
criteria and presenting a useful table with possible examples).
82
Tallinn Manual (n 6) 120 with further examples; see also Lin (n 2) 526; Dinniss (n 5) 167.
83
Cf. Melzer (n 74) 53 (‘where the expertise of a particular civilian was of very exceptional
and potentially decisive value for the outcome of an armed conflict …’).
84
Louise D. Beck, ‘Some Thoughts on Computer Network Attack’ (2002) 76 Int’l. L.
Studies 163, 171 (arguing that technicians ‘that actually undertake the attacks’ would be
considered civilians taking direct part in hostilities and would therefore be subject to counter-
attack without the right to POW status pursuant to art 4 (4) GC III); conc. Dörmann (n 15) 9
(‘executing’ a CNA versus mere maintenance of computer networks); Turns (n 1) 293; for a
more nuanced approach Dinniss (n 5) 167–72 (excluding only ‘routine systems maintenance’).
85
Tallinn Manual (n 6) 120.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
11 / Date: 24/3
JOBNAME: Tsagourias PAGE: 12 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Here again the issue arises, already discussed above with regard to the attribution
requirement, how to treat a group of hackers which organizes a spontaneous resistance
activity and attacks the computer networks of an occupying force? Does such a group
of persons qualify as an organized armed group as defined above and could for that
reason be attacked?86 Or could their acts attributed to a party to the conflict? Or does
such an activity amount to a ‘levée en masse’ mentioned above? This would require
consideration of the computers or software of the hackers as ‘arms’ carried ‘openly’
(Art. 4A(6) GC III) and their conduct as a spontaneous act of resistance.87
Finally, as to the duration of the participation (‘for such time’) and a (definite)
withdrawal of a cyber participant the traditional problems88 are even magnified in the
cyber context. If one would consider it sufficient that a cyber participant interrupts his
activity for a moment – parallel to a (temporal) withdrawal from the battlefield – it
would become practically impossible to counter-target him since the actual cyber attack
only lasts minutes and the virtual battlefield, in any case, may be the private PC of the
hacker in his apartment. It is for this reason that the duration of the participation should
last as long as the cyber participant engages in repeated cyber operations.89
The commission of a concrete war crime depends to a large extent on the understand-
ing of the traditional IHL principles, i.e., the principles governing the conduct of
hostilities,90 in particular the principles of distinction, proportionality and precaution.91
This is not different with regard to cyber attacks or, more broadly speaking, cyber
operations92 which qualify as ‘hostilities’ in this sense.93 Thus, for example, to
86
See for a discussion Schmitt (n 29) 98–101 (identifying as the hard cases the ones of
persons acting with a common purpose).
87
Rather sceptical Turns (n 1) 293; see also Melzer (n 4) 34 (questioning how the
requirement of ‘carry arms openly’ should be interpreted).
88
Cf. Ambos (n 17) 157 et seq.
89
Schmitt (n 29) 102; the issue was controversial within the Tallinn expert group, cf.
Tallinn Manual (n 6) 121–2.
90
According to the ICRC ‘the concept of “hostilities” refers to the (collective) resort by the
parties to the conflict to means and methods of injuring the enemy, and could be described as the
sum total of all hostile acts carried out by individuals directly participating in hostilities’ (Melzer
(n 74) 43, 44).
91
On the prohibition of perfidy (art 37 AP I) and the difficult delimitation to lawful ruses in
our context see Beck (n 84) 171; Dörmann (n 15) 10–12; Melzer (n 4) 32–3; more recently
Dinniss (n 5) 261–5, 278; Boothby (n 15) 404.
92
These principles apply not only in the context of ‘attacks’ (within the meaning of Art. 49
(1) AP I) but also in the context of broader ‘military operations’ as clearly follows from art 51
(1) and 57 (1) AP I referring explicitly to the latter (cf. Dinniss (n 5) 196 et seq.; in the same
vein Droege (n 4) 555–6; Melzer (n 4) 27; stressing however the difference Schmitt (n 29) 91–3
(arguing that ‘operation’ in art 48 AP I is to be understood as ‘attack’); Lubell (n 11) 261; in a
similar vein the majority of the drafters of the Tallinn Manual (n 6) 177 [with regard to art 58(c)
AP I] ).
93
The threshold is lower than that for an ‘attack’ (art 49(1) AP I, supra note 26 and main
text), cf. Melzer (n 4) 28–9.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
12 / Date: 24/3
JOBNAME: Tsagourias PAGE: 13 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
determine whether the war crime of an intentional attack on civilian objects (Art.
8(2)(b) (ii) ICC Statute) has been committed by way of a CNA, one must distinguish
between civilian and military objects. Similarly, to decide whether a CNA causes
disproportional collateral damage the meaning of proportionality in this context must
be determined.
94
See also Bannelier-Christakis (Ch 16 of this book).
95
Article 48 AP I reads: ‘In order to ensure respect for and protection of the civilian
population and civilian objects, the Parties to the conflict shall at all times distinguish between
the civilian population and combatants and between civilian objects and military objectives and
accordingly shall direct their operations only against military objectives.’
96
Jean-Marie Henckaerts, Louise D. Beck and Carolin Alvermann, ICRC Study on
Customary International Humanitarian Law, Volume I: Rules (CUP 2005) [ICRC Study I], 25;
see also ibid., rules 1–10 with 3 et seq.
97
Tallinn Manual (n 6) rules 31 and 110.
98
See generally with regard to the distinction between civilians (protected persons) and (de
facto) combatants Ambos (n 17) 146 et seq.
99
Article 52(2) AP I (emphasis added); for a discussion see Dinniss (n 5) 184 et seq.; see
also Schmitt (n 41) 380; Geiss (n 48) 639–40.
100
Claude Pilloud et al., Commentary on the Additional Protocols of 8 June 1977 to the
Geneva Conventions of 12 August 1949 (Nijhoff 1987) 636.
101
Cf. Art. 52(2) AP I; see also Schmitt (n 41) 381; crit. Droege (n 4) 567–8; Dinniss (n 5)
188–9.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
13 / Date: 24/3
JOBNAME: Tsagourias PAGE: 14 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
location, purpose, or use of the target,102 expressing a close nexus between the targeted
object and military action.103 Thus, the decision will always be context-related and on
a case-by-case basis. For example, if combat takes place in a per se civilian area but
civilian buildings like schools or churches are taken as cover by combatants or
insurgents, those buildings turn into military objectives;104 of course, absolute prohib-
itions, e.g. regarding medical establishments,105 must always be respected.106
Another question in this context is whether data can be considered a protected
object. The mainstream position that the term ‘objects’ only covers tangible and visible
objects and not data itself,107 takes a too traditional approach relying on the old
interpretation of the rule which had been developed when the possibility of cyber
attacks must have appeared as mere science fiction. From a modern perspective the
difference between physical and virtual objects becomes, at least in the cyber context,
blurred; therefore, data should, in principle, be covered by the protection.108 In any
case, pursuant to the effects approach one has to look at the overall harm caused
instead of the isolated physical damage.109
The key problem of the applicability of the principle of distinction is the intercon-
nectivity between military and civilian computer systems and the mostly dual-use of
cyber infrastructure.110 Dual-use objects serve both civilian and military purposes but,
as a matter of the law of armed conflict (i.e., a consequence of the principle of
distinction), an object is either of a civilian or military nature.111 In fact, as a rule,
dual-use objects are qualified as military objectives since they normally contribute to
military purposes, i.e., the first prong of the Article 52(2) AP I definition is fulfilled.112
However, the alleged military contribution must effectively be demonstrated and cannot
merely be presumed.113
102
Stefan Oeter, ‘Methods and Means of Combat’ in Fleck (n 13) mn. 442 (‘The formula
used constitutes a general criterion the existence of which can be judged in abstracto’).
103
Cf. Droege (n 4) 562.
104
Dörmann, ‘§ 11 VStGB’ in Joecks and Miebach, Münchener Kommentar zum Strafgesetz-
buch, (Vol. 8, 2nd ed, C.H. Beck 2013), mn. 54.
105
Cf. art 19 GC I, art 18 GC IV, art 12 AP I; see also arts 54–56 AP I.
106
For a comprehensive discussion of such prohibitions in our context see Dinniss (n 5) 220
et seq.; see also Dörmann (n 15) 6 et seq.
107
Tallinn Manual (n 6) 127.
108
In a similar vein Lubell (n 11) 267–8, 271; Melzer (n 27) 11; Melzer (n 4) 31 (both
considering data as ‘objects‘); Dinniss (n 5) 184–5 (focusing on the aim or purpose of an
operation).
109
In the same vein Schmitt (n 29) 96.
110
Melzer (n 4) 30; Droege (n 4) 539, 541; Tallinn Manual (n 6) 169; Turns (n 1) 296–7;
Hathaway and others (n 3) 852–3; Goldsmith (n 10) 134; Dinniss (n 5) 193–5.
111
Cf. Tallinn Manual (n 6) rule 39 and 134 (‘As a matter of law, status as a civilian object
and military object cannot coexist; an object is either one or the other’).
112
cf. ibid. (‘confirms that all dual-use objects and facilities are military objectives, without
qualification’); in the same vein Droege (n 4) 562–3.
113
Dominik Steiger, ‘Civilian objects’, in Rudiger Wolfrum (ed.) Max-Planck-Encyclopedia
of Public International Law (OUP 2008–2013) mn. 12 (‘In the majority of cases, dual-use
objects have to be considered military objectives. However, this is only true as long as the object
makes an effective contribution to military action by its nature, location, purpose and use and if
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
14 / Date: 24/3
JOBNAME: Tsagourias PAGE: 15 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Given that there is no clear-cut separation between civilian and military computer
systems, i.e., that any computer system can be used for both civilian and military
purposes at the same time or interchangeably, the distinction is ‘largely impossible’
and, therefore, the protection offered by the principle of distinction of a limited
practical importance.114 Of course, this also depends on the broader or narrower
reading of the principle and the particular circumstances of the case. In general, it
seems quite plausible to argue that a per se civilian computer system loses its civilian
status if it is used to support military ends.115 For example, if a conflict party uses a –
per se civilian – information system of a hospital to launch cyber attacks these
information systems turn into military objectives.116 It is more difficult to draw the line
if one refers to a whole cyber infrastructure, including the internet. As the military
relies to a large extent on civilian cyber infrastructure in all its operations,117 including
preparing and carrying out an attack, one may argue that this infrastructure per se –
including the IT companies providing and supporting it or even social networks like
Facebook or Twitter118 – makes an effective contribution to the military effort and thus
its destruction offers a definite military advantage.119 Still more broadly one could
argue that such a military use of civilian cyber infrastructure contaminates this
infrastructure to a degree that it turns into a military objective. In this vein, the Tallinn
expert group argues that in cases in which it is unclear, which internet connections are
used for military transmissions, the whole network qualifies as a military target.120 If
one goes even further and let it suffice – contrary to the view defended here – that the
military has the intent to use a civilian cyber infrastructure for military purposes in the
its destruction offers a definite military advantage in the circumstances ruling at the time.’);
ICRC Study I (n 96) 32 (‘As far as dual-use facilities are concerned … practice considers that
the classification of these objects depends, in the final analysis, on the application of the
definition of military objective.’); William J. Fenrick,’ Targeting and proportionality during the
NATO bombing campaign against Yugoslavia’ (2001) 12 E.J.I.L. 489, 494 (‘[It] is situation
dependent. … [Dual-use] objects may become military objectives in certain conflicts depending
on various factors, including the strategic objectives of the parties to the conflict and the degree
to which the conflict approaches total war.’). For a more nuanced view see also Robin Geiß and
Henning Lahmann, ‘Cyber warfare: Applying the principle of distinction in an interconnected
space’ (2012) 45(3) Israel L. Rev. 381, 389 (arguing that, in the physical world, most civilian
objects have no significant military potential and therefore cannot be used in a militarily
conducive way).
114
Geiß and Lahmann ibid. 383, 384–90; in the same vein Lucian E. Dervan‚ ‘Information
warfare and civilian population: How the law addresses a fear of the unknown’ (2011) 3
Goettingen J. Int’l. L. 373, 388; Droege (n 4) 541, 562–6.
115
Tallinn Manual (n 6) 28.
116
Cf. Lin (n 2) 526.
117
According to Dervan (n 114) 388, ‘it is estimated that 98 percent of all classified
governmental communications and 95 percent of all military communications in the United
States flow through civilian communication systems, not dedicated military networks.’
118
Cf. Tallinn Manual (n 6) 135–7; crit. Droege (n 4) 566–9.
119
Geiß and Lahmann (n 113) 386, 388–9.
120
Tallinn Manual (n 6) 135; cf. ibid (n 113) 388 et seq.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
future the whole civilian cyberspace would potentially constitute a legitimate military
target.121
A further consequence of the principle of distinction is the prohibition of indis-
criminate attacks,122 although they differ from direct attacks against civilian objects in
that the harm to the protected object does not matter to the attacker. It is questionable
whether this prohibition can be complied with at all in case of cyber attacks to the same
extent as in the case of traditional attacks. If, as argued above, a clear-cut separation
between civilian and military cyber infrastructure is not possible, an attack against a
cyber infrastructure can neither be considered clearly as an attack ‘directed at a specific
military objective’ (Art 51(4)) nor at a purely civilian object. Apart from that, the
means used in a cyber attack, for example a virus like in the Stuxnet attack against the
Iranian military installations, may not be sufficiently controllable, i.e., their effects
cannot be – by definition – reasonably limited and thus cannot be discriminate.123 If
this is the case the respective cyber attack qualifies as ‘method or means of combat the
effects of which cannot be limited’.124 In fact, as correctly asserted by Droege, there is
a twofold burden on the conflict parties: on the one hand, they may not employ cyber
weapons that are indiscriminate by nature and cannot be sufficiently controlled; on the
other hand, in each case of an attack the party has to verify whether the weapon
employed can be and is in fact directed against a specific military target.125
In sum, the principle of distinction could only play a greater role if civil and military
objects could be more clearly separated, for example by the creation of ‘digital safe
havens’ in analogy to demilitarized zones within the meaning of Article 60 AP I.126 As
the law currently stands the principles of proportionality and precaution, to be
discussed in the following, may prove to be more useful to limit cyber attacks.127
121
Geiß and Lahmann (n 113) 386; Pilloud and others (n 100) 636.
122
Cf. art 51(4) AP I:
Indiscriminate attacks are prohibited. Indiscriminate attacks are: (a) those which are not
directed at a specific military objective; (b) those which employ a method or means of
combat which cannot be directed at a specific military objective; or (c) those which employ
a method or means of combat the effects of which cannot be limited as required by this
Protocol; and consequently, in each such case, are of a nature to strike military objectives and
civilians or civilian objects without distinction.
See generally ICRC Study I (n 96), rules 11–13.
123
Boothby (n 15) 393–4; Beck (n 84) 169 called already more than ten years ago the
limited control with regard to the effects of a CAN the ‘most serious problem’; conc. Dörmann
(n 15) 5; see also Dinniss (n 5) 256–7 (discussing the issue under ‘indiscriminate weapons’).
124
Cf. art 51(4)(c) AP I.
125
Droege (n 4) 571.
126
For a critical discussion of this and other possibilities see Geiß and Lahmann (n 113)
383, 390–5; see also ibid. 576–7.
127
See also Tallinn Manual (n 6) Rule 39: ‘An attack on a military objective that is also used
in part for civilian purposes is subject to the principle of proportionality and the requirement to
take precautions in attack’; in the same vein Dervan (n 114) 388.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
128
See also Gill (Ch 17 of this book).
129
ICRC Study I (n 96), rule 14; Tallinn Manual (n 6) 159. See also Héctor Olásolo,
Unlawful Attacks in Combat Situations: From the ICTY’s Case Law to the Rome Statute (Nijhoff
2008) 155 et seq., 226 et seq., 256 et seq.; Helen Keller and Magdalena Forowicz; ‘A tightrope
walk between legality and legitimacy: An analysis of the Israeli Supreme Court’s judgment on
targeted killing’ (2008) 21(1) L.J.I.L. 189, 213 et seq.; Gerd Hankel, Das Tötungsverbot im
Krieg: Eine Intervention (Hamburger Edition 2011) 22 et seq.; Jason D. Wright, ‘”Excessive”
ambiguity: analysing and refining the proportionality standard’ (2012) 94 I.R.R.C. 819, 838 et
seq. (focusing especially on the ambiguous term ‘excessive’).
130
Cf. arts 22 and 23(e) Annex of the Hague Convention Respecting the Laws and Customs
of War on Land and Its Annex: Regulations Concerning the Laws and Customs of War on Land
(18 October 1907, entered into force 26 January 1910); art 35(1) and (2) AP I. See also Dinniss
(n 5) 252–6. For possible war crimes see art 8(2)(b)(iii), (x), (xx) (xxv) and (e)(xi).
131
Article 35(3) AP I; see also art 55 AP I (in relation to protected objects) and Boothby (n
15) 394. For a possible war crime see art 8(2)(b)(iv).
132
Article 51(5)(b) and 57(2)(a) (iii) and (b) AP I. For a possible war crime see art
8(2)(b)(iv).
133
Tallinn Manual (n 6) rule 51: ‘A cyber attack that may be expected to cause incidental
loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof,
which would be excessive in relation to the concrete and direct military advantage anticipated is
prohibited.’; see also Geiß and Lahmann (n 113) 395.
134
Boothby (n 15) 391–2.
135
Tallinn Manual (n 6) 160.
136
Geiß and Lahmann (n 113) 395–8, 398; see also Dervan (n 114) 389.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
civilian harm or damage, while not contravening the principle of distinction, would
have to be balanced against the anticipated military advantage.137
Of course, the proportionality test would only be able to counter the adverse effects
of the strict reading of the principle of distinction if the collateral or incidental damage
brought about by the per se lawful CNA, i.e., ‘loss of civilian life, injury to civilians,
damage to civilian objects, or a combination thereof,’138 would be interpreted
broadly.139 Thus, collateral damage should encompass both direct and indirect effects
of cyber attacks, i.e., the ‘immediate, first order consequences’ of the attack and ‘the
delayed and/or displaced second-, third- and higher-order consequences … created
through intermediate events or mechanisms.’140 In particular, as to incidental ‘damage
to civilian objects’ a broad and dynamic interpretation is called for, including a mere
loss of functionality of an attacked civilian object in the proportionality equation.141 For
the excessive evaluation one must try to determine as precisely as possible the adverse
effects of a CNA on civilian cyber activities and relate them to the military advantage
anticipated: ‘The question is whether the harm that may be expected is excessive
relative to the anticipated military advantage given the circumstances prevailing at the
time.’142 The military advantage is to be determined equally precise (‘concrete and
direct’),143 taking into account the attack as a whole144 and prospectively (‘antici-
pated’),145 i.e., the respective commander has, on the one hand, a ‘fairly broad margin
of judgment,’146 also with regard to the possible collateral damage, but, on the other
hand, faces a reasonableness test, i.e., his judgment must withstand a reasonableness
analysis taking the ‘reasonably well-informed person in the circumstances of the actual
perpetrator’ as the relevant standard.147 Of course, the uncertainty of the indirect
second, third etc. order effects of cyber attacks makes it very difficult, perhaps
impossible, for a commander to correctly anticipate the consequences of the attack.148
It remains controversial, as in traditional IHL, whether a particularly great military
137
See also Tallinn Manual (n 6) 160 with the example of an attack on the GPS.
138
Cf. art 51(5)(b) and 57(2)(a) (iii) and (b) AP I as well as Tallinn Manual (n 6) rule 51.
139
Geiß and Lahmann (n 113) 396–7.
140
Tallinn Manual (n 6) 160; see also ibid 396; Droege (n 4) 572–3; Boothby (n 15) 390,
395, 397–8, 401.
141
In this vein Geiß and Lahmann (n 113) 397–8; Geiss (n 48) 644–5. The Tallinn Manual
experts also agreed that a ‘deprivation of functionality’ may in certain circumstances be included
albeit explicitly excluding ‘de minimis damage’ (n 6, rule 30).
142
Tallinn Manual (n 6) 161; see also Boothby (n 15) 392.
143
Ibid. rule 51 (‘advantage … substantial and relatively close’, referring to ICRC,
Commentary AP, [2209]).
144
Cf. ibid. 162.
145
Ibid. rule 51 (‘assessment of the reasonableness of the determination at the time of the
attack … not to be applied with the benefit of hindsight’).
146
Ibid. 163 referring to ICRC, Commentary AP, para. 2210.
147
Prosecutor v. Galic (Judgment) ICTY-98-29-T (5 December 2003) [58]; see also Tallinn
Manual (n 6) 163 and Beck (n 84) 167 (military advantage ‘clear and obvious’ to the attacker).
148
On the uncertainty re the consequences see also Hathaway and others (n 3) 851; Dinniss
(n 5) 207–8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
18 / Date: 24/3
JOBNAME: Tsagourias PAGE: 19 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
advantage may outplay particularly serious or extensive damage, i.e., if a certain degree
of damage may pose absolute limits to the proportionality equation.149
149
In this vein Pilloud and others (n 100) [1980]; contra Tallinn Manual (n 6) 161.
150
See on its customary law status ICRC Study I (n 96), Rules 15–24.; see also Droege (n 4)
573 et seq.; from an US perspective Wright (n 132) 830–2.
151
Tallinn Manual (n 6) rule 52.
152
Ibid. rule 53; stressing this as the main problem Beck (n 84), 170–1; see also Dinniss
(n 5) 211–2.
153
Tallinn Manual ibid. rule 54 (‘choice of means and methods of warfare … with a view to
avoiding, and in any event to minimizing, incidental injury to civilians’) and rule 56 (choice of
targets with a view ‘to cause the least danger to civilian lives and to civilian objects’). See as
primary norm art 57(3) AP I; on this provision Dinniss (n 5) 216–7.
154
Tallinn Manual ibid. rule 58.
155
Droege (n 4) 573–4.
156
See Tallinn Manual (n 6) 169–70 with the example of inserting malware in a closed
military network in a way to minimize collateral damage.
157
Droege (n 4) 574; ibid. 166.
158
Tallinn Manual (n 6) 164; see also art 58 AP I (‘to the maximum extent feasible’) and
Dinniss (n 5) 211.
159
Cf. Tallinn Manual ibid. 169 with further references in (n 186).
160
Pilloud and others (n 100) 2230 (‘“all reasonable precautions” must be taken, which is
undoubtedly slightly different from and a little less far-reaching than the expression “take all
feasible precautions”’).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
19 / Date: 6/5
JOBNAME: Tsagourias PAGE: 20 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
attack; a more liberal view contends that such a mapping would not be reasonable since
the operation focuses on a target beyond land territory.161
As to the passive precautionary obligation to ‘remove’ civilian objects from military
objectives (Art. 58(a) AP I) the interconnectivity problem already mentioned above
makes this obligation in cyberspace difficult to fulfill: if the civilian and military
infrastructure is intimately connected or – even worse – the cyberspace is a classical
dual use structure it is practically impossible to comply with this obligation, i.e., it is
not ‘feasible’162 in the cyber context.163 Article 58(c) AP I requires ‘other necessary
precautions’ but they are, of course, also predicated upon the practical possibilities (‘to
the maximum extent feasible’).164 Thus, Article 58(c) is a ‘catch-all’ provision165 trying
to ensure protection of the civilian cyber infrastructure by other means than strict
separation, i.e., ‘to ensure a continuing cyber functionality’ with regard to critical
civilian infrastructure, for example by providing backups for power grids.166
161
Tallinn Manual (n 6) 165 according to which the majority of the experts took the more
liberal view; see also Dinniss (n 5) 217–9.
162
Article 58 AP I: ‘to the maximum extent feasible.’
163
Cf. Geiß and Lahmann (n 113) 392–4 therefore concluding that a segregation obligation
cannot be deduced from this provision; in the same vein Droege (n 4) 575 (‘hardly realistic’).
164
See also Tallinn Manual (n 6) rule 59; with discussion of practical limitations (‘feasibil-
ity’).
165
Ibid. 177.
166
Geiß and Lahmann (n 113) 395; in a similar vein Droege (n 4) 576.
167
See also Roscini (Ch 11 of this chapter).
168
This position is represented by Johnatan Ophardt, ‘Cyber warfare and the crime of
aggression: The need for individual accountability on tomorrow’s battlefield’ (2010) 3 Duke L. &
Tech. Rev. 3, 35; Noah Weisbord, ‘Conceptualizing aggression’ (2009) 20 Duke J. Comp. & Int’l
L. 1 [Weisbord, Conceptualizing aggression]; Noah Weisbord, ‘Judging aggression’ (2011) 50
Columbia J. Trans. L. 82 [Weisbord, Judging aggression]; Weissbrodt (n 4) 369; in a similar vein
Chance Cammack, ‘The Stuxnet worm and potential prosecution by the International Criminal
Court under the newly defined crime of aggression’ (2010) 20 Tulane J. Int’l. & Comp. L. 303.
169
Crit. Ambos (n 17) 203–4.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
20 / Date: 24/3
JOBNAME: Tsagourias PAGE: 21 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
8bis but, at best, their superiors, if they belong to the leadership level and can be held
responsible for the acts of the actual ‘cyber warriors.’
(a) ‘Act of Aggression’ Pursuant to Article 8 bis (2) lit.(a)–(g) ICC Statute?
170
This corresponds rather to ‘armed attack’ within the meaning of art 51 UN Charter than
the broader ‘use of force’ within the meaning of art 2(4) UN Charter (for a comparison Melzer
(n 4) 11–2).
171
Cf. Matthew Gillet, ‘The anatomy of an international crime: Aggression at the ICC’
(2013) 13 Int’l. Crim. L. Rev. 829, 838 (explicitly excluding ‘cyber warfare’).
172
Cf. Stefan Barriga, ‘Against the odds: The results of the Special Working Group on the
Crime of Aggression’, in Stefan Barriga, Wolfgang Danspeckgruber and Christian Wenawesser
(eds.), The Princeton Process on the Crime of Aggression – Materials of the Special Working
Group on the Crime of Aggression (Lynne Rienner Publishers 2003–2009) 10 (‘Suggestion were
made to include non-conventional means of aggression beyond the use of armed force, such as
cyber-attacks or economic embargoes’).
173
Cf. SWGCA, June 2008 Report (June 2008), in Assembly of States Parties to the Rome
Statute of the International Criminal Court, Official Records, Resumed 6th sess (June 2008)
ICC-ASP/6/20/Add.1, Annex II, para 35 <http://www.icc-cpi.int/iccdocs/asp_docs/ICC-ASP-6-
20-Add.1%20English.pdf> accessed 24 October 2013. See also Barriga (n 172) 10 (‘there was
no desire to open the proverbial can of worms, and the great majority of delegations considered
the limitation to the use of armed force as appropriate for the purpose of individual criminal
justice’).
174
Barriga (n 172) 10, fn. 44. See with regard to the art 2(4) threshold Michael Schmitt,
‘Cyber operations and the jus ad bellum revisited’ (2011) 56 Villanova L. Rev. 569, 576–7
(proposing a seven-factor test including severity, immediacy, directness, invasiveness, measur-
ability, presumptive legitimacy and responsibility); see also Melzer (n 4) 6 et seq.; Marco
Benatar, ‘The use of cyber force: Need for legal justification?’ (2009) 11 Goettingen J. Int’l. L.
376; Matthew C Waxman, ‘Cyber Attacks and the use of Force’ (2011) 36 Yale .J. Int’l. L. 421;
Michael Gervais, ‘Cyber attack and the laws of war’ (2012) 30 Berkeley J. Int’l. L. 525; crit.
Dinniss (n 5) 63–5. This test has also been adopted by the Tallinn Manual (n 6) 48–51; crit. in
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
21 / Date: 24/3
JOBNAME: Tsagourias PAGE: 22 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
provisions of the UN Charter, i.e., Article 2(4) referring to ‘use of force’ and Article 51
referring to an ‘armed attack,’175 as only encompassing military, but not political or
economic sanctions,176 does not contradict this broader approach since this approach
entails that a CNA may, under certain circumstances, amount to a military attack.
As to the listed acts only lit.(b) and (d) can possibly be fulfilled by a CNA. Lit.(b)
requires, in its second alternative, the ‘use of any weapons’ against State territory. If
one defines ‘weapons’ in a traditional sense, as is indeed suggested by the requirement
that it be directed ‘against the territory of another State,’ the typical tools to carry out a
CNA (e.g., by way of computer worms or viruses) would not be covered. Such a
narrow interpretation would however go against the more flexible approach of the ICJ
in the Nuclear Weapons opinion quoted above and there is indeed no convincing reason
to exclude a CNA from the provision if it causes the same or a similar damage as a
conventional weapon.177 In any case, lit.(d), requiring an ‘attack by the armed forces,’
allows for a more liberal interpretation, encompassing cyber attacks carried out by
members of the armed forces against the listed forces of another State. Indeed, a cyber
attack on a developed country, which relies heavily on computer networks to operate its
infrastructure (e.g., traffic control, water supply and the electrical grid) and its armed
forces (e.g., air defense systems, modern fighter jets, drones or communications
equipment) could lead to a partial or complete inoperability of the respective system.
Indeed, in terms of the outcome, it does not matter whether national armed forces are
inoperable due to strikes by ‘conventional’ armed force or due to a cyber attack.178
As to the second question, i.e., whether the list is exhaustive, it has been argued
elsewhere that this is the case.179 Of course, the issue has been controversial during the
this regard Kessler and Werner (n 6) 808–9 (arguing that this ‘stamps the uncertainties
surrounding the scope of the prohibition in the context of cyber attacks’).
175
For a thorough analysis and generally strict reading Dinniss (n 5) 37 et seq., 75 et seq.
176
Generally Albrecht Randelzhofer and Oliver Doerr, ‘Article 2 4)’, in Bruno Simma and
others (eds.) The Charter of the United Nations – A Commentary (Vol 1, 3rd edn., OUP 2012),
mn. 16–20; see in our context: Michael Schmitt, ‘Computer network attack and the use of force
in international law: Thoughts on a normative framework’, (1999) 37 Columbia J. Trans. L. 885,
905–908; Daniel B Silver, ‘Computer network attack as a use of force under Article 2(4) of the
UN Charter’ (2002) 76 Int’l. L. Studies 73, 80 et seq.; Hathaway and others (n 3) 842;
Weissbrodt (n 4) 358–60; Goldsmith (n 10) 133; see on the different scholarly approaches
Dinniss (n 5) 58 et seq.
177
Cf. Cammack (n 168) 322–3 (arguing that ‘many objectives for which armed force was
used in the past are now being realized through nonmilitary, nonforceful pressures’; with regard
to the Stuxnet attack against Iran he argues that according to subpara (b) ‘the allowance of any
weapons used against a territory will qualify’ focusing on ‘the damage or destruction caused’).
178
The only difference is a higher probability of casualties in cases of conventional attacks
(although a cyber-attack may also lead to fatalities, e.g., when it causes the total failure of a
fighter jet’s computer network in flight).
179
Ambos (n 17) 202. For the same view Gerhard Kemp, Individual Criminal Liability for
the International Crime of Aggression (Intersentia 2010) 236; Helmut Satzger, International and
European Criminal Law, (C.H. Beck 2012) 273; Schmalenbach, ‘Das Verbrechen der Aggression
vor dem Internationalen Strafgerichtshof: Ein politischer Erfolg mit rechtlichen Untiefen’ (2010)
65 Juristenzeitung 745, 748; Strapatsas, ‘Aggression’ in Schabas and Bernaz (eds.), The
Routledge Handbook of International Criminal Law (Routledge 2011) 155, 160; leaving it open.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
22 / Date: 6/5
JOBNAME: Tsagourias PAGE: 23 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
(b) Manifest violation of the UN Charter (Article 8 bis (1) ICC Statute)?
The threshold clause of Article 8bis(1) requires an ‘act of aggression which, by its
character, gravity and scale, constitutes a manifest violation of the Charter of the
United Nations’. It expresses the qualitative difference between an ‘act’ of aggression
which entails collective responsibility and a ‘crime’ of aggression which entails
individual (criminal) responsibility.186 Its purpose is to exclude minor incidents (e.g.
border skirmishes) or legally controversial cases (e.g. a humanitarian intervention) from
Werle/Jessberger (Principles) (n 13) mn. 1473; Andreas Paulus, ‘Second thoughts on the crime
of aggression’ (2009) 20 E.J.I.L. 1117, 1120 (‘it remains open whether the list is meant to be
exhaustive’).
180
Special Working Group on the Crime of Aggression, ‘June 2008 Report’ (June 2008)
ICC-ASP/6/20/Add. 1, Annex II, printed in: Barriga and Kreß (eds.), The Travaux Preparatoires
of the Crime of Aggression (CUP 2012) 602–14, 608; cf. Robert Heinsch, ‘The crime of
aggression After Kampala: Success or burden for the future?’ (2010) 2 Goettingen J. Int’l. L.
713, 723–4.
181
UNGA Res 3314 (14 December 1974) A/RES/3314, art 4 (explicitly declaring that the
list is not exhaustive and authorizing the Security Council to expand it).
182
Christoph Safferling, Internationales Strafrecht (Springer 2011), mn. 183.
183
Roger S. Clark, ‘Negotiating provisions defining the crime of aggression, its elements
and the conditions for ICC exercise of jurisdiction over it’ (2009) 20 E.J.I.L. 1103, 1105; Roger
S. Clark, ‘Amendments to the Rome Statute of the International Criminal Court considered at the
first Review Conference on the Court, Kampala, 31 May–11 June 2010’ (2010) 2 Goettingen J.
Int’l. L. 689, 696 (‘Clark, GoJIL 2010’); more ambiguously Claus Kreß, ‘Time for decision:
Some thoughts on the immediate future of the crime of aggression: A reply to Andreas Paulus’
(2009) 20 E.J.I.L. 1129, 1137 (‘‘semi-open’ at best […]’); Drew Kostic, ‘Whose crime is it
anyway? The International Criminal Court and the Crime of Aggression’ (2011) 22 Duke J.
Comp. & Int’l. L. 109, 129–130; Ophardt (n 168) 66; see also Heinsch (n 180) 713, 723–6;
Weisbord, Conceptualizing Aggression (n 168) 40.
184
On the nullum crimen principle see Ambos (n 16), 88–93. See also Barriga (n 172) 12;
ibid., ‘Negotiating the Amendments’, in Barriga and Kreß (n 180) 30–31.
185
Schmalenbach (n 179) 747–748; different: Weisbord, Conceptualizing Aggression (n 168)
40.
186
Cf. Ambos (n 17) 199; crit. of the distinction Ilich F Corredor, El Crimen de Agresión en
Derecho Penal Internacional (Universidad del Rosario 2012) 88–9.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
23 / Date: 15/5
JOBNAME: Tsagourias PAGE: 24 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
criminalisation.187 Thus, for example, the 2003 US-led invasion in Iraq, albeit consid-
ered by most international lawyers as an unlawful act of aggression,188 might not have
amounted to a crime of aggression due to the absence of a ‘manifest’ – i.e., from an
objective perspective quantitatively and qualitatively serious189 – ‘violation’ of the UN
Charter in light of the fact that a respectable scholarly view existed according to which
the invasion was justified, especially on the basis of Security Council Resolution 678 of
29 November 1990.190 As for cyber attacks this means that it is difficult to envisage an
attack which would be large and grave enough to amount to a manifest violation of the
Charter. Indeed, as discussed in the previous section, it is even disputed whether cyber
attacks constitute a simple violation of the Charter’s prohibition of the use of force (Art
2(4)) in the first place, especially because the effects approach cannot be employed
without more.
According to the Tallinn Manual a cyber operation constitutes use of force ‘when its
scale and effects are comparable to non-cyber operations rising to the level of a use of
force.’191 The ‘scale and effects’ depend, in turn, on a series of factors to be taken into
account.192 What clearly seems to follow from that is that a cyber operation ‘resulting
in damage, destruction, injury, or death is highly likely to be considered a use of
force,’193 i.e., more than mere economic or political coercion is required.194 Thus, if
one defines a CNA as causing death, injury or severe destruction to objects it amounts
to a use of force. However, it this attack further constitutes a manifest violation of the
Charter is an open question and depends on the specific circumstances of the case.
187
See SWGCA, ‘June 2005 Report’ (June 2005) ICC-ASP/4/32, Discussion Paper 3, No. 3,
reprinted in Barriga, Danspeckgruber and Wenaweser (n 172) 197; see also Barriga (n 172) 8;
Barriga (n 180) 29; Roger Clark, ‘Alleged aggression in Utopia’ in William Schabas, Yvonne
McDermot and Niamh Hayes (eds.), The Ashgate Research Companion to International
Criminal Law (Ashgate 2013) 66.
188
See Claus Kreß, ‘Strafrecht und Angriffskrieg im Licht des “Falles Irak”’ (2003) 115
Zeitschrift für die Gesamte Strafrechtswissenschaft 294, 313 et seq. with further references.
189
The term is certainly ambiguous, cf. Paulus (n 179) 1121; for an – not entirely
convincing – explanation see Kreß (n 183) 1137 et seq. The objective perspective is determined
by Element 3 of the Introduction to the Elements of Crimes to art 8bis ICC Statute.
190
Kreß (n 188) 331; critically Paulus (n 179) 1123.
191
Tallinn Manual (n 6) rule 11.
192
Cf. ibid. 48–50 (severity, immediacy, directness, invasiveness, measurability of effects,
military character, state involvement and presumptive legality).
193
Ibid. 48.
194
See also ibid. 46.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
24 / Date: 6/5
JOBNAME: Tsagourias PAGE: 25 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
to the distinction between civilians and combatants already discussed above with regard
to war crimes,195 the ‘widespread or systematic attack’ is the peculiar feature of crimes
against humanity. Insofar, the wording of Article 7(2)(a) ICC Statute implies that this
requirement has to be understood qualitatively, i.e., the ‘attack’ must always –
notwithstanding its predominantly ‘widespread’ or ‘systematic’ character – be based on
(‘pursuant to or in furtherance of ‘) a certain policy.196
As to cyber attacks this means that they must, first of all, be carried out pursuant to
a certain policy and, further, be widespread or systematic. The policy requirement
presupposes that such attacks are planned, organized, coordinated or at least tolerated
by a State or organization within the meaning of Article 7(2)(a) ICC Statute. If this is
the case the attack would normally also be qualified as ‘systematic.’197 While a loosely
organized group of hackers acting autonomously would not meet the organizational
requirement, organized armed groups within the meaning of IHL that take recourse to
methods of cyber warfare certainly would.198 If, further, the cyber attacks carried out by
a State or a sufficiently organized group caused severe and extensive damage, in the
sense of the examples given above, the attack could, arguably, also be qualified as
‘widespread.’ Such widespread or systematic cyber attacks may, finally, result in the
killing or extermination of civilian populations or even in one of the other underlying
acts of Article 7 ICC Statute. Of course, ultimately, the fulfilment of the elements of a
crime against humanity will depend on the circumstances of the concrete case.
5. CONCLUSIONS
Individual criminal liability for cyber attacks may rather be imposed for war crimes
than for a crime of aggression. Waging a ‘cyber war’ under violation of the ius ad
bellum will rarely lead to criminal liability for aggression under Article 8bis ICC
Statute, since it is rather difficult to envisage that a cyber attack amounts to an act of
aggression within the meaning of Article 8bis(2) ICC Statute, let alone to a manifest
violation within the meaning of Article 8bis(1) ICC Statute.
IHL applies to cyber attacks without further ado if such attacks are part of an
ongoing conflict. In the absence of such a conflict, the cyber attacks must themselves
be serious enough to pass the armed conflict threshold. This is the case if, following the
effects approach, a cyber attack causes considerable human and other damage, going
beyond mere sporadic and isolated incidents causing only inconvenience or the
temporary shutdown of computer systems. Cyber attacks producing such effects also
qualify as armed attacks within the meaning of Article 49(1) AP I. To qualify as a war
crime a cyber attack must be linked to an ongoing armed conflict. Attribution is
possible if the attacker can be identified and acts on behalf of a conflict party within
the meaning of IHL, i.e., either a State or an organized armed group. Cyber attacks of
less organized groups of individuals which do not qualify themselves as a conflict party
195
For a more restrictive interpretation of this element however Ambos (n 17) 63 et seq.
196
Cf. ibid. 63, 67 et seq.
197
Cf. ibid. 59–61.
198
On the respective dispute in the ICC’s Kenya decision see ibid. 72 et seq.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
25 / Date: 24/3
JOBNAME: Tsagourias PAGE: 26 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
may be attributed to such a party pursuant to the rules of State responsibility.199 For
‘pure’ civilian cyber participants the rules on the direct participation in hostilities apply.
As to the IHL principles governing the conduct of hostilities the principle of
proportionality appears to have the greatest capacity to limit harm to civilians and
civilian objects. In contrast, the principle of distinction is of little practical relevance
given the high interconnectivity between military and civilian computer systems and
the mostly dual-use of cyber infrastructure. The principle of precaution also guides the
conduct of cyber operations but it is itself limited by feasibility or reasonability
considerations. All in all IHL seems to be sufficiently broad and flexible enough to
accommodate the new developments with regard to cyber warfare.200 However, as the
effectivity of the rules often depends on their broad or restrictive interpretation, ‘more
stringent rules’ may prove necessary.201
Cyber attacks passing the armed conflict threshold may also constitute systematic or
widespread attacks within the meaning of Article 7 ICC Statute. In any case, they must
be carried out pursuant to a policy of a State or an organization within the meaning of
Article 7(2)(a) ICC Statute.
199
Supra (n 55).
200
In the same vein Dinniss (n 5) 28–9, 279.
201
In the same vein Droege (n 4) 540, 578.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
26 / Date: 24/3
JOBNAME: Tsagourias PAGE: 27 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter6 /Pg. Position:
27 / Date: 24/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
PART II
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 1
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 2
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 3 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
7. Cyber terrorism
Ben Saul and Kathleen Heath
1
UNODC, ‘The use of the Internet for terrorist purposes’ (2012) 11.
2
CTITF, ‘Countering the use of the Internet for terrorist purposes’ (Working Group
Report, CTITF Publication Series, February 2009).
3
Ibid. 6; Hamadoun Touré, ‘Cyberspace and the threat of cyberwar’ in Hamadoun Touré,
The Quest for Cyber Peace (International Telecommunications Union 2011), 7, 9–13; Darren
Pauli, ‘Hackers gain “full control” of critical SCADA systems’ (10 January 2014) IT News
<http://www.itnews.com.au/News/369200,hackers-gain-full-control-of-critical-scada-systems.aspx>
accessed 24 January 2014.
147
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 1
/ Date: 7/5
JOBNAME: Tsagourias PAGE: 4 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
The adjective ‘cyber’ should not, however, be taken to dilute the requirement that an
act also falls within the legal definition or category of terrorism itself. Cyber terrorism
is not a new form of terrorism, but merely a ‘new terrorist tactic’.4 This begs the
complex question of how ‘terrorism’ is defined or regulated in international law,
including the well-known disagreements over ‘state terrorism’ and terrorism by national
liberation movements. Not every interference with a computer system is cyber
terrorism; some interference may be mere cyber crime5 but not terrorism, while others
may be legitimate dissent protected by international human rights law.
Thus far there is no direct or specific international legal response to cyber terrorism,
such as a treaty defining, prohibiting or criminalising it. Instead, in large part cyber
terrorism falls to be residually addressed by existing international legal frameworks,
including the various international anti-terrorism treaties and norms. As discussed
below, for instance, some of the ‘sectoral’ treaties adopted since the 1960s and dealing
with particular manifestations of terrorism may cover certain instances of cyber
terrorism, even if not all facets are addressed.
In addition, all States bear a long-standing, general international law obligation to
diligently prevent and repress terrorist activities emanating from their territory and
directed towards harming other States, whether as prohibited interventions or uses of
force.6 Such obligation is not limited to any particular terrorist means or methods, but
extends to any acts capable of causing terrorist harm. The general international law
obligation is consequently flexible enough to confront new means of perpetrating
terrorism, including cyber attacks. The difficulty here is not the existence of a
normative standard but more practical matters such as proof of State responsibility for
a violation and securing a forum in which to vindicate rights.
Working out what comes within the ambit of cyber ‘terrorism’ also depends on
situating it within the spectrum of other ‘cyber’ harms, from cyber ‘crime’ to cyber
‘attack’, and their associated legal regimes.7 For instance, much discussion has focused
on whether a cyber attack may constitute a prohibited intervention, use of force (under
art 2(4) of the UN Charter) or an armed attack (under art 51 of the Charter) under the
international law on the use of force, including for the purpose of one State exercising
4
Peter Fleming and Michael Stohl, ‘Myths and realities of cyberterrorism’ in Alex P.
Schmid, Eithne Boland and Rebekah Grindlay (eds.), Countering Terrorism Through Inter-
national Cooperation (ISPAC 2001) 30.
5
See Kastner and Mégret (Ch 9 of this book).
6
United Nations General Assembly (UNGA), Declaration on Principles of International
Law concerning Friendly Relations and Cooperation among States in accordance with the
Charter of the United Nations, annexed to UNGA res 2625 (XXV) (1970), [2] (non-
intervention), [8]–[9] (non-use of force); reiterated in numerous UNGA resolutions on terrorism:
3034 (XXVII) (1972); 32/147 (1977), preamble; 34/145 (1979), preamble, [7]; 38/130 (1983),
[4]; 40/61 (1985), [6]; 42/159 (1987), [4], [5(a)]; 44/29 (1989), [3], [4(a)]; 46/51 (1991), [3],
[4(a)]; 49/60 (1994), [4], [5(a)]; 51/210 (1996), [5]; 52/165 (1997), [5]; 53/108 (1999), [5];
54/110 (2000), [5]; 55/158 (2001), [5]; 56/88 (2002), [5]; 57/27 (2003), [5]; 58/81 (2004), [5];
UNGA (60th Session), World Summit Outcome, UN Doc A/60/L.1 (20 September 2005), [86].
7
See Roscini (Ch 11 of this book) and Focarelli (Ch 12 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 2
/ Date: 7/5
JOBNAME: Tsagourias PAGE: 5 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
self-defence against another.8 There are related debates about the lawfulness of cyber
weapons or means or methods of warfare under international humanitarian law.9
At a more pedestrian level, certain regional instruments10 and many national laws
already address the wider category of cyber crime, which can variously encompass the
commission of any kind of offence by cyber means (from stalking to fraud or extortion
to terrorism), attacks on information systems, or the misuse of computer systems.11
General offences of cyber crime may obviate the need for a more specific cyber
terrorism offence, unless there are policy reasons (discussed further below) for
differentiating between different types of cyber harms and accordingly designating a
more elaborate palette of offences.
There is as yet no international treaty on cyber crime. However, the UN Convention
against Transnational Organized Crime 200012 enables transnational criminal
cooperation in relation to serious crimes under national law (meaning those punishable
by at least four years’ imprisonment) where the offence is transnational13 and an
organised group is involved. Such groups must be structured, involve three or more
people, exist for a period of time, and aim to commit serious crimes to obtain a
financial or other material benefit (art 2(a)).
In general, terrorism is often distinguishable from ‘ordinary’ transnational organised
crime for private profit because of the political or other ‘public’ motive underlying
terrorism. But it depends on how terrorism is defined; while some national laws include
a political motive element,14 many more do not.15 It can thus overlap with the category
8
Ibid.; see also Russell Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited
interventions?’ (2012) 17 J. Conflict & Sec. L. 211; Nicholas Tsagourias, ‘Cyber attacks,
self-defence and the problem of attribution’ (2012) 17 J. Conflict & Sec. L. 229; Johann-
Christoph Woltag, ‘Cyber warfare’ in Rüdiger Wolfrum (ed.), Max Planck Encyclopedia of
Public International Law (OUP 2010).
9
See Arimatsu (Ch 15 of this book); Gill (Ch 17 of this book); Michael Schmitt (ed.),
Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013); Michael
Schmitt, ‘Classification of cyber conflict’ (2012) 17 J. Conflict & Sec. L. 245; Yoram Dinstein,
‘The principle of distinction and cyber war in international armed conflicts’ (2012) 17 J. Conflict
& Sec. L. 261; David Turns, ‘Cyber warfare and the notion of direct participation in hostilities’
(2012) 17 J. Conflict & Sec. L. 279.
10
See, e.g., Council of Europe Convention on Cybercrime, adopted 23 November 2001,
CETS 185 (entered into force 1 July 2004) (discussed further below); EU Framework Decision
2005/222/JHA on Attacks against Information Systems (24 February 2005) OJ L69/67.
11
See Kastner and Mégret (Ch 9 of this book).
12
Adopted 15 November 2000, 2225 UNTS 209 (entered into force 29 September 2013).
13
An offence is transnational where it is committed in more than one State; or a substantial
part of it is prepared, planned, directed or controlled in another State; or it is committed in one
State but the criminal group has activities elsewhere, or the crime has substantial effects
elsewhere: art 3.
14
As in the UK, Canada, Australia, South Africa and New Zealand: see Ben Saul, ‘The
curious element of motive in definitions of terrorism: Essential ingredient or criminalizing
thought?’ in Andrew Lynch, Edwina MacDonald and George Williams (eds.), Law and Liberty in
the War on Terror (Federation Press 2007) 28.
15
See the numerous national laws cited in UN Special Tribunal for Lebanon (Appeals
Chamber), Interlocutory Decision on the Applicable Law: Terrorism, Conspiracy, Homicide,
Perpetration, Cumulative Charging, STL-11-01/I, 16 February 2011, [106].
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 3
/ Date: 7/5
JOBNAME: Tsagourias PAGE: 6 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
16
These activities formed the focus of the UNODC (n 1). Information and communication
technology can also be incorporated into the execution of a conventional attack which is not
strictly a cyber attack. For example, to coordinate and execute the shooting and bombing attacks
in Mumbai, India in 2008, terrorists used technology including Global Positioning System (GPS)
equipment, mobile phones, satellite imagery and voice-over-Internet-protocol phone numbers:
Emily Wax, ‘Mumbai attackers made sophisticated use of technology’ (3 December 2008)
Washington Post <http://www.washingtonpost.com/wp-dyn/content/article/2008/12/02/AR20081
20203519.html> accessed 29 August 2014.
17
Fleming and Stohl (n 4) 38.
18
UNSC res 1624 (14 September 2005) UN Doc S/RES/1624 para 1(a).
19
The Terrorist Financing Convention makes it an offence to provide or collect funds with
the intention or knowledge that they be used to carry out a terrorist offence.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 4
/ Date: 7/5
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
networks and individuals in Europe’.20 However, such conduct does not constitute
cyber terrorism as such,21 that is, the commission of terrorist acts by cyber means or
against cyber targets.
Security Council resolution 1373 (2001) also requires States to ‘find ways of
intensifying and accelerating the exchange of operational information, especially
regarding use of communications technologies by terrorist groups’.22 This has been
supplemented by the unanimous adoption in the General Assembly of the 2006 UN
Global Counter-Terrorism Strategy, in which States resolved to ‘coordinate efforts at
the international and regional levels to counter terrorism in all its forms and manifes-
tations on the Internet’.23 In support of this resolution, the UNCTITF established a
Working Group on Countering the Use of the Internet for Terrorist Purposes. The Task
Force produced, in collaboration with the UNODC, valuable research about the use of
the Internet for terrorist purposes.24 However, this work has yet to yield any standards
of a ‘norm-creating character’25 that could eventually establish soft or hard law
obligations for States.
This chapter focuses on criminal law responses to cyber terrorism, including through
the existing sectoral treaties, the proposed Draft UN Comprehensive Terrorism Conven-
tion, customary international criminal law, and in regional and selected domestic
criminal laws. It considers the adequacy of the existing international legal framework,
including by comparison with regional and domestic initiatives and in the light of
policy discussions in UN fora. It concludes by asking whether it is necessary or
desirable for the international community to take more direct legislative action against
cyber terrorism, or whether it is sufficient to rely upon the patchwork of general norms
on terrorism and cyber crime.
20
EU Framework Decision 2008/919/JHA amending EU Framework Decision 2002/475/
JHA [28 November 2008], OJ L330, para. 4.
21
See Kalliopi Koufa, Special Rapporteur on Terrorism and Human Rights, ‘Progress
Report’ (27 June 2001) UN Doc E/CN.4/Sub.2/2001/31, 27 [99].
22
UNSC res 1624 para. 3(a).
23
(20 September 2006) UN Doc A/Res/60/288 para. II(12)(a).
24
See UNODC (n 1); CTITF (n 2).
25
North Sea Continental Shelf Cases (Federal Republic of Germany v Denmark; Federal
Republic of Germany v Netherlands [1969] ICJ Rep. 3 42.
26
See, e.g., Convention on Offences and Certain Other Acts Committed on Board Aircraft,
adopted 14 September 1963, 704 UNTS 219 (entered into force 4 December 1969); Convention
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 5
/ Date: 7/5
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
terrorism.27 Such treaties typically require States parties to criminalise certain conduct,
establish extraterritorial jurisdiction over it, and cooperate by prosecuting or extraditing
suspected offenders.
This pragmatic, functional approach enabled the repression of common terrorist
methods while sidestepping the irreconcilable problem of defining ‘terrorism’, espe-
cially during the Cold War when States were unable to agree on the legitimacy of
violence by self-determination movements or State forces. Such an approach was
necessary because it was the only achievable one at the time. This is not, however, an
entirely satisfactory means of regulating the criminal aspects of terrorism.
Because the sectoral treaties were adopted in an ad hoc and reactive fashion, they do
not comprehensively suppress all possible terrorist methods, or even the most com-
monly used ones, and they do not protect all conceivable civilian objects. The treaties
only criminalise violence by terrorists in specific contexts or by particular methods, and
thus fail to prohibit the terrorist killings of civilians by any means or method. Just as
there is no treaty addressing terrorist acts by use of small arms, biological or chemical
toxins, or against public infrastructure or places, there is no treaty on cyber terrorism.
This is despite the great importance of computer networks and electronic infrastructure
to the working of modern economies and societies. The negotiation of new treaties is
typically stimulated by the occurrence of a major attack utilising the means in question.
A serious cyber terrorist attack may thus be the stimulus necessary for political interest
and legal action.
It is unlikely that the drafters of most of the sectoral treaties anticipated the threat of
cyber terrorism. Most of the treaty offences are squarely aimed at physical attacks on
protected targets or by prohibited means. Even so, the offences in some of the treaties
may be sufficiently broad to encompass at least some cyber attacks, particularly where
for the Suppression of Unlawful Seizure of Aircraft, adopted 16 December 1970, 860 UNTS 105
(entered into force 14 October 1971); Convention on the Prevention and Punishment of Crimes
against Internationally Protected Persons, including Diplomatic Agents, adopted 14 December
1973, 1035 UNTS 167 (entered into force 20 February 1977); International Convention against
the Taking of Hostages, adopted 17 December 1979, 1316 UNTS 205 (entered into force 3 June
1983); Convention for the Suppression of Unlawful Acts against the Safety of Maritime
Navigation, adopted 10 March 1988, 1678 UNTS 221 (entered into force 1 March 1992);
Protocol for the Suppression of Unlawful Acts against the Safety of Fixed Platforms Located on
the Continental Shelf, adopted 10 March 1988, 1678 UNTS 304 (entered into force 1 March
1992); Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation,
adopted 23 September 1971 (entered into force 26 January 1973); Protocol on the Suppression
of Unlawful Acts of Violence at Airports Serving International Civil Aviation, adopted 24
February 1988, 974 UNTS 177 (entered into force 6 August 1989); Convention on the Marking
of Plastic Explosives for the Purpose of Detection, adopted 1 March 1991 (entered into force 21
June 1998); International Convention for the Suppression of Terrorist Bombings, adopted 15
December 1997 by UN General Assembly Resolution 52/164 (1997), 2149 UNTS 256 (entered
into force 23 May 2001); International Convention for the Suppression of the Financing of
Terrorism, adopted 9 December 1999 by UN General Assembly Resolution 54/109, 2178 UNTS
229 (entered into force 10 April 2002); International Convention for the Suppression of Acts of
Nuclear Terrorism, adopted 13 April 2005 by UN General Assembly Resolution 59/290 (2005)
(entered into force 7 July 2007).
27
See Ben Saul, Defining Terrorism in International Law (OUP 2006) Ch 3.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 6
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
the offences are defined by the harm resulting and contemplate any, rather than only
enumerated, means. For example, under the Convention on Unlawful Acts of Violence
at Airports 1988, the offence of destroying or seriously damaging the facilities of an
airport, or disrupting the service of an airport, can be committed ‘using any device,
substance or weapon’.28
Moreover, the Convention on Acts of Nuclear Terrorism 2005 prohibits the use or
damage of a nuclear facility in a manner which releases, or risks the release of,
radioactive material.29 (There is no further requirement that such acts coerce a
government and the offence can be committed by any person.) Such use or damage
could conceivably arise by cyber means. The ‘Stuxnet’ computer worm attack on
Iranian uranium enrichment centrifuges in 2010, allegedly committed by the US and
Israel, is a case in point. Information is limited and it is unknown whether radiation
was released or risked being released. Regardless, it is evident that cyber damage to
nuclear facilities (whether reactors, enrichment installations, or storage depots) is
possible in principle and may risk releasing radioactive material.
Some of the offences under the Convention for the Suppression of Unlawful Acts
against the Safety of Civil Aviation 1971 may extend to cyber acts. For instance, it is an
offence to damage or interfere with navigational facilities if it is likely to endanger the
safe flight of an aircraft.30 Such interference could conceivably be caused by remote
electronic interference with certain facilities vulnerable to it. It is also an offence to
knowingly communicate false information if that is likely to endanger flight safety,31
which again could be occasioned by Internet-based communications technologies.
Similar offences to both of these exist in relation to the safe navigation of ships under
the Maritime Safety Convention 1988.32
Most offences in the sectoral treaties are, however, less likely to cover cyber acts
because they generally require some element of physical attack. This is described in
such terms as ‘violence’ against a person on an aircraft, ship or fixed maritime
platform;33 ‘destroying’ or ‘damaging’ an aircraft, ship or fixed platform;34 seizing or
controlling an aircraft (but only by a person on board), ship or fixed platform by
28
Protocol on the Suppression of Unlawful Acts of Violence at Airports Serving Inter-
national Civil Aviation (n 26) art II.
29
International Convention for the Suppression of Acts of Nuclear Terrorism (n 26) art
2(1)(b).
30
Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation
(n 26) art 1(d).
31
Ibid. art 1(e).
32
Convention for the Suppression of Unlawful Acts against the Safety of Maritime
Navigation (n 26) art 3(e) and (f) respectively.
33
Respectively, Convention for the Suppression of Unlawful Acts against the Safety of
Civil Aviation (n 26) art 1(a); ibid. art 3(b); Protocol for the Suppression of Unlawful Acts
against the Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(b).
34
Respectively, Convention for the Suppression of Unlawful Acts against the Safety of
Civil Aviation (n 26) art 1(b); Convention for the Suppression of Unlawful Acts against the
Safety of Maritime Navigation (n 26) art 3(c); Protocol for the Suppression of Unlawful Acts
against the Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(c).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 7
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
35
Respectively, Convention for the Suppression of Unlawful Seizure of Aircraft (n 26) art
1(a); Convention for the Suppression of Unlawful Acts against the Safety of Maritime
Navigation (n 26) art 3(a); Protocol for the Suppression of Unlawful Acts against the Safety of
Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(a).
36
Respectively, Convention for the Suppression of Unlawful Acts against the Safety of
Maritime Navigation (n 26) art 3(g); Protocol for the Suppression of Unlawful Acts against the
Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(g).
37
Respectively, Convention for the Suppression of Unlawful Acts against the Safety of
Civil Aviation (n 26) art 1(c); Convention for the Suppression of Unlawful Acts against the
Safety of Maritime Navigation (n 26) art 3(d); Protocol for the Suppression of Unlawful Acts
against the Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(d).
38
Convention on the Prevention and Punishment of Crimes against Internationally Pro-
tected Persons, including Diplomatic Agents (n 26) art 2. Protected persons include heads of
state or government, ministers and diplomats.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
transport, or in an infrastructure facility, with the intent to cause death or serious injury
or extensive destruction resulting in major economic loss.39 Cyber acts are clearly not
explosives (though explosives can of course be detonated remotely by electronic
means). An ‘other lethal device’ is defined as one designed or capable of causing death,
serious injury or substantial material damage through the release, dissemination or
impact of toxic chemicals, biological agents or toxins, radiation, or similar substances.
That definition is plainly restricted to certain dangerous physical objects and does not
extend to cyber means alone, absent the presence of an explosive or lethal object; a
computer cannot kill a person.
39
International Convention for the Suppression of Terrorist Bombings (n 26) art 2(1).
40
See Saul (n 27).
41
UNGA, Measures to Eliminate International Terrorism: Working Group Report (29
October 2001) UN Doc A/C.6/56/L.9, annex I, 16 (informal Coordinator texts).
42
Ancillary offences are found in ibid. 16 (arts 2(2), (3) and (4)(a)–(c)).
43
UN Special Tribunal for Lebanon (Appeals Chamber), Interlocutory Decision on the
Applicable Law: Terrorism, Conspiracy, Homicide, Perpetration, Cumulative Charging, STL-11-
01/I, 16 February 2011, para. 85:
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position: 9
/ Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
a customary crime remains much doubted.44 In this respect the Draft Convention
diverges from UN Security Council resolution 1566 (2004), which limits the Council’s
(non-binding) conception of terrorism to acts which are already offences under the
sectoral treaties.45
The Draft Convention definition could thus include, for instance, cyber attacks
against computer systems which control critical public infrastructure such as transport
networks (air, rail, road or sea), water and sewage, or energy supplies (such as
electricity or gas distribution networks). But it would also encompass cyber attacks
causing serious harm to private property, such as the deletion or manipulation of
economic information relating to banking, stock holdings and the like.
In addition, the definition explicitly safeguards certain cyber or cyber-related objects
which may be the target of terrorist attacks (whether by physical or cyber means).
Under article 2(1), ‘property’ expressly includes ‘a place of public use, a State or
government facility, a public transportation system, an infrastructure facility … or the
environment’.46 In turn an ‘infrastructure facility’ is defined in article 1(3) to include
‘communications, telecommunications and information networks’.
Thus an act which causes ‘serious damage’ (whether temporary or permanent) to a
public or private computer, communications or other electronic systems, whether public
or private, is a terrorist offence, whether the damage is inflicted by conventional
physical means (such as setting on fire a building containing computer servers) or
computer-based interference (such as planting a destructive virus). Such an act is an
offence even if the serious damage to a computer system does not have the further
effect of damaging any ‘real world’ property or objects which some computer systems
are capable of controlling.
The definition in the Draft Convention does, however, contain a number of necessary
limitations. Acts must cause death or personal injury, ‘serious’ property damage, or
(i) the perpetration of a criminal act (such as murder, kidnapping, hostage-taking, arson, and
so on), or threatening such an act; (ii) the intent to spread fear among the population (which
would generally entail the creation of public danger) or directly or indirectly coerce a
national or international authority to take some action, or to refrain from taking it; (iii) when
the act involves a transnational element.
See also R v Mohammed Gul [2012] EWCA Crim 280.
44
Ben Saul, ‘Legislating from a radical Hague: The UN Special Tribunal for Lebanon
invents an international crime of transnational terrorism’ (2011) 24 L.J.I.L. 677; Kai Ambos,
‘Judicial creativity at the Special Tribunal for Lebanon: Is there a crime of terrorism under
international law?’ 24 L.J.I.L. 655; Stefan Kirsch and Anna Oehmichen, ‘Judges gone astray:
The fabrication of terrorism as an international crime by the Special Tribunal for Lebanon’
(2001) 1 Durham L. Rev. 32.
45
UNSC res 1566 (8 October 2004) UN Doc S/RES/1566, para. 3:
criminal acts, including against civilians, committed with the intent to cause death or serious
bodily injury, or taking of hostages, with the purpose to provoke a state of terror in the
general public or in a group of persons or particular persons, intimidate a population or
compel a government or an international organization to do or to abstain from doing any act,
which constitute offences within the scope of and as defined in the international conventions
and protocols relating to terrorism.
46
Measures to Eliminate International Terrorism: Working Group Report (n 41) art 2(1)(b).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
‘major economic loss’. While the parameters of ‘serious’ property damage are
somewhat slippery, it indicates that minor damage caused by cyber attacks is excluded.
It is right that cyber attacks that merely ‘disrupt nonessential services or that are mainly
a costly nuisance’ ought to be treated as cyber crime rather than terrorism.47 A former
UN Special Rapporteur on Terrorism and Human Rights emphasised that the label of
cyber terrorism should be reserved for acts intended to cause ‘disruption or destruction
sufficient enough to terrorize the population’.48
Thus ‘hacktivists’ who engage in ‘electronic civil disobedience’,49 such as the global
group Anonymous, would not usually cause sufficient harm to life or property to be
classified as committing terrorist acts. Common hacktivist operations include taking
control of and defacing websites; distributing computer worms or viruses; overloading
a server with external communications requests to prevent it processing legitimate
internet traffic (a ‘denial of service attack’); or using automated programs to bombard
a target with thousands of emails (an ‘email bomb’).50
It remains possible, however, that such activities cause serious economic harm, such
as where corporate websites are disabled resulting in the loss of revenue. An example is
Anonymous’ ‘Operation Avenge Assange’, which targeted payment entities (such as
Paypal and credit card companies) which had bowed to US pressure to refuse to
process donations to Wikileaks.51 Such attacks were instrumentally designed to coerce
corporate and government behaviour. Such acts would not usually, however, be
regarded as ‘terrorism’ in the popular consciousness, illustrating the potential overreach
of the Draft Convention definition.
Even hacking techniques used by terrorist groups will not amount to cyber terrorism
where they do not cause serious damage to persons or property. One example of the use
of these techniques by a terrorist group involved the Liberation Tigers of Tamil Eelam
(LTTE) sending around 800 emails a day to Sri Lankan embassies around the world in
1997.52 The emails read: ‘We are the Internet Black Tigers and we’re doing this to
disrupt your communications’. Embassy networks were disabled for two weeks.
Although sending a strong and intimidatory political message, such disruption should
not be considered an act of cyber terrorism, since it did not harm people or ‘seriously’
damage property. However, if a similar attack disrupted a critical service, such as
emergency medical communications,53 resulting in serious harm, liability for terrorism
could be appropriate.
47
Dorothy Denning, ‘Cyberterrorism’ (Testimony before the Special Oversight Panel on
Terrorism, Committee on Armed Services, US House of Representatives, 23 May 2000).
48
Koufa (n 21) 28 [101].
49
Dorothy Denning, ‘Activism, hactivism and cyberterrorism: The Internet as a tool for
influencing foreign policy’ in John Arquilla and David Ronfeldt (eds.), Networks and Netwars:
The Future of Terror, Crime and Militancy (RAND 2001) 263.
50
Ibid. 263–80.
51
Mark Townsend and others, ‘WikiLeaks backlash: The first global cyber war has begun,
claim hackers’ (12 December 2010) Guardian http://www.theguardian.com/media/2010/dec/11/
wikileaks-backlash-cyber-war accessed 29 August 2014.
52
See Yvonne Jewkes and Majid Yar, Handbook of Internet Crime (Routledge 2013) 198–9.
53
An example provided by Koufa (n 21) para. 101.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
11 / Date: 24/3
JOBNAME: Tsagourias PAGE: 14 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
For similar reasons, State-sponsored cyber attacks which do not cause serious harm
also fall outside the ambit of the Draft Convention offences. One example is attacks on
western government and corporate websites by the Free Syrian Army (aligned with the
Assad regime in Syria).54 Another example is the activities of PLA Unit 61398, a
Chinese Government military unit which has launched cyber attacks on foreign
governments and companies.
A further important limitation in the Draft Convention’s definition of terrorism is that
the purpose of an act must be ‘to intimidate a population, or to compel a Government
or an international organization to do or abstain from doing any act’. A similar ‘special
intent’ element is found in the UN Security Council’s guideline definition of terrorism
in resolution 1566 (2004) and in the purported customary international law crime of
transnational terrorism recognised by the UN Special Tribunal for Lebanon in 2011.55
The Security Council definition suggests a third alternative intent element, ‘the purpose
to provoke a state of terror in the general public or in a group of persons or particular
persons’,56 although that standard is not so different from the other element of
intimidating a population.
Cyber attacks which do not aim to intimidate a population or compel a government
or international organisation will therefore not qualify as terrorism under the Draft
Convention. To some extent this excludes acts which are privately motivated or
narrowly targeted, although it is still possible for perpetrators motivated by private ends
(such as money or revenge, rather than political aspirations) to intimidate populations
or coerce governments. (An example might be hacktivists who extort money from a
government or corporation in exchange for ceasing to damage public or private
property respectively.) The Draft Convention does not additionally require proof of a
political, religious or ideological motive underlying acts designed to intimidate a
population or compel a government. As such, its definition is broader and captures
wider conduct as terrorism than certain common law crimes of terrorism which also
require a political motive.57
An ambiguous but illustrative example is the cyber attack by Vitek Boden in
Queensland, Australia in 2000 (putting aside for present purposes the fact that the
example is purely domestic and involves no transnational element). Driven by a ‘desire
for vengeance’ against his former employer (a local government council which had
terminated his employment),58 Boden used radio equipment and a computer to issue
commands to sewage equipment in the local council area. He caused 800,000 litres of
raw sewage to be released into local parks, rivers, and the grounds of a hotel, causing
substantial environmental damage. After at least 46 such attacks, Boden was arrested
by police officers and convicted of multiple counts of ‘using a restricted computer with
the consent of its controller thereby intending to cause detriment or damage’.59
54
‘Microsoft in more hacking misery’ (21 January 2014) BBC News <http://www.bbc.
co.uk/news/technology-25825781> 29 August 2014.
55
UN Special Tribunal for Lebanon (Appeals Chamber) (n 43) para. 85.
56
UNSC res 1566 (8 October 2004) UN Doc S/RES/1566 para. 3.
57
Saul, (n 14).
58
R v Boden [2002] QCA 164 para. 48.
59
Criminal Code Act 1899 (Qld), s 408E(1) (‘Computer hacking and misuse’); ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
12 / Date: 7/5
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
60
Committee on Freedom of Association, Case No 1913 (Panama), Report No 309 (March
1998) 112.
61
Peter Ker and Ben Cubby, ‘Environmentalist’s hoax triggers $314m Whitehaven share
price fall’ (8 January 2013) Sydney Morning Herald <http://www.smh.com.au/business/
environmentalists-hoax-triggers-314m-whitehaven-share-price-fall-20130107-2cd11.html> ac-
cessed 29 August 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
13 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
arguably intended (in part) to compel the government to revoke its approval of the coal
mine.62 Yet, such an act of environmental protest is far from regarded as ‘terrorist’ in
the popular imagination, even if it may transgress ordinary domestic criminal law. The
hoaxer was actually charged with making a false and misleading statement under
domestic corporations law.63
The above example illustrates the difficulty that even an apparently tightly drafted
definition of terrorism – limited to serious harms committed for prohibited instrumental
purposes – is still likely to capture some non-terrorist conduct. It suggests that good
sense is needed in the selection of charges in the exercise of prosecutorial discretion –
an obvious point, but one necessary to reiterate in a world where too many national
authorities abuse their legal systems to settle political scores. It may further demon-
strate that a ‘carve out’ provision for democratic protest or dissent, which does not
cause personal injury, should be tacked on to the definition of terrorism in the Draft
Convention, just as Australia has done in its federal offence of terrorism.64
While the definition of terrorism in the Draft Convention was settled reasonably
quickly, stimulated by the attacks of 9/11, disagreement remains over its scope of
application to certain non-State and State violence.65 Those disagreements are also
relevant to the regulation of cyber terrorism. Presently the Draft Convention excludes
from its scope the activities of State and non-State armed forces in armed conflict
covered by international humanitarian law66 (even if debate remains about which
groups come within the meaning of armed forces). Thus, cyber attacks by armed forces
in armed conflict cannot be characterised as cyber terrorism.
That does not mean that such forces are free to attack civilians by cyber means or to
destroy cyber targets without impediment. The usual rules of humanitarian law apply,
including the principles of distinction and proportionality and avoidance of weapons
62
The hoaxer asserted that civil disobedience was necessary because the community was
locked out of the approval process and there are few legitimate avenues to protect the
environment: ‘Anti-coal activist Jonathan Moylan granted bail over Whitehaven share hoax’ (23
July 2013) ABC News <http://www.abc.net.au/news/2013-07-23/activist-given-bail-over-
whitehaven-share-hoax/4837432> accessed 29 August 2014.
63
Leo Shanahan, ‘Jonathan Moylan’s Whitehaven hoax case to go to the Supreme Court’
(24 September 2013) The Australian <http://www.theaustralian.com.au/business/mining-energy/
jonathan-moylans-whitehaven-hoax-case-to-go-to-supreme-court/story-e6frg9df-1226726171306
?nk=1ae56ee488f58ce954304122f5fd5f39> accessed 29 August 2014.
64
Criminal Code Act 1995 (Cth), s. 100.1(3).
65
See Measures to Eliminate International Terrorism: Working Group Report (n 41) annex
II 7–8. Little headway was made between 2003 and the present (2014), despite the urgings of
high level UN reports and world leaders’ meetings: United Nations High-Level Panel on Threats,
Challenges and Change, A More Secure World: Our Shared Responsibility (2004); UN
Secretary-General, In larger freedom: Towards development, security and human rights for all
(21 March 2005) UN Doc A/59/2005; Club of Madrid, ‘The Madrid Agenda’ (International
Summit on Democracy, Terrorism and Security, 11 March 2005); 2005 World Summit Outcome
(24 October 2005) UN Doc A/RES/60/1 paras 83–84.
66
Measures to Eliminate International Terrorism: Working Group Report (n 41) art 20(2).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
14 / Date: 7/5
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
67
Hans-Peter Gasser, ‘Acts of terror, “terrorism” and international humanitarian law’ (2002)
84 I.R.R.C. 547. See also Bannelier-Christakis (Ch 16 of this book) and Gill (Ch 17 of this
book).
68
Schmitt, Tallinn Manual (n 9) rule 36. This was based on art 51(2) of Protocol Additional
to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of
International Armed Conflicts, adopted on 8 June 1977, 1125 UNTS 3 (entered into force 7
December 1978), and art 13(2) of Protocol Additional to the Geneva Conventions of 12 August
1949, and Relating to the Protection of Victims of Non-international Armed Conflicts, adopted
on 8 June 1977, 1125 UNTS 609 (entered into force 7 December 1978).
69
Prosecutor v Galic, ICTY-98-29-T (5 December 2003) paras 65–66; affirmed in
Prosecutor v Galic (Appeals Chamber Judgment), IT-98-29-A (30 November 2006) paras 87–90.
See also Ben Saul, ‘Crimes and prohibitions of “terror” and “terrorism” in armed conflict:
1919–2005’ (2005) 4 J. of the Int’l L. of Peace and Armed Conflict 264. See Gasser (n 67).
70
Measures to Eliminate International Terrorism: Working Group Report (n 41) art 20(3).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
71
The Convention has been ratified by 41 countries in total. Non-members who have
ratified include Australia, Japan and the US.
72
EU Framework Decision 2005/222/JHA (n 10).
73
ASEAN Convention on Counter Terrorism 2007 art VI(1)(j).
74
Ibid. art II.
75
Committee of Experts on Terrorism (CODEXTER), Opinion for the Attention of the
Committee of Ministers on Cyberterrorism and the Use of Internet for Terrorist Purposes
(2008) 2.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
16 / Date: 7/5
JOBNAME: Tsagourias PAGE: 19 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
76
Ibid. 3.
77
Ibid. 2.
78
Arab Convention on the Suppression of Terrorism, adopted 22 April 1998 (entered into
force 7 May 1999).
79
Organisation of the Islamic Conference Convention on Combating International Terror-
ism, adopted 1 July 1999 (entered into force 7 November 2002).
80
Shanghai Cooperation Organisation Convention on Combating Terrorism, Separatism and
Extremism, adopted 15 June 2001 (entered into force 29 March 2003).
81
EU Framework Decision on Combating Terrorism (2002/475/JHA), 13 June 2002, OJ
L164/3, 22 June 2002, entered into force 22 June 2002; see Ben Saul, ‘International terrorism as
a European crime: The policy rationale for criminalization’ (2003) 11 Eur. J. of Crime, Criminal
L. and Crim. Jus. 323.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
17 / Date: 7/5
JOBNAME: Tsagourias PAGE: 20 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
hoc and partial approach of the sectoral treaties. If the Draft Convention remains in
stasis, however, there are stronger reasons for a cyber terrorism treaty. Likewise, if
there remains no instrument on cyber crime generally, there is a stronger case for a
cyber terrorism specific instrument to combat that narrow type of cyber crime. The
issue is partly therefore which instrument will be developed first to plug the common
normative gaps.
The necessity of pursuing a cyber terrorism instrument partly depends also on
extra-legal policy considerations about the gravity and likelihood of the threat. Opinion
is divided over whether terrorist groups have the capacity or motivation to commit
cyber terrorism.82 To date, there have been no confirmed reports of a cyber terrorism
attack. Two UN reports concur that ‘there is not yet an obvious terrorist threat in the
area’ of cyberspace,83 and that there are ‘few indications of terrorist attempts to
compromise or disable [Information Communications Technology (ICT)] infrastructure
or to execute operations using ICTs’.84 Thus far there has been far more concern about
States launching cyber attacks on each other (such as Russia’s attacks on Estonia in
2007, or Georgia in 2008) than non-State cyber attacks against States, principally
because of the level of technical resources, skills and sophistication often necessary to
mount serious and sustained cyber attacks.
However, some security analysts and policy makers regard the threat of cyber
terrorism as real and likely to intensify. US President Barack Obama described ‘the
cyber threat to our nation’ as ‘one of the most serious … national security challenges
we face’,85 and warned that: ‘Al Qaeda and other terrorist groups have spoken of their
desire to unleash a cyber attack’ on the US.86 The UK classed a ‘cyber attack, including
by … terrorists’ as one of four ‘Tier One’ threats in its National Security Strategy.87
Israeli Prime Minister Benjamin Netanyahu has accused Hezbollah and Hamas of
launching cyber attacks against Israeli infrastructure.88 The question is whether these
concerns are shared widely enough in the international community to impel enough
States to believe it is worthwhile to draft yet another sectoral anti-terrorism treaty,
when many are exhausted by the Draft Convention negotiations.
82
See Denning (n 47).
83
CTITF (n 2) para. 92.
84
Group of Governmental Experts on Developments in the Field of information and
Telecommunications in the Context of International Security: Note by the Secretary General (30
July 2010) UN Doc A/65/201.
85
President Barack Obama, ‘Taking the cyberattack threat serious’ (19 July 2012) Wall
Street Journal.
86
President Barack Obama, ‘Remarks by the President on securing our nation’s cyber
infrastructure’ (Speech, 29 May 2009) <http://www.whitehouse.gov/the-press-office/remarks-
president-securing-our-nations-cyber-infrastructure> accessed 29 August 2014.
87
HM Government, ‘A strong Britain in an age of uncertainty: The national security
strategy’ (Paper presented to Parliament, October 2010) 11. The remaining threats were
international terrorism, international military crises between states, and a major accident or
national hazard.
88
Shlomo Cesana and Ilan Gattegno, ‘Netanyahu: Iran, Hamas stepping up cyberwarfare
against Israel’ (10 June 2013) Israel Hayom <http://www.israelhayom.com/site/newsletter_
article.php?id=9869> accessed 29 August 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
18 / Date: 7/5
JOBNAME: Tsagourias PAGE: 21 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
89
ITU Toolkit for Cybercrime Legislation (February 2010), ss 2(d), 3(f), 4(f), 6(h). The
ITU is a unique UN treaty organisation, as its members include not only 193 States, but also 700
private companies operating in the ICT sphere.
90
Ibid. 32.
91
The Information Technology (Amendment) Act 2008 (India), adding s 66F to the
Information Technology Act 2000; Criminal Code of Georgia 2007 art 324 (‘Technological
Terrorism’).
92
Criminal Code Act 1995 (Cth) s 101.1(2)(f) (an electronic system is defined as including
information, telecommunications, or financial systems, and systems used for essential govern-
ment services, an essential public utility, or a transport system); Terrorism Act 2000 (UK)
s 1(2)(e); Protection of Constitutional Democracy against Terrorism and Related Activities Act
2004 (South Africa).
93
Criminal Law of the People’s Republic of China art 287.
94
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act 2001 s 814 (‘Deterrence and prevention of cyber crime’).
95
CODEXTER (n 75) 2.
96
UNODC (n 1) 92.
97
Kelly A Gable, ‘Cyber-apocalyse now: Securing the Internet against cyberterrorism and
using universal jurisdiction as a deterrent’ (2010) 43 Vanderbilt J. Trans. L. 57, 97.
98
UNODC (n 1) [365]ff.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
19 / Date: 7/5
JOBNAME: Tsagourias PAGE: 22 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
security organisations and private companies who offer cyber services.99 There are
peculiar jurisdictional difficulties in investigating and taking enforcement action in
relation to cyber offences, aspects of which may take place across Internet servers in
multiple countries, or using anonymous methods.
These technical challenges are, however, common to both cyber crime and cyber
terrorism and are not unique to the latter. As such, alone they do not provide a
compelling reason to generate a narrow convention on cyber terrorism as distinct from
a wider, more encompassing instrument on cyber crime. It is possible that negotiating a
cyber terrorism instrument could lessen the impetus to agree a wider cyber crime
convention, though conversely agreeing a narrower instrument on terrorism could build
confidence towards a wider crime convention.
Another reason to pursue a special instrument against cyber terrorism is to send an
expressive or stigmatising signal that the international community regards it as
wrongful. While cyber terrorism can often already be qualified as ordinary crime or
terrorism, a special instrument could more pointedly condemn and punish the abuse of
the Internet to commit terrorism, possibly strengthening deterrence and encouraging
stronger international cooperation. Such an instrument could also potentially address
cyber acts facilitative of terrorism, such as the misuse of the Internet for incitement,
recruitment, financing and the like (even though these are already addressed by
separate international standards). There may be effectiveness gains in consolidating and
finessing relevant standards in one place, which may outweigh the conceptual messi-
ness of duplicating international efforts across multiple instruments. This presupposes,
however, that the threat of cyber terrorism justifies singling it out for special treatment,
and currently there is far from international consensus on that point.
A final reason for concluding a convention on cyber terrorism is to promote
consistency between domestic legal regimes and encourage restraint by national
governments when determining the scope of cyber terrorism offences. Mutual assist-
ance, extradition and prosecution of transnational cyber terrorist offences is most
feasible and effective where States broadly agree on the underlying definition of cyber
terrorism offences. As noted earlier, currently there are widely divergent national
approaches to dealing with the problem, inhibiting the potential for cooperation. At the
same time, the lack of an international consensus encourages individual States to
potentially adopt over-broad and rights-abusive definitions of cyber terrorism, a
problem arising in the field of terrorism laws generally.
At the same time, some States have been wary of deepening cooperation on cyber
terrorism for fear that it could lead to the erosion of human rights. In general,
counter-terrorism norms adopted since 9/11 have placed great pressure on fundamental
human rights and freedoms. The Internet is a ‘powerful vehicle for the exercise and
protection of human rights of freedom of opinion and expression’.100 International
legislative overreach could have a chilling effect on the way that people exercise their
rights of opinion and expression over the Internet, and can be readily exploited by
governments to target political activists or dissidents, and unjustifiably infringe on
personal privacy.
99
CTITF (n 2) 7.
100
CTITF (n 2) 23.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
20 / Date: 7/5
JOBNAME: Tsagourias PAGE: 23 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
The risk comes not only from the many authoritarian States that make up a
significant part of the international community, but also from democratic States. The
cyber terrorism offence in Indian domestic law, for instance, is not limited to cyber
activities which can be genuinely characterised as terrorist. Instead, it purports to label
as a cyber terrorist any person who accesses restricted information through a computer,
if that information is likely to cause harm such as damaging friendly relations with
foreign States, or injuring public order, decency or morality.101 Punishment can extend
to life imprisonment.
Elsewhere, there has been much criticism of the excessive intelligence collection
methods by US national security agencies which target the emails, Internet usage and
telephone communications of millions of innocent citizens and non-citizens alike.102 A
EU directive mandating lengthy data retention103 has been challenged under national
constitutions for infringing human rights,104 and was declared invalid in 2014 by the
European Court of Justice for excessively infringing the right to privacy.105 Similar data
retention schemes in the UK and Australia faced fierce domestic opposition.106
In principle, transnational cyber terrorism is undoubtedly harmful and worthy of
suppression. But whether further international measures to combat it are a good idea
depends on how the problem is defined, what measures are proposed to confront it, and
whether basic rights will be respected. Otherwise, it is too easy for the juggernaut of
international counter-terrorism cooperation to roll on without regard to the conse-
quences for diminishing essential freedoms.
101
Information Technology Act 2000 (India) s 66F(1).
102
See ‘The NSA Files’, The Guardian <http://www.theguardian.com/world/the-nsa-files>
accessed 29 August 2014.
103
EU Directive 2006/24/EC on the Retention of Data Generated or Processed in Connec-
tion with the Provision of Publicly Available Electronic Communications Services or of Public
Communications Networks and Amending Directive 2002/58/EC (15 March 2006).
104
Bulgarian Supreme Administrative Court, Decision No. 13627, 11 December 2008;
Supreme Court of Cyprus Appeal Case Nos. 65/2009, 78/2009, 82/2009 and 15/2010-22/2010, 1
February 2011; Federal Constitutional Court of Germany, 1 BvR 256/08, 1 BvR 263/08, 1 BvR
586/08, 2 March 2010; Czech Constitutional Court on Act No. 127/2005 and Decree No
485/2005, 22 March 2011.
105
Digital Rights Ireland and Seitlinger and Others, Judgment in Joined Cases C-293/12
and C-594/12, ECJ, 8 April 2014.
106
See Parliamentary Joint Committee on Intelligence and Security, Report of the Inquiry
into Potential Reforms of Australia’s National Security Legislation (May 2013), 150–66; ‘UK’s
data communication bill faces tough criticism’ (14 June 2012) BBC News <http://www.bbc.
com/news/technology-18439226> accessed 29 August 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter7 /Pg. Position:
21 / Date: 7/5
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
Cyberspace has emerged as an indispensable feature of the contemporary era. All actors
within the international system now utilise cyberspace in order to perform their
manifold activities and maximise their potential. Although it goes without saying that
this highly interconnected and instantaneous environment yields enormous benefits,
cyberspace has also become the source of significant threats and vulnerabilities.1
The threat landscape is multifaceted and dynamic. In recent years however the
exploitation of cyberspace for the purpose of espionage has emerged as a particular
concern.2 According to reports, ‘cyber espionage projects [are] now prevalent’.3 Indeed,
there are numerous examples of both State and non-State actors infiltrating computer
networks of State and non-State actors in order to access and collect confidential
information.4 Several high profile instances of cyber espionage have attracted inter-
national attention. In January 2010 Google reported that it had ‘detected a highly
sophisticated and targeted attack against our corporate infrastructure originating from
China that resulted in the theft of intellectual property from Google’.5 Internal
investigations revealed that ‘a primary goal of the attackers was accessing the Gmail
accounts of Chinese human rights activists’.6
1
In the words of US President Barack Obama, ‘[t]hreats to cyberspace pose one of the
most serious economic and national security challenges of the 21st Century for the United States
and our allies’; White House, Cyberspace Policy Review: Assuring a Trusted and Resilient
Information and Communication Infrastructure (2009), <http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf> accessed 7 October 2014.
2
‘[D]igital espionage and cyber crime remain the biggest threats to both government and
the business community’; National Cyber Security Centre, Cyber Security Assessment
Netherlands (CSAN) (2013) 7, <http://english.nctv.nl/publications-products/Cyber_Security_
Assessment_Netherlands/> accessed 7 October 2014.
3
The Guardian, ‘State-sponsored cyber espionage projects now prevalent’ (30 August
2012) <http://www.theguardian.com/technology/2012/aug/30/state-sponsored-cyber-espionage-
prevalent> accessed 7 October 2014.
4
Mandiant Report, ‘APT1: Exposing one of China’s Cyber Espionage Units’ (2013)
<http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf> accessed 7 October 2014.
5
D Drummond, ‘A New Approach to China’(12 January 2010) Google: Official Blog,
<http://googleblog.blogspot.co.uk/2010/01/new-approach-to-china.html> accessed 7 October 2014.
6
Ibid. Note that China has denied responsibility for these allegations; Ma Zhaoxu, Foreign
Ministry Spokesperson, Remarks on China-related Speech by US Secretary of State on ‘Internet
Freedom’ (22 January 2010), <http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/
2535_665405/t653351.shtml> accessed 7 October 2014.
168
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 1
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
In another significant incident of cyber espionage in May 2012 the Russian security
firm Kaspersky Lab detected computer malware (subsequently referred to as the Flame
virus) in computer systems of Iranian Oil Companies which allowed confidential
information to be accessed, monitored and collected. According to reports, this virus
had the capacity to ‘activate computer microphones and cameras, log keyboard strokes,
take screen shots, extract geolocation from images, and send and receive commands
and data through Bluetooth wireless technology’;7 ‘basically an industrial vacuum
cleaner for sensitive information’.8 Although definitive attribution has never been made,
it has been alleged that the US and Israel were the authors of this virus and responsible
for its deployment.9
The publication of the Mandiant Report in February 2013 exposed for the first time
the scale and intensity of cyber espionage in the international community.10 This report
in particular identified China as a persistent perpetrator of cyber espionage. In fact, the
report claimed that a cyber espionage entity known as Unit 61398 has been specifically
created by the Chinese Government and is formally incorporated into the Chinese
People’s Liberation Army. The Mandiant Report suggested that Unit 61398 was
responsible for organising and instigating a massive cyber espionage campaign against
other States and non-State actors, looking to exploit vulnerable computer systems in
order to access sensitive and confidential information with the aim of bolstering
China’s position in the international political and economic order.
Only four months later in June 2013 cyber espionage was again thrust firmly into the
international spotlight when Edward Snowden, a former contractor for the US National
Security Agency (NSA), disclosed through Wikileaks thousands of classified docu-
ments to several media companies including The Guardian newspaper and The
Washington Post. The documents revealed that the NSA had been engaged in a global
surveillance programme. At the heart of this surveillance programme was the collection
of confidential information that was being stored in or transmitted through cyberspace.
In particular, the NSA had been engaged in a sustained and widespread campaign of
intercepting and monitoring private email and telephone communications. This cyber
espionage targeted numerous State and non-State actors, including officials of inter-
national organisations (such as the EU), State organs (including heads of State such as
German Chancellor Angela Merkel and Israeli Prime Minister Ehud Olmut), religious
leaders (the Pope), companies (such as the Brazilian oil company Petrobas), non-
governmental organisations (including UNICEF and Médecins du Monde) and indi-
viduals suspected of being involved in international terrorism.11
7
The Washington Post, ‘U.S., Israel developed Flame Computer Virus to slow Iranian
Nuclear efforts, Officials say’ (19 June 2012), <http://www.washingtonpost.com/world/national-
security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/
06/19/gJQA6xBPoV_story.html> accessed 7 October 2014.
8
BBC News, ‘Flame: Massive cyber attack discovered, researchers say’ (28 May 2012),
<http://www.bbc.co.uk/news/technology-18238326> accessed 7 October 2014.
9
The Washington Post (n 7).
10
Mandiant Report (n 4).
11
For an overview of the Snowden revelations see The Guardian, ‘The Snowden Files –
Inside the surveillance state’ (2 December 2013) <http://www.theguardian.com/technology/2013/
dec/03/tim-berners-lee-spies-cracking-encryption-web-snowden> accessed 7 October 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 2
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
These incidents raise important questions concerning the legality of cyber espionage
under international law generally and the adequacy of international law in protecting
State and non-State actors from cyber espionage in particular. To date, these important
international legal questions have received inadequate attention in the literature. This
chapter will therefore attempt to provide answers to some of these legal questions. This
chapter will be structured accordingly. Section 2 formulates a working definition of the
concept of cyber espionage in order to focus the research scope of the chapter. Section
3 examines the role and nature of the practice of cyber espionage in the contemporary
international order. In particular, this section presents cyber espionage as a pernicious
practice that represents a threat to international peace and security and which is thus in
need of international regulation. In light of this, section 4 identifies the international
law implicated by cyber espionage and assesses the extent to which it regulates this
practice. Section 5 offers some conclusions.
12
Katharina Ziolkowski, ‘Peacetime cyber espionage – new tendencies in public inter-
national law’, in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyber-
space: International Law, International Relations and Diplomacy (CCDCOE, 2013) 425.
13
Geoffrey B. Demarest, ‘Espionage in international law’ (1996) 24 Denv. J. Int’l. L. & Pol.
321, 326.
14
US Presidential Policy Directive, ‘U.S. Cyber Operations Policy’ (October 2012)
<http://www.fas.org/irp/offdocs/ppd/ppd-20.pdf> accessed 7 October 2014. Similarly, Lin
defines cyber espionage as ‘the use of actions and operations – perhaps over an extended period
of time – to obtain information that would otherwise be kept confidential and is resident on or
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 3
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
need to be identified and elaborated upon in order to provide some much needed
clarification to the practice of cyber espionage and, further, to refine the focus of this
chapter.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 4
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Espionage Act when a Grand Jury indicted five Chinese military officers,
allegedly acting at the behest of the Chinese Government, accusing them of
committing cyber espionage in order to obtain important trade secrets from US
companies.18 However, the enforcement of national criminal laws against perpet-
rators that are located in foreign jurisdictions is likely to be extremely difficult,
and so national law will often prove ineffective.19 Ultimately, protection against
transboundary cyber espionage will therefore rest with international law. It is for
this reason that the focus of this chapter is upon the application and effectiveness
of international law.
4. Cyber espionage, like espionage, can be committed during times of peace or
times of armed conflict. As we shall see, there is no specific conventional or
customary international legal framework that regulates peacetime espionage. In
contrast espionage committed during times of armed conflict, and where this
espionage is committed in support of one of the parties to the armed conflict, is
specifically regulated by international humanitarian law, notably Article 46 of
Additional Protocol 1 (1977) to the Geneva Conventions (1949). Due to space
restrictions, and in light of the recent topicality of peacetime cyber espionage, this
chapter will focus exclusively upon the permissibility under international law of
cyber espionage committed during peacetime.
5. Various treaties and in particular arms controls treaties permit States to engage in
surveillance and monitoring of other State parties so as to assure and verify their
compliance with the obligations imposed by the treaty. The accessing and
copying of confidential information that is committed consensually pursuant to a
treaty does not constitute cyber espionage (as defined in this chapter) and does
not raise any international legal concerns, providing of course it is committed
within the parameters stipulated by the treaty. The focus of this chapter is to
examine the international legality of cyber espionage, which by definition
requires the unauthorised exploitation of cyberspace in order to access and copy
confidential information.20
6. Historically, espionage was an activity that was practised by States, against States,
usually targeting important organs of the State such as those relating to defence
and foreign affairs. Significantly, however, and as exemplified by the Snowden
18
The Guardian, ‘Chinese military officials charged with stealing US data as tensions
escalate’ (20 May 2014) <http://www.theguardian.com/technology/2014/may/19/us-chinese-
military-officials-cyber-espionage> accessed 7 October 2014.
19
In relation to the indictment of the five Chinese military officials under the Espionage
Act, Fidler explains that ‘[t]he U.S. government knows the likelihood of successfully prosecut-
ing these individuals for violating U.S. criminal law is virtually nil because the cooperation of
the Chinese government would be necessary for the U.S. to gain custody and conduct a criminal
trial’; David Fidler, ‘Cyber espionage indictment of Chinese officials: IU experts comment’ (19
May 2014) <http://info.law.indiana.edu/releases/iu/2014/05/china-cyber-spying.shtml> accessed
7 October 2014.
20
Similarly, the accessing and copying of confidential information pursuant to a resolution
adopted by the Security Council under Chapter VII UN Charter does not constitute cyber
espionage because it is conducted with legal authority. Such conduct cannot be therefore
regarded as unauthorised.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 5
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The participation of this multitude of different actors in the practice of cyber espionage
raises many interesting and complex international legal questions. In relation to cyber
espionage committed by States, relevant international law questions include
21
BBC News, ‘Ordinary internet users ‘made up bulk of NSA intercepts’ (6 July 2014)
<http://www.bbc.co.uk/news/world-us-canada-28182494> accessed 7 October 2014.
22
‘A growing array of state and non-state adversaries are increasingly targeting – for
exploitation and potentially disruption or destruction – our information infrastructure including
the Internet, telecommunications networks, computer systems, and embedded processors and
controllers in critical infrastructure’; Director of National Intelligence Dennis C. Blair, Annual
Threat Assessment of the Intelligence Community for the Senate Armed Services Committee,
Statement for the Record (February 2009) 39-40.
23
Jean d’Aspremont, ‘Introduction’ in Jean d’Aspremont (ed.), Participants in the Inter-
national Legal System: Multiple Perspectives on Non-State Actors in International Law
(Routledge, 2011).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 6
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Due to space restrictions this chapter cannot address all of these questions. For this
reason, this chapter does not assess the role of international law in regulating cyber
espionage committed by non-State actors. Instead, this chapter assesses the legality
under international law of cyber espionage committed by States. To be clear, this
entails an examination of whether cyber espionage constitutes a violation of the
non-intervention principle contained in customary international law or an unlawful use
of force or armed attack under the UN Charter. Note that this chapter does not consider
whether cyber espionage committed by States against individuals violates international
human rights law. This question is examined in detail elsewhere in this handbook.24
24
See Fidler (Ch 5 of this book).
25
See generally Michael Herman, Intelligence Power in Peace and War (CUP, 1996).
26
See generally Kenneth Waltz, Theory of International Relations (Addison-Wesley Pub.
Co. 1979).
27
‘[W]ars usually begin when two nations disagree on their relative strength, and wars
usually cease when the fighting nations agree on their relative strength’; Geoffrey Blainey, The
Causes of War (New York: The Free Press, 1988) 293.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 7
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
material power with other States in the system. In this sense, espionage becomes
crucial to the maintenance of international peace and security.28 In the words of one
scholar, ‘[e]spionage is regarded by States as a necessary tool for pursuing their foreign
policy and security interests and for maintaining the balance of power at the inter-State
level. Thus, it has always been a common practice in international relations, even in
time of peace’.29
I reject this realist defence of espionage. Its weakness is that it fails to appreciate that
since at least the inception of the UN Charter in 1945 international relations have been
predicated upon the principle of the sovereign equality of States.30 Indeed, such is the
importance of this principle that it is often considered to be a constitutional norm of the
international community.31 The ‘corollary’ of this principle is that States are legally
precluded from intervening in each other’s internal affairs.32 The objective is to protect
State sovereignty by creating an international covenant of universal applicability that
legally compels States to abstain from intervening in each other’s internal affairs. In
this environment international peace and security is maintained through legal regu-
lation, not the balance of power.33
The consequence is that even if espionage is effective in enabling a State to access
useful information relating to its adversaries capabilities, it must be recognised that this
is necessarily achieved by violating a foundational legal rule of the international
community which is designed to guarantee State survival. Somewhat inevitably,
espionage therefore constitutes a hostile act that threatens State security and inter-
national peace and security more generally.34
In light of this, in recent years the defence of espionage has moved away from realist
theory and towards a more functionalist approach; namely, that espionage is a desirable
feature of international relations because it is a ‘tool that enables functional
cooperation’.35 Baker has been a prominent proponent of this approach.
Baker argues that during the Cold War international peace and security was defined
narrowly, being maintained where armed conflict between States was avoided. In the
contemporary era however Baker contends that international peace and security is
28
Stone has been a particular advocate of this approach; Julius Stone, ‘Legal problems of
espionage in conditions of modern conflict’, in Robert J. Stranger (ed.), Essays on Espionage
and International Law (Ohio State University Press, 1962).
29
Christian Schaller, ‘Spies’ (2009) Max Planck Encyclopaedia of Public International
Law. Parks argues that states regard espionage ‘as a vital necessity in the national security
process’; W. Hays Parks, ‘The international law of intelligence collection’, in John Norton
Moore and Robert Turner (eds.), National Security Law (Carolina Academic Press, 1990) 433.
30
Article 2(1) UN Charter 1945.
31
Bardo Fassbender, ‘The United Nations Charter as constitution of the international
community’ (1998) 36 Columbia J. Trans. L. 529.
32
Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States
of America) (Merits) [1986] ICJ Rep 14 para. 202.
33
Russell Buchan, International Law and the Construction of the Liberal Peace (Hart,
2013) 19 ff.
34
See generally Herbert Scoville Jr., ‘Is espionage necessary for our security?’ (1976) 54
Foreign Affairs 482.
35
Christopher D Baker, ‘Tolerance of international espionage: A functional approach’
(2003) 19 Am. U. Int’l. L. Rev. 1091, 1112.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
defined far more expansively, being maintained not just where armed conflict between
States is avoided but also where other important problems facing the world order are
effectively addressed, including those relating to human rights violations, environ-
mental degradation, economic insecurity, widespread poverty, pandemic influenza,
etc.36 Baker submits that these common problems can only be resolved, and thus
international peace and security maintained, where States act in a collaborative and
coordinated manner. International collaboration in resolving common problems is at its
most effective, Baker suggests, when promises and commitments are enshrined in
legally enforceable international rules which are in turn embedded within international
organisations.37
It goes without saying that in order for these international agreements to successfully
achieve their objectives State parties must comply with and discharge the obligations
that these regimes impose. More often than not such regimes will have compliance and
verification mechanisms integrated into them, sometimes through the creation of
international organisations (for example the WTO) and sometimes through international
tribunals (such as the Appellate Body of the WTO). However, Baker argues that in
many instances States are able to circumvent these international regimes, thus under-
mining their effectiveness; ‘conventional verification and assurance techniques repre-
sent an incomplete method for yielding information sufficient to satisfy States that
parties to an agreement are complying with their international obligations’.38
It is here where Baker locates the utility of espionage. Obtaining confidential
information belonging to States enables other States that participate in that legal
framework to accurately determine whether or not such States have complied with their
international obligations.39 Where a State insists that it has complied with its inter-
national obligations and through espionage it is revealed that this is in fact true, a sense
of trust will emerge and so States will become more willing to cooperate across
functional lines and conclude additional international agreements aimed at resolving
common problems that undermine the maintenance of international peace and security.
He explains that:
[m]utual trust between treaty parties increases when espionage affirms that the assurances
provided are accurate. States will be more willing to cooperate with other states in the future
if their espionage confirms that the assurances provided by these parties are truthful.40
Thus, for Baker the benefit of espionage is that it plays a key role in encouraging states
to conclude international legal rules and institutions, a feature of international life that
he considers essential to enabling the maintenance of international peace and security.
Writing in the context of cyber espionage (as opposed to espionage generally as
Baker was), Pelican explains that ‘[t]he benefits to international stability and
36
Ibid. 1099.
37
Ibid.
38
Ibid. 1103.
39
‘When armed with such tools as spying and eavesdropping, states enjoy greater certainty
that they will be able to validate international compliance, or at least detect when other
participants are failing to comply with the treaty’; ibid. 1104.
40
Ibid. 1105 (footnotes omitted).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position: 9
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
cooperation as outlined by … Baker are as relevant today as they ever have been’.41
After explicitly adopting Baker’s reasoning Pelican concludes that cyber espionage
‘should be recognized as a valuable tool for countries in promoting international
stability’42 and that ‘cyber-espionage, like other forms of espionage, should persist
unabated’.43
I disagree with this functional defence of espionage. I agree with Baker that many of
the world’s most pressing problems are now held in common and that in order for these
to be resolved States must address them cooperatively. Indeed, the functional develop-
ment of this cooperation into international law is often indispensable to resolving such
problems. However, international legal frameworks can only be formulated and
implemented if States enjoy close, trusted and effective cooperation. I argue that the
surreptitious and unauthorised collection of confidential information, which as I have
already argued constitutes a clear violation of a State’s constitutional right under
international law to have its sovereignty respected, is not conducive to fostering an
environment imbued with trust and confidence. The consequence, I argue, and in
contrast to Baker’s claim, is that espionage inhibits and deters functional cooperation,
thus preventing States from addressing important matters pertaining to international
peace and security. In this sense, espionage represents a threat to the maintenance of
international peace and security. A good example of the adverse implications that
espionage yields for international cooperation is evident from the Gary Powers
incident. Powers was a pilot of a US plane that was shot down in Soviet Union airspace
on 1 May 1960. After initially asserting that the plane was a weather research aircraft
the US administration eventually conceded that it was an aerial reconnaissance plane,
and Powers was convicted for espionage under Soviet criminal law. This incident
prompted a marked deterioration in relations between the US and the Soviet Union.
Notably, recriminations over the incident meant that the much anticipated Four Powers
Peace Summit that was due to take place in Paris on 16 May 1960 ended in abject
failure. In fact, Soviet President Nikita Khrushchev explicitly blamed the US’s spying
for derailing the talks and subsequently rescinded an invitation he had earlier extended
to President Eisenhower to visit the Soviet Union.44
As we shall see in the next section, States exert sovereignty in cyberspace
notwithstanding the fact that it is a non-physical domain that transcends territorial
borders and which at first sight appears immune from the exercise of State sovereignty.
Thus, the accessing and copying of confidential information located in cyberspace, and
which belongs to entities that fall under the sovereignty of a State (whether this is
public authorities, private companies, individuals, etc), is regarded by States as a
violation of their sovereignty. Given that cyber espionage results in the transgression of
State sovereignty it becomes apparent that cyber espionage jeopardises the potential for
41
Luke Pelican, ‘Peacetime cyber-espionage: A dangerous but necessary game’ (2012) 20
Commlaw Conspectus 363, 385.
42
Ibid. 364.
43
Ibid. 385.
44
BBC News, ‘1960: east-west summit in tatters after spy plane row’ (17 May 1060),
<http://news.bbc.co.uk/onthisday/hi/dates/stories/may/17/newsid_2512000/2512335.stm> ac-
cessed 7 October 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
10 / Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
close and effective international cooperation and therefore undermines the potential for
States to engage in dialogue and formulate international regulation in relation to
matters that threaten international peace and security. This is well illustrated by Brazil’s
response to the revelations of NSA cyber espionage. When it was revealed that the US
had routinely committed cyber espionage against Brazil, Brazilian President Dilma
Rousseff cancelled a scheduled visit to Washington to meet representatives from the
Obama administration to discuss important issues of international concern. Instead, she
went to New York to formally denounce the NSA’s activities before the UN General
Assembly. Indeed, in doing so she explained that cyber espionage violates State
sovereignty which, in turn, hinders effective cooperation between States:
Friendly governments and societies that seek to consolidate a truly strategic partnership, such
as is our case, cannot possibly allow recurring and illegal actions to go on as if they were
normal, ordinary practice. Such actions are totally unacceptable.45
45
The Guardian, ‘Brazilian President: US surveillance a ‘breach of international law’ (24
September 2013), <http://www.theguardian.com/world/2013/sep/24/brazil-president-un-speech-
nsa-surveillance> accessed 7 October 2014.
46
Office of the National Counterintelligence Executive, ‘Foreign spies stealing US eco-
nomic secrets in cyberspace: Report to Congress on foreign economic collection and industrial
espionage 2009–2011’ (2011) i.
47
Ziolkowski (n 12) 463.
48
‘The internet provides a technological platform and target-rich environment for govern-
ments to engage in espionage on a scale, speed, intensity and depth never before witnessed’;
David Fidler, ‘Tinker, Tailor, Soldier, Duqu: Why cyberespionage is more dangerous than you
think’ (2012) 5 Int. J. Crit. Infra. 28, 29.
49
James Lewis from the Centre for Strategic and International Studies explains that ‘[t]he
internet is God’s gift to spies’; quoted in Fidler, ibid.
50
Ziolkowski (n 12) 425.
51
David Fidler, ‘Economic cyber espionage and international law: Controversies involving
government acquisition of trade secrets through technologies’ (20 March 2013) 17 A.J.I.L.
Insights, <http://www.asil.org/insights/volume/17/issue/10/economic-cyber-espionage-and-inter
national-law-controversies-involving> accessed 7 October 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
11 / Date: 24/3
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
espionage represents such a serious threat to international peace and security. Fidler is
therefore correct in his assertion that ‘cyberespionage is more dangerous than you
think’.52
The argument that cyber espionage represents a threat to international peace and
security is perhaps easiest to sustain where confidential information is copied that
directly relates to a State’s critical national infrastructure. An example would be reports
that the NSA intercepted the private communications of Heads of State whilst
conducting State business. Indeed, The Guardian newspaper reported that German
Chancellor Angela Merkel’s private communications were monitored for ten years.53
Given the institution targeted (Head of State) and the likely nature of the information
targeted (confidential communications relating to national security), such cyber espio-
nage represents a significant infraction of State sovereignty and is likely to seriously
disrupt cooperation between States and thus their ability to resolve matters that
adversely impact upon international peace and security. According to Chancellor
Merkel’s spokesperson Steffen Seibert, Merkel was ‘livid’ at the revelations that her
private communications had been monitored and telephoned US President Barack
Obama to inform him that the NSA’s actions represented a ‘serious breach of
confidence’ and to demand an explanation.54
For similar reasons there is little difficultly in accepting that international
cooperation is threatened where a State exploits cyberspace in order to obtain
confidential information from a private company that provides services to critical
national infrastructure. For example, the theft of terabytes worth of data on the F-35
fighter plane being developed by Lockheed Martin, a private company, for the US
Government by (allegedly) the Chinese Government represented a ‘direct threat to
national security’ and, moreover, to international peace and security more generally.55
Importantly, I argue cyber espionage constitutes a threat to international peace and
security even where cyberspace is exploited to access and copy confidential infor-
mation that is not immediately linked to critical national infrastructure. The issue is
whether the person or entity whose confidential information has been appropriated falls
under the authority and control – the sovereignty – of the State. If so, a violation of
State sovereignty occurs, international cooperation is disrupted and a threat to
international peace and security arises. As an illustration, in response to revelations that
the NSA had committed cyber espionage against Brazilian citizens, before the General
Assembly the Brazilian President explained that the NSA’s violation of fundamental
human rights constituted a violation of Brazil’s sovereignty, ‘[a] sovereign nation can
never establish itself to the detriment of another sovereign nation. The right to safety of
citizens of one country can never be guaranteed by violating fundamental human rights
52
Fidler (n 48).
53
The Snowden Files (n 11) 9.
54
The Guardian, ‘Angela Merkel’s call to Obama: Are you bugging my phone?’ (24
October 2013), <http://www.theguardian.com/world/2013/oct/23/us-monitored-angela-merkel-
german> accessed 7 October 2014.
55
Alexander Melnitzky, ‘Defending America against Chinese cyber espionage through the
use of active defenses’ (2012) 20 Cardozo J. Int’l. & Comp. L. 537, 545. On this incident see
The Wall Street Journal, ‘Computer spies breach fighter-jet project’ (21 April 2009), <http://
online.wsj.com/news/articles/SB124027491029837401> accessed 7 October 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
12 / Date: 24/3
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
of citizens of another country’.56 Similarly, in response to claims that the NSA had
committed cyber espionage against German citizens, German Chancellor Angela
Merkel explained that ‘[w]e need to have trust in our allies and partners, and now this
must be established again. I repeat that spying among friends is not acceptable against
anyone, and that goes for every citizen in Germany’.57
Although not expressly contained in the UN Charter, in the Nicaragua judgment the
ICJ explained that the principle of non-intervention is nevertheless ‘part and parcel of
customary international law’.60 In this decision the ICJ sought to clarify the scope of
the non-intervention principle. The ICJ explained that:
A prohibited intervention must accordingly be one bearing on matters in which each State is
permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of
a political, economic, social and cultural system, and the formulation of foreign policy.
56
Quoted in US Surveillance a ‘breach of international law’ (n 45).
57
Quoted in The Snowden Files (n 11) 9.
58
‘Long-standing international norms guiding state behaviour – in times of peace and
conflict – also apply in cyber space’; The White House, The US International Strategy for
Cyberspace: Prosperity, Security, and Openness in a Networked World (May 2011) 9, <http://
www.whitehouse.gov/sites/default/files/rss_viewer/International_Strategy_Cyberspace_Factsheet.
pdf> accessed 7 October 2014.
59
John Murphy, ‘Cyber war and international law: Does the international legal process
constitute a threat to U.S. vital interests?’ (2013) 89 Int’l. L. Studies 309, 399.
60
Nicaragua (n 32) para. 202.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
13 / Date: 24/3
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Intervention is wrongful when it uses methods of coercion in regard to such choices, which
must remain free ones.61
Thus, ‘the element of coercion … defines, and indeed forms the very essence of, [a]
prohibited intervention’.62 In this context coercion is defined as the imposition of
circumstances or conditions against a State that compromises or undermines its
sovereignty.63 On the basis that State sovereignty is ordinarily (or perhaps has been
historically) understood as the exercise of exclusive authority and control over
territory,64 coercion is often regarded as at its most obvious and easily detectable where
a State engages in conduct that violates the territorial integrity of another State.65
Traditional espionage, describing the situation where a State sends agents into the
territory of another State to obtain confidential information, constitutes the imposition
of coercion against the territorial integrity of a State and thus constitutes a violation of
the non-intervention principle. As Wright explains, ‘[i]n times of peace … espionage
and, in fact, any penetration of the territory of a State by agents of another State in
violation of the local law is also a violation of the rule of international law imposing a
duty upon States to respect the territorial integrity and political independence of other
States’.66 It therefore follows that ‘any act by an agent of one State committed in
another State’s territory, contrary to the laws of the latter, constitutes intervention’.67
Similarly, it is generally accepted that the use of reconnaissance aeroplanes in the
territorial airspace of another State constitutes an unlawful intervention in the sovereign
affairs of that State.68
Significantly, espionage committed in cyberspace does not result in the transgression
of the territory of a State. This is because, to date, States have failed to subject
61
Ibid. para. 205. See further UN General Assembly Declaration on Principles of
International Law concerning Friendly Relations and Co-operation among States in Accordance
with the Charter of the United Nations (1970) UN Doc A/RES/2625 (XXV).
62
Nicaragua (n 32) para. 205.
63
Philip Kunig, ‘Intervention, Prohibition of’ (2008) Max Planck Encyclopaedia of Public
International Law. See generally Richard N Haass, Intervention: The Use of American Military
Force in the Post-Cold War World (Brookings Institution, 1999).
64
‘The basic legal concept of State sovereignty in customary international law … extends
to the internal waters and territorial sea of every State and to the air space above its territory’;
Nicaragua (n 32), para. 212. See generally Tsagourias’s chapter in this handbook (Ch 1).
65
‘[T]he first and foremost restriction imposed by international law upon a State is that …
it may not exercise power in any form in the territory of another State’; SS Lotus Case (France
v Turkey) [1927] PCIJ Report Series A No. 10, 18. ‘[S]overeignty has always been, in part, based
on the idea of territoriality … The extent of a sovereign’s reach has usually been decided by
geographic borders’; Walter Wriston, The Twilight of Sovereignty: How the Information
Revolution is Changing Our World (New York: Scribner’s, 1992) 7.
66
Quincy Wright, ‘Espionage and the doctrine of non-intervention in domestic affairs’, in
Richard Falk (ed.), Essays on Espionage and International Law (Ohio State University Press,
1962) 12.
67
Ibid. 13.
68
‘It appears that reconnaissance activities [that] are conducted in national airspace …
violate national sovereignty’; Note, ‘Legal aspects of reconnaissance in airspace and outer space’
(1961) 61 Columbia L. Rev. 1074, 1095.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
14 / Date: 24/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
cyberspace to territorial claims in the sense of dividing this domain into territorial
units.69 To put the same matter differently, States do not possess territory in cyber-
space.70
But this does not mean that cyber espionage does not violate the non-intervention
principle. What is important to recognise is that the principle of non-intervention is
designed to protect State sovereignty;71 and as Jennings and Watts explain, ‘[s]over-
eignty has different aspects’.72 Crucially, although as I have already noted State
sovereignty is generally understood in terms of the possession of exclusive authority
and control over territory, it is nevertheless well established in international law that
State sovereignty transcends a State’s physical territory and encompasses its authority
and control over national affairs more broadly.73 The principle of State sovereignty
therefore protects both the territorial integrity of a State and its political integrity.74
Thus, even in the absence of intervention in the physical territory of a State, where a
State pursues a course of action that undermines or compromises the political integrity
of another State that conduct is rightly classified as coercive and thus amounts to an
unlawful intervention.
It should be noted here that commentators have argued that a State’s political
integrity will only be compromised or undermined (that is, subject to coercion) where
69
For a more detailed discussion of why states do not possess territory in cyberspace see
Tsagourias’s contribution in Chapter 1 of this handbook. Note however that other commentators
have argued that states do possess territory in cyberspace. Their argument is grounded in the idea
that ‘cyberspace requires physical architecture to exist’, including copper wires, fiber-optic
cables, satellite transponders, microwave relay towers, etc; Patrick W Franzese, ‘Sovereignty in
cyberspace: Can it exist?’ (2009) 64 Air Force L. Rev. 1, 33. In this sense, the internet is a ‘set
of inter-connected computer networks linked to state territory and, thus, is liable to the exercise
of sovereign jurisdiction on a territorial basis’; Teresa Scassa and Robert J. Currie, ‘New first
principles? Assessing the Internet’s challenges to jurisdiction’ (2011) 42 Georgetown J. Int’l. L.
1017, 1079. See also von Heinegg who explains that ‘[s]tate practice provides sufficient
evidence that components of cyberspace are not immune from territorial sovereignty’; Wolff
Heintschel von Heinegg, ‘Territorial sovereignty and neutrality in cyberspace’ (2013) 89 Int’l L.
Studies 123, 126.
70
The one exception maybe Iran’s attempt to create a ‘National Internet’ (referred to as
‘Halal Internet’), which is designed to be completely isolated from the World Wide Web and
under the exclusive control of Iran. It is therefore certainly open to argument that the ‘National
Internet’ maps on to the territory of Iran and thus constitutes a national cyberspace with clearly
defined legal borders – in this sense the ‘National Internet’ can be considered an integral even if
virtual part of Iran’s territory; The Guardian, ‘Iran clamps down on Internet use’ (5 January
2012), <http://ww.guardian.co.uk/world/2012/jan/05/iran-clamps-down-internet-use> accessed 7
October 2014.
71
‘[T]he raison d’être of the non-intervention rule is the protection of the sovereignty of
the State’; Kunig (n 63).
72
Robert Jennings & Adam Watts, Oppenheim’s International Law (Longman, 1996) 382.
73
As Pirker notes, ‘[a] State’s power reaches beyond its territory’; Benedict Pirker,
‘Territorial sovereignty and integrity and the challenges of cyberspace’ in Ziolkowski (n 12) 196.
74
‘Between independent States, respect for territorial sovereignty is an essential foundation
of international relations’, and international law requires political integrity also to be respected’;
Nicaragua (n 32) para 202, citing its judgment in the Corfu Channel (United Kingdom of Great
Britain and Northern Ireland v Albania) [1949] ICJ Rep 35.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
‘action is taken by one State to secure a change in the policies of another’.75 This
interpretation is important in the context of cyber espionage because cyber espionage
describes the practice of accessing and copying confidential information without
authorisation i.e. cyber espionage does not require the copied information to be used to
impose pressure or influence upon the victim State. Indeed, in many instances a State
will be unaware that it has been the victim of cyber espionage. As a result,
commentators have argued that cyber espionage does not constitute an infraction of the
non-intervention principle:
A forbidden intervention in domestic affairs requires the element of coercion of the other
state. Scholars assert that illegal coercion implies massive influence, inducing the affected
state to adopt a decision with regard to its policy or practice which it would not entertain as
a free and sovereign state. It is clear that clandestine information gathering as such will not
fulfil such requirements.76
75
Maziar Jamnejad and Michael Wood, ‘The principle of non-intervention’ (2009) 22
L.J.I.L. 345, 347–8.
76
Ziolkowski (n 12) 433. See also Terry Gill, ‘Non-intervention in the cyber context’ in
Ziolkowski (n 12) 224 (‘the obtaining of information in itself falls short of coercive or dictatorial
interference, and would not constitute ‘intervention’ in the legal sense’).
77
On jurisdiction in cyberspace see Kohl (Ch 2 of this book).
78
UN Doc 68/98 (24 June 2013) 8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
understandings that govern State relations and provide the foundation for international
peace and security’.79
The recent practice of States in the context of cyber espionage is especially
revealing, indicating that States exert sovereignty over information in cyberspace which
belongs to entities and individuals over which they exercise jurisdiction and that where
this information is accessed and copied without authorisation an unlawful intervention
occurs. As I have previously noted, in January 2010 Google alleged that China had
infiltrated its computer network in order to access Gmail passwords of human rights
activists in China. As Google is a company registered in the US and therefore subject to
US jurisdiction (and the information belonging to this company falling under US
sovereignty), the US responded to these claims by declaring that the conduct ‘raised
serious concerns’ and demanded an explanation from the Chinese Government.80
Significantly, the US Senate adopted Resolution 405 which stated that ‘this attack was
one in a series of attempts to exploit security flaws and illegally access computer
networks of individuals and institutions through the clandestine installation of phishing
an malware technology’.81
The revelations of NSA’s cyber espionage activities also stimulated a number of legal
rebukes, especially from Brazil. The Brazilian President’s statement before the General
Assembly is informative in so far as it reveals that Brazil considers sovereignty to
extend to information resident in cyberspace and, moreover, where such information is
accessed and copied a breach of international law occurs. Employing strong and
unambiguous language the Brazilian President repeatedly referred to the US’s conduct
as an
intrusion [and that the] [m]eddling in such a manner in the life and affairs of other countries
is a breach of international law [and] as such an affront to the principles that must guide the
relations among them, especially among friendly nations. A country’s sovereignty can never
affirm itself to the detriment of another country’s sovereignty.82
The President further noted that Brazil’s objections to such ‘illegal actions’ had been
communicated to the US by ‘demanding explanations, apologies and guarantees that
such acts or procedures will never be repeated again’.83 China adopted a similar
position, determining that the NSA had ‘flagrantly breached international laws,
seriously infringed upon the [sic] human rights and put global cyber-security under
79
Ibid. 4. See also the remarks of the Chinese Assistant Foreign Minister Zheng Zequang
who explained in 2013 that ‘[i]nternational cyber governance should follow the principles of
state sovereignty and non-interference in other’s internal affairs’; quoted in <http://www.
aspistrategist.org.au/arf-and-how-to-change-the-tune-of-the-cyber-debate/> accessed 7 October
2014.
80
Hillary Rodham Clinton, Secretary of State, Address, Washington, DC: Statement on
Google Operations in China (12 January 2010), <http://www.state.gov/secretary/2009
2013clinton/rm/2010/01/135105.htm> accessed 7 October 2014.
81
Senate Resolution 405, 111th Congressional (my emphasis).
82
US Surveillance a ‘Breach of International Law’ (n 45).
83
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
threat’.84 China declared that the NSA’s conduct ‘deserve[d] to be rejected and
condemned by the whole world’.85
Three final points need to be recorded. First, it is important to recognise that the
claim that espionage (in its traditional conception) is unlawful under international law
has attracted considerable criticism. The argument runs that because espionage is so
widely practised by States customary international law has modified the scope of the
non-intervention prohibition, which now recognises espionage as a permissible excep-
tion to the non-intervention principle. For example, Smith argues that:
because espionage is such a fixture of international affairs, it is fair to say that the practice of
states recognizes espionage as a legitimate function of the state, and therefore it is legal as a
matter of customary international law.86
However, just because espionage is widely practised does not render it permissible
under customary international law. In order for a customary exception to form State
practice must be accompanied by opinio juris.87 Crucially, States overwhelmingly
refuse to accept responsibility for espionage when accused, let alone assert the legality
of this practice. Consequently, State practice of espionage ‘is accompanied not by a
sense of right but by a sense of wrong’88 and to this end State practice and opinio juris
run in opposite directions. Consequently, ‘there is little doctrinal support for a
“customary” defense of peacetime espionage in international law’.89 The same argu-
ment can be made in relation to cyber espionage. As I noted in the introduction to this
chapter, incidents of cyber espionage have increased dramatically in recent years.
However, just because cyber espionage is widely practised by States does not mean that
is it lawful under international law. What is important is whether this practice is
accompanied by a belief that cyber espionage is lawful. As the above discussion of
cyber espionage reveals, when committing cyber espionage States do not advocate that
such conduct is permitted by international law. In fact, they often deny their
involvement in the practice. Moreover, and as we have seen, States which are the
84
Quoted in The Guardian, ‘China demands halt to ‘Unscrupulous’ US cyber-spying
(27 May 2014), <http://www.theguardian.com/world/2014/may/27/china-demands-halt-
unscrupulous-us-cyber-spying> accessed 7 October 2014.
85
Ibid.
86
Jeffrey H. Smith, Symposium, ‘State intelligence gathering and international law:
Keynote Address’ (2007) 28 Michigan J. Int’l. L. 543, 544. Similarly, see Glenn Sulmasy and
John Yoo, ‘Counterintuitive: Intelligence operations and international law’ (2007) 28 Michigan J.
Int’l. L. 625, 628 (‘[s]tate practice throughout history … supports the legitimacy of spying.
Nowhere in international law is peaceful espionage prohibited’).
87
Article 38(1)(b) of the Statute of the International Court of Justice 1945.
88
Wright (n 66) 17.
89
Craig Forcese, ‘Spies without borders: International law an intelligence collection’ (2011)
5 J. Nat’l Sec. L. & Pol. 179, 203. For a similar approach see Simon Chesterman. ‘The Spy Who
Came in from the Cold War: Intelligence and international law’ (2006) 27 Michigan J. Int’l. L.
1071, 1072; Ingrid Delupis, ‘Foreign warships and immunity of espionage’ (1984) 78 A.J.I.L. 53;
Manuel Garcia-Mora, ‘Treason sedition and espionage as political offenses under the law of
extradition’ (1964) 26 University of Pittsburgh L. Rev. 65, 79-80.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
18 / Date: 24/3
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
victims of cyber espionage have protested (often vociferously) that such conduct is
contrary to international law.
Secondly, it is worth reiterating for the sake of clarity that when determining whether
an unlawful intervention in a State’s sovereignty has occurred, it is irrelevant whether
the information that has been copied belongs to State organs, private companies or even
private individuals. Providing that the actor whose information has been accessed and
copied is under the authority and control of the State, appropriation of that information
constitutes intervention in that State’s sovereignty.90
Thirdly, the application of the non-intervention prohibition is subject to the principle
of de minimis non curat lex – which is generally translated from Latin as the law does
not concern itself with trifles. The effect of the de minimis doctrine is to place ‘outside
the scope of legal relief the sorts of intangible injuries, normally small and invariably
difficult to measure, that must be accepted as the price of living in society’.91 Thus, this
maxim signifies ‘that mere trifles and technicalities must yield to practical common
sense and substantial justice’ so as ‘to prevent expensive and mischievous litigation,
which can result in no real benefit to the complainant, but which may occasion delay
and injury to other suitors’.92
Although often described as a maxim, this principle does impose a recognised legal
restriction upon the operation of the non-intervention principle.93 The consequence then
is that acts of cyber espionage that can be regarded as insignificant will not trigger the
non-intervention prohibition; acts of cyber espionage must be sufficiently serious in
order warrant the application of international law. Much will depend upon the context
of the specific case of cyber espionage in question. However, and for the purpose of
illustration, it can perhaps be contended that whilst the unauthorised copying of
information belonging to an important State organ (such as the Ministry of Defence) is
likely to exceed the de minimis threshold, the one-off accessing and copying of
innocuous electronic correspondence of a private individual is unlikely to be considered
sufficiently serious to justify the engagement of international law.
90
In assessing the application of the non-intervention principle to hostile cyber operations
von Heinegg explains that ‘[i]t is irrelevant whether the cyber infrastructure protected by the
principle of territorial sovereignty belongs to or is operated by government institutions, private
entities or private individuals’; von Heinegg (n 69) 129.
91
Jeff Nemerofsky, ‘What is a trifle anyway?’ (2001/2002) 37 Gonzaga L. Rev. 315, 323.
92
Ibid.
93
Jennings and Watts (n 72) 385 ff.
94
Nicaragua (n 32) paras 187–190.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
19 / Date: 24/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
destruction to life and property’.95 According to this understanding Article 2(4) does
not extend to attacks against computer systems and networks which do not result in
physical harm. In recent years this position has been criticised on the basis that in the
contemporary era States are heavily reliant upon computer systems and networks and
thus even a cyber attack that does not result in physical harm can still cause significant
amounts of damage and disruption, such as a cyber attack that disables banking
systems or incapacitates important government communications.96 Indeed, it has been
suggested that where these attacks are against computer systems that sustain critical
national infrastructure the disruption may be so severe as to be equivalent to
conventional attacks that cause kinetic harm.97 Commentators have therefore argued
that Article 2(4) should be reinterpreted so as to apply to cyber attacks which although
not manifesting physical harm nevertheless cause damage and disruption equivalent to
a kinetic attack.98
Developing this effects-based interpretation of Article 2(4) Melnitzky argues that
exploiting computer systems in order to acquire highly sensitive and confidential
information (cyber espionage) can, in particularly egregious circumstances, produce
extremely serious adverse effects and should therefore be categorised as a use of force
The severity of the problem of data theft is simply too great and its effects too harmful. […]
The scale of theft is unprecedented. […] Prior to the Internet, looting on such a scale could
only have been accomplished by a military occupation. The effects-based approach require-
ment that a cyberattack must cause damage only previous possible by traditional military
force is therefore satisfied.99
I argue that there is insufficient State practice to support a reinterpretation of the term
force within Article 2(4) to include cyber operations that do not produce kinetic
harm.100 Indeed certain States, most notably the US, have expressly rejected this
approach. In 2012 the then US Legal Advisor Harold Koh unambiguously stated that
cyber operations will only amount to an unlawful use of force where physical harm
95
Ian Brownlie, International Law and the Use of Force by States (Clarendon, 1963) 362.
On the use of force prohibition in the context of cyber operations see Roscini (Ch 11 of this
book).
96
Michael Schmitt, ‘Computer network attack and the use of force in international law:
Thoughts on a normative framework’ (1998-1999) 37 Columbia J. Trans. L. 885.
97
As Melnitzky notes, ‘[m]ilitaries have discovered that sophisticated cyberattacks on their
own can be as debilitating as any conventional or “kinetic” attack’; Melnitzky (n 55) 542.
98
See for example Marco Roscini, Cyber Operations and the Use of Force in International
Law (OUP, 2013) 55; Matthew Waxman, ‘Cyber-attacks and the use of force: Back to the future
of Article 2(4)’ (2011) 36 Yale J. Int’l L. 421, 437.
99
Melnitzky (n 55) 566. For a similar approach see also Jack Goldsmith, ‘How cyber
changes the laws of war’ (2014) 24 E.J.I.L. 129; Todd Huntley, ‘Controlling the use of force in
cyberspace: The application of the law of armed conflict during a time of fundamental change in
the nature of warfare’ (2010) 60 Naval L. Rev. 1, 39; Anna Wortham, ‘Should cyber exploitation
every constitute a demonstration of hostile intention that may violate UN Charter provisions
prohibiting the threat or use of force?’ (2012) 64 Federal Communications Law Journal 643.
100
I develop this argument in more detail in Russell Buchan, ‘Cyber attacks: Unlawful uses
of force or prohibited interventions?’ (2012) 17 J. Conflict & Sec. L. 211.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
20 / Date: 24/3
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
occurs.101 This is also the position adopted by the influential Tallinn Manual, which
attempts to codify the international legal framework relating to the use of force to cyber
warfare.102
On this basis I argue that cyber espionage cannot be regarded as a use of force under
Article 2(4) UN Charter. Indeed, as Fidler concludes, ‘no government regards cyber
espionage of any kind as a prohibited use of force’.103 It is worth noting here that if
cyber espionage cannot amount to a use of force then, a fortiori, it cannot constitute an
armed attack and engage a State’s right to use force in self-defence under Article 51
UN Charter.104
5. CONCLUSION
This chapter has argued that in the contemporary world order international peace and
security can only be maintained where States band together as a cohesive international
community and address common problems in a coordinated and collaborative manner.
In particular, the international community must confront these common problems by
proactively adopting international legal regulation. However, States will only forge and
implement international law where they have trust and confidence in each other’s
commitment to international law. In this chapter I have further reasoned that cyber
espionage results in the violation of State sovereignty and thus breeds distrust and leads
to a deterioration in international relations. In such an environment, I contend, States
are unlikely to formulate and conclude international law in relation to important
international issues that adversely impact upon the maintenance of international peace
and security. When cast in this light, I argue that cyber espionage can be regarded as a
threat to the maintenance of international peace and security.
Leading cyber security experts have noted the difficulty in developing computer
software that provides effective protection against cyber espionage.105 Actors therefore
101
Harold Koh, International Law in Cyberspace (18 September 2012), <http://www.state.
gov/s/l/releases/remarks/197924.htm> accessed 7 October 2014.
102
Michael Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare (CUP, 2013) 48.
103
Fidler (n 48).
104
‘[C]yber espionage cannot be deemed either a ‘threat’ or ‘use of [armed] force’ in the
meaning of Article 2(4) of the UN Charter, nor an ‘armed attack’ pursuant to Article 51 UN
Charter’; Ziolkowski (n 12) 456. On self-defence in cyberspace see Focarelli (Ch 12 of this
book).
105
See Richard Clarke & Robert Knake, Cyber War: The Next Threat to National Security
and What to Do About it (Harper Collins, 2010). According to Tim Berners-Lee, who is often
accredited with inventing the internet, ‘[i]nternet security is hard. All systems have undiscovered
holes in them, and it’s only a question of how fast the bad guys can discover the holes compared
with how fast the good guys can patch them up’; The Guardian, The Snowden Files – Hands off
my Baby (2 December 2013), http://www.theguardian.com/technology/2013/dec/03/tim-berners-
lee-spies-cracking-encryption-web-snowden> accessed 7 October 2014. Cf Ziolowski who
argues that ‘[t]he only way to counter the threat of foreign States’ cyber espionage is to improve
the cyber security and resilience of the [sic] own IT-systems or computer networks’; Ziolkowski
(n 12) 464.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
21 / Date: 24/3
JOBNAME: Tsagourias PAGE: 22 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
look to law, and in the context of transboundary cyber espionage international law, for
protection from this pernicious activity. However, according to current academic
opinion international law does not prohibit cyber espionage. Fidler, for example, has
declared that ‘the lack of international law … allows cyberespionage to operate in a
legal black hole’.106
In this chapter I have disputed this conclusion, arguing that there is international law
that applies to cyber espionage. In particular, I have argued that cyber espionage
contravenes the non-intervention principle. In order to effectively protect the sover-
eignty of States the non-intervention principle protects not just the territorial integrity
of States but also their political integrity. As I have demonstrated above by reference to
recent State practice, States regard information in cyberspace which belongs to entities
and individuals which fall under their jurisdiction as representing an important element
of their political integrity. For this reason, the unauthorised accessing and copying of
such information is regarded as compromising State sovereignty. Consequently, cyber
espionage amounts to a proscribed intervention under customary international law.
This is not to say that recent calls to build a new international treaty dedicated to
regulating cyber operations (which would include cyber espionage) should not be
pursued.107 An international dialogue on the practice of cyber espionage – and indeed
subsequently a specifically devised and technologically savvy international treaty
regulating conduct in this new domain – would of course be beneficial. However,
formulating international treaties in the field of international peace and security is
notoriously difficult.108 Until this can be achieved we should be reassured that existing
principles of international law apply to State-sponsored transboundary cyber espionage
and provide a certain degree of legal protection against this activity.
106
Fidler (n 48) 29.
107
Benjamin Mueller, ‘The laws of war and cyberspace: On the need for a treaty concerning
cyber conflict’ (June 2014) 8, <http://www.lse.ac.uk/IDEAS/publications/reports/pdf/SU14_2_
Cyberwarfare.pdf> accessed 7 October 2014.
108
‘[I]t has proven very difficult in today’s environment for an international conference to
conclude a global treaty to resolve challenges in the most important areas of international
relations’; Murphy (n 59) 326.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter8 /Pg. Position:
22 / Date: 24/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Hacked computers, virus attacks, massive spam, online fraud, harassment in cyberspace
or ‘cyberstalking’.1 Networked technology has given rise to a new, yet apparently
ubiquitous phenomenon: cybercrimes. According to a 2013 report released by a
software security producer, 7 million people in Canada have been ‘victims’ of
‘cybercrime’ in the past 12 months, at a cost of $3 billion.2 Globally, we are speaking
of 1 million victims per day.3 Are States really losing the fight against cybercrime, as a
British Parliamentary Committee warned in July 2013?4
The internet age has certainly transformed social relations and the economy in ways
that suggest that criminal behaviour will follow suit. The cyberspace has opened up a
whole range of new opportunities for criminal activity that challenge traditional
approaches based on jurisdiction and law enforcement by the nation-State.5 Communi-
cation has become fast and easy. It often passes through multiple jurisdictions,
sometimes in an automated manner. Conventional crimes, like theft and fraud, are
increasingly facilitated by technology and may now take wholly different forms than
they did a few decades ago. In many instances, the offenders and victims of a harmful
conduct are not located in the same jurisdiction. It is because of this typically
deterritorialized nature of cybercriminal activities that legal responses have increasingly
taken an inter- or transnational dimension.
1
On the phenomenon of cyberstalking and legislative responses, see Jonathan Clough,
Principles of Cybercrime (CUP 2010) 365–87.
2
Symantec, ‘2013 Norton Report by Symantec’ <http://www.symantec.com/content/en/us/
about/presskits/b-norton-report-2013.en_ca.pdf> accessed 22 October 2013.
3
Ibid.
4
‘UK “losing” fight against internet crime, warn MPs’ BBC News (30 July 2013)
<http://www.bbc.co.uk/news/uk-politics-23495121> accessed 22 October 2013.
5
See Kohl (Ch 2 of this book).
6
For additional terms, see Clough (n 1) 9.
7
Bernadette H. Schell and Clemens Martin, Cybercrime: A Reference Handbook (ABC-
CLIO 2004) 29.
190
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 1
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
technology. What is interesting about the definition therefore is that it focuses on the
instrument or possibly the context rather than the specific social harm caused.
Cybercrimes may result in harm to property or in harm to persons.8 They have
developed from the use of computers to prepare crimes to offences mediated almost
entirely by technology, such as spamming.9 Computer technology has become central
to the commission of various crimes which only exist, at least in their specific form, as
a result of the existence of computer systems. Online fraud, forgery, and ‘phishing’ fall
into this category. Computers and computer systems may also be the target or ‘victim’
of cybercriminal activities. These so-called computer integrity crimes include illegal
access to computer data or systems, commonly referred to as ‘hacking’ or ‘cracking’;
the dissemination of malicious software, such as viruses and worms; and denial of
service attacks that may represent a method of modern terrorism or warfare.10 Finally,
cybercriminal activity may relate to a specific content, with the dissemination of child
pornography and hate speech figuring most prominently in this category.
Due to the increasing digitalization of social relations, it may become necessary to
add another category: ‘crimes’ committed in virtual worlds such as Second Life or in
so-called ‘massively multi-player online role-playing games’ (MMORPGs). While theft
of virtual property, virtual rape and sexual harassment as well as virtual paedophilia
could and should arguably be regulated by the operator of the respective virtual world,
they may also have significant consequences in the real world. Virtual property is
widely traded online and paid for with real money. This means that stolen virtual
property also has value in the real world. The person behind a sexually harassed avatar
may suffer emotional harm and be traumatized in the same way as a victim of
conventional harassment. It is still unclear to which extent the ‘real’ world – including
law enforcement authorities – should be concerned with such ‘virtual’ crimes. It has
been argued that virtual crimes are always ‘grounded in physical reality’ and that,
without harm in the real world, there is no cybercrime.11 Moreover, some virtual
behaviour, even without causing direct harm in the real world, can arguably contribute
to downplaying and normalizing an activity that is criminalized in the physical world,
an obvious example being paedophilia.12 In some instances, the national criminal
system has already responded. The arrest of a Dutch teenager in 2007 for stealing
virtual furniture on Habbo is only one example.13
8
For this categorization, see ibid. 30.
9
For this differentiation, see David S. Wall, Cybercrime: The Transformation of Crime in
the Information Age (Polity 2007) 44–8.
10
For more information on cyber terrorism and cyber warfare, see Saul and Heath (Ch 7 of
this book) and also Part IV of this book.
11
Susan W. Brenner, ‘Fantasy crime’ (2008) 11 Vanderbilt J. of Tech. & Ent. L. 1, 26.
12
A good example is virtual ageplay, where all players are adults but engage, via their
avatars, in sexual behaviour between children and adults. For an overview over the main
arguments, see ibid. 42–3. For the reasoning of the Supreme Court of Canada regarding child
pornography fuelling fantasies that incite offenders, see R v. Sharpe 2001 SCC 2.
13
See ‘‘‘Virtual Theft” Leads to Arrest’, BBC News (14 November 2007) <http://
news.bbc.co.uk/2/hi/7094764.stm> accessed 18 October 2013. In some States, such as in South
Korea, where virtual worlds are particularly popular, law enforcement authorities have created
specialized divisions to address such ‘crimes’.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 2
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
14
Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force: 1 July 2004).
15
In early 2014, 41 States, including the non-CoE member States US, Australia and Japan,
had ratified the convention.
16
For a thorough comparison of these instruments, see UN Office on Drugs and Crime,
Comprehensive Study on Cybercrime (February 2013) <http://www.unodc.org/documents/
organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf> accessed
8 October 2013, 63–72 and Annex Three.
17
Draft African Union Convention on Cybersecurity (Version 01/09/2012) parts I–III.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 3
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
adopted by the Council of the European Union in 2005.18 With respect to substantive
law, this Framework Decision on attacks against information systems resembles the
CoE Convention in many respects;19 the Framework Decision is, however, more
specific with respect to the procedural law, in particular when it comes to jurisdiction.20
One significant challenge in the global fight against cybercrime consists in the fact
that similar activities may be considered a crime in some countries, such as a massive
spam attack against a specific person or company, but simply an unwanted behaviour in
others akin to, in the case of spam, conventional unsolicited publicity by a company.
‘Hacking’ and ‘cracking’ may be considered harmful activities, to be outlawed and
penalized. But how should we deal with hackers who do not necessarily act with
criminal intent but enter systems for fun or with so-called hacker activists or
‘hacktivists’ who seek, for instance, to circumvent excessive restrictions and online
surveillance of repressive governments? Even if there exists a general consensus among
States regarding which acts – broadly speaking – should be criminalized,21 opinions
and approaches diverge when it comes to the details. There may, for instance, exist a
consensus on the criminalization of a certain conduct related to the content of
webpages in some jurisdictions; in others, such criminalization would be seen as
unduly limiting the freedom of expression. Child pornography and hate speech are
again good examples.22 Issues relating to intellectual property have also proved
divisive, particularly as between developed and developing States, and explain why a
country like Brazil declined to sign the CoE Convention.
The problem is that if not restricted and prohibited globally, in other words without
exception, the content in case may always resurface – legally – on the internet and be
accessible from anywhere in the world. One ‘hole’ in the system is sufficient to make,
by default, any content available on a global scale. Similar problems arise in the
context of copyright. What may be promoted as ‘open access’ or ‘freedom of the
internet’ in one place may represent grave infringements of intellectual property rights
elsewhere. In short, what used to be local problems that could easily be dealt with
domestically now require not only concerted efforts but also far-reaching compromises.
With respect to content-related cybercrimes, however, the territorial restriction of
websites may be an alternative to the harmonization of substantive legal rules.
The CoE is a convenient starting point to discuss current efforts to criminalize
cybercrimes because of its fairly wide ratification and its helpful approach to the
classification of offences. The CoE Convention itself does not criminalize certain acts
but requires States parties to adopt ‘legislative and other measures’ to ensure that the
18
Council of the European Union, Council Framework Decision 2005/222/JHA of 24
February 2005 on attacks against information systems.
19
For a more detailed comparison between the two instruments, see Paul De Hert, Gloria
Gonzáles Fuster and Bert-Jaap Koops, ‘Fighting Cybercrime in the two Europes’ (2006) 77
Revue internationale de droit pénal 503.
20
Council Framework Decision 2005/222/JHA (n 18) section 4.
21
For the summary findings of a survey conducted by the UN Office on Drugs and Crime,
to which 56 States responded, see UNODC/CCPCJ/EG.4/2013/2, paras 13–15.
22
For the recurrent problem of enforcement between different jurisdictions, in this case
because of the accessibility of illegal material in France through a US-based internet provider,
see Yahoo! v. La Ligue contre le racisme et l’antisémitisme 433 F.3d 1199 (9th Cir. 2006).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 4
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
23
Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of
acts of a racist and xenophobic nature committed through computer systems (Council of
Europe), CETS No. 189, 28 January 2003 (entered into force: 1 March 2006). In late 2013, the
protocol had been ratified by 20 States.
24
Clough (n 1) 28.
25
See also Council of Europe, Convention on Cybercrime, Explanatory Report, para 49. The
CoE Convention only speaks of illegal access ‘without right’, which arguably includes those
hackers who are driven by ethical considerations and, for instance, seek to promote privacy
rights or to enhance security by carrying out penetration tests. For the distinction between
‘ethical hackers’ and ‘unethical hackers’ or ‘crackers’, see Wall (n 8) 54–56.
26
UN Office on Drugs and Crime (n 16) 62.
27
Convention on Cybercrime, Explanatory Report (n 25) para. 51. The Explanatory Report,
adopted by the Committee of Ministers of the Council of Europe, does not provide an
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 5
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
‘authoritative interpretation of the Convention’ but aims to ‘facilitate the application’ of its
provisions. Ibid. para. II.
28
For the distinction between these forms of malicious software, see Clough (n 1) 33–4.
29
Convention on Cybercrime, Explanatory Report (n 25) para. 64.
30
For more information on these attacks, see Clough (n 1) 37–9.
31
‘Operation Payback cripples MasterCard site in revenge for WikiLeaks ban’, BBC News
(8 December 2010) <http://www.theguardian.com/media/2010/dec/08/operation-payback-master
card-website-wikileaks> accessed 18 October 2013.
32
Convention on Cybercrime, Explanatory Report (n 25) para. 69.
33
For the comparison of several studies, see Clough (n 1) 234.
34
For this distinction, see De Hert, Gonzáles Fuster and Koops (n 19) 510–12.
35
For more information, see UN Office on Drugs and Crime (n 16) 95–6.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 6
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
36
Convention on Cybercrime, Explanatory Report (n 25) para. 93.
37
For this argument, see also Susan W. Brenner, ‘The Council of Europe’s Convention on
Cybercrime’ in Jack M. Balkin and others (eds.), Cybercrime: Digital Cops in a Networked
Environment (New York University Press 2007) 212.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 7
/ Date: 7/5
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
and procedural provisions to the domestic legislatures. This approach has therefore
been criticized as a ‘watered down compromise of flexible harmonization [that] offers
little to motivate nations to voluntarily relinquish sovereignty in favor of international
regulation.’38 As we will see, this also potentially raises important jurisdictional issues.
Other instruments similarly seek to strengthen the protection of children against
sexual exploitation by requiring States to establish as criminal offences various forms
of conduct relating to child pornography. The Optional Protocol to the Convention of
the Rights of the Child on the Sale of Children, Child Prostitution and Child
Pornography does not deal specifically with the use of computer systems but contains,
in article 2(c) a sufficiently broad definition of child pornography: ‘any representation,
by whatever means, of a child engaged in real or simulated explicit sexual activities or
any representation of the sexual parts of a child for primarily sexual purposes’.39 Few
additional content-related offences appear in other multilateral instruments. The League
of Arab States Convention goes beyond the criminalization of child pornography and
requires States parties to criminalize the ‘production, display, distribution, provision,
publication, purchase, sale, import of [all] pornographic material’ (art 12), with
offences involving child pornography carrying increased punishment. The draft African
Convention contains similar provisions as the CoE Convention with respect to child
pornography (arts III-29 to III-32), but it also demands States criminalize computer-
related acts involving racism and xenophobia (arts III-34 and III-35).
Finally, the CoE Convention contains offences related to the infringements of
copyright and related rights (art 10). No particular conduct is defined; instead, the CoE
Convention refers to domestic law and the obligations undertaken by States pursuant to
a number of international instruments in this area, such as the Bern Convention for the
Protection of Literary and Artistic Works and the Copyright Treaty of the World
Intellectual Property Organization. However, as article 10(1) clarifies, the provision is
intended to cover only those infringements that are committed ‘wilfully’ and ‘on a
commercial scale’.
Clearly, these offences do not encompass all possible cybercrimes. As the Explana-
tory Report to the CoE Convention states, ‘[t]he list of offences included represents a
minimum consensus not excluding extensions in domestic law’.40 By way of example,
the use of computers and computer systems to commit theft and extortion or to engage
in other harmful activities, such as cyberstalking, are not covered. One may therefore
wonder why only some of the crimes already criminalized at the domestic level, such
as forgery, fraud and child pornography, are included in the CoE Convention, but not
others.
38
For this debate, see Miriam F. Miquelson-Weismann, ‘The Convention on Cybercrime: A
harmonized implementation of international penal law: What prospects for procedural due
process?’(2005) 23 John Marshall J. of Computer & Information L. 329, 354.
39
Optional Protocol to the Convention of the Rights of the Child on the Sale of Children,
Child Prostitution and Child Pornography, 25 May 2000, 2171 UNTS 227 (entered into force 18
January 2002) (emphasis added).
40
Convention on Cybercrime, Explanatory Report (n 25) para. 34.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 8
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Given that around 80 per cent of all cybercrime acts are committed through some
form of organized activity,41 another international instrument that can be relied upon to
some extent in the fight against cybercrime is the United Nations Convention against
Transnational Organized Crime from 2000 (Palermo Convention).42 This Convention
has been ratified almost universally, which makes it a potentially useful instrument to
coordinate the global fight against cybercrime. Most cybercrimes can be subsumed
under the definition of ‘transnational’ as defined in article 3(2) of the Convention,
according to which an offence is transnational when it is: (a) committed in more than
one State; (b) committed in one State but planned, prepared, directed or controlled in
another State; (c) committed in one State but involving an organized group engaging in
criminal activities in more than one State; or (d) committed in one State but has
substantial effects in another State. However, the Palermo Convention is only applic-
able to ‘serious crimes’, which are defined as ‘conduct constituting an offence
punishable by a maximum deprivation of liberty of at least four years or a more serious
penalty’ (art 2(b)) and which are committed for the purpose of obtaining a financial or
other material benefit (art 1(a)(i)); to the laundering of proceeds of a crime (art 6); and
to corruption (art 8). In other words, even though the Palermo Convention is completely
silent on cybercrime, certain serious forms of cybercriminal activities, such as
organized online fraud, are covered.43
41
Expert Group to Conduct a Comprehensive Study on Cybercrime, ‘Comprehensive study
of the problem of cybercrime and responses to it by Member States, the international community
and the private sector’ (UNODC/CCPCJ/EG.4/2013/2, Vienna, February 2013) para. 5.
42
United Nations Convention against Transnational Organized Crime, 15 November 2000,
2225 UNTS 209 (entered into force 29 September 2003).
43
The only reference to computers is made in the provision on training and technical
assistance, which requires States to initiate, develop or improve specific training programmes,
including ‘[m]ethods used in combating transnational organized crime committed through the
use of computers, telecommunications networks or other forms of modern technology’, ibid. art
29.1(h).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position: 9
/ Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
44
The Convention, therefore, emphasizes expeditiousness, for instance of the preservation
and disclosure of computer data. As the Explanatory Report notes, ‘[s]peed and, sometimes,
secrecy are often vital for the success of an investigation.’ Convention on Cybercrime,
Explanatory Report (n 25) para. 133.
45
Ibid. para. 195. The only exception is access to data that is publicly available or if the
consent of the person who has the lawful authority to disclose the data has been obtained.
Convention on Cybercrime (n 14) art 32.
46
Convention on Cybercrime, Explanatory Report (n 25) para. 147.
47
For a critique of the lack of procedural guarantees, see Miquelson-Weismann (n 38) 341.
48
See Convention on Cybercrime, Explanatory Report (n 25) para. 256.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
10 / Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Other instruments contain similar provisions with respect to extradition and mutual
legal assistance, including mechanisms for expedited assistance. While the draft
African Convention only touches on principles of international cooperation in a general
manner and encourages States parties to sign the Convention on mutual legal assistance
(art III-14), the League of Arab States Convention contains detailed provisions on
extradition and mutual assistance (arts 30–43). By way of example, States parties may
be requested to seize, secure or disclose data in their territory, including through
expedited means of communication, such as e-mail, and every State party is required to
establish a 24/7 contact point ‘to ensure the provision of prompt assistance’ (art 43).49
The League of Arab States Convention also resembles the CoE Convention with respect
to grounds for refusal of assistance. A State party may notably not respond to another
State’s request, for instance to preserve or disclose data, if ‘the request concerns an
offence which the requested Party considers a political offence’ or if ‘the requested
Party considers that execution of the request is likely to prejudice its sovereignty,
security, ordre public or other essential interests’.50 Although grounds for refusal
should, generally speaking, be ‘narrow and exercised with restraint’,51 it does not seem
that detailed reasons must be specified if requests for assistance are refused by invoking
one of these provisions.
In sum, the CoE Convention represents a traditional, decentralized criminal law
approach based on the territoriality principle of regulation and enforcement that seeks
to increase the capacity of States to deal with cybercrimes. As Susan W Brenner has
argued, cybercrime is treated in the Convention ‘as an internal threat which is to be
dealt with by the criminal justice system of a nation whose citizens have suffered
‘harm’ from a particular activity’.52 The very fact of criminalizing similar behaviour in
similar terms is in itself a great boost to transnational judicial cooperation, particularly
in the extradition domain where the dual criminality rule typically requires that an
offence exist in both the requesting and requested State.
49
For a discussion of institutional aspects and a few examples of ways in which such contact
points were established, see Council of Europe, ‘The effectiveness of international co-operation
against cybercrime: examples of good practice’, discussion paper prepared by Pedro Verdelho
(12 March 2008) 21–4 <http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/
documents/reports-presentations/567%20study4-Version7%20provisional%20_12%20March%
2008_.pdf> accessed 6 January 2014.
50
Convention on Cybercrime (n 14) arts 27(4), 29(5), 30(2); the corresponding provision in
the League of Arab States Convention can be found in art 35.
51
Convention on Cybercrime, Explanatory Report (n 25) para. 268.
52
Brenner (n 37) 210.
53
For a general overview of jurisdiction in cyberspace, see Kohl (Ch 2 of this book).
54
Susan W Brenner, ‘Cybercrime jurisdiction’ (2006) 46 Crime, L. & Social Change 189.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
11 / Date: 24/3
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
framework in a very radical way, almost to the point of making ‘geography irrel-
evant’.55 Cybercrimes are often transnational, even global in their concrete operation,
and not simply as a result of political fiat as in the case of major supranational crimes
(genocide, crimes against humanity or war crimes may, after all, be quite national in
character). However, there is also almost always a certain physicality even to
cybercrime. Criticizing a common overreliance on virtual metaphors in the scholarship,
for example, Orin S Kerr has argued that ‘virtual metaphors will obscure rather than
illuminate the dynamics of computer crime. … what matters is the physical reality of
the network, the actual bits and bytes, rather than the virtual world a user might
imagine’.56 At any rate, both prescriptive and adjudicative/enforcement issues arise that
at the very least complicate issues of jurisdiction.
At the prescriptive level, in the 1980s and 1990s, several countries, especially in
North America and Europe, started to adopt national legislation criminalizing certain
cybercrimes. Since websites can usually be accessed in every country, the content of
each website could be seen as having to comply with the national regulations of every
country from where it is accessible.57 The danger of overregulation, amplified in its
complexity by a still highly fragmented system based on national legislation, is
tangible. However, there is a strong correlation with the actual enforcement jurisdiction.
As Uta Kohl highlights, the:
fact that the existence of enforcement jurisdiction tends to be perceived as a prerequisite for
exercising adjudicative/legislative jurisdiction in respect of transnational criminal activity
means that the subjective territoriality principle, i.e. the country-of-origin approach, is far
more user-friendly for States. … the person responsible for the acts tends to be on the State’s
territory.58
In terms of adjudication and enforcement, even if bolstered with mutual legal assistance
treaties and extradition treaties, domestic laws are insufficient to establish jurisdiction
over many cybercrimes and deal effectively with jurisdictional conflicts, especially in
the case of cybercrimes of the latest generation. It is evident that the territoriality
principle, one of the principles on which national criminal jurisdiction is usually based,
is only of limited use in the context of cybercrime.59 There may be no single locus
delicti in the traditional sense; several offenders may act together yet from different
locations; experienced crackers can route their activities through portals in jurisdictions
without specific legislation; and digital evidence may be dispersed on servers located in
different jurisdictions.
55
Ibid.
56
Orin S Kerr, ‘Virtual crime, virtual deterrence: A skeptical view of self-help, architecture,
and civil liability’ (2005) 1 J. of L., Econ. & Pol’y. 197, 199–200. Kerr criticizes three proposals
associated with virtual metaphors: offensive self-help strategies or ‘cybervigilantism’, ‘architec-
ture regulation’, and civil liability for third-party computer operators.
57
For this debate, see Uta Kohl, Jurisdiction and the Internet (CUP 2007) 24–6. For the
argument that the rise of jurisdictional conflicts has been facilitated by technical developments,
especially those relating to the territorial restriction of websites, see ibid. 104.
58
Ibid. 106.
59
For this argument, see also Fausto Pocar, ‘New challenges for international rules against
cyber-crime’ (2004) 10 European J. on Criminal Policy and Research 27, 36.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
12 / Date: 24/3
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
In most instances, however, the offenders, the victims and the harm caused are very
real. Basing jurisdiction on the principle of nationality and of objective territoriality,
according to which a State may exercise jurisdiction over a conduct having a
substantial effect in its territory, although the conduct occurred outside its territory,
allows States both to prosecute and to seek to protect their own nationals. This
approach is, for instance, adopted by the CoE Convention. While the provisions on
territorial jurisdiction are not very precise in this regard, with article 22(1)(a) only
requiring a State party to adopt measures allowing it to establish jurisdiction for
offences committed ‘in its territory’, the Explanatory Report specifies that an offence
committed ‘in its territory’ includes, for instance, the attack of a computer system in its
territory, even if the attack is launched from outside its territory.60
Should the State of origin and the State of destination both be able to exercise
jurisdiction? Conflicts are inevitable when the specific conduct in question is criminal-
ized in the former but not in the latter. These conflicts can be negative (no State claims
jurisdiction) or positive (multiple States do), both of which are problematic. The CoE
Convention deals with this dilemma to some extent by allowing States, under article
22(2), to opt out from the requirement to exercise jurisdiction over offences committed
by a national if the offence is punishable where it was committed.61 While integrating
the general principle of aut dedere aut judicare,62 the CoE Convention provides little
guidance to resolve jurisdictional conflicts and to avoid competition among law
enforcement authorities. It merely states that: ‘when more than one Party claims
jurisdiction … the Parties involved shall, where appropriate, consult with a view to
determining the most appropriate jurisdiction for prosecution’ (art 22(5)). These
consultations are not mandatory and, as the Explanatory Report specifies, may even be
declined if a State deems them to be an obstacle to its investigations.63
Compared to the CoE Convention, the EU Framework Decision is more specific with
respect to conflicts of jurisdiction. Relying above all on the territoriality and the
nationality principles, three options, in order of preference, are outlined to determine
which member State should prosecute: where the offence has been committed; whose
national has committed the offence; and where the offender has been found.64 The
League of Arab States Convention also establishes a clear order of priority. When
several States claim jurisdiction, the order is as follows: States whose security or
interests have been disrupted; then States in whose territory the offence was committed;
60
Convention on Cybercrime, Explanatory Report (n 25) para. 233.
61
Convention on Cybercrime (n 14) art 22(1)(d). On negative and positive jurisdiction
conflicts, see De Hert, Gonzáles Fuster and Koops (n 19) 519; see also Susan W. Brenner and
Bert-Jaap Koops, ‘Approaches to cybercrime jurisdiction’ (2004) 4 J. of High Technology L. 1.
62
The provisions on extradition include the following clause:
If extradition for a criminal offence referred to in paragraph 1 of this article is refused solely
on the basis of the nationality of the person sought, or because the requested Party deems that
it has jurisdiction over the offence, the requested Party shall submit the case at the request of
the requesting Party to its competent authorities for the purpose of prosecution and shall
report the final outcome to the requesting Party in due course. Convention on Cybercrime
(n 14) art 24(6).
63
Convention on Cybercrime, Explanatory Report (n 25) para. 239.
64
See also De Hert, Gonzáles Fuster and Koops (n 19) 519.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
13 / Date: 24/3
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
and finally, the State of the nationality of the offender (art 30(3)). In practice, it appears
that States resolve jurisdictional conflicts on an ad hoc basis through formal and
informal consultations.65 As the UN Office on Drugs and Crimes concluded in 2013,
‘forms of territoriality-based and nationality-based jurisdiction are almost always able
to ensure a sufficient connection between cybercrime acts and at least one State’.66
5. CHALLENGES
Three areas seem to require specific attention in any attempt to deal with cybercrime:
the role of service providers, the impact on rights, and the possibility of non-criminal
preventive measures. First, regarding the regulation of the internet more generally, and
the prevention of, and fight against, cybercrime more specifically, establishing the
liability and responsibility of service providers, which are ‘effectively the gatekeepers
of data on the Internet’,67 may be particularly relevant. Moreover, law enforcement
authorities increasingly seek the cooperation of private companies, such as information
and service providers. Several States have established requirements to retain data for a
certain period and to disclose data following a formal request from law enforcement
authorities.68 The CoE Convention only deals with internet service providers in a few
procedure-related provisions, allowing, for instance, State authorities to compel service
providers to collect or record data.69 Several model legislative texts establish more
extensive responsibilities, for instance, of access and hosting providers, including
monitoring obligations.70
Second, the fight against cybercrime may have an impact on the human rights of
users of computers and the internet, perhaps especially when service providers are
enlisted in an enterprise of surveillance.71 Although cybercrime is a concern for the
public, the potential of cybercrime laws being interpreted by governments in ways that
allow them to better suppress dissent or control populations is high, in ways that are
very reminiscent of debates surrounding the repression of terrorism. The right to
privacy may be violated, as may freedom of expression unduly limited by content-
related restrictions.72 Concerns have been voiced that the CoE Convention was
65
UN Office on Drugs and Crime (n 16) 189.
66
Ibid.
67
Clough (n 1) 8.
68
UN Office on Drugs and Crime (n 16) 144–6.
69
Convention on Cybercrime (n 14) arts 20(1)b and 21(1)b.
70
E.g. the 2010 Model Legislative Texts on Cybercrime/e-Crimes and Electronic Evidence
elaborated by the International Telecommunication Union (ITU)/Caribbean Community
(CARICOM)/Caribbean Telecommunications Union (CTU) and the 2011 Cybersecurity Draft
Model Bill of the Common Market for Eastern and Southern Africa (COMESA).
71
See Fidler (Ch 5 of this book).
72
Joint Declaration on Freedom of Expression and the Internet by the UN Special
Rapporteur on Freedom of Opinion and Expression, the OSCE Representative on Freedom of the
Media, the OAS Special Rapporteur on Freedom of Expression and the ACHPR Special
Rapporteur on Freedom of Expression and Access to Information, <http://www.osce.org/fom/
78309> accessed 18 October 2013. The Joint Declaration states, for instance, that ‘[c]ontent
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
14 / Date: 24/3
JOBNAME: Tsagourias PAGE: 15 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
established thanks to the work of a Committee of Experts with little access for civil
society organizations, especially those concerned with privacy. It should be recalled
that the Convention recognizes States’ quite broad powers to combat even those
cybercrimes that are not actually defined in it. Although the Preamble states that
signatories are ‘mindful of the need to ensure a proper balance between the interests of
law enforcement and respect for fundamental human rights’, it does not itself establish
guarantees to respect such rights, leaving it instead to the States parties to legislate on
proportionality and checks and balances according to already existing obligations under
human rights law. This means that no shared minimal standards with respect to due
process exist for all States parties to the CoE Convention. Most notably, the ECHR,
which may provide particularly useful guarantees in the context of the fight against
cybercrime, is only applicable to the European States which are parties to this
Convention; contrary to the Cybercrime Convention, the ECHR is not open to
non-States parties of the CoE.73 Moreover, there are no provisions in the Convention
outside the Preamble on the protection of personal data, a sensitive issue in light of
States’ extensive surveillance powers and the fact that judicial cooperation under the
Convention may lead to data being shared with States beyond those bound by the EU’s
own relatively protective standards. More generally, the fight against cybercrime has
created concerns that it may impair citizens’ ability and right to ‘seek, receive and
impart information’74 in a context where States may feel empowered to seize or
otherwise obtain computer data without warrants or adopt expansive libel laws when it
comes to the internet.75 However, combating cybercrime should arguably be subject to
particular regulation. Just as some forms of cybercrime, because of their novel
characteristics, demand specific legal responses, some of these responses may represent
a particular threat to human rights. In other words, the potentially far-reaching intrusion
into the lives of internet users, facilitated by automated surveillance and data storage,
ought to be an inherent aspect of any initiatives intended to fighting cybercrime.
Third, criminal law is obviously not the only avenue to combat cybercrime. A
document entitled ‘cybercrime report’ of a software security producer is clearly not
intended to promote criminal law responses to cybercrime but to make the online user
protect herself through technical means. Indeed, when confronted with – increasingly
filtering systems which are imposed by a government or commercial service provider and which
are not end-user controlled are a form of prior censorship and are not justifiable as a restriction
on freedom of expression’ (para. 3.b). For a general discussion of human rights and cyberspace,
see Ch 6 in this volume.
73
For this discussion, in particular with reference to the US and decisions of the Supreme
Court concluding that the ECHR and other international human rights instruments, such as the
International Covenant on Civil and Political Rights, do not create enforceable rights in the US,
see Miquelson-Weismann (n 38) 355–9.
74
This is the language adopted by the 1948 Universal Declaration of Human Rights in art
19.
75
This was, for instance, the case of the highly controversial 2012 Cybercrime Prevention
Act of the Philippines that extended criminal libel to the internet and provided for harsh prison
sentences; the Act has been temporarily suspended by the Supreme Court. For more information
on the 2012 Act, see Human Rights Watch, ‘Philippines: New “Cybercrime” Law Will Harm
Free Speech’ (28 September 2012) <http://www.hrw.org/news/2012/09/28/philippines-new-
cybercrime-law-will-harm-free-speech> accessed 6 January 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
6. CONCLUSION
It appears that all initiatives, whether at the national, regional or international level,
only react – with a significant delay – to rapidly evolving forms of cybercriminal
activities. It is, indeed, difficult to conceive how law could anticipate future threats, in
other words do more than react and respond. Cybercrime also reveals some of the
shortcomings of the traditional nation-State approach in the field of criminal law: the
monopoly of power has largely become an illusion. States will undoubtedly need to
develop more creative responses. Enhancing harmonization of substantive law and
transnational cooperation via instruments like the CoE Convention is certainly useful,
but several challenges remain, in addition to the Convention’s provisions being
susceptible to different interpretations by its States parties. More comprehensive
approaches that integrate a deeper understanding of the functioning of information
76
For examples of such campaigns organized by governments and the private sector, see UN
Office on Drugs and Crime (n 16) 234–6.
77
E.g. Joint Declaration on Freedom of Expression and the Internet (n 72), para. 1.f.
78
The CoE Explanatory Report recognizes that ‘[t]he most effective means of preventing
unauthorised access is, of course, the introduction and development of effective security
measures. However, a comprehensive response has to include also the threat and use of criminal
law measures’. Convention on Cybercrime, Explanatory Report (n 25) para. 45.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
technology may be required. In this sense, the emergence of entirely virtual worlds has
already created a renewed need for theorizing about criminal law. Is stealing a virtual
object in a virtual world a crime akin to theft?79 Is virtual child pornography the same
as the real thing? On the one hand, surely killing a virtual avatar is not the same thing
as murder, even though it may be portrayed as such in a game environment. Some have
argued for a relatively light intervention of the criminal law, leaving governance and
disciplining of virtual spaces to their organizers. On the other hand, economic and
social harms may occur as a result of actions occurring entirely in virtual spaces, not to
mention the way in which such spaces may serve to play out or experiment with
criminal behaviour in ways that may well spill over into the real world.
A key question is to what extent we can or should look beyond traditional criminal
law responses and whether cybercrime requires radically new approaches. Is inter-
national law, and the law more generally, ill-equipped to deal with cybercrime?
Additional options to strengthen existing and to propose new national and international
legal or other responses to cybercrime, as identified by a United Nations Office on
Drugs and Crime report in 201380 include the development of international model
provisions on the criminalization of cybercrimes, inter alia, to eliminate ‘safe havens’;
the development of a comprehensive multilateral instrument; and the strengthening of
cooperation in order to deliver enhanced technical assistance to combat cybercrime in
developing countries. Furthermore, suggestions such as the establishment of an
International Cybercrime Court or for the expansion of the competences of the
International Criminal Court over cybercrimes81 may be premature but have been
voiced strongly.
The principle of universality merits consideration in this context. Traditionally,
universal jurisdiction has been reserved for the arguably most serious crimes, including
genocide and crimes against humanity. No traditional jurisdictional link being required,
any State may exercise jurisdiction over such crimes, even if committed outside its
territory by a non-national against non-nationals. It seems unlikely that a consensus
regarding universal jurisdiction over cybercrime will develop anytime soon; most
cybercriminal activities do not ‘shock the consciousness of humanity’82 to the same
degree as the crimes under the jurisdiction of the International Criminal Court. It might
be conceivable, however, to imagine the application of the principle of universal
jurisdiction on a basis closer to its original application to crimes of piracy, as a result of
their occurring in areas that were beyond the jurisdiction of any State. Jurisdiction
would be limited to a restricted list of the most serious cybercriminal activities that are
79
Andrea Vanina Arias, ‘Life, liberty, and the pursuit of swords and armor: Regulating the
theft of virtual goods’ (2007) 57 Emory L J 1301; Brenner, ‘Fantasy Crime’ (n 11); Brian
Simpson, ‘What happens online stays online? Virtual punishment in the real world’ (2011) 20
Information & Communications Technology L. 3.
80
UN Office on Drugs and Crime (n 16).
81
Stein Schjolberg, ‘Recommendations for potential new global legal mechanisms against
global cyberattacks and other global cybercrime: An international criminal tribunal for cyber-
space (ICTC), A Paper for the EastWest Institute (EWI) Cybercrime Legal Working Group’
(2012) <http://www.cybercrimelaw.net/documents/ICTC.pdf> accessed 6 January 2014.
82
Rome Statute of the International Criminal Court, 17 July 1998, UN Doc A/CONF.183/9,
preamble.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
universally condemned, in which case the State assuming jurisdiction would not need
to establish a nexus according to the conventional criteria of territoriality or nationality.
However, the threshold is likely to be high; the mere fact that an activity is
deterritorialized in nature – as many cybercrimes are – cannot be considered an
automatic justification for any State asserting jurisdiction.
In sum, cybercrime has not yet altered the nature and modalities of international law,
with the current international legal responses rather following traditional approaches
that were already adopted in other areas of transboundary criminal law, such as human
trafficking or drug trafficking. The various multilateral initiatives are valuable, since
they lay the groundwork for greater cooperation between States. However, these
instruments certainly further the risk of creating regional clusters. Global cooperation,
beyond State or regional boundaries, and across the State/non-State divide, is needed to
deal with many forms of cybercrime.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
18 / Date: 24/3
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter9 /Pg. Position:
19 / Date: 24/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
PART III
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
1 / Date: 24/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
2 / Date: 24/3
JOBNAME: Tsagourias PAGE: 3 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
(a) Apples and Pears? No, Just (Different) Goals!
Various recent assessments have revealed that ‘digital espionage and cyber crime
remain the biggest threats to both government and the business community’.1 The
so-called Snowden files have shed light on the activities of governmental intelligence
agencies that would have remained unknown to most of us. It appears that intelligence
services and companies around the world conduct operations in and through cyber-
space.2 This is self-evident for public (or governmental) organisations, however, the
number of private enterprises digitally collecting and providing information is growing
steadily.3 Activities include social-media monitoring,4 digital investigation,5 and ordi-
nary marketing research. Most notably, large ICT-companies such as Google, AOL,
Microsoft and applications like Facebook, Whatsapp, Twitter and LinkedIn are also
collecting data for (future) business purposes.6 Google’s knowledge of search-queries
* The author is grateful for the comments delivered by Professor Terry Gill, Mark Roorda,
Willem van Poll and Jelle van Haaster.
1
National Cyber Security Centre, ‘Cyber Security Assessment Netherlands-4’ (CSAN-4,
2014) 7. This national assessment is confirmed by findings of others: Ernst & Young, Under
cyber attack – EY’s Global InformationSecurity Survey 2013 (Ernst & Young 2013); Stephen
Doherty and others, ‘Hidden Lynx – Professional Hackers for Hire’ (Symantec, 17 September
2013) <http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/
hidden_lynx.pdf> accessed 12 September 2014.
2
For the description of cyberspace used in this chapter, see Paul A L Ducheine and Jelle
van Haaster, ‘Fighting Power, Targeting and Cyber Operations’ in Proceedings of the 6th
International Conference on Cyber Conflict (2014) (CCDCOE 2014) 303–28, using a five-
layered model consisting of people, cyber-identities, cyber-objects, physical infrastructure
(objects) and geographical locations (of people and infrastructure).
3
For instance services provided by Information Security firms, see Mandiant’s Intelligence
Centre <www.mandiant.com/products/intelligence-center> accessed 12 September 2014, well
known for reporting on China’s alleged Advanced Persistent Threat or see the Dutch niche
company Fox-IT <www.fox-it.com/en> accessed 12 September 2014.
4
See inter alia <http://www.coosto.com/uk/> accessed 12 September 2014. Applications
are offered for: customer service, brand monitoring, campaign monitoring, crisis monitoring,
competitor monitoring and data research.
5
See <www.cyberinvestigationservices.com> accessed 12 September 2014, addressing
internet defamation, cyber harassment, hacking investigation, and cyber security.
6
Recently, a number of those companies advocated more restrictions on governmental
surveillance and reform of legislation in this respect. See <www.reformgovernmentsurveil-
lance.com> accessed 12 September 2014.
211
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
1 / Date: 7/5
JOBNAME: Tsagourias PAGE: 4 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
enables it to know more details about individuals than these people know (or realize)
themselves.7 Since a number of these ICT companies are being observed by, or forced
to collaborate with, governmental intelligence agencies, this private (and economic)
information is likely also available for the latter.
Next to espionage and intelligence, the other substantial threat originates from a
group of actors that bears no public responsibility at all: criminals who use cyberspace
as a vector for their actions, as a target for their activity, as a line of communication, or
as a marketplace to sell their ‘products’. In order to counter this threat, stakeholders
varying from individuals to Internet Service Providers (ISPs), from anti-virus vendors
to governments, have taken a variety of countermeasures. These measures may be
preventive in nature by installing firewalls and anti-virus software, or by penalising
cyber crime by implementing (inter alia) the Budapest Cyber Crime Convention.8 In
addition, governments are preparing responses by drafting legislation enabling law
enforcement officials to ‘hack-back’, once designated forms of (cyber) crime have been
discovered.9
However, apart from espionage and crime, cyberspace is also used for a variety of
other purposes. According to David Sanger, the US and Israel produced and used the
famous Stuxnet virus against nuclear production facilities in Iran, delaying its nuclear
program and thereby ‘buying’ time and preventing (or postponing) a physical (military)
aka ‘kinetic’ operation against Iran’s nuclear program.10 This form of cyber sabotage or
‘cybotage’,11 was a complicated, multidimensional and costly operation against an
Industrial Control System (ICS) not connected to the Internet and therefore protected
by (inter alia) a so-called ‘air gap’. This, however, did not hamper the operation and
might become even more likely since researchers have now proved that acoustic signals
may also cross air gaps like these.12 Hence, cyber activities have had (and will have)
effects in the physical domain.
Cyberspace also features and supports warfare, war-related activities and (other)
military operations. In 2007 Syrian air defences did not notice foreign jets bombing a
7
John Lanchester provokingly argues that Google, by virtue of its data, ‘doesn’t just know
you’re gay before you tell your mum; it knows you’re gay before you do’, John Lanchester, ‘The
Snowden files: why the British public should be worried about GCHQ’ The Guardian (3 October
2013) <http://www.theguardian.com/world/2013/oct/03/edward-snowden-files-john-lanchester>
accessed 15 March 2014.
8
Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force 1 July 2004).
9
See inter alia Michiel van Blommestein, ‘“Hack back” law would let Dutch police install
spyware, eavesdrop on Skype’ (ZDNet, 3 May 2013) <http://www.zdnet.com/hack-back-law-
would-let-dutch-police-install-spyware-eavesdrop-on-skype-7000014867/> accessed 12 Septem-
ber 2014; and Peter Sommer, ‘Police powers to hack: current UK law’ (2012) 6 Computer and
Telecommunications L. Rev 165.
10
David Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of
American Power (Crown 2012) 188 ff.
11
John Arquilla, ‘Cyberwar is already upon us – But can it be controlled?’ Foreign Policy
(27 February 2012) <http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_
upon_us#sthash.OfFAFk4W.dpbs> accessed 1 March 2014.
12
Michael Hanspach and Michael Goetz, ‘On covert acoustical mesh networks in Air’
(2013) 8(11) J. of Communications 758.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
2 / Date: 7/5
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
nuclear facility at al Kibar. Apparently, the air defences were manipulated from outside,
using cyberspace as an entrance and digital code as tooling.13 During the Second Gaza
War (2012), Israel Defence Force (IDF) and Hamas were battling in cyberspace, using
blogs and tweets as instruments in an information campaign.14 Sympathisers (or
victims) expressed their feelings and ideas as well.15 Characteristically for cyberspace,
geographical dislocation does not hamper groups and individuals from joining conflicts
(and other forms of social behaviour), thus confronting or supporting the warring
parties digitally.16 Hackers bearing the name Anonymous, launched their ‘#OpIsrael’
campaign, defacing and obstructing Israeli websites and e-services.17 Thus, Anonymous
and (h)activist groups alike have entered the realm of conflict,18 partially in pursuance
of their ‘corporate’ mission, but by launching virtual (i.e. cyber) operations, also
entering the domain of operations that are closely related to the physical military
conflict that is being fought by the warring factions as well.
Whichever source is behind these threats, irrespective of the motivation that is
driving such cyber activities, and regardless of where and against what or whom they
are conducted or directed, the common denominator of these forms of social behaviour,
seems – at first glance – to be a military and warlike one, as all of them are referred to
as ‘attacks’, the activities quite often labelled as ‘operations’, and the totality of
operations once and again is characterized as ‘cyber warfare’, as if the whole
phenomenon were militarized.
13
Peter Warren Singer and Allan Friedman, Cybersecurity and Cyberwar – What Everyone
Needs to Know (OUP 2014) 126–8.
14
Tweets from @IDFSpokesman (<https://twitter.com/IDFSpokesperson> accessed 12 Sep-
tember 2014) and IDF–Blog.com, e.g. <www.idfblog.com/wp-content/uploads/2012/11/
checklistinfographic.jpg> (accessed 1 March 2014). See also IDF communication on Hamas in
general (<www.idfblog.com/category/idf-news/terrorism-idf-news/hamas/> accessed 1 March
2014). Hamas operatives’ use of Twitter can be found on <twitter.com/AlqassamBrigade>
(accessed 12 September 2014), for instance with <https://twitter.com/AlqassamBrigade/status/
269186182225747968/photo/1/large> (accessed 2 January 2014), the account was suspended by
Twitter, see NN, ‘Twitter suspends English account of Hamas military wing’ (Al Arabiya News,
12 January 2014) <http://english.alarabiya.net/en/media/digital/2014/01/12/Twitter-suspends-
English-account-of-Hamas-s-military-wing-.html> accessed 15 March 2014.
15
For instance see Occupied Palestine, ‘#GazaUnderAttack | NOV 21, 2012 | LIVE BLOG’
(Occupied Palestine, 21 November 2012) <occupiedpalestine.wordpress.com/2012/11/18/
gazaunderattack-nov-18-2012-live-blog/> accessed 12 September 2014).
16
Garbiella Coleman, ‘Anonymous in context: The politics and power behind the mask’
(Paper No 3, International Governance Innovation, November 2013) <http://www.cigionline.org/
sites/default/files/no3_8.pdf> accessed 1 January 2014.
17
Anonymous, ‘#OpIsrael’ (Youtube, 17 November 2012) <http://www.youtube.com/
watch?v=q760tsz1Z7M> accessed 31 December 2013.
18
I.e. in the factual meaning, without necessarily (directly) participation in the hostilities.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
3 / Date: 24/3
JOBNAME: Tsagourias PAGE: 6 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
However, despite the belligerent language often used,19 in reality, the portion of
military involvement in cyber activities seems fairly limited. This ought to be nuanced.
Even so, the observation may be true regarding cyber warfare proper, i.e. the conduct of
military cyber operations in the context of an armed conflict in the legal meaning.20
Yet, as cyber operations may not – and most times do not – qualify as cyber warfare
proper, other cyber operations below this threshold are characterized by military
involvement as well. Therefore, the military’s contribution to cyber operations is larger:
quantitatively and qualitatively.
First, the military portion may be larger in numbers (quantity), as some States have
provisions whereby the military are involved through non-military institutional arrange-
ments. Some of the military intelligence and security services operate under civil (i.e.
non-military) legislation and control. Some of the intelligence services have a dual role:
civil and military tasking alike. In addition, some States have a role for military police
forces within the law enforcement domain.
Secondly, although small in numbers, the military may play a crucial and inevitable
role in providing ‘cyber security’. Nowadays, governments increasingly rely on a
multidisciplinary or inter agency approaches to (modern) security threats as is clearly
visible in counter-terrorism and cyber-security policies, thus using the ‘whole of
government’ to face and address modern threats.
Suitable or not, the term cyber operations seems to become a common denominator for
activities in cyberspace, undertaken with the aim of achieving objectives in or through
this digital domain. The common denominator however, can be, and indeed is, used in
a great variety of situations, by a diversity of actors and, quite obviously, for various
reasons.
The aim of this chapter therefore, is to elaborate on this notion of ‘cyber operations’
as they seem to be used as a universal, a rather generic and non-specific term. As a
starting point, the definition offered by an international group of experts will be used
for this purpose. Cyber operations are defined as: ‘the employment of cyber capabilities
with the primary purpose of achieving objectives in or by the use of cyberspace’.21
The primary perspective will be that of the State. However, as demonstrated above,
since non-State entities have emerged in this domain as well, attention will also be paid
to the characteristics of (a number of) cyber operations conducted by non-State actors.
19
Kenneth Watkin, ‘The cyber road ahead: Merging lanes and legal challenges’ (2013) 89
Int’l. L. Studies 472, 503.
20
See, e.g. Terry D Gill & Paul A L Ducheine, ‘Anticipatory self-defense in cyber context’
in Yoram Dinstein and Fania Domb (eds.), Israel Yearbook on Human Rights (vol 43, Martinus
Nijhoff Publishers 2013).
21
Michael N Schmitt, ‘“Below the threshold” cyber operations: The countermeasures
response option and international law’ (2014) 54 (Forthcoming) Virginia J. of Int’l. L.
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2353898> accessed 13 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
4 / Date: 7/5
JOBNAME: Tsagourias PAGE: 7 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Although some non-State actors may have explicitly formulated a formal strategy as
States (normally) do, a number of them will only have some form of implied
rudimentary articulated ‘corporate goal or end’.22 Whether communicated explicitly or
not, and regardless of its legitimacy, State and non-State actors alike do tend to allocate
resources (means) and undertake activities (ways) in order to achieve those designated
goals or ends. In doing so, non-State actors (at least rational ones) and States both use
strategic objectives at the ‘corporate’ or ‘strategic’ level of their organization. These
strategic objectives are subsequently implemented at the operational level through the
allocation of means, and the definition of ways to employ the latter. These two
characteristics of organizations will be used to describe differences and similarities in
the various cyber operations.
First, for State and non-State entities alike, the differences in objectives at the
strategic level will be exposed (Section 2). Section 3 will then reveal similarities at the
operational level, being the ‘means and methods’ used to achieve these strategic
objectives.
Subsequently, the primary focus will be on State actors, displaying the distinct roles
of States by articulating five strategic paradigms used to characterize cyber activities,
their purposes and institutional frameworks (Section 4). Section 5 then operationalizes
cyber operations (in general) and military cyber operations in particular (Section 6) by
describing specific features and phases.
22
On non-State actors’ strategies, e.g. Lawrence Freedman, Strategy – A History (OUP
2013) 474 ff.; and Peter R Neumann and Michael L Smith, ‘Strategic terrorism: the framework
and its fallacies’ in Thomas G Mahnken and Joseph A Maiolo (eds.), Strategic Studies – A
Reader (Routledge 2008) 342. Some non-State actors have explicitly stated ‘strategic objectives,
e.g. Hamas’ strategy as expressed in its Charter (The Covenant of the Islamic Resistance
Movement (1988) <http://avalon.law.yale.edu/20th_century/hamas.asp> accessed 17 March
2014); and The Syrian Electronic Army at Helmi Noman, ‘The emergence of open and
organized pro-government cyber attacks in the Middle East: The case of the Syrian electronic
army’ (Infowar Monitor, 30 May 2011) <http://www.infowar-monitor.net/2011/05/7349/>
accessed 12 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
5 / Date: 8/5
JOBNAME: Tsagourias PAGE: 8 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
thematic national strategies focussing on cyber security issues.23 Other States may
derive their strategic aims from general national strategies. As cyberspace, or the digital
domain, is part of other domains, and other vital interests are increasingly interrelated
and dependent on ICT and digital networks, security in the digital domain (hence cyber
security) may be a part of other vital strategic interests, such as economic security and
physical security. However, as was demonstrated by the recent Dutch Diginotar case,
some parts of a State’s critical infrastructure can be purely digital in nature and
formerly not designated as such. Only after having (thus) emerged as vital to security
interests in general, governments are forced to reconsider the notion of ‘critical’
infrastructure, as was the case in the Netherlands.24
Looking at non-State actors, their strategic notion may differ from that of States.
Regarding legitimate commercial enterprises, their goal will be economic profit, as is
the case for Kaspersky, Norton, Symantec, Google, Facebook et al.25 Of particular
interest are commercial enterprises that appear to be supplying tools enabling others to
conduct cyber activities.26 Cyber activities are part of their business model, if not their
product.27
23
See for an overview of those States e.g.: OECD ‘Cybersecurity policy making at a
turning point: Analysing a new generation of national cybersecurity strategies for the internet
economy’ (OECD Digital Economy Papers, No. 211, OECD Publishing 2012) 66 ff.; CCD COE,
‘National Strategies & Policies’ (NATO Cooperative Cyber Defence Centre of Excellence, 2014)
<https://www.ccdcoe.org/328.html> accessed 1 January 2014; ENISA, ‘National cyber security
strategies – Setting the course for national efforts to strengthen security in cyberspace’ (May
2012) <https://wwwenisaeuropaeu/activities/Resilience-and-CIIP/national-cyber-security-strategies-
ncsss/cyber-security-strategies-paper> accessed 12 September 2014).
24
National Cyber Security Centre, ‘Dossier DigiNotar’ <www.ncsc.nl/english/services/
expertise-advice/knowledge-sharing/files%5B2%5D/dossier-diginotar.html> accessed 2 March
2014. On the impact of the case, see National Cyber Security Centre (n 1) 18: ‘For example IT,
telecommunications and electricity are fundamental for the functioning of many (other) vital
sectors and processes in society. Failure in any one of these sectors can result in damaging
effects in all sectors’.
25
For example:
Symantec’s mission is to make the world a safer place by protecting and managing
information so everyone is free to focus on achieving their goals. It’s a statement that ties our
business goals to a social purpose as we help people, businesses, and governments secure and
manage their information-driven world against more risks at more points, more completely
and efficiently than any other company. Steve Bennett, ‘CEO Letter’ (Symantec)
<www.symantec.com/corporate_responsibility/topic.jsp?id=ceo_letter> accessed 12 September
2014.
26
E.g. the US-based Palantir (<www.palantir.com>), the French company Vupen
(<www.vupen.com/english/>) or Israeli enterprise Terrogence (<www.terrogence.com> all
accessed 12 September 2014).
27
For example:
It is Fox-IT’s mission to make technical and innovative solutions that ensure a more secure
society. We do that through the development of advanced cybersecurity and cyberdefense
services and solutions for our clients around the world. We achieve this through a strong
focus on innovation and a tireless dedication to our clients, our values, and our integrity ()
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
6 / Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
7 / Date: 24/3
JOBNAME: Tsagourias PAGE: 10 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
to prevent misuse of cyberspace, or because misuse is their very goal. Taking into
account that the aims of cyber-security companies (e.g. Symantec) and vendors (e.g.
Microsoft) on the one hand, and cyber criminals on the other hand will be opposite,
their ‘business-models’ or in other words, the operational ways to achieve goals, focus
on the same lines of software and code: where it is Symantec’s and Microsoft’s task to
discover and/or to fix vulnerabilities, it is the criminal’s intent to exploit these very
weaknesses.
One of the clearest demonstrations of commonalities at the operational level vis-à-vis
cyber means and methods is monitoring software (and hardware) that is used by
Computer Emergency Response Teams (CERTs), intelligence agencies, law enforce-
ment officials, military units, civilian cyber security companies, as well as organized
criminal groups or hacktivist groups.
Thus, despite strategic differences between States and (some) non-State actors, at the
operational (and tactical) level, there appears to be more similarity as all actors –
conceptually – rely on more or less the same basic requirements (personnel, knowledge
and skills) and means and methods, that is: capabilities and capacities (see Section 5).
With that twofold conclusion in mind, the next sections will take a State perspective as
a starting point in order to further differentiate between the varieties of cyber
operations.31
31
When and where required, special attention will be paid to non-State actors conducting
cyber operations, criminal activities excluded, although the analysis offered may fit their
activities as well.
32
See also Alexander Klimburg and Philipp Mirtl, ‘Cyberspace and governance – A primer’
(Working Paper 65, Austrian Institute for International Affairs, September 2012) 15 <http://
www.oiip.ac.at/fileadmin/Unterlagen/Dateien/Publikationen/Cyberspace_and_Governance_-_
Working_Paper_65_2.pdf> accessed 11 November 2013.
33
See OECD (n 23).
34
E.g. Stuxnet, see also Sanger (n 10).
35
Klimburg and Mirtl (n 32) 15, referring to these paradigms as ‘mandates’.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
8 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Zeitgeist regarding topics that have reached the political agenda and require or enable
governmental action.36
To date, the issue of ‘cyber security’ has definitely reached the (international)
political and legislative agenda through the process of ‘securitization’, creating a
window of opportunity for amendments or implementation of these frameworks, and
have thus affected the paradigms.37
Two developments served as the driving forces behind today’s frameworks relevant
to cyber operations. First, the changed notion of security after the terrorist attacks of 11
September 2001 functioned as a catalyst for new (and far reaching) security demands
and arrangements. The second development is the increasing interconnectivity between
ICT-applications (including the so-called Internet of Things) and the dependency of
economic, societal and governmental processes on these applications, in other words:
the continuously emergent role of the digital domain, that is, of cyberspace. The latter
seems to have enabled activities that are (allegedly) necessary to effectively counter the
still-existing terrorist threat.38 Be that as it may, recent publications on the scale of
digital surveillance by States and commercial companies alike have brought the
dilemma of privacy versus security to the political agenda as well.39
The frameworks can be understood as the product of Zeitgeist, public opinion,
political attention, public demands, as well as (lack of) audacity and leadership. The
frameworks are tangible through (institutional and ad hoc) arrangements and govern-
mental organizations tasked with designated roles in cyberspace and cyber security.40
In democratic States adhering to the principle of the rule of law, these arrangements
and organizations, at least when exercising public authority (that may interfere with
civil liberties), will have a designated legal basis establishing the organizations and
arrangements in the very first place. In addition, these arrangements and organization
will have to execute their tasks and powers in accordance with legal regimes that are
applicable once these activities are conducted. The designated legal bases and legal
regimes are part of the legal framework that characterizes the various paradigms.
36
On the process of ‘securitization’ in the digital domain, e.g. Maarten Rothman and Theo
Brinkel, ‘Of snoops and pirates: Competing discourses of cybersecurity’ in Paul A Ducheine,
Frans Osinga and Joseph Soeters (eds.), Cyber Warfare: Critical Perspectives (TMC Asser Press
2012) 49.
37
This is the so-called garbage can explaining (bureaucratic and governmental) decision-
making processes.
38
Note that this threat is subject to debate itself. For instance by pointing out that there
have been few subsequent Al Qaida assaults after 9/11. Recently, The New York Times revealed
that the 2012 Benghazi attack on the US Embassy had no affiliation with Al Qaida. See David D
Kirkpatrick, ‘A deadly mix in Benghazi’ New York Times (28 December 2013) <http://
www.nytimes.com/projects/2013/benghazi/?smid=tw-share#/?chapt=0> accessed 12 September
2014.
39
For an overview of Edward Snowden’s revelations see ‘The NSA Files’, The Guardian
<www.theguardian.com/world/the-nsa-files> accessed 12 September 2014. For a critical note on
surveillance required to counter terrorism see TEDx Talks, ‘Living in a surveillance State
(Mikko Hyponen at TEDxBrussels, 1 November 2013)’ (YouTube, 1 November 2013) <http://
www.youtube.com/watch?v=lHj7jgQpnBM> accessed 2 January 2014.
40
Eric Luiijf and Jason Healey, ‘Organisational Structures and Considerations’ in Alexander
Klimburg (ed.), National Cyber Security Framework Manual (CCD COE 2012) 109–10.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
9 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
The rise of these frameworks and paradigms, is evident when analysing States’ cyber
security policies or strategies. Five paradigms and underlying frameworks can be
detected: internet governance and diplomacy, protection, law enforcement, (counter-)
intelligence,41 and military operations.42 They will be explored subsequently below.
Each of these paradigms provides a framework that represents public support, legal
bases, legal regimes, and institutional arrangements. More often than not, these frame-
works are used in a complementary manner. Taken together they enable cyber operations
throughout a wide and fluid spectrum, ranging from ‘the monitoring of governmental
networks by … CERTs, to active protection by shutting down sites once they are under
attack,’ followed by ‘criminal investigations into the source of the ‘attacks’ where criminal
activity was reasonably suspected’.43 These operations may be combined with ‘intelli-
gence operations to, inter alia, ascertain the nature of the threat posed and identify the
source of the threat, possibly resulting in a military response in situations which rise to the
level of a use of armed force by a foreign power or organized armed group, even resulting,
in exceptional cases, in participation in an armed conflict’.44
Although this framework does not comprise actual cyber activities, Internet govern-
ance45 and diplomacy46 structure the paradigm applicable to national and international
efforts to shape and create governance in the digital domain.47 As cyberspace – unlike
physical domains – is characterized by a dominant role for non-State actors, both
private and non-governmental,48 the role of States is thus different compared to the
physical world, and to a certain extent rather limited,49 although not irrelevant.50 The
added value of States in this domain lies, inter alia, in the use of ‘classic’ instruments
such as bilateral or multilateral treaties,51 cooperation,52 as well as in their position in
41
Including counter-security.
42
See also Paul A Ducheine et al., ‘Towards a legal framework for military cyber
operations’ in Ducheine, Osinga and Soeters (n 36) 110.
43
As, for instance, in counter-terrorism, see ibid. 110.
44
See ibid.
45
For a definition of Internet governance see WSIS, ‘Tunis Agenda for the Information
Society (WSIS-05/TUNIS/DOC/6(Rev. 1)-E) (2005)’ (ITU 2005) para. 34 <http://www.itu.int/
wsis/docs2/tunis/off/6rev1.html> accessed 15 March 2014.
46
Heli Tiirmaa-Klaar, ‘Cyber diplomacy: Agenda, challenges and mission’ in Klimburg
(n 40).
47
Jovan Kurbalija, ‘E-diplomacy and diplomatic law in the internet era’ in Katharina
Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace International Law,
International Relations and Diplomacy (NATO CCD COE 2013).
48
Laura DeNardis, The Global War for Internet Governance (Yale University Press 2014) 1–2.
49
Luiijf and Healey (n 40) 127.
50
ICANN, ‘Who runs the internet?’ (2013) <http://www.icann.org/en/about/learning/
factsheets/governance-06feb13-en.pdf> accessed 14 March 2014; Ian Walden, ‘International
telecommunications law, the internet and the regulation of cyberspace’ in Ziolkowski (n 47).
51
E.g. Convention on Cybercrime (n 8).
52
E.g. NATO’s efforts through its cyber defence policy (NATO, ‘Chicago Summit Declar-
ation, Issued by the Heads of State and Government participating in the meeting of the North
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 13 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
governmental and non-governmental bodies such as the EU,53 UN54 or ITU.55 It is fair
to say that State activities in the field of Internet governance are pro-active and
preventive in nature,56 and are part of States’ overall cyber security interests and
strategies.57
(b) Protection
The second paradigm for State activities in the cyber domain is related to the protection
of (critical) infrastructure.58 In part, this refers to ‘ordinary’ critical infrastructure such
as electricity or waterworks as far as this infrastructure is ‘controlled’ or processed
through cyberspace. Critical infrastructure protection (CIP) primarily refers to physical
protection against accidents, disasters, technical or human failure, and crime. Initially,
this was the domain of internal security. However, driven by terrorist assaults such as
9/11 (New York), Madrid and Bali, the notion of security has evolved and also
encompasses external and other security threats.
Cyber incidents in Estonia (2007) and the spread of the Stuxnet virus (2010) have
had their effect on CIP as well. Since many of the critical or vital services and
installations are controlled through, or depend on, cyberspace, security in the digital
domain is becoming ever more important.59 In addition, vulnerabilities in the digital
domain itself may be the focal point of (in)security issues, regardless of whether these
breaches had a human or technical trigger, or whether they are the result of accidental
or deliberate events. Serious cyber incidents may lead to major disturbances and
disruption of society.60
Protection as a paradigm refers to a range of State activities, varying from prevention
(legislation, imposing incentives for ‘hardening’, physical protection and technical
standards) to responding to security breaches. The establishment of CERTs is just one
of the examples. Looking at the nature of the critical infrastructure and that of
Atlantic Council in Chicago on 20 May 2012’ (Press Release (2012) 062, 20 May 2012)
<http://www.nato.int/cps/en/SID-8DB5C229-B80F4E08/natolive/official_texts_87593.htm?selected
Locale=en> accessed 15 December 2013).
53
E.g. Digital Agenda for Europe (COM(2010) 245 final/2 )’ (2010) <http://ec.europa.eu/
digital-agenda/digital-agenda-europe> accessed 11 December 2013.
54
E.g. UNGA, ‘The right to privacy in the digital age’ (19 December 2013) UN Doc
GA/11475.
55
ITU, ‘Global Cybersecurity Agenda’ (2007) <http://www.itu.int/osg/csd/cybersecurity/
gca/> accessed 15 February 2014. See e.g. WSIS (n 45).
56
Klimburg (n 40) 129.
57
E.g. ‘The Netherlands aims to develop a hub for expertise on international law and cyber
security’ (National Cyber Security Centre ‘National Cyber Security Strategy 2 – From awareness
to capability’ (25 October 2013) 10 <http://www.enisa.europa.eu/activities/Resilience-and-CIIP/
national-cyber-security-strategies-ncsss/NCSS2Engelseversie.pdf> accessed 15 March 2014).
58
Protection is thus one perspective in order to promote the wider notion of overarching
‘security’.
59
The Stuxnet virus was designed to infect a so-called Industrial Control System (ICS) that
was not connected with Internet.
60
On a critical note however, e.g. Sean Lawson, ‘Beyond cyber-doom: Cyber attack
scenarios and the evidence of history (reprint)’ in Ducheine and others (n 42) 277.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Law enforcement is (thus) one of those alternative paradigms for States, providing for
preventive measures by penalizing cyber crime, repressive measures by empowering
law enforcement agencies to conduct investigations and so forth. The law enforcement
61
See e.g. ‘Notice and takedown policy’ (British Library) <http://www.bl.uk/aboutus/terms/
notice/> accessed 18 March 2014.
62
E.g. in the field of counter-piracy: see Bibi van Ginkel, Frans-Paul van der Putten and
Willem Molenaar, State or Private Protection against Maritime Piracy? A Dutch Perspective
(Clingendael Centre for International Relations 2013).
63
E.g. the ISP Code of Practice and the identification of compromised customer systems in
Australia: Australian Government Attorney-General’s Department ‘Cyber Security Strategy’
<http://www.ag.gov.au/RightsAndProtections/CyberSecurity/Pages/default.aspx> accessed 15
December 2013.
64
See Ducheine and others (n 42) 114–15. For an European overview of such powers see
Georg Nolte (ed.), European Military Law Systems (De Gruyter Verlag 2003).
65
Article 1 of the Act on the Use of Force by Guards of Military Objects (in: Staatsblad
2003, 134).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
12 / Date: 7/5
JOBNAME: Tsagourias PAGE: 15 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
paradigm ‘comprises a wide set of organisations’ at various levels, i.e. national and
international,66 local and national, and various governmental agencies and depart-
ments.67 To be effective, public-private partnership may be required, as well as
cooperation with national (and other) CERTs and public-private Information Sharing
and Analysis Centres, as well as intelligence and security services.
Apart from (harmonizing and) penalizing cyber crime, enforcement powers in the
digital domain require amendments as well. To date, even ‘classic’ crime investigations
heavily rely on digital investigative techniques, as physical pieces of evidence are
increasingly superseded by digital ones.68 When cyber crime is involved, additional
enforcement and investigative powers will be essential to enhance effective policing
and prosecuting.69 Thus, States are in the process of drafting additional legislation, e.g.
the Netherlands,70 the UK71 and others.72
As in any other domain, powers to execute cyber activities for law enforcement
purposes, will require public support, at least political support, resulting in legislation
providing the legal basis and the applicable legal rules or a code of conduct (i.e. legal
regimes). The legal framework is a common requirement derived not only from the
principles of democratic States, but also from obligations enshrined in international
human rights treaties or customary law.73
Apart from the delicate issues of balancing intrusive powers with human rights,
especially privacy and freedom of expression, the other main dispute concerns the
66
Tiirmaa-Klaar (n 46) 520.
67
Luiijf and Healey (n 40) 122, referring to ‘mandates’ instead of paradigms. See also
Kastner and Mégret (Ch 9 of this book).
68
For a plea to support amendments in this respect: ‘Breaking the backlog of digital
forensic evidence’ (Fox-IT) <www.fox-it.com/en/news/breaking-the-backlog-of-digital-forensic-
evidence/> accessed 15 September 2014.
69
Bert-Jaap Koops, ‘Cybercrime legislation in the Netherlands – Country report for the
18th International Congress on Comparative Law’ (session ‘Internet Crimes’, Washington DC,
25-31 July 2010) <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1633958> accessed 15
September 2014.
70
For the Netherlands: a preliminary draft of the proposal on Cyber Crime III was
published in the beginning of 2013, see Blommestein (n 9). The draft-proposal was due to be
presented to Parliament in the beginning of 2014. The draft (in Dutch) can be found at
<https://www.internetconsultatie.nl/computercriminaliteit/document/726> accessed 15 March
2014. The draft hasn’t been released yet (Spring 2015).
71
For the (rejected) UK amendment to the Regulation of Investigatory Powers Act (RIPA)
2000, see Home Office, Draft Communications Data Bill (Policy Paper, Cm 8359). For US
ideas: Dennis C. Blair and Jon M. Huntsman, ‘The IP Commission Report – The Commission
on the Theft of American Intellectual Property’ (The Commission on the Theft of American
Intellectual Property by The National Bureau of Asian Research, May 2013) <http://
www.ipcommission.org/report/IP_Commission_Report_052213.pdf> accessed 15 March 2014;
on the Cyber Intelligence Sharing and Protection Act (CISPA) see Mark Jaycox and Kurt
Opsahl, ‘CISPA is back: FAQ on what it is and why it’s still dangerous’ (EFF, 25 February
2011) <https://www.eff.org/cybersecurity-bill-faq> accessed 31 December 2013
72
The Explanatory Note (Dutch: ‘Memorie van Toelichting’) to the Dutch preliminary draft
proposal, refers to the situation in Belgium (Dutch: Wet inzake informatiecriminaliteit, Wet van
28 november 2000, Belgisch Staatsblad, 3 februari 2001, nr. 2909), France and Germany.
73
On human rights and cyberspace see Fidler (Ch 5 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
13 / Date: 7/5
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Apart from, and in addition to the law enforcement paradigm, States also rely on a
classic security paradigm called intelligence (and counter-intelligence), including
espionage76 and countering security threats through intelligence and security opera-
tions. Depending on institutional and constitutional arrangements, States have essen-
tially similar tasking for their intelligence and security services. Their primary function
is to gather and analyse information about threats directed against the State and its
population.77 This is based on, and is executed in accordance with applicable law and
political guidance. Collecting information in and through cyberspace is complementary
to the existing set of capabilities being used by these services.78
After the terrorist attacks of 2001, 2004 and 2005 (New York, Madrid, London),
legislation has been amended (or at least drafted and proposed) to (more) effectively
counter the terrorist threat.79 This legislation also includes powers (and regulations) to
gather information (or intelligence) through cyberspace, hence it includes cyber
operations.80 Amendments and supplements to existing legal bases for these powers and
activities, have been the result of a successful attempt to use the window of opportunity
after 9/11. However, as a result of the joint revelations of whistle-blowers, journalists
and activists, these powers and applicable regimes are now up for public scrutiny and
legal review.81 This public and political attention will be of influence to (future) cyber
74
E.g. the Dutch preliminary draft proposal refers – rather briefly – to this controversial
issue by stating ‘much will depend on the nature of the actual cyber enforcement activity [i.e.
hacking back] whether or not public international law will legitimize the conduct of the law
enforcement agencies’ [Translation PD].
75
On non-intervention, sovereignty and counter-measures short of force, see respectively
Terry D Gill, ‘Non-intervention in the cyber context’ in Ziolkowski (n 47); Benedikt Pirker,
‘Territorial sovereignty and integrity and the challenges of cyberspace’ in Ziolkowski (n 47);
Schmitt (n 21). See also Roscini (Ch 11 of this book).
76
See Buchan (Ch 8 of this book).
77
Adian Wills, Guidebook Understanding Intelligence Oversight (DCAF 2011) 11 <http://
www.dcaf.ch/layout/set/print/content/view/full/36701> accessed 15 September 2014.
78
Klimburg (n 40) 124.
79
E.g., in the US, this involves the Patriot Act (2001), the Protect America Act (PAA) of
2007 and the FISA (Foreign Intelligence Surveillance Act) Amendment Act 2008 (FAA 2008),
see Joris van Hoboken, Axel Arnbak and Nico van Eijk, ‘Obscured by clouds or how to address
governmental access to cloud data from abroad’ (9 June 2013) 5 <http://www.ivir.nl/
publications/vanhoboken/obscured_by_clouds.pdf> accessed 2 January 2014.
80
See Tsagourias (Ch 1 of this book).
81
For an overview of the Snowden revelations, supported by the lawyer-journalist Glenn
Greenwald, Laura Poitras, and publications in the Guardian and Der Spiegel, see e.g. Coderman,
‘Recent Der Spiegel coverage about the NSA and GCHQ’ (Liberationtech, 2 January 2014)
<https://mailman.stanford.edu/pipermail/liberationtech/2014-January/012498.html> accessed 15
September 2014. For the US report on these issues: Richard A Clarke and others, ‘Liberty and
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
14 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
operations and renew, inter alia, the debate regarding necessity, effectiveness, human
rights and so on.82
It is illustrative to examine the Dutch intelligence landscape in this respect. The
General Intelligence and Security Service (AIVD) and the Military Intelligence and
Security Service (MIVD) are authorized through the Intelligence and Security Services
Act 2002 (Wiv 2002) to intercept, store and search telecommunications, to gain access
to their content, and to ‘hack’ computer and/or computer based systems.83 Although
they are empowered to intercept traffic (i.e. non cable-bound telecommunications) en
masse, as well as to intercept designated (cable and non-cable bound) telecommunica-
tions, they lack the power to intercept cable-bound communications en bloc.84 To date
however, as the majority of our communication is enabled by cable-bound infrastruc-
ture, this additional power is highly appreciated by the services (and government). In a
recent report, an evaluating committee, confirmed these needs and proposed the
attribution of such (and additional supervisory) powers to relevant agencies.85 However,
as a result of the current public scrutiny of such operations, it will be far from certain
that these amendments will be enacted (in the near future).86
Although most tasks for intelligence services are defensive in nature, a pro-active
stance is also possible. Some States permit their intelligence services ‘to exploit the
information for other purposes, or directly intervene in order to prevent threats from
(re)occurring’.87 The earlier mentioned Stuxnet virus is probably one of the best-known
cases in this respect. Actions undertaken by intelligence services to counter cyber
threats – i.e. counter-intelligence and counter-measures – are in a furtherance of those
that can be found within the protective paradigm, or could be the start of a cyber
operation that fits within the military (covert) paradigm.
Apart from national legislation, intelligence gathering is the subject of international
legal attention as well.88 Although no prohibition of cyber activities per se of cyber
espionage exists in international law, it is clear the intelligence activities in or through
security in a changing world – Report and recommendations of The President’s Review Group
on Intelligence and Communications Technologies’ (12 December 2013) <http://www.
whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf> accessed 14 January
2014.
82
E.g. Dinah PoKempner, ‘Cyberspace and State obligations in the area of human rights’ in
Ziolkowski (n 47) 252.
83
Ministerie van Binnenlandse Zaken, ‘Interception of telecommunications by the
AIVD: rules and regulations’ (2013) <https://www.aivd.nl/english/publications-press/@3033/
interception/> accessed 30 December 2013.
84
Articles 24–27 Wiv 2002. See also Ducheine et al., (n 42) 114; and ibid.
85
CWM Dessens, ‘Evaluatie Wet op de inlichtingen- en veiligheidsdiensten 2002 – Naar
een nieuwe balans tussen bevoegdheden en waarborgen’ (2002) <https://www.aivd.nl/publish/
pages/2564/rapport_commissie-dessens_evaluatie_wiv_2002.pdf> accessed 31 December 2013.
86
In face of the opposition as expressed by i.e. Academics against Surveillance, ‘Academics
against Mass Surveillance’ (2013) <http://academicsagainstsurveillance.net/> accessed 31
December 2013.
87
Klimburg (n 40) 124, referring to Cabinet Office, ‘Cyber Security Strategy of the United
Kingdom. Safety, security and resilience in cyber space’ (Policy Paper, 25 November 2011)
<https://www.gov.uk/government/publications/cyber-security-strategy> accessed 1 January 2014.
88
See Buchan (Ch 8 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
15 / Date: 7/5
JOBNAME: Tsagourias PAGE: 18 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
The last – and in some respects the most extreme – paradigm for States is the one that
could be characterized as military operations.93 The paradigm (and military operations)
comprises: (a) warfare proper (the conduct of military operations within the framework
of armed conflict); and (b) ‘operations other than war’ including peace support (and
enforcement) operations related to conflict, but outside the framework of armed
conflict.94
Military cyber operations, quite often referred to as ‘cyber warfare’ in its generic
meaning, have been preliminary defined95 as the ‘employment of cyber capabilities
with the primary purpose of achieving [military] objectives in or by the use of
cyberspace’.96 These military objectives are translations of a State’s strategic objectives.
This definition is rather broad.
89
David P Fidler, ‘Economic cyber espionage and international law: Controversies involv-
ing government acquisition of trade secrets through cyber technologies’ (2013) 17 A.S.I.L.
Insights 1, 2. See generally on espionage and international law, Simon Chesterman, ‘The spy
who came in from the Cold War: Intelligence and international law’ (2006) 27 Michigan J. Int’l.
L. 1071. On Cyberspace and Intellectual Property Rights see Rahmatian (Ch 4 of this book).
90
Katharina Ziolkowski, ‘General principles of international law as applicable in cyber-
space’ in Ziolkowski (n 47) 169; Pirker (n 75) 202; Gill (n 76) 224; Katharina Ziolkowski,
‘Peacetime cyber espionage – New tendencies in public international law’ in Ziolkowski (n 47)
425.
91
See Roscini (Ch 11 of this book) and Focarelli (Ch 12 of this book).
92
See also Kohl (Ch 2 of this book).
93
For reasons of clarity and for the purpose of this contribution, the author refrained from
using ‘warfare’ in its more generic meaning: the art of conducting military operations (including
i.a. warfare proper).
94
For an illustrative summary of these operations, see Terry D. Gill and Dieter Fleck, The
Handbook of the International Law of Military Operations (OUP 2010).
95
See Cyberspace and General Principles of International Law (Part I of this book).
96
Michael N Schmitt (ed.) Tallinn Manual on the International Law Applicable to Cyber
Warfare: Prepared by the International Group of Experts at the Invitation of the NATO
Cooperative Cyber Defence Centre of Excellence (CUP 2013), 258, referring to this notion as
‘cyber warfare’.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
16 / Date: 7/5
JOBNAME: Tsagourias PAGE: 19 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Others definitions are more specific, e.g. the Dutch Advisory Council on Inter-
national Affairs (AIV) and Advisory Committee on Issues of Public International Law,
in their joint advice to the Netherlands Government, meaning: ‘the conduct of military
operations to disrupt, mislead, modify or destroy an opponent’s computer systems or
networks by means of cyber capabilities’.97 This rather specific and enemy centric
definition refers to three key criteria:
The UK-based Chatham House steers away from this enemy-centric definition and
applies a more liberal – at least from a legal and law of armed conflict point of view –
characterization, concluding that ‘cyber warfare [sic] can enable actors to achieve their
political and strategic goals without the need for armed conflict’.99
Taking note of contemporary military doctrine, the military – alongside economic
power, diplomatic power and information – are comprehensively used as one of the
instruments of State powers to achieve goals by influencing actors through the
application (or threat) of ‘fighting power’.100 Hence, the actors to be influenced could
be opponents or enemies, however, neutral actors will be encouraged to stay (at least)
neutral or even persuaded to partner with the military, whilst supportive actors will be
encouraged to remain supportive.101 The military is thus instrumental to the State’s
strategic interests and goals, providing for a number of strategic functions: anticipation,
prevention, deterrence, protection, intervention, stabilization, and normalization.102
97
Advisory Council on International Affairs and Advisory Committee on Issues of Public
International Law, ‘Cyber Warfare (report no. 77/22, 2011)’ 9 <www.aiv-advice.nl> accessed 31
December 2012, also using ‘cyber warfare’.
98
Ibid. 9.
99
Paul Cornish et al., ‘On cyber warfare’ (A Chatham House Report) 37 <http://www.
chathamhouse.org/sites/default/files/public/Research/International%20Security/r1110_cyberwar
fare.pdf> accessed 1 January 2012, preceded by a definition: ‘Cyber warfare can be a conflict
between States, but it could also involve non-State actors in various ways. In cyber warfare it is
extremely difficult to direct precise and proportionate force; the target could be military,
industrial or civilian or it could be a server room that hosts a wide variety of clients, with only
one among them the intended target’.
100
E.g. UK Ministry of Defence, ‘Joint Doctrine Publication 0-01 (JDP 0-01) (4th edn.)’
(November 2011) 4-1 <https://www.gov.uk/government/uploads/system/uploads/attachment_
data/file/33697/20111130jdp001_bdd_Ed4.pdf> accessed 17 March 2014.
101
E.g. Ducheine and van Haaster (n 2).
102
David Jordan et al., Understanding Modern Warfare (CUP 2008). E.g. Ministerie van
Defensie, ‘Netherlandse Defence Doctrine’ 37 <http://www.defensie.nl/binaries/defensie/
documenten/publicaties/2013/11/20/defence-doctrine-en/defensie-doctrine_en.pdf> accessed 12
September 2014. In a similar way: US Department of Defense, ‘Doctrine for the Armed Forces
of the United States (Joint Publication 1) (updated 25 March 2013, Joint Chiefs of Staff 2013),
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 20 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
I–10 – I–11. UK Ministry of Defence (n 101) 1–8 – 1–11 – quoting Field Marshal Viscount
Alanbrooke – uses the term Military Strategy, being the:
art to derive from the [policy] aim a series of military objectives to be achieved: to assess
these objectives as to the military requirements they create, and the pre-conditions which the
achievement of each is likely to necessitate: to measure available and potential resources
against the requirements and to chart from this process a coherent pattern of priorities and a
rational course of action.
103
The UK and Dutch doctrines use ‘legitimacy’ as an overarching framework: UK Ministry
of Defence (n 100) 1–22, ‘Legitimacy encompasses the legal, moral, political, diplomatic and
ethical propriety of the conduct of military force’; and Ministerie van Defensie (n 102) 99,
‘Legitimacy has a legal and an ethical side. Legal legitimacy primarily requires a legal basis for
the mission. Secondly, legitimacy is based on the observance of rules that apply during the
mission’.
104
See Paul A Ducheine and Eric H. Pouw, ‘Legitimizing the use of force: Legal bases for
operation enduring freedom and ISAF’ in Jan van der Meulen et al. (eds.), Mission Uruzgan:
Collaborating in Multiple Coalitions for Afghanistan (Amsterdam University Press 2012) and
Paul A. L. Ducheine and Eric H. Pouw, ‘Controlling the use of force: Legal regimes’ in Jan van
der Meulen et al. (eds.), Mission Uruzgan: Collaborating in multiple coalitions for Afghanistan
(Amsterdam University Press 2012), both available on <http://www.uva.nl/binaries/content/
documents/personalpages/d/u/p.a.l.ducheine/nl/tabblad-twee/tabblad-twee/cpitem%5B8%5D/asset>
accessed 16 March 2014.
105
This is normally a prerogative of the Executive branch, see Sascha Hardt, Luc Verhey and
Wytze van der Woude (eds.), Parliaments and Military Missions (Europa Law Publishing 2012)
and Nolte (n 64).
106
Legal basis and legal regimes are covered by the denominator of ‘legality’: UK Ministry
of Defence (n 100) 1–22.
107
Ducheine and others (n 42) 112. See also Roscini (Ch 11 of this book); Focarelli (Ch 12
of this book).
108
Some LOAC rules even apply before operations are launched: e.g. regarding the
dissemination of LOAC and the employment of legal advisors.
109
See Arimatsu (Ch 15 of this book); Bannelier (Ch 16 of this book); Gill (Ch 17 of this
book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
18 / Date: 7/5
JOBNAME: Tsagourias PAGE: 21 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
up the legal framework for military cyber operations, covering the whole spectrum of
(pro-)active, passive, offensive and defensive cyber operation.110
Cyber activities within the law enforcement, intelligence and military operations
paradigm, apart from their unique legal and institutional framework share more than
just the mere existence of that framework. Moreover, in addition to the fact that these
three paradigms involve the explicit authorization for the use of governmental powers
that may interfere with the rights and liberties of citizens, in more than one respect,
these paradigms will use the common means and methods, the same vectors, some
standard form of phasing, and more or less the same type of personnel. These
similarities will be analysed in the subsequent section. As mentioned, the primary focus
will be on State activities.
110
Ducheine and others (n 42) 112.
111
To some extent, activities and actors that have not received detailed attention so far, e.g.
cyber crime/criminals or hactivism/hacktivists, ‘follow’ this model as well.
112
Various descriptions are used, e.g. Lech J. Janczewski and Andrew M. Colarik, Cyber
Warfare and Cyber Terrorism (Information Science Reference 2008) 121; Tom Olzak, ‘The five
phases of a successful network penetration’ (TechRepublic, 16 December 2008) <http://www.
techrepublic.com/blog/it-security/the-five-phases-of-a-successful-network-penetration/701/> ac-
cessed 17 March 2014, both using five; Jason Andress and Steve Winterfeld, Cyber Warfare:
Techniques, Tactics and Tools for Security Practitioners (Syngress 2011) 171, using nine (plus
one: obfuscating). Markus Maybaum, ‘Technical methods, techniques, tools and effects of cyber
operations’ in Ziolkowski (n 47) 103, uses seven (based on Irving Lachow, ‘Active cyber defence
– A framework for policymakers’ (Center for a New American Security Policy Brief , February
2013) <http://www.cnas.org/files/documents/publications/CNAS_ActiveCyberDefense_Lachow_
0.pdf> accessed 15 September 2014; This concept was originally presented in Eric M Hutchins,
Michael J Cloppert and Rohan M Amin, ‘Intelligence-Driven Computer Network Defense
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
19 / Date: 7/5
JOBNAME: Tsagourias PAGE: 22 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
+ reconnaissance,
+ design,
+ intrusion,
+ action,
+ camouflage, and
+ exfiltration.
Subject to the particular purpose of the operation, one or more of the phases can be
expected. During an intelligence operation with the objective to scan the infrastructure
of other actors, an initial operation may be limited to scanning ports, thus the
operations will have one phase only: reconnaissance. With the information thus
gathered, a more targeted operation may be designed to gather additional information
on the hardware and software configuration of the actor’s ICT system, encompassing
all phases, with again an intelligence objective. Based on the collected information
(taken together with other sources) a supplementary law enforcement operation could
be started to gather criminal evidence, again going through all of the seven phases. In
addition, as a spin-off of the two operations, a designated military operation could be
drafted as well, again using one of more of the phases described.
It will be evident that these three examples will be governed by their respective
paradigmatic framework, including the legal frameworks. All three operations, will
require an objective (end), will need means (operators and tools), and will use methods
requiring a plan, an addressee (or ‘target’), techniques tactics and skills.113 For military
operations, these elements are not fully covered by military doctrine (yet). Without
going into details, these rather ‘novel’ operations are therefore briefly described
below.114
Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains’ (6th Annual
International Conference on Information Warfare and Security, Washington, March 17–18, 2011)
<http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-
Paper-Intel-Driven-Defense.pdf> accessed 15 September 2014. This discussion of the kill-
chain concept is also informed by MITRE Corporation, ‘Active defense strategy for cyber’
(July 2012); Charles Croom, ‘The cyber kill chain: A foundation for a new cyber security
strategy’ (2010) 6(4) High Frontier 52–6.
113
In general, this also holds true for cyber activities with a hacktivist or criminal purpose.
114
Using a model derived from: Paul A Ducheine and Jelle van Haaster, ‘Cyber-operaties en
militair vermogen’ (2013) 182 Militaire Spectator 368, 387, see also Ducheine and van Haaster
(n 2).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
20 / Date: 7/5
JOBNAME: Tsagourias PAGE: 23 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Physical dimension
Objects
Effect Physical
Physical component
Persons
component
Conceptual Moral
component component Moral Conceptual
Psyche
component component
Cyber Effect
identity
Cyber
object
Virtual dimension
115
For references, see Joint Doctrine Publications of various States, e.g. Ministerie van
Defensie (n 102); US Department of Defense (n 102); UK Ministry of Defence (n 100). For a
detailed analysis see Ducheine and van Haaster (n 2).
116
See Tsagourias (Ch 1 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
21 / Date: 7/5
JOBNAME: Tsagourias PAGE: 24 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
7. CONCLUSION
This chapter set out to examine the phenomenon of cyber operations as a common
denominator for cyber activities and analysed differences in strategic or ‘corporate’
objectives (for States and non-States alike), the similarities in terms of means to
achieve those objects and the ways those means are employed on the operational level
(of States and non-State actors). Moreover, five distinct paradigms are used to shape
cyber activities on the State level. Three of those paradigms provide the legal basis for
governmental powers that may interfere with human rights and privileges: law
enforcement, intelligence and military operations. The latter paradigm represents the
most far-reaching framework for governmental action.
Having said that, it is noteworthy to add that cyberspace and its actors are influenced
by military jargon. Notwithstanding the idiom used – think of attacks, targeting,
cyberwar – the majority of cyber activities are of a non-military nature. However, it
appears that the main actors in cyberspace are intelligence agencies (governmental) or
enterprises (corporate), and criminals (varying from individual to organized crime), and
that the main objectives of cyber operations are sabotage, espionage, subversion,119 and
crime!
117
William H Boothby, The Law of Targeting (OUP 2012) 378 ff.
118
E.g. Robert Fanelli and Gregory Conti, ‘A methodology for cyber operations targeting
and control of collateral damage in the context of lawful armed conflict’ in Christian Czosseck,
Rain Ottis and Katharina Ziolkowski (eds.), Proceedings of the 4th (2012) International
Confrence on Cyber Conflict (CCD COE 2012) <http://www.ccdcoe.org/publications/2012
proceedings/5_5_Fanelli&Conti_AMethodologyForCyberOperationsTargeting.pdf> accessed on
12 September 2014.
119
See National Cyber Security Centre (n 1) and Thomas Rid, ‘Cyber war will not take
place’ (2012) 35 J. of Strategic Studies 5.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter10 /Pg. Position:
22 / Date: 7/5
JOBNAME: Tsagourias PAGE: 1 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
Article 2(4) of the UN Charter famously provides that ‘[a]ll Members [of the United
Nations] shall refrain in their international relations from the threat or use of
force against the territorial integrity or political independence of any state, or in any
other manner inconsistent with the Purposes of the United Nations’. This provision is
generally considered to reflect customary international law and, at least with
regard to its core, also jus cogens.1 It is generally accepted that the fact that Article
2(4) was adopted well before the Information Age does not necessarily prevent
its application to cyber operations.2 States and international organizations that
have affirmed the applicability of the existing rules on the use of force in the
cyber context include Australia,3 Hungary,4 China,5 Cuba,6 the European
* This chapter is based on and updates considerations developed in the author’s book Cyber
Operations and the Use of Force in International Law (OUP 2014) 44–67, and takes into
account events and law as of March 2014.
1
The customary nature of art 2(4) has been recognized by the International Court of
Justice (ICJ) in Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US)
(Merits, Judgment) [1986] ICJ Rep. 1986 [Nicaragua Case] paras 187–90. See also Legal
consequences of the construction of a wall in the occupied Palestinian territory (Advisory
Opinion) [2004] ICJ Rep. 2005 para. 87. Several authors have argued that only the core
prohibition contained in art 2(4), that of aggression, is a peremptory norm of general
international law (Roberto Ago, Addendum to the Eighth Report on State Responsibility (1980)
II/1 Yearbook of the ILC 44; Rein Müllerson, ‘Jus ad bellum: Plus Ça Change (Le Monde) Plus
C’Est la Même Chose (Le Droit)?’ (2002) 7 J. Conflict & Sec. L. 149, 169; Natalino Ronzitti,
Diritto internazionale dei conflitti armati (4th edn., Giappichelli 2011) 33.
2
The US Department of Defense defines ‘cyberspace operations’ as ‘[t]he employment of
cyberspace capabilities where the primary purpose is to achieve objectives in or through
cyberspace’ (US Department of Defense, Dictionary of Military and Associated Terms (Joint
Publication 1–02, 8 November 2010, as Amended Through 15 March 2014) 64 <http://www.
dtic.mil/doctrine/new_pubs/jp1_02.pdf> accessed 15 March 2014).
3
UNGA ‘Developments in the field of information and telecommunications in the context
of international security’ (15 July 2011) UN Doc A/66/152 6.
4
‘Welcome speech by János Martonyi, Minister of Foreign Affairs of Hungary’ (Budapest
Conference on Cyberspace, Opening Session, 4 October 2012) <www.cyberbudapest2012.hu/
welcome-speech-by-janos-martonyi-hungarian-minister-of-foreign-affairs> accessed 15 March
2014.
5
Li Zhang, ‘A Chinese perspective on cyber war’ (2012) 94 I.R.R.C. 801, 804.
6
UN Doc A/57/166/Add.1, 29 August 2002, 3.
233
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
1 / Date: 7/5
JOBNAME: Tsagourias PAGE: 2 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Union,7 Iran,8 Italy,9 Mali,10 the Netherlands,11 Qatar,12 the Russian Federation,13 the
UK,14 and the United States.15 On the basis of the views submitted by UN member
States, the 2013 Report of the Group of Governmental Experts set up by the UN
General Assembly to examine threats in cyberspace also found that ‘[i]nternational
law, and in particular the Charter of the United Nations, is applicable and is essential
to maintaining peace and stability and promoting an open, secure, peaceful and
accessible ICT [Information and Communications Technologies] environment’.16
For Article 2(4) and its customary counterpart to apply to cyber operations, however,
three conditions must be met: 1) the cyber operation needs to be attributed to a State:
conduct by private individuals or armed groups does not fall within the scope of the
provision, not even when it results in damage comparable to that caused by States;
2) the cyber operation must amount to either a ‘threat’ or a ‘use of force’; 3) the threat
or use of force must be exercised in the conduct of ‘international relations’. As to the
first condition, the problems concerning the identification of the origin and the
attribution of cyber operations to States are well-known and are probably the main
obstacle to the application of Article 2(4) in the cyber context. They are however
7
Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace
(JOIN(2013) 1 final, 7 February 2013) 15–16 <http://ec.europa.eu/information_society/
newsroom/cf//document.cfm?doc_id=1667> accessed 15 March 2014. See also ‘Speech by EU
High Representative Catherine Ashton on Cyber security: an open, free and secure Internet’
(SPEECH/12/685, Budapest, 4 October 2012) 3 <http://europa.eu/rapid/press-release_SPEECH-
12-685_en.htm> accessed 15 March 2014.
8
Alireza Miryousefi and Hossein Gharibi, ‘View from Iran: World needs rules on
cyberattacks’ (The Christian Science Monitor, 14 February 2013) <www.csmonitor.com/
Commentary/Opinion/2013/0214/View-from-Iran-World-needs-rules-on-cyberattacks-video> ac-
cessed 15 March 2014.
9
Governo Italiano, La posizione italiana sui principi fondamentali di Internet (17
September 2012) 5 <www.governo.it/backoffice/allegati/69257-8014.pdf> accessed 15 March
2014.
10
UNGA, ‘Developments in the field of information and telecommunications in the context
of international security (Addendum)’ (9 September 2009) UN Doc A/64/129/Add.1 7.
11
Government of Netherlands, ‘Dutch Government Response to the AIV/CAVV Report on
Cyber Warfare’ 5–6 <www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/
2012/04/26/cavv-advies-nr-22-bijlage-regeringsreactie-en/cavv-advies-22-bijlage-regeringsreactie-
en.pdf> accessed 15 March 2014.
12
UNGA ‘Developments in the field of information and telecommunications in the context
of international security’ (20 July 2010) UN Doc A/65/154 9–10.
13
Russian Federation, Conceptual Views on the Activities of the Armed Forces of the
Russian Federation in the Information Space (unofficial translation by CCDCOE, 9 September
2000) 6 <www.ccdcoe.org/strategies/Russian_Federation_unofficial_translation.pdf> accessed 15
March 2014.
14
UNGA 65/154 (n 12) 15.
15
See e.g. Harold Koh, ‘International law in cyberspace’ (Speech at the USCYBERCOM
Inter-Agency Legal Conference, 18 September 2012) in Carrie Lyn D. Guymon (ed.), Digest of
United States Practice in International Law (United States Department of State 2012) 593,
594–595, <www.state.gov/documents/organization/211955.pdf> accessed 15 March 2014.
16
UNGA ‘Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security’ (24 June 2013) UN Doc
A/68/98 8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
2 / Date: 7/5
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
beyond the scope of this chapter, which will assume that a cyber operation has been
conclusively attributed to a State.17 The reference to ‘international relations’ in Article
2(4) entails that the cyber operations must not only be by a State, but also against
another State: a State, therefore, is not prohibited by this provision to threaten or resort
to cyber operations against non-State actors within its territory, not even when the
operations amount to a threat or a use of force.18 Finally, for Article 2(4) to apply, the
cyber operation must qualify either as a threat or as a use of force. This chapter will
focus only on the latter: as, in its 1996 Advisory Opinion on the legality of the threat or
use of nuclear weapons, the International Court of Justice (ICJ) linked the legality of
threats, be they explicit or implied in certain conduct, to the legality of the use of force
in the same circumstances,19 the considerations developed below in relation to cyber
operations as a use of force also apply, mutatis mutandis, to those amounting to threats
of the use of force.20
The determination of the threshold above which a cyber operation amounts to a use
of force has proved to be a very contentious issue. The present chapter will address this
problem and will first establish what is meant by ‘armed’ force and whether cyber
operations can qualify as such. It will then distinguish between cyber attacks and cyber
exploitation and, within the former, between cyber attacks that cause, or are reasonably
likely to cause, physical damage to persons or property, those that incapacitate
infrastructures without physically damaging them, and other cyber attacks and cyber-
related conduct. The overall purpose is to identify which of the above types of cyber
activities may qualify as a use of force and are therefore prohibited by Article 2(4) of
the UN Charter.
17
On the identification and attribution problems, see Roscini (*) 33–40; Nicholas
Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’ (2012) 17 J. Conflict &
Sec. L. 229, 233–43.
18
The situation would be different if the non-State actors were located on and operated
from the territory of another State.
19
Legality of the threat or use of nuclear weapons (Advisory Opinion) [1996] ICJ Rep.
1996 [Nuclear weapons] para. 47. This conclusion was reaffirmed in the Guyana and Suriname
Arbitral Award, 17 September 2007, 47 (2008) International Legal Materials 166, 229–30,
para. 439.
20
Specifically on cyber operations and threats of force, see Roscini (*) 67–9.
21
Ibid. 45–6.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
3 / Date: 24/3
JOBNAME: Tsagourias PAGE: 4 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
treated as violations of sovereignty, but not as a use of force under Article 2(4).22 The
presence of a coercive intention is also per se not sufficient to identify armed force.
Indeed, ‘armed force’ is nothing other than an extreme form of intervention that, like
economic and political coercion, is characterized by the intention of the coercing State
to compel the victim State into doing or not doing something through a ‘dictatorial
interference’ in its internal or external affairs.23 Both the use of force and the broader
notion of intervention, then, imply a coercive intention, and what differentiates the two
must be found elsewhere.
Whether or not cyber operations fall within the scope of Article 2(4) depends
ultimately on which of the three main analytic approaches to understanding the nature
of a use of armed force is accepted. The instrument-based approach focuses on the
means used to commit an act, i.e. weapons, and has been traditionally employed to
distinguish armed force from economic and political coercion. This approach has been
criticized for being centred on instruments defined by their physical characteristics: as
such – it has been claimed – it is ill-suited to be extended to digital codes and would
lead to the conclusion that cyber operations can never be a use of force under Article
2(4), even when they result in physical damage.24 The target-based approach argues
that cyber operations reach the threshold of the use of armed force when they are
conducted against a national critical infrastructure (NCI), whatever their effects on such
infrastructure or the nature of the operation might be.25 This approach, however, is
over-inclusive in that it would also qualify as a use of force those cyber operations that
only cause inconvenience or merely aim to collect information as long as they target a
NCI. Another problem with this view – it has been argued – is that there is no generally
accepted definition of ‘NCI’.26
The approach that has received most support is based on the effects of the action:
unlike other forms of coercion, armed force has direct destructive effects on property
and persons.27 Therefore, any cyber operation that causes, or is reasonably likely to
22
Oliver Dörr, ‘Use of force, prohibition of’ in Rüdiger Wolfrum (ed.), Max Planck
Encyclopedia of Public International Law (2nd edn., OUP 2012), vol X, 607, 611.
23
Hersch Lauterpacht, International Law and Human Rights (Stevens & Sons Ltd 1950)
167. As the ICJ emphasized, ‘[t]he element of coercion, which defines, and indeed forms the
very essence of, prohibited intervention, is particularly obvious in the case of an intervention
which uses force’ directly or indirectly (Nicaragua Case (n 1), para. 205). On the principle of
non-intervention, see section 3.C of this chapter.
24
Stephanie Gosnell Handler, ‘The new cyber face of battle: Developing a legal approach to
accommodate emerging trends in warfare’ (2012) 48 Stan. J. Int’l. L. 209, 226–227; Matthew C.
Waxman, ‘Self-defensive force against cyber attacks: Legal, strategic and political dimensions’
(2013) 89 Int’l. L. Studies 109, 111.
25
Walter G Sharp, Cyberspace and the Use of Force (Aegis Research Corp 1999) 129–32.
See similarly Christopher C. Joyner and Catherine Lotrionte, ‘Information warfare as inter-
national coercion: Elements of a legal framework’ (2011) 12 E.J.I.L. 825, 855, who argue that
stealing or compromising sensitive military information could also qualify as an armed attack
(and a fortiori a use of force) ‘even though no immediate loss of life or destruction results’.
26
For a discussion of the different definitions of NCI, see Roscini (*) 55–8.
27
See e.g. Russell Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited interven-
tions?’ (2012) 17 J. Conflict & Sec. L. 211, 212; Heather H Dinniss, Cyber Warfare and the
Laws of War (CUP 2012) 74.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
4 / Date: 24/3
JOBNAME: Tsagourias PAGE: 5 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
28
Dinstein has, for instance, argued that ‘what counts is not the specific type of ordnance,
but the end product of its delivery to a selected objective’ (Yoram Dinstein, ‘Computer network
attacks and self-defense’ (2002) 76 Int’l. L. Studies 99, 103). Silver also opines that ‘physical
injury or property damage must arise as a direct and foreseeable consequence of the CNA
[Computer Network Attack] and must resemble the injury or damage associated with what, at
the time, are generally recognized as military weapons’ (Daniel B. Silver, ‘Computer network
attack as a use of force under Article 2(4) of the United Nations Charter’ (2002) 76 Int’l. L.
Studies 73, 92–3).
29
Definition of Aggression, GA Res 3314 (XXIX), 14 December 1974, Preamble.
30
Ibid. art 3(c), (e), and (f).
31
Nicaragua Case (n 1) para. 228.
32
According to art 31(1) of the 1969 Vienna Convention on the Law of Treaties, ‘[a] treaty
shall be interpreted in good faith in accordance with the ordinary meaning to be given to the
terms of the treaty in their context and in the light of its object and purpose’ (UNTS, vol 1115,
331 ff.)
33
Bryan A. Garner (ed.), Black’s Law Dictionary (9th edn., Thomson-West 2009), 123.
34
As has been observed, ‘[t]he essential feature which characterizes the prohibition of the
use of force is … not the intrusion into the sovereign realm of another State, nor is it even the
element of coercion as such, but only an intrusion or coercion accompanied by the special
features of military weaponry and its actual use’ (Dörr (n 22) 611).
35
See Olivier Corten, The Law Against War. The Prohibition on the Use of Force in
Contemporary International Law (Hart 2010) 66–7.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
5 / Date: 1/4
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
weapons: economic measures may be enforced with the use of weapons, but are not
weapons themselves, as implied in Article 41 of the UN Charter.36
Although there is no binding definition of ‘weapon’ either in jus ad bellum or jus in
bello instruments, Black’s Law Dictionary defines it as ‘[a]n instrument used or
designed to be used to injure or kill someone’.37 The ICRC Study on Customary
International Humanitarian Law defines weapons as ‘means to commit acts of violence
against human or material enemy forces’.38 Rule 1(ff) of the HPCR Manual on
International Law Applicable to Air and Missile Warfare (the ‘HPCR Manual’) also
attaches one main characteristic to a weapon: the capability to cause either injury/death
of persons or damage/destruction of objects.39 Similarly, a leading commentator has
defined weapons as including ‘any arms … munitions … and other devices, com-
ponents or mechanisms intended to destroy, disable or injure enemy personnel, matériel
or property’.40 The minimum common denominator of the above definitions is the
violent consequences produced by the instrument. Weapons, therefore, are identified by
their effects, not by the mechanisms through which they produce destruction or
damage.41 If this is correct, armed force prohibited by Article 2(4) could be defined as
the form of intervention by a State to exercise coercion on another State that involves
the use of instruments (weapons) capable of producing violent consequences. At a
closer look, then, the debate between the supporters of the instrument-based and
effects-based approaches to establish whether cyber operations are a use of armed force
loses much of its significance, as the two approaches should be combined: it is the
instrument used that defines armed force, but the instrument is identified by its
(violent) consequences. The focus on instrumentality explains why the ICJ qualified
arming and training of armed groups as a use of force:42 although not directly
destructive, those activities are strictly related to weapons, as they aim at enabling
someone to use them.
If, then, a use of armed force under Article 2(4) requires weapons, the next step in
the analysis is to establish whether malware can qualify as such. In its Advisory
Opinion on the legality of the threat or use of nuclear weapons, the ICJ made clear that
Articles 2(4), 51 and 42 of the UN Charter ‘do not refer to specific weapons. They
apply to any use of force, regardless of the weapons employed’.43 There is then no
reason why the weapons covered by these provisions should necessarily have explosive
effects or be created for offensive purposes only: the use of certain dual-use non-kinetic
36
Art 41 of the UN Charter includes the ‘complete or partial interruption of economic
relations’ in the list of ‘measures not involving the use of armed force’.
37
Garner (n 33) 1730.
38
Jean-Marie Henckaerts & Louise Doswald-Beck, Customary International Humanitarian
Law (CUP 2005) vol I, rule 6.
39
Program on Humanitarian Policy and Conflict Research [HPCR], Manual on Inter-
national Law Applicable to Air and Missile Warfare (CUP 2013) 49.
40
Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed
Conflict (2nd edn., CUP 2010) 1.
41
Katharina Ziolkowski, ‘Computer network operations and the law of armed conflict’
(2010) 49 Military Law & Law of War Rev. 47, 69.
42
Nicaragua Case (n 1) para. 228.
43
Nuclear weapons (n 19) para. 39.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
6 / Date: 24/3
JOBNAME: Tsagourias PAGE: 7 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
44
Ian Brownlie, International Law and the Use of Force by States (Clarendon Press 1963)
362.
45
See the examples mentioned in Roscini (*) 3–4, 9–10.
46
Letter dated 23 September 1998 from the Permanent Representative of the Russian
Federation to the United Nations addressed to the Secretary-General, UN Doc A/C.1/53/3, 30
September 1998, 2, <www.un.org/ga/search/view_doc.asp?symbol=A/C.1/53/3&Lang=E>
accessed 15 March 2014.
47
UNGA, ‘Developments in the field of information and telecommunications in the context
of international security’ (10 August 1999) UN Doc A/54/213 3.
48
UNGA, ‘Developments in the field of information and telecommunications in the context
of international security’ (8 July 2009) UN Doc A/64/129 5.
49
UNGA A/66/152/Add.1 (n 3) 2.
50
UNGA A/64/129/Add. 1 (n 10) 10.
51
United States Department of Air Force, ‘Air Force Instruction 51–402’ (27 July 2011)
<www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-053.pdf> accessed 15 March
2014. Art 36 of Additional Protocol I provides that:
[i]n the study, development, acquisition or adoption of a new weapon, means or method of
warfare, a High Contracting Party is under an obligation to determine whether its employ-
ment would, in some or all circumstances, be prohibited by this Protocol or by any other rule
of international law applicable to the High Contracting Party (text in UNTS, vol 1125, 3ff).
52
Joint Chiefs of Staff, ‘Joint Vision 2020 – America’s Military: Preparing for Tomorrow’
(June 2000) 23, <www.fs.fed.us/fire/doctrine/genesis_and_evolution/source_materials/joint_
vision_2020.pdf> accessed 15 March 2014.
53
Prime Minister, ‘A Strong Britain in an Age of Uncertainty: The National Security
Strategy’ (Cm 7953, 2010) 29 <www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
7 / Date: 7/5
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
All the above supports the view that ‘cyber … must be looked upon as a new means
of warfare – in other words, a weapon: no less and no more than other weapons’.54 The
Commentary to the HPCR Manual confirms that ‘[m]eans of warfare include non-
kinetic systems, such as those used in EW [electronic warfare] and CNAs [Computer
Network Attacks]. The means would include the computer and computer code used to
execute the attack, together with all associated equipment’.55 The Commentary further
specifies that death, injury, damage, or destruction ‘need not result from physical
impact … since the force used does not need to be kinetic. In particular, CNA
hardware, software and codes are weapons that can cause such effects through
transmission of data streams’.56 Like missiles, cyber weapons include a delivery
system, a navigation system and a payload.57 The delivery system could go from
e-mails to malicious links in websites, hacking, counterfeit hardware and software.
System vulnerabilities are the main navigation systems that provide entry points for the
payload by enabling unauthorized access to the system. The payload is the component
that causes harm: if the code, however sophisticated, is designed solely for the purpose
of infiltrating a computer and exfiltrating information, it would not be a ‘weapon’ in the
sense highlighted above, as it is neither intended to nor capable of causing violent
consequences.58
@dg/@en/documents/digitalasset/dg_191639.pdf?CID=PDF&PLA=furl&CRE=nationalsecurity
strategy> accessed 15 March 2014.
54
Yoram Dinstein, ‘Cyber war and international law: Concluding remarks at the 2012
Naval War College International Law Conference’ (2013) 89 Int’l. L. Studies 276, 280. Schmitt
also notes that ‘[w]ith the advent of CNA, today the computer is no less a weapon than an F-16
armed with precision weapons’ (Michael N Schmitt, ‘Computer network attack: The normative
software’ (2001) 4 Ybk of Int’l. Humanitarian L. 53, 56).
55
HPCR Manual (n 39) 31.
56
Ibid. 49.
57
Fred Schreier, ‘On cyberwarfare’, (DCAF Horizon 2015 Working Paper no 7, 2012)
66–67 <www.dcaf.ch/Publications/On-Cyberwarfare> accessed 15 March 2014.
58
Thomas Rid and Peter McBurney, ‘Cyber-weapons’ (2012) 157(1) RUSI J 6, 11.
59
See Ducheine (Ch 10 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
8 / Date: 24/3
JOBNAME: Tsagourias PAGE: 9 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
60
Herbert S. Lin, ‘Offensive cyber operations and the use of force’ (2010) 4 Journal of
National Security Law & Policy 63, 64.
61
As has been noted, ‘the cyber context changes the scale and consequences of theft and
espionage to a degree that can result in harm to the country at least as severe as a physical
attack’ (Jack Goldsmith, ‘How cyber changes the laws of war’ (2013) 24 EJIL 129, 133). As a
consequence of the cyber intrusions allegedly originating from China, the US Government
adopted a new strategy to combat intellectual property theft (White House ‘Administration
Strategy on Mitigating the Theft of U.S. Trade Secrets’ (February 2013) <www.whitehouse.gov//
sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf>
accessed 15 March 2014).
62
Wolff Heintschel von Heinegg, ‘Territorial sovereignty and neutrality in cyberspace’
(2013) 89 Int’l. L. Studies 129.
63
For a critical analysis of views that qualify ‘cyber espionage’ as a use of force, see
Katharina Ziolkowski, ‘Peacetime cyber espionage – New tendencies in public international law’
in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace. Inter-
national Law, International Relations and Diplomacy (CCDCOE 2013) 425, 451–7. On cyber
espionage, see also Buchan (Ch 8 of this book).
64
On cyberattacks and self-defence see Focarelli (Ch 12 of this book).
65
On cyber attacks as ‘armed attack’ under art 51 of the UN Charter and as ‘attack’ under
the law of armed conflict see Roscini (*) 70–77, 178–82.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
9 / Date: 7/5
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
potentially fall under the scope of the prohibition contained in Article 2(4) when they
entail the use of cyber tools capable of producing certain harmful consequences. The
different sets of consequences deriving from a cyber attack will be examined in the
following sub-sections in order to determine when they amount to a use of force.
There is general agreement that, if a cyber attack employs capabilities that cause, or are
reasonably likely to cause, physical damage to property, loss of life or injury of persons
in a manner equivalent to kinetic attacks through the alteration, deletion or corruption
of software or data, it would fall under the prohibition contained in Article 2(4) of the
UN Charter. Rule 11 of the Tallinn Manual on the International Law Applicable to
Cyber Warfare (the ‘Tallinn Manual’), for instance, provides that ‘[a] cyber operation
constitutes a use of force when its scale and effects are comparable to non-cyber
operations rising to the level of a use of force’.66 In his speech at the US Cyber
Command (CYBERCOM), the then US Department of State’s Legal Advisor, Harold
Koh, also argued that ‘if the physical consequences of a cyber attack work the kind of
physical damage that dropping a bomb or firing a missile would, that cyber attack
should equally be considered a use of force’.67 Koh cites, as examples of cyber
operations amounting to a use of force, ‘(1) operations that trigger a nuclear plant
meltdown; (2) operations that open a dam above a populated area causing destruction;
or (3) operations that disable air traffic control resulting in airplane crashes’.68 It should
be noted that physical damage to property, loss of life and injury of persons are only
secondary or tertiary effects of a cyber attack resulting from the corruption, alteration
or deletion of data or software.69 This is, however, not necessarily a problem for the
application of the jus ad bellum rules: in the Nicaragua judgment, the ICJ expressly
66
Michael Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare (CUP 2013) [Tallinn Manual] Rule 11. The Manual, that aims to identify how the lex
lata applies to cyber operations above the level of the use of force, was prepared by a group of
experts at the invitation of NATO’s Cooperative Cyber Defence Centre of Excellence (CCD-
COE) but does not reflect NATO doctrine or the official position of any State or organization.
67
Koh (n 15) 595.
68
Ibid.
69
The primary effects are those on the attacked computer, computer system or network, i.e.
the deletion, corruption, or alteration of data or software, or system disruption through a
Distributed Denial of Service (DDoS) attack or other cyber attacks. As Waxman notes, ‘modern
society’s heavy reliance on interconnected information systems means that the indirect and
secondary effects of cyber-attacks may be much more consequential than the direct and
immediate ones’ (Matthew C Waxman, ‘Cyber attacks and the use of force: Back to the future of
Article 2(4)’ (2011) 36 Yale J. of Int’l. L. 421, 445). On the multiple effects of cyber attacks, see
William A Owens, Kenneth W Dam, and Herbert S Lin, Technology, Policy, Law, and Ethics
Regarding U.S. Acquisition and Use of Cyberattack Capabilities (The National Academies Press
2009) 80. See also Pia Palojärvi, A Battle in Bits and Bytes: Computer Network Attacks and the
Law of Armed Conflict (Erik Castrén Institute of International Law 2009) 32; William H
Boothby, ‘Methods and means of cyber warfare’ (2013) 89 Int’l. L. Studies 387, 390.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
10 / Date: 24/3
JOBNAME: Tsagourias PAGE: 11 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
recognized that intervention that uses armed force may occur either directly or
indirectly.70
No cyber attack has so far been reported to have caused injuries or deaths of persons.
If one excludes the almost legendary case of the explosion of a Soviet gas pipeline in
Siberia in June 1982, apparently caused by a logic bomb inserted in the computer-
control system by the Central Intelligence Agency (CIA),71 the first known use of
malicious software designed to produce material damage to physical property by
attacking the Supervisory Control and Data Acquisition (SCADA) system of a NCI is
Stuxnet. Using four unknown vulnerabilities, Stuxnet was allegedly designed to force a
change in the gas centrifuges’ rotor speed at the Natanz uranium enrichment plant in
Iran, inducing excessive vibrations or distortions that would eventually damage the
centrifuges.72 As a result, the International Atomic Energy Agency (IAEA) reported
that Iran stopped feeding uranium into thousands of centrifuges at Natanz, a claim
denied by the Iranian authorities.73
One could ask whether there is a minimum threshold of gravity that the destructive
consequences of a cyber attack need to reach in order to be a violation of Article 2(4)
and not only of the principle of non-intervention. Koh, for instance, appears to
distinguish between injury/death of persons on the one hand and damage to property on
the other when he argues that it is ‘[c]yber activities that proximately result in death,
injury or significant destruction’ that would be considered a use of force:74 in his view,
then, while any death or injury would turn a cyber operation into a use of force, only
destruction that is significant enough would qualify. Beyond the cyber context, Corten
maintains that ‘there is a threshold below which the use of force in international
relations, while it may be contrary to certain rules of international law, cannot violate
article 2(4)’:75 examples are international abductions, extraterritorial enforcement
measures, international police operations, hot pursuit and police measures at sea, and
the interception and neutralization of aircraft entering a State’s airspace without
authorization. Similarly, in its 2009 Report, the Independent International Fact-Finding
Commission on the Conflict in Georgia found that ‘[t]he prohibition of the use of force
covers all physical force which surpasses a minimum threshold of intensity’ and that
‘[o]nly very small incidents lie below this threshold, for instance the targeted killing of
single individuals, forcible abductions of individual persons, or the interception of a
70
Nicaragua Case (n 1) para. 205. See Dinniss (n 27) 66.
71
Thomas Rid, Cyber War Will Not Take Place (Hurst & Co 2013) 4.
72
David Albright, Paul Brannan and Christina Walrond, ‘Did Stuxnet Take Out 1,000
Centrifuges at the Natanz Enrichment Plant?’ (ISIS Report, 22 December 2010) 6 <http://isis-
online.org/uploads/isis-reports/documents/stuxnet_FEP_22Dec2010.pdf> accessed 15 March
2014.
73
William J. Broad, ‘Report suggests problems with Iran’s nuclear effort’, The New York
Times (23 November 2010) <www.nytimes.com/2010/11/24/world/middleeast/24nuke.html>
accessed 15 March 2014. On the legality of Stuxnet and other cyber operations against Iran, see
Marco Roscini, ‘Cyber operations as nuclear counterproliferation measures’ (2014) 19 J.
Conflict & Sec. L. 133–57.
74
Koh (n 15) 595 (emphasis added). It should, however, be recalled that, according to the
US position reflected in Koh’s speech, there is no distinction between ‘use of force’ and ‘armed
attack’.
75
Corten (n 35) 55.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
single aircraft’.76 There seems to be some cautious support for this view in the 1998
ICJ’s Fisheries Jurisdiction Judgment: while Spain argued that the forcible measures
against the Estai amounted to a violation of Article 2(4), the Court found that ‘the use
of force authorized by the Canadian legislation and regulations falls within the ambit of
what is commonly understood as enforcement of conservation and management
measures’ and that ‘[b]oarding, inspection, arrest and minimum use of force for those
purposes are all contained within the concept of enforcement of conservation and
management measures according to a “natural and reasonable” interpretation of this
concept’.77
There is nothing, however, in the wording of Article 2(4) suggesting that uses of
force should be distinguished according to their gravity: as Ago notes, Article 2(4)
prohibits ‘any kind of conduct involving any assault whatsoever on the territorial
sovereignty of another State, irrespective of its magnitude, duration or purposes’.78
Whether or not a ‘minimum use of force’ is a violation of Article 2(4) must ultimately
depend on the circumstances of each case: what can be said is that the more invasive
and damaging the use of (cyber) weapons, the more the affected State will be inclined
to treat it as a use of force.
Whether data can be equated to physical property for the purposes of Article 2(4), so
that their deletion, alteration or corruption qualify per se as a use of force even when
they do not also result in physical damage to property, loss of life, bodily injury, or
malfunction of infrastructures, is a hotly debated question. In August 2012, for
instance, a virus destroyed the data of about 30,000 company computers of Saudi
Aramco, the world’s largest oil producer. The deleted data were replaced with a burning
American flag.79 John Murphy notes that ‘[i]f one views data as a form of property,
indeed a very important form or property, in the modern world, a mass loss of data
could constitute an armed attack’ (and therefore, a fortiori, a use of force).80 There is
no indication, however, that States are willing to interpret Article 2(4) so broadly: as a
commentator has argued, the mere destruction of data, even when of considerable
importance, is not a use of force, as its ‘effects cannot be equated to the effects usually
caused or intended by conventional or BC [biological and chemical] weapons,
76
Independent Fact-Finding Mission on the Conflict in Georgia, ‘Report of the Independent
Fact-Finding Mission on the Conflict in Georgia’ (vol II, September 2009) 242 <www.ceiig.ch/
Report.html> accessed 15 March 2014.
77
Fisheries Jurisdiction (Spain v Canada) (Judgment) [1998] ICJ Rep 1998 para. 84
(emphasis added). See similarly the Report of the Commission of Inquiry (Denmark–United
Kingdom) on the Red Crusader incident, 23 March 1962 [1967] 35 Int’l. L. Rep. 485 ff.
78
Ago (n 1) 41. Similarly, Melzer argues that art 2(4) prohibits all uses of force, regardless
of their magnitude and duration (Nils Melzer, Cyberwarfare and International Law (UNIDIR
2011) 8 <www.isn.ethz.ch/Digital-Library/Publications/Detail/?lng=en&id=134218> accessed 15
March 2014).
79
‘Saudi Aramco says cyber attack targeted kingdom’s economy’, Al Arabiya News (9
December 2012) <www.alarabiya.net/articles/2012/12/09/254162.html> accessed 15 March
2014. Oil production, however, remained uninterrupted.
80
John F. Murphy, ‘Cyber war and international law: Does the international legal process
constitute a threat to U.S. vital interests?’ (2013) 89 Int’l. L. Studies 309, 325.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
12 / Date: 24/3
JOBNAME: Tsagourias PAGE: 13 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
especially not to the physical destruction of the objects’.81 If not of Article 2(4), cyber
attacks deleting, modifying or corrupting data without consequences in the analogue
world may however be a violation of the principle of non-intervention, as will be seen
later.82
If cyber attacks employing capabilities that cause or are reasonably likely to cause
material damage to property or persons can be equated to kinetic attacks, there is
disagreement on whether disruptive cyber operations, i.e. those aimed at rendering
ineffective or unusable infrastructures without physically damaging them,83 also
amount to a violation of Article 2(4) of the UN Charter.84
It is this chapter’s contention that disruptive cyber operations also fall under the
scope of Article 2(4) if the disruption caused is significant enough to affect State
security, or, to use the words of the 2012 US Presidential Policy Directive 20, ‘national
security, public safety, national economic security, the safe and reliable functioning of
“critical infrastructure,” and the availability of “key resources”’.85 This is certainly the
case of cyber operations that severely disrupt defence-related NCIs.86 The 1999 US
Department of Defense’s Assessment of International Legal Issues in Information
Operations, for instance, argues that ‘corrupting the data in a nation’s computerized
systems for managing its military fuel, spare parts, transportation, troop mobilization,
or medical supplies’, therefore seriously interfering ‘with its ability to conduct military
operations’, might be treated as a use of force.87 If a cyber operation seriously
disrupting defence functions is considered a use of force, this conclusion must also be
correct for a cyber operation that aims at taking control of networked weapons and
weapon systems of another State, such as missiles, satellites and drones.88
81
Katharina Ziolkowski, ‘General principles of international law as applicable in cyber-
space’, in Ziolkowski (n 63) 135, 174.
82
See below, sec 3(c).
83
The language is borrowed from the definition of ‘neutralize’ contained in US Department
of Defense’s Dictionary of Military and Associated Terms (n 2) 187.
84
The Tallinn Manual’s (n 66) rules largely neglect disruptive cyber operations because of
lack of consensus among the Group of Experts with regard to their nature and legality.
85
‘US Presidential Policy Directive/PPD–20’ (October 2012) 3 <www.theguardian.com/
world/interactive/2013/jun/07/obama-cyber-directive-full-text> accessed on 15 March 2014.
86
Ziolkowski (n 41) 73–4; Tsagourias (n 17) 232.
87
US Department of Defense ‘An Assessment of International Legal Issues in Information
Operations’ (May 1999) 18 <www.au.af.mil/au/awc/awcgate/dod-io-legal/dod-io-legal.pdf>
accessed 15 March 2014.
88
A computer virus has for instance been reported to have infected US drones’ cockpits
(‘US drones infected by key logging virus’ Aljazeera (8 October 2011) <www.aljazeera.com/
news/americas/2011/10/201110816388104988.html> accessed 15 March 2014). The virus appar-
ently originated in China and had the purpose of collecting unmanned aerial vehicle (UAV) data.
It was inserted in the military’s network through compromised PDF files (Robert Johnson, ‘New
evidence suggests China’s hacking into US drones using Adobe Reader and Internet Explorer’
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
13 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Cyber attacks that severely disrupt other NCIs such as emergency and rescue
services, energy, public health, transportation, food and water supply will in most cases
also result, or will be likely to result, in some physical damage to property or persons.
In particular, prolonged electricity shortage due to a cyber attack disrupting the national
grid is likely to have severe negative repercussions on other NCIs and on virtually all
sectors of society. But even when no physical consequences arise, as in the case of
cyber attacks against the banking and finance, government and communications
sectors, ‘a flexible interpretation [of Article 2(4)] according to the evolution of
weaponry and the logic behind this provision does not prevent a broadening of its
prohibition in order to incorporate new uses of force’.89 Indeed, as has been observed,
‘[i]f law is to remain effective over time, it must be responsive to context’ and ‘[t]his
axiom is no less true in cyberspace than in the kinetic environment’.90 The concept of
dynamic, or evolutive, interpretation, which is also implied in Article 31(3)(b) of the
Vienna Convention on the Law of Treaties,91 has been employed by the ICJ on several
occasions. In the Judgment on the Dispute Regarding Navigational and Related Rights
(Costa Rica v Nicaragua), for instance, the ICJ found that ‘where the parties have used
generic terms in a treaty … [they] must be presumed, as a general rule, to have
intended those terms to have an evolving meaning’.92 The Court gave the example of
‘commerce’,93 but the same reasoning could be applied to ‘force’. It is interesting, for
instance, that Panama noted that misuse of information and telecommunication systems
is a ‘new form of violence’, thus highlighting that violent effects are not limited to
physical damage.94 The increasing dependency of States on computer systems and
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
14 / Date: 24/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
networks to provide critical services for the society as well as the increasing severity
and sophistication of cyber attacks should thus be taken into account when interpreting
Article 2(4). As a report suggests, focusing only on destructive consequences on
individuals and property is reductive in the cyber context, as ‘modern society depends
on the existence and proper functioning of an extensive infrastructure that itself is
increasingly controlled by information technology’: therefore, ‘[a]ctions that signifi-
cantly interfere with the functionality of that infrastructure can reasonably be regarded
as uses of force, whether or not they cause immediate physical damage’.95 Melzer
concurs and remarks how the kinetic equivalence doctrine, that considers as a use of
force only those cyber operations that cause material damage comparable to kinetic
weapons, is too restrictive.96 Similarly, Tsagourias emphasizes that ‘a cyber attack on
critical State infrastructure which paralyses or massively disrupts the apparatus of the
State should be equated to an armed attack, even if it does not cause any immediate
human injury or material damage’.97 Indeed, the limits of the doctrine of kinetic
equivalence become evident if one considers that, under this doctrine, a cyber attack
that shuts down the national grid or the stock exchange for a prolonged time would not
be a use of armed force, while the physical destruction of one server in theory would.
An ‘interpretive reorientation’98 of Article 2(4) that also includes in the scope of the
provision cyber attacks causing serious disruption of essential services without destroy-
ing infrastructures would also reflect the trend in modern warfare to favour incapacita-
tion to destruction. For instance, in the 1999 Operation Allied Force against Yugoslavia,
NATO targeted switching stations instead of generation stations to enable fast repair
after the conflict and used carbon-graphite filaments in such a way as to cause only
temporary incapacitation of electricity.99 The Rules of Engagement distributed to the
US Military Forces in Operation Iraqi Freedom also provided that attacks at the enemy
infrastructure, lines of communication and economic objects should be aimed at
disabling and disrupting them, avoiding destruction whenever possible.100 Like non-
lethal weapons, cyber warfare should be understood in this context.101
95
Owens, Dam & Lin (n 69) 254. Similarly, Brown and Poellet argue that:
[a]lthough no actual kinetic event may occur, the reliance of modern societies on electricity
for health care, communications, and the delivery of essential services makes it clear this
would qualify as a kinetic-like effect and would therefore constitute a military attack if the
disruption were for a significant period of time.
(Gary Brown & Keira Poellet, ‘The customary international law of cyberspace’ (2012) 6(3)
Strategic Studies Quarterly 126, 137.)
96
Melzer (n 78) 14.
97
Tsagourias (n 17) 231.
98
Waxman (n 69) 437.
99
Dominik Steiger, ‘Civilian objects’ in Wolfrum (ed.), Max Planck Encyclopedia (n 22)
vol II, 185, 187.
100
Human Rights Watch, ‘Off target. The conduct of the war and civilian casualties in Iraq’
(2003) 138–9, <www.hrw.org/reports/2003/usa1203/usa1203.pdf> accessed 15 March 2014.
101
NATO has defined non-lethal weapons as ‘weapons which are explicitly designed and
developed to incapacitate or repel personnel, with a low probability of fatality or permanent
injury, or to disable equipment, with minimal undesired damage or impact on the environment’
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
15 / Date: 24/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Although it is not the only decisive factor as the supporters of the target-based
approach suggest, the critical character of the targeted infrastructure is an important
element to consider in order to establish when a disruptive cyber operation amounts to
a use of force under Article 2(4), in particular as an indication of the severity of its
effects on a State. It is especially helpful to exclude that the operation is a use of force:
if the targeted infrastructure is not a NCI, it is highly unlikely that the consequent
disruption will affect a State’s essential functions and its internal public order. A cyber
attack on a NCI, however, is not necessarily always a use of force, for instance when it
disables it only for a very limited time or with limited effects.
Some States have expressly qualified the disruption of certain infrastructures, in
particular those related to the economy, as a use of force. Mali has for instance claimed
that ‘[t]he use of an information weapon could be interpreted as an act of aggression if
the victim State has reasons to believe that the attack was carried out by the armed
forces of another State and was aimed at disrupting … economic capacity, or violating
the State’s sovereignty over a particular territory’.102 A Russian senior military officer
has reportedly declared that ‘the use of Information Warfare against Russia or its armed
forces will categorically not be considered a non-military phase of a conflict whether
there were casualties or not’.103 The US Department of Defense’s Assessment of
International Legal Issues in Information Operations refers to a nation’s air traffic
control system, its banking and financial system, and public utilities and dams as
examples of targets that, if shut down by a coordinated computer network attack, might
entitle the victim state to self-defence.104 The 2011 Department of Defense’s Cyber-
space Policy Report maintains that the US reserves the right to use ‘all necessary
means’ against ‘hostile acts’, including ‘significant cyber attacks’, directed not only
against the US Government or military but also the economy.105 The US Presidential
Policy Directive 20 identifies the following ‘significant consequences’ of cyber
operations that require presidential approval: ‘[l]oss of life, significant responsive
actions against the United States, significant damage to property, serious adverse U.S.
foreign policy consequences, or serious economic impact on the United States’.106
Finally, when submitting its views on information security to the UN Secretary-
General, the US has argued that ‘under some circumstances, a disruptive activity in
cyberspace could constitute an armed attack’ (and therefore a use of force).107
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
16 / Date: 24/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
An objection that is often raised is that a cyber attack that shuts down economic
targets such as the stock exchange and disrupts financial markets amounts to economic
coercion and not to armed force.108 This is not correct, for two reasons. First,
economic coercion does not have a specific target, while the cyber attack would be
undertaken against an identifiable infrastructure. Secondly, while economic coercion,
such as an oil embargo, employs the economy as a means of pressure, in a cyber attack
that incapacitates the financial market or cripples a State’s banking system the economy
is rather the target, while the means employed is malware. Therefore, if the stock
exchange or other financial institutions were to be bombed kinetically and the markets
disrupted as a consequence, this would certainly be considered a use of armed force,
and not economic coercion, even though the economic consequences of the action
would probably outweigh the physical damage to the buildings: one cannot see why the
same conclusion should not apply when the stock exchange, instead of being bombed,
is shut down for an extended period of time by a virus in its computer system.109 Such
scenario would arguably be seen as having more in common with a surgical kinetic
attack than with the 1973 Organization of the Petroleum Exporting Countries (OPEC)’s
oil embargo. If, however, the disruption caused is not severe, ‘the cyber attack may be
less likely to be regarded as a use of force than a kinetic attack with the same
(temporary) economic effect, simply because the lack of physical destruction would
reduce the scale of the damage caused’.110
It should be stressed again that, if all cyber attacks that employ capabilities resulting
in damage to physical property or persons are a use of force, those without physical
consequences fall under the scope of Article 2(4) only when they go beyond mere
inconvenience and cause significant disruption of essential services by rendering
ineffective or unusable critical infrastructure.111 It is only in these cases that the effects
of disruption can be equated to those of destruction caused by traditional armed force.
A week-long cyber attack that shuts down the national grid, and thus leaves millions of
people without electricity, cripples the financial market and the transport system, and
prevents government communications is likely to be treated as a use of force, whether
or not physical damage ensues.112 On the other hand, a cyber attack that shuts down a
university network is not a use of force, even if it causes prolonged and severe service
disruption, because the services affected are not critical. The 2014 DDoS attacks that
targeted Ukraine’s mobile communication networks during the confrontation with the
Russian Federation over Crimea also did not fall under the scope of Article 2(4) even if
it had been demonstrated that they were attributable to Russia, as they caused neither
108
See e.g. Elizabeth Wilmshurst, ‘The Chatham House Principles of international law on
the use of force in self-defence’ (2006) 55 I.C.L.Q. 963, 965.
109
Brown & Poellet (n 95) 138; Lin (n 60) 74.
110
Lin ibid. 74.
111
Antolin-Jenkins (n 103) 172; Ziolkowski (n 41) 74–5.
112
The scenario is inspired by the ‘Cyber ShockWave’ simulation staged by the Bipartisan
Policy Center (Ellen Nakashima, ‘War game reveals U.S. lacks cyber-crisis skills’ The
Washington Post (17 February 2010) <http://articles.washingtonpost.com/2010-02-17/news/
36782381_1_cyber-attack-cyber-coordinator-cyber-shockwave> accessed 15 March 2014).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
17 / Date: 24/3
JOBNAME: Tsagourias PAGE: 18 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
Cyber attacks not resulting, or not reasonably likely to result, in material damage to
property, loss of life or injury of persons, or severe disruption of essential services are
not a use of force and are therefore not a violation of Article 2(4) of the UN Charter:
when attributed to a State, however, they can amount to a violation of the principle of
non-intervention in the internal affairs of another State.117 Intervention is ‘the manifes-
tation of a policy of force’.118 What characterizes intervention and differentiates it from
a mere violation of sovereignty is the element of coercion: a State exercises abusive
pressure on another State in order to coerce it, through certain means, to do or not to do
something ‘on matters in which each State is permitted, by the principle of State
sovereignty, to decide freely’, such as ‘the choice of a political, economic, social and
cultural system, and the formulation of foreign policy’.119 What distinguishes interven-
tion from a violation of Article 2(4) is that it can occur ‘with or without armed
force’.120
113
Dave Lee, ‘Russia and Ukraine in cyber “Stand-Off”’, BBC News (5 March 2014)
<http://www.bbc.co.uk/news/technology-26447200> accessed 15 March 2014. DDoS attacks aim
to inundate the target system with excessive calls, messages, enquiries or requests in order to
overload it and force its shut down.
114
For the facts, see Eneken Tikk, Kadri Kaska & Liis Vihul, International Cyber Incidents.
Legal Considerations (CCDCOE 2010) 18 ff <www.ccdcoe.org/publications/books/legal
considerations.pdf> accessed 15 March 2014.
115
Nicaragua Case (n 1) para. 249.
116
Art 50(1)(a) of the ILC Articles on the Responsibility of States for Internationally
Wrongful Acts, Ybk of the ILC, 2001, vol II, Part Two, 30.
117
See Commentary to Rule 10 of the Tallinn Manual (n 66) 44.
118
Corfu Channel (United Kingdom v Albania) (Merits, Judgment) [1949] ICJ Rep 1949 35.
119
Nicaragua Case (n 1) para 205. According to the ICJ, ‘[i]ntervention is wrongful when it
uses methods of coercion in regard to such choices, which must remain free ones. The element
of coercion… defines, and indeed forms the very essence of, prohibited intervention’ (ibid). See
Maziar Jamnejad and Michael Wood, ‘The principle of non-intervention’ (2009) 22 L.J.I.L.
345–81.
120
Nicaragua Case (n 1) para. 206.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
18 / Date: 24/3
JOBNAME: Tsagourias PAGE: 19 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
[t]he right of States and peoples to have free access to information and to develop fully,
without interference, their system of information and mass media and to use their information
media in order to promote their political, social, economic and cultural interests and
aspirations, based, inter alia, on the relevant articles of the Universal Declaration of Human
Rights and the principles of the new international information order (para 2(I)(c)).
A 1989 bilateral treaty between the US and the Soviet Union on the prevention of
dangerous military activities also prohibits ‘interfering with command and control
networks in a manner which could cause harm to personnel or damage to equipment of
the armed forces of the other Party’.127 Article I(9) of the treaty, in particular, defines
121
Ibid. para. 202.
122
See e.g. art 8 of the 1933 Convention on the Rights and Duties of States; art 19 of the
Organization of American States’ Charter; art 4 of the African Union’s Constitutive Act; art
2(2)(e) of the Charter of the Association of Southeast Asian Nations; art 2 of the Charter of the
Shanghai Cooperation Organization; art 2(4) of the Charter of the Organisation of the Islamic
Conference.
123
UNGA Res 2131 (XX) (21 December 1965) (emphasis added).
124
Declaration on Friendly Relations, UNGA Res 2625 (XXV) (24 October 1970). See also
Principle VI of the Helsinki Final Act of the Conference on Security and Co-operation in Europe
(CSCE), 1 August 1975, (1975) 14 International Legal Materials 1293, 1294–5.
125
UNGA Res 31/91 (14 December 1976) para 4.
126
UNGA Res 36/103 (9 December 1981).
127
Art II(1)(d) of the Agreement on the Prevention of Dangerous Military Activities (1989)
28 International Legal Materials, 877 ff. The treaty is still in force.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
19 / Date: 24/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
‘[i]nterference with command and control networks’ as ‘actions that hamper, interrupt
or limit the operation of the signals and information transmission means and systems
providing for the control of personnel and equipment of the armed forces of a Party’.
There is no difficulty, then, in qualifying disruptive cyber attacks short of the use of
force as unlawful interventions when they are used ‘to coerce another State in order to
obtain from it the subordination of the exercise of its sovereign rights and to secure
from it advantages of any kind’.128 Indeed, in the twentieth century the notion of
‘intervention’ was broadened as a consequence of the increased cooperation among
States allowing more subtle ways of interference than the use of force:129 a further
broadening of the notion to include cyber attacks is now necessitated by the
interconnectivity of networks and the reliance of modern societies on information
systems.130
Not only may cyber attacks that cause low-level disruption be unlawful interventions,
but also those that deface websites in order to foment civil strife in a State or the
sending of thousands of e-mails to voters in order to influence the outcome of political
elections in another State.131 In September 2012, for instance, Azerbaijan denounced
cyber attacks conducted by a so-called ‘Armenian Cyber Army’ under the ‘direction
and control’ of Armenia that were ‘aimed at glorifying terrorists and insulting their
victims, as well as at advocating, promoting and inciting ethnically and religiously
motivated hatred, discrimination and violence’.132 As has been observed, if a broadcast
‘is deliberately false and intended to produce dissent or encourage insurgents, the
non-intervention principle is likely to be breached’.133 Hostile propaganda and defama-
tion are condemned in the above mentioned 1976 Declaration on Non-interference and
1981 Declaration on Non-intervention.134
It has been seen that, according to the ICJ, it is not only the direct use of weapons by
a State against another State that amounts to a use of force, but also enabling someone
else to use those weapons: the arming and training of armed groups, therefore, is a
violation of Article 2(4), even though not an armed attack.135 If this view is extended to
the cyber context, one must conclude that the supply of malware by a State to an armed
128
Declaration on Friendly Relations (n 124) third principle.
129
Philip Kunig, ‘Intervention, Prohibition of’ in Wolfrum (ed.), Max Planck Encyclopedia
(n 22) vol VI, 289, 290.
130
Of course, cyber operations that amount to a use of force are, a fortiori, an intervention.
131
Tallinn Manual (n 66) 45. The UN General Assembly has condemned external interfer-
ence in electoral processes in several resolutions: see e.g. UNGA Res 60/164 (2 March 2006).
132
Letter dated 6 September 2012 from the Chargé d’affaires a.i. of the Permanent Mission
of Azerbaijan to the United Nations addressed to the Secretary-General (7 September 2012) UN
Doc A/66/897–S/2012/687 1.
133
Jamnejad & Wood (n 119) 374.
134
Para 2(II)(j) of the Declaration on Non-intervention, for instance, prohibits ‘[t]he duty of
a State to abstain from any defamatory campaign, vilification or hostile propaganda for the
purpose of intervening or interfering in the internal affairs of other States’.
135
Nicaragua Case (n 1) para. 228.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
20 / Date: 24/3
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
group acting against another State and the training of such group to conduct cyber
attacks are also a use of force.136 This is the opinion of the Group of Experts that
drafted the Tallinn Manual.137 This conclusion, however, is correct only when the
supply of malware and the training enable the group to conduct cyber attacks
amounting to a use of force, and not other types of cyber operations below that
threshold.
Similarly, if one transposes Article 3(f) of the Definition of Aggression in the cyber
context, a State that knowingly allows another State to use its cyber infrastructure in
order to launch a cyber attack amounting to an act of aggression against a third State
would commit an act of aggression itself, and therefore would breach the prohibition of
the use of force.138 It appears, for instance, that North Korea’s cyber warfare Unit 121
is at least partially stationed in China due to the limited internet connections in North
Korea, although the involvement of the Chinese Government is unclear.139 Article 3(f),
however, would only potentially apply to situations where the cyber operation in
question amounts to an act of aggression, not to any use of force and even less to cyber
operations below that threshold, such as cyber exploitation.
On the other hand, according to the ICJ, the ‘mere supply of funds’ to armed groups
does not amount to a use of force, although it ‘undoubtedly’ qualifies as unlawful
intervention.140 A State that finances the cyber operations of an armed group against
another State, therefore, may breach the principle of non-intervention in the internal
affairs of that State, but not Article 2(4).141
4. CONCLUSIONS
The provisions on the use of force contained in the UN Charter apply to cyber
operations even though the rules were adopted well before the advent of cyber
technologies: the lack of ad hoc provisions does not mean that cyber operations may be
conducted by States against other States without restrictions. This chapter has argued
that a cyber operation is a use of armed force when it entails the use of a ‘weapon’
accompanied by a coercive intention. This occurs not only in the case of cyber attacks
designed to cause physical damage to property, loss of life or injury of persons, but also
of cyber attacks employing capabilities that render ineffective or unusable critical
infrastructures so to cause significant disruption of essential services, even when they
136
An example is the alleged cyber training of members of the Syrian dissidents by the US
State Department (Jay Newton-Small, ‘Inside America’s secret training of Syria’s digital army’,
Time (13 June 2012) <http://swampland.time.com/2012/06/13/inside-americas-secret-training-of-
syrias-digital-army> accessed 15 March 2014).
137
Tallinn Manual (n 66) 46.
138
Art 3(f) of the Definition of Aggression includes among the acts of aggression: ‘[t]he
action of a State in allowing its territory, which it has placed at the disposal of another State, to
be used by that other State for perpetrating an act of aggression against a third State’.
139
Richard A. Clarke & Robert K. Knake, Cyber War. The Next Threat to National Security
and What To Do About It (Harper Collins 2010) 27–8.
140
Nicaragua Case (n 1) para. 228.
141
Schmitt (n 90) 280.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
21 / Date: 24/3
JOBNAME: Tsagourias PAGE: 22 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
142
Corfu Channel (n 118) 35.
143
Nicaragua Case (n 1) para. 205.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter11 /Pg. Position:
22 / Date: 24/3
JOBNAME: Tsagourias PAGE: 1 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
Self-defence is permitted under Article 51 UN Charter and customary international law,
as the ICJ stated in the Nicaragua Case.1 Article 51 reads:
Nothing in the present Charter shall impair the inherent right of individual or collective
self-defence if an armed attack occurs against a Member of the United Nations, until the
Security Council has taken measures necessary to maintain international peace and security.
Measures taken by Members in the exercise of this right of self-defence shall be immediately
reported to the Security Council and shall not in any way affect the authority and
responsibility of the Security Council under the present Charter to take at any time such
action as it deems necessary in order to maintain or restore international peace and security.2
In the system of the Charter the right of self-defence basically allows a State, either
individually or collectively, to respond militarily to an armed attack until the UN
Security Council takes measures necessary to maintain international peace and security.
Self-defence thus clearly constitutes an exception to the general prohibition on the
threat and use of force set out in Article 2(4) UN Charter.
The question as to whether the international law rule on self-defence applies to cyber
attacks is much debated. No explicit international law rules exist specifically applicable
to self-defence in cyberspace and the law of self-defence predates the advent of cyber
operations. A treaty on cyber operations is unlikely in the foreseeable future, one of the
reasons being that the most vulnerable States are at the same time those most capable
of conducting cyber attacks.3 A treaty for cyber disarmament has been proposed by the
Russian Federation, but opposed by the United States4 and fiercely resisted by the
private commercial cyber sector at the 2012 World Conference on International
1
Case concerning Military and Paramilitary Activities in and against Nicaragua (Nicara-
gua v. United States) (Merits) (Judgment of 27 June 1986) [1986] ICJ Rep. 14 para. 176.
2
On Article 51 see Bruno Simma et al. (eds)., The Charter of the United Nations: A
Commentary (OUP 2013).
3
Michael Schmitt, ‘Cyber operations and the jus ad bellum revisited’ (2011) 56 Villanova
L. Rev. 569, 604.
4
John Markoff and Andrew E Kramer, ‘US and Russia differ on a Treaty for Cyberspace’,
New York Times (27 June 2009) <http://www.nytimes.com/2009/06/28/world/28cyber.html?page
wanted=all> accessed 30 November 2013. It has been observed that the US plans to use the
Internet for offensive purposes, as it is believed it has done with Stuxnet (see section 3 below):
cf. Mary E O’Connell, ‘Cyber security without cyber war’ (2012) 17 J. Conflict & Sec. L. 187,
206.
255
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
1 / Date: 7/5
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
5
See Meyer (Ch 13 of this book); David Gross & Ethan Lucarelli, ‘The 2012 World
Conference on International Telecommunications: Another brewing storm over potential UN
regulation of the internet’ (Who’s Who Legal, 30 April 2012) <http://www.whoswholegal.com/
news/features/article/29378/the-2012-world-conference-international-telecommunications-brewing-
storm-potential-un-regulationinternet> accessed 30 November 2013; David Meyer, ‘ITU chief
claims Dubai meeting “Success”, despite collapse of talks’ (ZDnet, 14 December 2012)
<http://www.zdnet.com/itu-chief-claims-dubai-meeting-success-despite-collapse-of-talks-70000
08808> accessed 30 November 2013.
6
Marshall McLuhan, Understanding Media: The Extensions of Man (Gingko Press 1964)
6; W. Gibson, Neuromancer (Ace Books 1984) 69.
7
<https://projects.eff.org/~barlow/Declaration-Final.html> accessed 30 November 2013.
8
Mark Graham, ‘Time machines and virtual portals: The spatialities of the digital divide’
(2011) 11 Progress in Development Studies 215–217 <http://pdj.sagepub.com/content/11/3/
211.full.pdf+html> accessed 30 November 2013; Mark Graham, ‘Cyberspace’ (ZeroGeography,
3 November 2011) <http://www.zerogeography.net/2011/11/cyberspace.html> accessed 30
November 2013.
9
US Supreme Court, Reno v. American Civil Liberties Union, 521 U.S. 844, 889–90
(1997). According to the US Department of Defense cyberspace is ‘a global domain within the
information environment consisting of the interdependent network of information technology
infrastructures, including the Internet, telecommunications networks, computer systems, and
embedded processors and controllers’ (US Department of Defence, ‘Quadrennial Roles and
Missions Review Report’ (January 2009) <www.defense.gov/news/jan2009/qrmfinalreport_
v26jan.pdf> accessed 30 November 2013).
10
See PriMetrica, ‘The Submarine Cable Map’ <http://www.submarinecablemap.com>
accessed 4 September 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
11
ITU, ‘Measuring the Information Society 2013’ (Report, Executive Summary, ITU 2013)
1 <http://www.itu.int/dms_pub/itu-d/opb/ind/D-IND-ICTOI-2013-SUM-PDF-E.pdf> accessed 30
November 2013.
12
Symantec, ‘Symantec report finds that more than a third of global targeted attacks are
aimed against small businesses’ (10 July 2012) <http://www.symantec.com/about/news/release/
article.jsp?prid=20120710_01> accessed 30 November 2013.
13
See ITU, ‘ITU National Cybersecurity Strategy Guide’ (2011) <http://www.itu.int/ITU-
D/cyb/cybersecurity/docs/ITUNationalCybersecurityStrategyGuide.pdf> accessed 30 November
2013.
14
UNGA Res 56/19, ‘Developments in the field of information and telecommunications in
the context of international security’ (7 January 2002). See subsequently UNGA Res 58/32
(December 2003); UNGA Res 59/61 (3 December 2004); UNGA Res 60/45 (8 December 2005);
UNGA Res 61/54 (6 December 2006); UNGA Res 62/17 (5 December 2007); UNGA Res 63/37
(2 December 2008); UNGA Res 64/25 (2 December 2009); UNGA Res 65/41 (8 December
2010); UNGA Res 66/24 (2 December 2011); UNGA Res 67/27 (3 December 2012). On the role
of the UN see Henderson (Ch 22 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
3 / Date: 7/5
JOBNAME: Tsagourias PAGE: 4 SESS: 9 OUTPUT: Mon May 18 10:36:31 2015
cyber-attacks’.15 Every year, since 2008, a high-level NATO Cyber Conference has
been organized in Tallinn (Estonia) by the NATO Cooperative Cyber Defence Centre of
Excellence (CCDCOE),16 the latest Conference (at the time of writing) having been
held in June 2013.17 The Centre has drafted, inter alia, a ‘Manual on the International
Law Applicable to Cyber Warfare’, published in 2013.18 The 2012 Chicago Summit
Declaration reiterated the commitment of Member States to ‘develop further our ability
to prevent, detect, defend against, and recover from cyber attacks’.19
Since 2008 many States, in addition to the European Union, have developed National
Strategies and Policies concerning cybersecurity.20 An increasing number of States are
also establishing intelligence or military cyber units and commands to address cyber
threats.21 For example, in 2004 the European Network and Information Security
Agency (ENISA) was established as a body devoted to achieving a high and effective
level of network and information security within the EU.22 In the US, in January 2008
US President George W. Bush launched the ‘Comprehensive National Cybersecurity
Initiative’ (CNCI)23. In 2010 the US Department of Defense established CyberCom-
mand, as a sub-unit of Strategic Command, with a view to being prepared ‘to respond
to hostile acts in cyberspace’ and, accordingly, to reserving ‘the right, under the laws of
armed conflict, to respond to serious cyber-attacks, with a proportional and justified
military response, at the time and place of its choosing.24 In May 2011 US President
Obama stated that ‘the United States will respond to hostile acts in cyberspace’ since
15
‘Active Engagement, Modern Defence: Strategic Concept for the Defence and Security of
the Members of the North Atlantic Treaty Organization Adopted by Heads of State and
Government at the NATO Summit in Lisbon (19-20 November 2010) para. 19 <http://
www.nato.int/nato_static/assets/pdf/pdf_publications/20120214_strategic-concept-2010-eng.pdf>
accessed 30 November 2013.
16
NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) <http://ccdcoe.org>
accessed 30 November 2013.
17
CyCon 2013 (5th International Conference on Cyber Conflict) 4-7 June 2013, proceed-
ings at <http://ccdcoe.org/429.html> accessed 30 November 2013.
18
Michael Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare (CUP 2013) available online at <https://www.ccdcoe.org/249.html> accessed 30
November 2013.
19
Chicago Summit Declaration issued by the Heads of State and Government participating
in the meeting of the North Atlantic Council in Chicago (20 May 2012) para. 49 <http://
www.nato.int/cps/en/natolive/official_texts_87593.htm#cyber> accessed 30 November 2013. On
NATO and cyberspace see Ziolkowski (Ch 20 of this book).
20
See Wessel (Ch 19 of this book); ITU, ‘Strategies for Cybersecurity and Critical
Information Infrastructure Protection (CIIP)’ (ITU) <http://www.itu.int/ITU-D/cyb/cybersecurity/
strategies.html> accessed 3 September 2014.
21
E.g. US Cyber Command (USCYBERCOM).
22
ENISA was set up by Regulation (EC) No 460/2004 of the European Parliament and of
the Council on 10 March 2004.
23
National Security Council, The Comprehensive National Cybersecurity Initiative (2009)
<http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative>
accessed 30 November 2013.
24
William Lynn, ‘Announcement of the Department of Defense Cyberspace Strategy at the
National Defense University’ (U.S. Department of Defense, 14 July 2011) <http://www.
defense.gov/speeches/speech.aspx?speechid=1593> accessed 30 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
4 / Date: 8/5
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
‘[a]ll states possess an inherent right to self-defense’, thus reserving ‘the right to use all
necessary means – diplomatic, informational, military, and economic – as appropriate
and consistent with applicable international law’.25 The same year the Obama Admin-
istration concluded that ‘[t]hreats to cyberspace pose one of the most serious economic
and national security challenges of the 21st Century for the United States and our
allies’.26 In 2012 the Secretary of the US Department of Homeland Security (DHS)
called for cyber-security intelligence information sharing with private sector companies
as critical infrastructure providers (such as gas companies, water suppliers, etc.) ‘which
are at constant risk of cyber-attack’.27 A similar concern has also been raised within
NATO.28
25
White House, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness
in a Networked World’ (Washington, May 2011) <http://info.publicintelligence.net/WH-
InternationalCyberspace.pdf> accessed 30 November 2013.
26
White House, ‘Cyberspace Policy Review: Assuring a trusted and resilient information
and communications infrastructure’ (Washington, 2009), <http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf> accessed 30 November 2013.
27
Eric B. Parizo, ‘Napolitano calls for cybersecurity intelligence information sharing’
(TechTarget, 10 September 2012) <http://searchsecurity.techtarget.com/news/2240162981/
Napolitano-calls-for-cybersecurity-intelligence-information-sharing> accessed 30 November
2013.
28
See NATO, ‘Working with the private sector to deter cyber attacks’ (10 November 2011)
<http://www.nato.int/cps/en/natolive/news_80764.htm4> accessed 30 November 2013.
29
See e.g. McAfee, ‘McAfee labs threats report: Third Quarter 2013’ <http://www.
mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf> accessed 3 September 2014;
Symantec, ‘Symantec 2013 Internet Security Threats Report’ <http://www.symantec.com/
security_response/publications/threatreport.jsp> accessed 3 September 2014.
30
See e.g. Mark Landler & John Markoff, ‘Digital fears emerge after data siege in Estonia’,
New York Times (29 May 2007) <http://www.nytimes.com/2007/05/29/technology/29estonia.
html?pagewanted=all&_r=0> accessed 30 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
5 / Date: 25/3
JOBNAME: Tsagourias PAGE: 6 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
reacted as a matter of Article 5 of the North Atlantic Treaty.31 NATO, however, rejected
the claim. A NATO official simply said that: ‘This is an operational security issue,
something we’re taking very seriously’. Mr Jaak Aaviksoo, the Estonian Defence
Minister who had raised the matter with NATO, acknowledged that: ‘At present, NATO
does not define cyber-attacks as a clear military action. This means that the provisions
of Article V of the North Atlantic Treaty, or, in other words collective self-defence, will
not automatically be extended to the attacked country’, adding that, ‘Not a single
NATO defence minister would define a cyber-attack as a clear military action at
present’.32 The Russian Federation was suspected of being behind the attack, but it
denied any involvement and there is no conclusive evidence suggesting that it was
actually involved.33
In September 2007, Israel supposedly disabled the Syrian networked air defence
system when its air force penetrated the Syrian air space and bombed a suspected
nuclear site without being engaged or even detected.34
In August 2008, a number of cyber attacks hit Georgia immediately before and
during the Russian occupation of Ossetia. This prevented the Georgian authorities from
keeping information flowing to the national and international media. The Russian
Federation was immediately suspected, but in this case too there is no conclusive
evidence of its actual involvement.35 As is apparent, in both the Syrian case and in the
Georgian case, unlike the Estonian case, cyber attacks preceded and/or accompanied a
conventional attack.
31
Article 5 NATO reads:
The Parties agree that an armed attack against one or more of them in Europe or North
America shall be considered an attack against them all and consequently they agree that, if
such an armed attack occurs, each of them, in exercise of the right of individual or collective
self-defence recognised by Article 51 of the Charter of the United Nations, will assist the
Party or Parties so attacked by taking forthwith, individually and in concert with the other
Parties, such action as it deems necessary, including the use of armed force, to restore and
maintain the security of the North Atlantic area. Any such armed attack and all measures
taken as a result thereof shall immediately be reported to the Security Council. Such
measures shall be terminated when the Security Council has taken the measures necessary to
restore and maintain international peace and security.
32
Ian Traynor, ‘Russia accused of unleashing cyberwar to disable Estonia’, Guardian
(Brussels, 17 May 2007 <http://www.guardian.co.uk/world/2007/may/17/topstories3. russia>
accessed 30 November 2013.
33
Joshua Davis, ‘Hackers take down the most wired country in Europe’, Wired Magazine
(21 August 2007), <http://www.wired.com/politics/security/magazine/15-09/ff_estonia?current
Page=all> accessed 3 September 2014.
34
Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National
Security and What To Do about It (Harper Collins 2010) 1–8.
35
Jon Swaine, ‘Georgia: Russia “conducting cyber war”’, The Telegraph (11 August 2008)
<http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-
cyber-war.html> accessed 2 September 2014; Lesley Swanson, ‘The era of cyber warfare:
Applying international humanitarian law to the 2008 Russian-Georgian Conflict’ (2010) 32
Loyola Los Angeles Int’l. & Comparative L. J. 303; Eneken Tikk et al., Cyber Attacks Against
Georgia: Legal Lessons Identified (CCDCOE 2008) <http://www.carlisle.army.mil/DIME/
documents/Georgia%201%200.pdf> accessed 30 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
6 / Date: 7/5
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Finally, in June 2010 a malware (i.e. a malicious software, a ‘worm’ in this case)
called ‘Stuxnet’ hit approximately 1,000 centrifuges at Iran’s Natanz nuclear enrich-
ment facility, in addition to thousands of other computers elsewhere in the world.
Stuxnet targeted industrial control systems, known as programmable logic controllers
(PLCs), made by Siemens. In this case, Israel and the US were suspected of the
attack,36 but, once again, without any conclusive evidence (although recently there have
been revelations confirming this allegation). Iran also accused the German engineering
firm Siemens of helping Israel and the US launch Stuxnet by providing information
about a Siemens-designed control system (SCADA) used in Iran’s nuclear sites.37
Neither the US and Israel have denied computer experts’ claims that they were behind
the development of Stuxnet. In October 2011, Stuxnet’s successor, Duqu, came to light.
It uses a zero-day exploit to install spyware that records keystrokes and other system
information.38 In the Iranian case the cyber attack, like in the Estonian case, was not
accompanied by a conventional attack; however, unlike in the Estonian case, it was
caused by a malware rather than by a DDoS.
These cases have been differently assessed in legal terms in the literature. For
example, Lucas argues for the justifiability of the Syrian, Georgian, and Stuxnet cases
and the unjustifiability of the Estonian case in the light of the just war doctrine.39
O’Connell denies that all such attacks amounted to the equivalent of an Article 51
‘armed attack’.40 Buchan argues that while Stuxnet did cause damage capable of
establishing a violation of Article 2(4) UN Charter, the Estonia case was one of a
violation of the principle of non-intervention.41 According to Tsagourias neither the
36
William J. Broad, John Markoff & David E Sanger, ‘Israeli test on worm called crucial in
Iran nuclear delay’, New York Times (15 January 2011) <http://www.nytimes.com/2011/01/16/
world/middleeast/16stuxnet.html?pagewanted=all> accessed 30 November 2013; Johnatan
Fildes, ‘Stuxnet work “Targeted high-value Iranian assets”’, BBC News (23 September 2010)
<http://www.bbc.co.uk/news/technology-11388018> accessed 30 November 2013; James Hider,
‘Computer virus used to sabotage Iran’s nuclear plan “built by US and Israel”’, The Australian
(17 January 2011) <http://www.theaustralian.com.au/news/world/computer-virus-used-to-
sabotage-irans-nuclear-plans-built-by-us-and-israel/story-e6frg6so-1225989304785> accessed 30
November 2013.
37
Saeed K. Dehghan, ‘Iran accuses Siemens of helping launch Stuxnet cyber-attack’, The
Guardian (17 April 2011) <http://www.guardian.co.uk/world/2011/apr/17/iran-siemens-stuxnet-
cyber-attack?INTCMP=SRCH> accessed 30 November 2013.
38
Symantec (n 12).
39
George R. Lucas, ‘Permissible preventive cyberwar: Restricting cyber conflict to justified
military targets’ in Luciano Floridi and Mariarosaria Taddeo (eds.), Philosophy of Engineering
and Technology (UNESCO Conference on Ethics and Cyber Warfare, University of Hertford-
shire, 1 July 2011); Randall R. Dupert, ‘The Ethics of cyberwarfare’ (2010) 9 J. of Military
Ethics 384.
40
O’Connell (n 4) 201–2.
41
Russell Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited interventions’
(2012) 17 J. Conflict & Sec. L. 211, 225–6.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
7 / Date: 25/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Estonian nor the Georgian case fell within the definition of armed attack for
self-defence purposes since the disruption they caused was contained and manage-
able.42
42
Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’ (2012)
17 J. Conflict & Sec. L. 229, 232.
43
Stewart A. Baker & Charles J. Dunlap, ‘What is the role of lawyers in cyberwarfare?’,
ABA Journal (1 May 2012) <http://www.abajournal.com/magazine/article/what_is_the_role_of_
lawyers_in_cyberwarfare> accessed 20 June 2012; Stewart A Baker, ‘Denial of service, against
cyberwar with arcane rules and regulations’ Foreign Policy (30 September 2011) <http://
www.foreignpolicy.com/articles/2011/09/30/denial_of_service?hidecomments> accessed 30
November 2013.
44
Matthew C. Waxman, ‘Cyber-attacks and the use of force: Back to the future of Article
2(4)’ (2011) 36 Yale J. of Int’l. L. 421. See previously Mike McConnell, ‘To win the cyber-war,
look to the Cold War’, Washington Post (8 February 2010) B 1 <http://www.washington
post.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html> accessed 30 November
2013; Mike McConnell, ‘How to win the cyber war we are losing’, Washington Post (28
February 2010) <http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR201002
2502493.html> accessed 30 November 2013.
45
Noah Schachtman & Peter Singer, ‘The wrong war: The insistence on applying Cold War
metaphors to cybersecurity is misplaced and counterproductive’ (Brookings, 15 August 2011)
<http://www.brookings.edu/articles/2011/0815_cybersecurity_singer_shachtman.aspx> accessed
30 November 2013; Ryan Singel, ‘White House Cyber Czar: “There is no cyberwar”’, Wired
Magazine (4 March 2010) <http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar>
accessed 30 November 2013.
46
E.g. Marco Roscini, ‘World wide warfare: Jus ad bellum and the use of cyber force’
(2010) 14 Max Planck Ybk. of UN L. 85–130; Schmitt (n 3).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
8 / Date: 25/3
JOBNAME: Tsagourias PAGE: 9 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
jus in bello applies,47 with some authors covering both fields.48 Some scholars
endeavour to stretch existing rules to cyber attacks by assuming that new treaties are
unlikely and perhaps undesirable; while others call for new rules, given the un-
precedented nature of cyber weapons. Most studies come from US scholars49 and often
analogize international law so as to apply it to cyber warfare,50 with few exceptions.51
Most studies accept that cyber attacks may amount to an unlawful ‘use of force’
prohibited by international law as well as to an ‘armed attack’ justifying (conventional
or ‘kinetic’) self-defence and to ‘armed conflict’ capable of triggering the application of
international humanitarian law in cases where substantial damage and destruction are
caused. While many accept that the effects should be ‘comparable’ to those of
conventional attacks and, in particular, should hit ‘critical infrastructure’, different
views have been taken with respect to the threshold which justifies a military response.
Finally, most studies merely hint at the key issues of identification of the attacker and
of legal attribution of the attack to a State.52 The difference if any between ‘cyber
crime’, ‘cyber terrorism’ and ‘cyber war’ remains blurred. Methodology is also rarely
addressed.53
47
Michael Schmitt, ‘Wired warfare, computer network attack and jus in bello’ (2002)
I.R.R.C 365; Knut Dörmann, ‘Applicability of the Additional Protocols to computer network
attacks: An ICRC approach’ in Karin Byström (ed.), International Expert Conference on
Computer Network Attacks and the Applicability of International Humanitarian Law: Proceed-
ing of the Conference (Stockholm: Swedish National Defence College, 17–19 September 2004);
Jenny Döge, ‘Cyber warfare: Challenges for the applicability of the traditional laws of war
regime’ (2010) 48 Archiv des Völkerrechts 486; Michael Schmitt, ‘Cyber operations and the jus
in bello: key issues’ (2011) 41 Israel Ybk on Human Rights 113. See also Part IV of this book.
48
E.g. Michael Schmitt, ‘Computer network attack and the use of force in international
law: Thoughts on a normative framework’ (1999) 37 Colum. J. Transnat’l. L. 885–937; Heather
H. Dinniss, Cyber Warfare and the Laws of War (Cambridge: CUP 2012); Marco Roscini, Cyber
Operations and the Use of Force in International Law (Oxford: OUP, 2014).
49
For a recent, interesting statement by the US Department of State’s the Legal Advisor on
the US position concerning the role of international law in cyberspace, see Harold H. Koh,
‘International Law in Cyberspace’ (U.S. Department of State, USCYBERCOM Inter-Agency
Legal Conference, 18 September 2012) <http://www.state.gov/s/l/releases/remarks/197924.htm>
accessed 25 February 2014.
50
Scott J. Shackelford, ‘From nuclear war to net war: Analogizing cyber attacks in
international law’ (2008) 27 Berkeley J. of Int’l. L. 191–251.
51
O’Connell (n 4) 209, arguing that ‘it is time … to turn to cyber disarmament and a focus
on peaceful protection of the Internet’ against the growing emphasis in the literature on
militarising cyber security.
52
For a succinct discussion on identification and attribution, see Roscini (n 46), 96–102.
53
Dinniss (n 48).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
9 / Date: 7/5
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The term ‘cyber attack’ is perhaps the most commonly used today to describe attacks in
cyberspace, but others are often found in the literature, notably ‘cyber network attack’
(CNA). According to the definition of the US Department of Defense, routinely
accepted as authoritative, a ‘Cyber Network Attack’, is: ‘[a]ctions taken through the use
of computer networks to disrupt, deny, degrade, or destroy information resident in
computers and computer networks, or the computers and networks themselves’.54
NATO adopts this definition, adding that: ‘[a] computer network attack is a type of
cyber attack’.55 What amounts to an ‘attack’ in cyberspace is in fact a complex issue for
a variety of reasons.56
First, not every hostile cyber act is an ‘attack’ for the purposes of justifying a per se
unlawful reaction, let alone a kinetic counter-attack. For example, a DDoS attack is the
result of a huge number of apparently ‘ordinary’ requests for information.57 It is the
number and the intent of the master computer rather than the one of the controlled
computers that make such requests ‘hostile’. The question about how ‘good’ and ‘bad’
requests can rapidly be distinguished is very difficult and generally requires infor-
mation from private-sector Internet Service Providers (ISPs) on their traffic, which is
usually confidential.
Secondly, there is a variety of potentially relevant cyber attacks that produce very
different effects, such as DDoS attacks (as occurred in Estonia and Georgia), malware
(as occurred in Iran), so-called ‘backdoors’ or ‘trapdoors’ (i.e. undocumented ways of
gaining access to a program, online service or an entire computer system for future
intrusion), etc. Unlike conventional and nuclear weapons, cyber attacks may have very
54
US Department of Defense, ‘Dictionary of Military and Associated Terms’ (Joint
Publication 1-02, 8 November 2010, as amended through 15 November 2013) <http://
www.dtic.mil/doctrine/new_pubs/jp1_02.pdf> accessed 30 November 2013.
55
NATO Standardization Agency, ‘NATO Glossary of Terms and Definitions’ (AAP-6,
2013) 2-C-11 <nsa.nato.int/nsa/zPublic/ap/aap6/AAP-6.pdf> accessed 30 November 2013.
56
The term ‘cyber attack’ (CA) is perhaps the most commonly used, but others are often
found in the literature, in particular Cyber Network Attack (CNA). In the past, Information
Warfare (IW) was also used. Other terms, referring to particular operations in the Net, include
Information Operation (IO), Cyber Network Exploitation (CNE) and Cyber Network Operation
(CNO). See Roscini (n 46) 91–3; Garry D. Brown and Owen W. Tullos, ‘On the spectrum of
cyberspace operations’, Small Wars J. (11 December 2012) <http://smallwarsjournal.com/print/
13595> accessed 30 November 2013. For sake of brevity I will refer to ‘cyber attack’ hereinafter.
For a general overview, see Michael Schmitt, ‘“Attack” as a term of art in international law: The
cyber operations context’ in Christian Czosseck, Rain Ottis & Katharina Ziolkowski (eds.),
Proceedings of the 4th International Conference on Cyber Conflict (CCDCOE 2012) 283–93,
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2184833> accessed 30 November 2013.
57
Hakem Beitollahi & Geert Deconinck, ‘A dependable architecture to mitigate distributed
denial of service attacks on network-based control systems’ (2012) 4 Int’l. J. of Critical
Infrastructure Protection (2012) 107–23.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
10 / Date: 25/3
JOBNAME: Tsagourias PAGE: 11 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
diverse effects, which may or may not cause destruction, so they cannot be treated as a
single homogenous category. For example, a DDoS attack may hit only one single State
(as occurred in Estonia), whereas a malware may propagate thorough the global net (as
occurred with Stuxnet).
Finally, the difference between a ‘cyber attack’ amounting to an ‘armed attack’
(which could possibly justify a military response in self-defence) and ‘cyber crime’58
(which would be treated as an ordinary crime falling within the criminal jurisdiction of
one or more states) is often unclear.
However, not any ‘use of force’ is an armed attack for self-defence purposes.65 Under
Article 51 only an ‘armed attack’ justifies self-defence,66 but the term ‘armed attack’ is
58
See Kastner & Mégret (Ch 9 of this book).
59
See Roscini (Ch 11 of this book).
60
See e.g. Yoram Dinstein, ‘Computer network attacks and self-defense’ (2001) 76 Int’l. L.
Stud. 99, 103.
61
Christopher Joyner & Catherine Lotrionte, ‘Information warfare as international co-
ercion: Elements of a legal framework’ (2001) 12 E.J.I.L. (2001) 825, 855.
62
Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep.
226, para. 39.
63
Roscini (n 46) 106.
64
Ibid. 111–13.
65
Waxman (n 44) 421.
66
Oil Platforms (Islamic Republic of Iran v United States) (Judgment of 6 November 2003)
[2003] ICJ Rep. 161 para. 51.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
not defined by Article 51 or any other treaty rule.67 While the term was probably
considered ‘self-evident’ in 1945,68 in the Nicaragua case the ICJ noted that ‘there
appears now to be general agreement on the nature of the acts which can be treated as
constituting armed attacks’.69 Famously, the Court has distinguished ‘the most grave
forms of the use of force from other less grave forms’,70 holding that there are
‘measures which do not constitute an armed attack but may nevertheless involve a use
of force’. In the Court’s view the supply of weapons and logistical support to rebels or
‘a mere frontier incident’ do not qualify as armed attacks under Article 51, although
they are unlawful uses of force under Article 2(4).71 In any event self-defence is
permitted only when the armed attack exhibit certain ‘scale and effects’.72 By such
standard, a cyber attack will constitute an ‘armed attack’ under Article 51 if its scale
and effects meet the threshold corresponding to the ‘most grave’ forms of the ‘use of
force’.73 The Institut de Droit International endorsed this view in its Santiago
Resolution of 2007 on self-defence.74
67
Nicaragua Case (Merits) (n 1) para. 176 (‘a definition of the “armed attack” which, if
found to exist, authorizes the exercise of the “inherent right” of self-defence, is not provided in
the Charter, and is not part of treaty law’).
68
Ian Brownlie, International Law and the Use of Force by States (Clarendon Press 1963)
278.
69
Nicaragua Case (Merits) (n 1) para. 195.
70
Ibid. paras 191, 210; Oil Platforms (n 66) paras 161, 186–187.
71
Nicaragua Case (Merits) (n 1) para. 195.
72
Ibid. paras 191 and 195. For a comment on the terms ‘scale’ and ‘effects’ see Avra
Constantinou, The Right of Self-Defence under Customary International Law and Article 51 of
the UN Charter (Sakkoulas 2000) 63–4.
73
The Legal Advisor U.S. Department of State, Koh (n 49) has recently stated in the
specific context of cyber attacks that:
the United States has for a long time taken the position that the inherent right of self-defense
potentially applies against any illegal use of force. In our view, there is no threshold for a use
of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that
is not to say that any illegal use of force triggers the right to use any and all force in response
– such responses must still be necessary and of course proportionate.
However, the position of one state is irrelevant to general international law: see e.g. the 2006
Jones judgment by the UK House of Lords [2006] UKHL 26, para. 22 (‘one swallow does not
make a rule of international law’ per Lord Bingham of Cornhill), and the 2012 Jurisdictional
Immunities of the State judgment by the ICJ ([2012] ICJ Rep. 99 paras 83 and 88, both
criticizing the (only) Italian jurisprudence favouring a ‘humanitarian exception’ to the jurisdic-
tional immunity of foreign states accused of serious violations of human rights.
74
Institut de Droit International, ‘Present Problems of the Use of Armed Force in
International Law. A. Self-defence’ (10A Resolution, Session de Santiago, 27 October 2007)
para. 5 http://www.idi-iil.org/idiE/resolutionsE/2007_san_02_en.pdf.
An armed attack triggering the right of self-defence must be of a certain degree of gravity.
Acts involving the use of force of lesser intensity may give rise to countermeasures in
conformity with international law. In case of an attack of lesser intensity the target State may
also take strictly necessary police measures to repel the attack. It is understood that the
Security Council may take [effective measures necessary to maintain or restore international
peace and security].
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
12 / Date: 25/3
JOBNAME: Tsagourias PAGE: 13 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
While the term ‘use of force’ in Article 2(4) is generally meant to include non-kinetic
action, the term ‘armed’ in Article 51 may be understood as to imply the use of
weapons. However, as hinted earlier, in the 1996 Nuclear Weapons Advisory Opinion
the ICJ stated that Article 2(4), Article 51 and Article 42 UN Charter ‘do not refer to
specific weapons’ and hence ‘apply to any use of force, regardless of the weapons
employed’. According to the Court ‘[t]he Charter neither expressly prohibits, nor
permits, the use of any specific weapon, including nuclear weapons’.75
The question then arises as to when a cyber attack amounts to an ‘armed attack’ and
justifies self-defence. Cyber attacks conducted as part of an overall ‘classic’ military
kinetic operation, such as attacks against enemy command and control or air defence
systems, are subject to the international law rules (concerning the recourse to force and
international humanitarian law) applicable to kinetic armed attacks.76 As for standalone
cyber attacks, many commentators agree that here again the effect- and target-based
approaches to the interpretation of Article 51 should be adopted, although setting the
bar higher: a cyber attack is held to amount to an ‘armed attack’ when it causes death
or injury to persons or damage to property similar in scale and effects to kinetic
attacks,77 which may easily occur when the ‘critical infrastructure’ of the State (or other
political entity such as the EU) is hit,78 such as the shutdown of computers controlling
waterworks and dams leading to the flooding of inhabited areas.79 Rule 13 of the
Tallinn Manual adopts this approach.80 Other kinds of attacks may not reach the
threshold. It has been suggested, for example, that the mere destruction or damage of
data, standing alone, would not suffice since, otherwise, the vast majority of cyber
attacks would qualify as armed attacks and justify self-defence.81 Moreover, an
intention-based approach seems to have only a secondary relevance, what counts being
objective effects, even on a third State which is not the intended target of the attack.82
In Oil Platforms the ICJ specified that an armed attack has to be carried out ‘with the
specific intention of harming’, although it is unclear whether the Court meant a general
requirement for self-defence or merely referred to the instant case. Since cyber attacks
may well hit third States, the Court’s position seems to imply that States other than the
intended target State may not respond in self-defence.83
Whether customary international law, in addition to Article 51 UN Charter, permits
self-defence against cyber attacks is controversial. The question arises because inter-
national customary law still applies ‘separately from international treaty law’.84 Some
75
See Legality of the Threat or Use of Nuclear Weapons (n 62).
76
Schmitt (n 3) 588.
77
For a number of hypothetical examples, see ibid; Dinstein (n 60).
78
For the view that ‘a cyber attack on critical state infrastructure which paralyses or
massively disrupts the apparatus of the State should be equated to an armed attack, even if it
does not cause any immediate human injury or material damage’ see Tsagourias (n 42) 231.
79
Dinstein (n 60) 105; Yoram Dinstein, War, Aggression and Self-Defence (5th edn, CUP
2011) 212 para. 559.
80
Schmitt (n 18) rule 13.
81
Schmitt (n 3) 589.
82
Ibid. 590.
83
Oil Platforms (n 66) para. 64.
84
Nicaragua Case (Merits) (n 1) para. 179.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
13 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
scholars have answered the questions negatively.85 Others have countered that even in
the absence of actual practice usus is made up also of ‘verbal acts’ and ‘is more a
qualitative than a quantitative criterion’, and in any event several States and, to use the
ICJ’s language’,86 ‘specially affected’ non-State entities (for example NATO) have
taken a stance in favour of the right to self-defence against cyber attacks and triggered
a process, which is ongoing, which may lead ‘in the forthcoming years’ to the
formation of a customary rule.87 The issue is, however, of little practical relevance
since virtually all States are parties to the UN Charter and, as a specific consequence in
relation to self-defence, it is difficult to imagine a real ‘gap’ between Article 51 and
customary international law. A reaction by a non-State entity not being a party to the
UN Charter, such as NATO, would very likely be seen as a reaction of its Member
States in the form of collective self-defence under Article 5 of the NATO Treaty.88
The notion of ‘critical infrastructure’ is relatively novel and difficult to define.90 It has
to do, inter alia, with ‘national security’ but not any threat to the national security of a
State justifies a response in self-defence and the notion of ‘national security’ itself is
unclear.91 Moreover, the notion of ‘critical infrastructure’ varies in time and space. It
also depends on the very process of State informationalization since what was not seen
as ‘critical’ in the past or under other circumstances may become ‘critical’ as a result of
the State informationalization process itself.92 To complicate matters, in most States
critical infrastructures are often owned by the private sector.93
Broadly speaking, critical infrastructure is defined as the assets that are essential for
the functioning of a society and economy, notably for the supply of essential services.
85
See e.g. Schmitt (n 48) 921 (‘Neither practice, nor opinio juris, is in evidence’);
Shackelford (n 50) 219 (‘it is yet impossible as a matter of customary international law to argue
that IW is illegal, especially given that state practice routinely shows otherwise’).
86
North Sea Continental Shelf (Federal Republic of Germany v Denmark and Federal
Republic of Germany v Netherlands) (Merits) (Judgment of 20 February 1969) [1969] ICJ Rep
4 para. 73.
87
Roscini (n 46) 123–30.
88
See (n 31).
89
See also Roscini (Ch 11 of this book).
90
Eric T. Jensen, ‘Computer attacks on critical national infrastructure: A use of force
invoking the right to self-defense’ (2002) 38 Stanford J. of Int’l. L. 207.
91
Theodore Christakis, ‘L’Etat avant le droit? L’exception de “sécurité nationale” en droit
international’ (2008) 112 R.G.D.I.P. 5, 8–16.
92
UNGA Res 58/199 (23 December 2003) UN Doc A/RES/58/199 recognizes that ‘each
country will determine its own critical information infrastructures’ defined as ‘such as those used
for, inter alia, the generation, transmission and distribution of energy, air and maritime transport,
banking and financial services, e-commerce, water supply, food distribution and public health –
and the critical information infrastructures that increasingly interconnect and affect their
operations’; see also UNGA Res 64/211 (21 December 2009) on the ‘Creation of a global
culture of cybersecurity and taking stock of national efforts to protect critical information
infrastructures’.
93
Roscini (n 46) 118.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
It refers to such infrastructures as power plants, water systems, dams, gas pipelines,
chemical plants and reactors, transports (airlines, ferries, railways, highways, etc,),
energy networks for production, transport and distribution (such as gas pipelines, gas
storage facilities, electric trunks, electric transformers, energy generation plants and
fuel distribution), financial and bank networks, water and food distribution, ICT
networks such as Internet (both its physical and virtual infrastructure), radio, TV
networks, cabled broadcast and satellite communications, the health system, govern-
ment and military networks and emergency networks.
For example, EU Council Directive 2008/114/EC of 8 December 200894 establishes a
procedure for the identification and designation of European critical infrastructures
(‘ECIs’) and a common approach to the assessment of the need to improve their
protection (Art 1), defines ‘critical infrastructure’ as ‘an asset, system or part thereof
located in Member States which is essential for the maintenance of vital societal
functions, health, safety, security, economic or social well-being of people, and the
disruption or destruction of which would have a significant impact in a Member State
as a result of the failure to maintain those functions’ (Art 2(a)). This definition has
recently been reiterated in Directive 2013/40/EU of the European Parliament and of the
Council of 12 August 2013 on attacks against information systems.95
The US ‘Patriot Act of 2001’ defined critical infrastructure as those ‘systems and
assets, whether physical or virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating impact on security,
national economic security, national public health or safety, or any combination of
those matters’.96 It has been suggested that a cyber attack against a State’s military
assets and capability amounts to an armed attack for self-defence purposes97 and that:
cyber attacks on the controlling information technology for a nation’s infrastructure that had
a significant impact on the functioning of that infrastructure (whether or not it caused
immediate large-scale death or destruction of property)would be an armed attack for Article
51 purposes, just as would a kinetic attack that somehow managed to shut down the system
without such immediate secondary effects.98
94
Council Directive 2008/114/EC of 8 December 2008 on the identification and designa-
tion of European critical infrastructures and the assessment of the need to improve their
protection [2008] OJ L 345/75).
95
Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013
on attacks against information systems and replacing Council Framework Decision 2005/222/
JHA [2013] OJ L 218/8.
96
Section 1016 (e) of Public Law 107-56 of 26 October 2001, ‘The Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001’ commonly known as the ‘USA Patriot Act’ <http://epic.org/privacy/
terrorism/hr3162.pdf> accessed 30 November 2013.
97
Herbert S. Lin, Kenneth W. Dam & William A. Owens (eds.), Technology, Policy, Law
and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies
Press 2009) 245 (‘cyber attacks that compromise the ability of units of the DOD to perform the
DOD’s mission might well be regarded as an armed attack, and indeed STRATCOM has the
authority to conduct response actions to neutralize such threats’).
98
Ibid. 254.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
15 / Date: 25/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Others have replied that much depends on the effects of the attack and the military
character of the target is hardly relevant;99 moreover, although this may be the case in
State practice, it is not law as it stands.100 The same definition has been used by
Executive Order No 13636 of 12 February 2013, ‘Improving Critical Infrastructure
Cybersecurity’.101
Unsurprisingly NATO has also considered its own ‘contribution to meet security
challenges to critical infrastructure’, assuming that ‘[t]he impact of attacks against
critical infrastructure can be devastating to the livelihoods of modern societies’ and
‘[t]he increasing reliance on complex and networked technology and access to global
markets make our societies highly vulnerable to disruptions’.102
6. ANTICIPATORY SELF-DEFENCE103
Is anticipatory self-defence permitted against a mere threat of cyber attack or against an
attack which does not reach the threshold of an ‘armed attack’? The question is highly
debated and the ICJ abstained from pronouncing on it in the Nicaragua Case.104 In
Armed Activities in Congo the Court opined that ‘Article 51 of the Charter may justify
a use of force in self-defence only within the strict confines there laid down’ and ‘does
not allow the use of force by a State to protect perceived security interests beyond these
parameters’.105 A few States accept that anticipatory self-defence is permitted, arguing
that technological advances in weapons make anticipatory self-defence a matter of
necessity, whatever the language of Article 51. Most States, however, seem to take the
opposite stand, believing that a broad notion of anticipatory self-defence based on
remote attacks shades off into a justification of aggression, which is unquestionably
prohibited. In its 2007 Resolution on self-defence the Institut de Droit International
99
Schmitt (n 3) 589.
100
Ibid. 604.
101
White House, ‘Improving Critical Infrastructure Cybersecurity’ (Executive Order No
13636 of 12 February 2013) <http://www.whitehouse.gov/the-press-office/2013/02/12/executive-
order-improving-critical-infrastructure-cybersecurity> accessed 25 February 2014.
102
See NATO Emerging Security Challenges Division ‘The World in 2020 – Can NATO
Protect Us? The Challenges to Critical Infrastructure’ (Conference Report 10 December 2012,
Brussels) <http://natolibguides.info/ld.php?content_id=1675627> accessed 3 September 2014.
103
The terminology on self-defence against ‘threats’ rather than (ongoing or already
occurred) attacks is anything but univocal. Different terms are often used and even identical
terms may have different meanings in different authors and in international practice depending,
inter alia, on the nature, level or imminence of the threat. In this chapter the term ‘anticipatory
self-defence’ is used as an umbrella term whereas other terms, such as ‘pre-emptive’ ‘preventive’
and ‘interceptive’ self-defence, will be referred to below with the meanings attached to them by
specific authors or in specific contexts.
104
Nicaragua Case (Merits) (n 1) para. 194 (‘reliance is placed by the Parties only on the
right of self-defence in the case of an armed attack which has already occurred, and the issue of
the lawfulness of a response to the imminent threat of armed attack has not been raised.
Accordingly the Court expresses no view on that issue’).
105
Armed Activities on the Territory of the Democratic Republic of the Congo v Uganda
(Judgment) [2005] ICJ Rep. 168 paras 143 and 148.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
16 / Date: 25/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
stated that: ‘The right of self-defence arises for the target State in case of an actual or
manifestly imminent armed attack’, there being ‘no basis in international law for the
doctrines of “preventive” self-defence in the absence of an actual or manifestly
imminent armed attack’.106 The Institut thus seems to accept anticipatory self-defence
in case it is necessary to face a ‘manifestly imminent’ – hence, impliedly, not merely
hypothetical or remote – armed attack. This is a reasonable position and is shared by
the UN legal doctrine,107 although the Non-Aligned Movement (NAM) appears firmly
against any form of anticipatory self-defence.108
Article 51, when read literally, seems to require that an attack is underway. As is well
known, the literature is divided. Some argue that self-defence is permitted faced with
an ‘imminent’ threat, relying on US Secretary of State Webster’s famous statement of
1841 in Caroline, which was affirmed by the Nuremberg Tribunal,109 whereby the
necessity for self-defence must be ‘instant, overwhelming, leaving no choice of means,
and no moment of deliberation’.110 Others argue that Article 51 prohibits anticipatory
self-defence.111 Still others have introduced a middle-path notion of ‘interceptive’
self-defence, i.e. a reaction to an attack already launched and about to strike the target
even if the target has not yet been hit.112 The 2002 ‘Bush Doctrine’, reaffirmed by the
US in its ‘2006 National Security Strategy’, admitted anticipatory self-defence in very
broad terms, i.e. even when the threat is not imminent but possible or merely
prospective and linked it with the military reaction to the ‘war on terror’.113 The 2010
National Security Strategy by US President Obama does not mention pre-emption
although it does not reject it either and reserves the right of the US to act unilaterally
if necessary.114
In the 1996 Nuclear Weapons Advisory Opinion the ICJ, noting ‘the fundamental
right of every State to survival, and thus its right to resort to self-defence, in accordance
106
Institut de Droit International (n 74) paras 3 and 6.
107
For example, in its 2004 ‘a more secure world: Our shared responsibility’ Report the
UN-mandated High-Level Panel on Threats, Challenges and Change distinguished between
lawful ‘pre-emptive’ self-defence when the attack is imminent, and unlawful (unless authorized
by the Security Council) ‘preventive’ self-defence when the alleged attack is too remote (UN
Doc A/59/565 paras 188–192). This opinion has apparently been endorsed by the UN
Secretary-General in his ‘In larger freedom: Towards development, security and human rights
forall’ (Report, 21 March 2005) UN Doc A/59/2005 para. 124.
108
UNGA, ‘NAM Comments on the High-level Panel Report’ (28 February 2005) UN Doc
A/59/PV, 43 <http://www.un.int/malaysia/NAM/Positionpaper280205.doc> accessed 25 Febru-
ary 2014.
109
Trial of the Major War Criminals (Judgment) [1946] (1947) 41 A.J.I.L. 172, 205.
110
John B. Moore, A Digest of International Law (Government Printing Office 1906) vol 2,
409–10.
111
E.g. according to Christine D. Gray, International Law and the Use of Force (3rd edn.,
OUP 2008) 165 and 213 (‘[t]here is very little international support for this [Bush] doctrine of
pre-emptive self-defence’).
112
Dinstein (n 79) 203–5.
113
See Christine D. Gray, ‘The Bush doctrine revisited: The 2006 National Security Strategy
of the USA’ (2006) 5 Chinese J. of Int’l. L. 555.
114
White House, ‘National Security Strategy’ (May 2010) <http://www.whitehouse.gov/
sites/default/files/rss_viewer/national_security_strategy.pdf> accessed 3 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
17 / Date: 25/3
JOBNAME: Tsagourias PAGE: 18 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
with Article 51 of the Charter, when its survival is at stake’, observed that ‘it cannot
reach a definitive conclusion as to the legality or illegality of the use of nuclear
weapons by a State in an extreme circumstance of self-defence, in which its very
survival would be at stake’.115 It is a fact, however, that Article 51 refers to the
condition that ‘an armed attack occurs’ and it is the provision thus formulated that
binds Member States. The term ‘inherent’, far from indicating that Article 51 resumed
the pre-Charter rule on permissibility of anticipatory self-defence,116 simply seems to
take note that self-defence reflects the universal principle vim vi repellere licet. In the
1981 Osirak incident, many States condemned anticipatory self-defence,117 and they
have eventually continued to do so on other occasions. In the 2004 report A More
Secure World the UN-mandated High-Level Panel distinguished between lawful ‘pre-
emptive’ self-defence when the attack is imminent, and unlawful (unless authorized by
the Security Council) ‘preventive’ self-defence when the alleged attack is too remote,118
an opinion which has apparently been endorsed by the UN Secretary-General119 but
opposed by the Non-Aligned Movement (NAM).120
Article 51 and its expression ‘if an armed attack occurs’ remain, even under the
terms of the ICJ Nuclear Weapon Opinion, the basic parameter. On balance, it seems
that the international community does not accept anticipatory self-defence as a general
rule, but could see it as a justification on a case-by-case basis. The general rule is thus
that anticipatory self-defence is prohibited and that its permissibility depends on the
reaction of the international community as a whole in each case. Any attempt to
articulate the law further goes too far. Thus understood, anticipatory self-defence is not
permitted under Article 51, which has to be read literally, and rather overlaps with the
State of necessity in general international law as a justification for an otherwise
unlawful use of force.121 Not surprisingly preventive self-defence was permitted and
closely linked to self-preservation in the nineteenth century when recourse to force in
general was, unlike today, permitted. It may be condoned ex post by the international
community on a case-by-case basis if the threat to the State proves well-founded on the
basis of the knowledge and inferences which can be drawn at the moment of
115
Legality of the Threat or Use of Nuclear Weapons (n 62) para. 97.
116
D W. Bowett, Self-Defense in International Law (Praeger 1958) 188–92. Against this
view see Brownlie (n 68) 428–36.
117
UN Doc SCOR, 36th year, 2280th-2283rd, 2286th and 2288th meetings, and UNSC Res
487 (1981) (19 June 1981) adopted unanimously, condemning the attack.
118
UNGA, ‘Note by the Secretary-General’ (2 December 2004, A more secure world: Our
shared responsibility, Report of the High-Level Panel on Threats, Challenges and Change) UN
Doc A/59/565 paras 188–192.
119
UNSG, ‘In Larger Freedom (n 107) para 124.
120
‘Comments of the Non-Aligned Movement on the observations and recommendations
contained in the Report of the High-Level Panel on Threats, Challenges and Change’ (28
February 2005) UN Doc A/59/PV 14–15 <http://www.un.int/malaysia/NAM/Positionpaper
280205.doc> accessed 30 November 2013.
121
Cf. Article 25 UN ‘Draft Articles on Responsibility of States for Internationally Wrongful
Acts, with Commentaries’ (2001) GAOR 56th Session Supp. 10, 43. For some further
observations on the point see Carlo Focarelli, International Law as Social Construct: The
Struggle for Global Justice (OUP 2012) 367–8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
18 / Date: 7/5
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
122
See Dinstein (n 79).
123
Schmitt (n 48), 932–3.
124
Schmitt (n 3) 592–3.
125
Schmitt (n 48) 932–3.
126
Nicaragua Case (Merits) (n 1) para. 194.
127
Oil Platforms (n 66) paras 161, 183, 196–198.
128
Schmitt (n 18) rule 14.
129
In principle ‘passive’ cyber defences such as firewalls and antivirus software, which
merely block attacks are internationally lawful acts, although they may amount to a violation of
an international law rule other than that prohibiting the use of force.
130
Schmitt (n 3) 586.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
19 / Date: 25/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
that such defences are insufficient to attain the aim of self-defence. For example, the
2020 NATO report states that ‘Over time, NATO should plan to mount a fully adequate
array of cyber defence capabilities, including passive and active elements’.131 It is
worth noting that necessity applies to both kinetic and cyber counter-attacks in
self-defence. In particular, cyber self-defence causing harm similar to kinetic (forceful)
self-defence is permitted only when lesser cyber counter-attacks reasonably capable of
repelling the attack (or deterring an imminent attack if anticipatory defence is accepted)
are unavailable.
Proportionality requires that, once force is deemed to be necessary, the amount of
force used does not exceed what is sufficient to repel or, if anticipatory self-defence is
accepted, to deter the threat of attack. A few States and some commentators have relied
on the ‘accumulation of events’ or ‘pin prick’ doctrine of armed attack so as to justify
an otherwise disproportionate response. In the Nicaragua Case the ICJ seems not to
dismiss this doctrine,132 but avoided explicitly discussing the point in subsequent cases
either.133 It is worth noting that, just like necessity, proportionality applies to both
kinetic and cyber counter-attacks in self-defence. Cyber self-defence causing harm
similar to kinetic (forceful) self-defence is thus permitted only when a smaller amount
of force is insufficient to repel the attack (or to deter an imminent attack). Of course,
cyber self-defence may prove inherently inadequate so that recourse to kinetic
self-defence is not only necessary but also proportionate, provided it is scaled to the
purpose of repelling or, if anticipatory self-defence is accepted, deterring the threat of
attack. It is often believed that a response in kind is inherently proportionate but this
depends on the notion of proportion accepted: e.g., if proportion refers to the harm
suffered it may well be that the same action causes very different levels of harm in
different states.134 As a result proportionality applies also to reactions in kind. The
131
NATO Emerging Security Challenges Division (n 102) 45.
132
Nicaragua Case (Merits) (n 1) para. 231.
133
Gray (n 113) 155–6; Dinstein (n 79) 206–7 and 255.
134
See e.g. Dapo Akande & Thomas Liefländer, ‘Clarifying necessity, imminence, and
proportionality in the law of self-defense’ (2013) 107 A.J.I.L. 563, 566–8, distinguishing three
conceptions of proportionality ‘each ha[ving] different implications’ (no more force than
necessary, commensurability with the attack or the threatened attack, damage inflicted propor-
tionate to the pursued objective). It is worth noting that similar problems exist with non-forcible
countermeasures. In the 1978 Air Services Award the Arbitral Tribunal articulated the condition
of proportionality by observing that countermeasures must have ‘some degree of equivalence
with the alleged breach’ this being ‘a well-known rule’ which both Parties had recognized and
invoked in the instant case; however, in the Tribunal’s view, ‘judging the “proportionality” of
countermeasures is not an easy task and can at best be accomplished by approximation’ taking
into account ‘not only the injuries suffered by the companies concerned but also the importance
of the questions of principle arising from the alleged breach’ (cf. Case concerning the Air
Service Agreement of 27 March 1946 between the United States and France (Award) [1978] 18
Reports of International Arbitral Awards 417 para. 83). What was meant by ‘questions of
principle’ is unclear; still, the Tribunal’s view was unquestionably that damages alone were
inadequate for an accurate assessment of proportionality. See further on this Focarelli (n 121)
351–2.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
20 / Date: 25/3
JOBNAME: Tsagourias PAGE: 21 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
8. COLLECTIVE SELF-DEFENCE
Article 51 permits collective self-defence in addition to individual self-defence, i.e.
armed action against an armed attack by a State other than the attacked State. The
possibility of collective self-defence may be stipulated in a military alliance treaty, as is
the case with Article 5 of the NATO Treaty,137 or more generally in bilateral and
multilateral mutual assistance treaties. However, as the 2020 NATO report pointed out,
‘there may well be doubts about whether an unconventional danger – such as a cyber
attack or evidence that terrorists are planning a strike – triggers the collective defence
mechanisms of Article 5’.138 And yet ‘the risk of a large-scale attack on NATO’s
command and control systems or energy grids could readily warrant consultations
under Article 4 and could possibly lead to collective defence measures under Article
5’.139 Rule 16 of the Tallinn Manual adopts this approach.140
Self-defence in general, including collective self-defence, may be resorted to
unilaterally, without any authorization of the Security Council, although it must cease if
and when the Council takes action. However, it is permitted only – in addition to the
requirements of necessity, proportionality and immediacy – on the basis of a request by
(and hence with and within the consent of) the attacked State, as the ICJ specified in
the Nicaragua Case141 and in Oil Platforms.142 In other words, it is not for third States
to determine whether another State has been the victim of an armed attack. Should the
response not conform to such a requirement, the counter-attack by a third State is an
unlawful use of force.
Cyber attacks may easily spread through networks and it may be difficult to identify
the ‘attacked’ State which has the right to consent to a counter-attack. Many States may
well be considered attacked and entitled to react in individual self-defence. It is also
necessary that all Member States of a mutual assistance treaty agree on considering a
certain cyber attack as an attack justifying collective reaction. Moreover, treaty
135
Roscini (n 46) 120.
136
Schmitt (n 18) rule 15.
137
See (n 31).
138
‘NATO 2020: Assured Security, Dynamic Engagement. Analysis and Recommendations
of the Group of Experts on a New Strategic Concept for NATO’ (17 May 2010) 20
<www.nato.int/strategic-concept/expertsreport.pdf> accessed 30 November 2013.
139
Ibid. 45.
140
Schmitt (n 18) rule 13.
141
Nicaragua Case (Merits) (n 1) para. 199.
142
Oil Platforms (n 66) para. 188.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
21 / Date: 7/5
JOBNAME: Tsagourias PAGE: 22 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
provisions on collective self-defence generally entitle all Member States to react but do
not provide an obligation to do so and it is therefore reasonable to expect that they take
part in the collective response only when it fits with their national interest. For instance,
in the case of Estonia NATO Member States were very slow to agree on responding in
self-defence.143
143
Schmitt (n 3) 598.
144
Noam Lubell, Extraterritorial Use of Force against Non-state Actors (OUP, 2010);
Theresa Reinold, ‘State weakness, irregular warfare, and the right to self-defense post-9/11’
(2011) 105 A.J.I.L. 244.
145
Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory
(Advisory Opinion) [2004] ICJ Rep. 136 para. 139; Armed Activities on the Territory of the
Democratic Republic of the Congo v Uganda (n 105) para. 160.
146
Legal Consequences of the Construction of a Wall (n 145) para. 139.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
22 / Date: 25/3
JOBNAME: Tsagourias PAGE: 23 SESS: 8 OUTPUT: Mon May 18 10:36:31 2015
launched.147 There is in legal doctrine some support for self-defence against non-State
actors accompanied by a trend by its advocates to regard its critics (as well as the ICJ’s
jurisprudence on the matter) as ‘conservative’.148 Another similar trend consists in
admitting self-defence against non-State actors as a corollary of the responsibility to
protect doctrine specifically understood as a ‘duty to prevent’.149 In its 2007 Resolution
on self-defence the Institut de Droit International stated that ‘Article 51 of the Charter
as supplemented by customary international law applies as a matter of principle’ and
provided only ‘some preliminary responses to the complex problems’ arising out of the
matter, concluding that ‘The State from which the armed attack by non-State actors is
launched has the obligation to cooperate with the target State’.150
The debate raged when in Resolution 1368 (2001) and in Resolution 1373 (2001) the
UN Security Council affirmed the inherent right to self-defence without specifying
whether the source of the armed attack had to be a State, apparently suggesting that the
attribution requirement and the concomitant acceptance of the concept of a ‘private’
armed attack could be abandoned.151 There are clear signs of possible abuse and likely
divergence of views among States. For example, according to the Russian Federation,
Resolution 1373 (2001) also covers Chechen rebels and justifies self-defence against
States (such as Georgia) from the territory of which they launch their attacks.152 Not
surprisingly, the Russian appeal to the doctrine of self-defence against non-State actors
was immediately opposed by one of its stronger advocates, the US, each, of course,
147
Cf UN Doc S/PV.5489 of 14 July 2006 and S/PV.5492 of 20 July 2006. See Gray (n 111)
241–4; more generally, see Jörg Kammerhofer, ‘The armed activities case and non-state actors in
self-defence law’ (2007) 20 L.J.I.L. 89.
148
Reinold (n 144) 245, 260, 262 and 285.
149
Lee Feinstein & Anne-Marie Slaughter, ‘A duty to prevent’ (2004) 83 Foreign Affairs
136. See generally Carlo Focarelli, ‘Ahead to the past? Responsibility to protect and the global
system’ (2012) 1 Gro. J. Int’l. L. 1 <grojil.org/0-focarelli.pdf> accessed 30 November 2013.
C. Focarelli, Responsibility to Protect in the Global System, in Peter Hilpold (ed.), Responsibility
to Protect (R2P): A New Paradigm of International Law? (Leiden and Boston: Brill/Nijhoff,
2015), pp. 417–438.
150
Institut de Droit International (n 74) para. 10.
151
See e.g. Thomas M Franck, ‘Terrorism and the right of self-defense’ (2001) 95 A.J.I.L.
839, 840; Christopher Greenwood, ‘International law and the pre-emptive use of force:
Afghanistan, Al-Qaida, and Iraq’ (2003) 4 San Diego Int’l. L. J. 7, 17.
152
The Russian Federation accused Georgia of failure to comply with UNSC Res 1373 (28
September 2001) UN Doc S/RES/1373, pointing out that such failure justified self-defence under
art 51 UN Charter. According to Russia:
If the Georgian leadership is unable to establish a security zone in the area of the
Georgian-Russian border, continues to ignore UNSC Res 1373 (28 September 2001) and does
not put an end to the bandit sorties and attacks on adjoining areas in the Russian Federation,
we reserve the right to act in accordance with Article 51 of the Charter of the United Nations.
Cf. Statement by Russian Federation President Vladimir Putin, ‘Annex to Letter dated 11
September 2002 from the Permanent Representative of the Russian Federation to the United
Nations Addressed to the Secretary-General’ UN Doc S/2002/1012, 2–3.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
23 / Date: 7/5
JOBNAME: Tsagourias PAGE: 24 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
being concerned with their own private ‘enemies’.153 In fact, cross-border military
incursions against alleged terrorists operating in neighbouring States are generally
condemned assuming that the crimes committed by the targeted individuals and groups
fall within the law enforcement paradigm and do not justify self-defence against the
territorial State. For example, a Colombian raid against the FARC in the territory of
Ecuador, in 2008, was condemned in the OAS Permanent Council by Resolution 930
(2008).154 Furthermore, the definition of the crime of aggression adopted at the 2010
Review Conference of the ICC Statute of Kampala does not mention the harbouring of
irregular forces. It only includes, by mirroring UN General Assembly Resolution 3314
(XXIX) of 14 December 1974 and in line with the ICJ Nicaragua Case Judgment, the
active sending of armed bands by, or on behalf of, a State to carry out acts of armed
force against another State.155
Furthermore, attribution is very relevant here. In theory, a ‘non-State’ actor is by
definition an entity which acts privately with no connection at all with a State.156
However, ‘sponsorship’ by a State is frequently invoked as a characteristic of
‘self-defence against non-State actors’. On attribution, and more precisely on ‘control’
as an attribution criterion, it is well known that the ICJ and the ILC on the one hand,
and the ICYT on the other, has taken different views albeit in different legal
contexts.157 Attribution may actually take several different forms and degrees of State
involvement, such as tolerance, causality, complicity, etc.158 This ambiguity tends to
153
Steven L. Myers, ‘Echoing Bush, Putin asks U.N. to back Georgia attack’, New York
Times (12 September 2002) A9; ‘US warns Russia over Georgia strike’ BBC News (13
September 2002) <http://news.bbc.co.uk/2/hi/world/europe/2254959.stm> accessed 30 Novem-
ber 2013.
154
OAS Permanent Council Res. 930 of 6 March 2008 <http://www.oas.org/consejo/
resolutions/res930.asp> accessed 30 November 2013.
155
ICC Res RC/Res 6 (11 June 2010) annex I, art 8bis (1) and (2) <http://www.icc-cpi.int/
iccdocs/asp_docs/Resolutions/RC-Res.6-ENG.pdf>. See also Kai Ambos, ‘The crime of aggres-
sion after Kampala’ (2011) 53 German Ybk of Int’l. L. 463; Stefan Barriga and Leena Grover, ‘A
historic breakthrough on the crime of aggression’ (2011) 105 A.J.I.L. 517.
156
On attribution in cyber self-defence see Tsagourias (n 42) 233–43; for the international
evidentiary standard to be applied, see O’Connell (n 4) 202.
157
Prosecutor v. Dusko Tadić (Appeal Judgment of 15 July 1999) [1999] No ICTY-94-1-A
paras 99–145; Nicaragua Case (Merits) (n 1) para. 115; Application of the Convention on the
Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and
Montenegro) (Judgment) [2007] ICJ Rep 43 paras 403–407.
158
The question about the criteria for attributing acts of non-state actors to a state in a
state-orientated interpretation of self-defence have been developed, inter alia, by Elizabeth
Wilmshurst, ‘The Chatham House Principles of International Law on the use of force in
self-defence’ (2006) 55 I.C.L.Q. 963–72; Daniel Bethlehem, ‘Self-defense against an imminent
or actual armed attack by nonstate actors’ (2012) 106 A.J.I.L. 769. In our view these suggestions
are no doubt interesting intellectual exercises but of little relevance (if not occasionally in fact
campaigning for the stronger states) when it comes to establishing existing law. For some
sharable critical comments, see Michael J Glennon, ‘Law, power, and principles’ (2013) 107
A.J.I.L. 378 (‘Bethlehem’s proposed principles … substitute the opinio juris of the powerful for
the practice of all’); ME O’Connell, ‘Dangerous departures’ (2013) 107 A.J.I.L. 380 (‘Bethlehem
offers to rewrite the rules, legalizing practices that today are violations of international law’);
Gabor Rona and Raha Wala, ‘No thank you to a radical rewrite of the jus ad bellum’ (2013) 107
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
24 / Date: 7/5
JOBNAME: Tsagourias PAGE: 25 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
make the issue overlap with that of self-defence against a failure of the State to prevent
cross-border harmful action by private individuals or groups allegedly amounting to an
‘armed attack’ for self-defence purposes.159
There is no doubt that the duty of prevention of private cross-border harmful action
is established in general international law. As famously held in the 1941 Trail Smelter
Award ‘under the principles of international law … no State has the right to use or
permit the use of its territory in such a manner as to cause injury … in or to the
territory of another or the properties or persons therein’.160 Similar dicta had already
been made, in relation to the utilization of international watercourses, by an Arbitral
Tribunal in the 1928 Island of Palmas Award161 and by the PCIJ in the 1929 Oder River
Commission Judgment.162 The principle was later restated by the ICJ in general terms
in the 1949 Corfu Channel Judgment in terms of ‘every State’s obligation not to allow
knowingly its territory to be used for acts contrary to the rights of other States’,163 and,
specifically referring to environmental protection, in the 1996 Nuclear Weapons
Advisory Opinion,164 in the 1997 Gabčíkovo-Nagymaros Judgment,165 and in the 2010
Pulp Mills Judgment,166 as well as in Article 3 of the 1992 Biodiversity Convention.167
The principle has been recently thoroughly analysed by the ILC special rapporteur on
natural disasters.168 Briefly, a State’s failure to prevent private actors on its territory
from causing damage in the territory of another State constitutes an internationally
A.J.I.L. 387 (‘Bethlehem’s proposed principles … would reverse more than a century of
humanitarian and human rights progress’); Dire Tladi, ‘The nonconsenting innocent state: The
problem with Bethlehem’s principle 12’ (2013) 107 A.J.I.L. 570, 576 (Bethlehem’s ‘principle 12
[admitting in certain circumstances the armed reaction against a state without its consent] is
based on an erroneous assessment of customary international law and state practice and on an
acontextual interpretation of Article 51’).
159
Roscini (n 46) 102.
160
Trail Smelter Case (United States v Canada) (Award) [1941] United Nations Reports of
International Arbitral Awards (2006) 1905, 1965 <http://legal.un.org/riaa/cases/vol_III/1905-
1982.pdf> accessed 30 November 2013.
161
Island of Palmas Case (Netherlands v United States) (Award) [1928] United Nations
Reports of International Arbitral Awards (2006) 829, 839 <http://legal.un.org/riaa/cases/vol_II/
829-871.pdf> accessed 30 November 2013.
162
Territorial Jurisdiction of the International Commission of the River Oder (Judgment)
[1929] PCIJ Ser. A. No. 23 27.
163
Corfu Channel (United Kingdom v Albania) (Merits) (Judgment) [1949] ICJ Rep 4 22.
164
Legality of the Threat or Use of Nuclear Weapons (n 62) para. 29, ruling that the
principle ‘is now part of the corpus of international law relating to the environment’.
165
Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) [1997] ICJ Rep 7 paras
53 and 140.
166
Case concerning Pulp Mills on the River Uruguay (Argentina v Uruguay) (Judgment)
[2010] ICJ Rep. 2010 para. 101, holding that ‘the principle of prevention, as a customary rule,
has its origins in the due diligence that is required of a State in its territory’ and reiterating what
the Court had already stated in the 2006 Order (Case concerning Pulp Mills on the River
Uruguay (Argentina v Uruguay) (Provisional Measures Order) [2006] ICJ Rep. para. 72.
167
Convention on Biological Diversity (concluded 5 June 1992, entered into force 29
December 1993) 1760 UNTS 79.
168
See Carlo Focarelli, ‘Duty to protect in cases of natural disasters’ in Rüdiger Wolfrum
(ed.), Max Planck Encyclopaedia of Public International Law (OUP 2013).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
25 / Date: 7/5
JOBNAME: Tsagourias PAGE: 26 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
unlawful act. Non-forcible countermeasures are thus permitted. The point is whether
such a failure amounts to an ‘armed attack’ under Article 51, assuming that it would be
so if directly carried out by (or if attributable to) a State, or in any case if it constitutes
an international unlawful act of the State justifying self-defence.169
Self-defence against a State’s failure to prevent private trans-border harm is distinct
from self-defence against non-State actors as generally understood. The former is
directed against a State’s unlawful act, deriving from its failure to prevent private
individuals and groups from causing cross-border harm through an action that if carried
out by a State would amount to an ‘armed attack’ for self-defence purposes; while the
latter appears as directed against the allegedly responsible individuals and groups as a
response to their action and regardless of any attribution of their conduct to the State
from the territory of which harm has been caused.
It has been argued that in the cyber context States would be willing to apply the
same standard as in the terrorism context.170 One might contend that in cyberspace the
need for self-defence against non-State actors, however theorized, is particularly
compelling. But if this view is accepted then what is talked about is an autonomous
rule applying in cyberspace, a rule which, however, has little if any basis in existing
international law and is thus only promoted, since the data and practice available
concerning physical space are contentious at best. In UN General Assembly Resolution
55/63 of 4 December 2000 States are called upon to ‘ensure that their laws and practice
eliminate safe havens for those who criminally misuse information technologies’, with
no reference to self-defence or means other than those falling within the law
enforcement paradigm.171 It is a fact that ‘substitutive’ or ‘extra-territorial’ law
enforcement by other States is rooted in an imperial global order with the stronger
States (never the weaker ones for obvious reasons) operating as the ‘international
police’, inevitably to further their particular interests, along the lines (or abusing) of the
‘just war’ doctrine.172
It is thus difficult to accept that an armed reaction, whether called ‘self-defence’ or
otherwise, is permitted against a State’s lack of due diligence173 in preventing cyber
attacks from within its jurisdiction. This is not to imply, of course, that failure to
prevent is not internationally unlawful, nor that peaceful remedies against it (such as
countermeasures) are also prohibited. Even more difficult is to accept that an armed
reaction against a State as a whole is permitted insofar as this is the only way to hit
those private individuals who have launched an attack. Some links between the State –
provided that there is a ‘State’ – and the individuals who have launched the attack have
to exist. In other words, the whole debate should focus on the criteria of attribution
actually adopted in international practice, which may well be different in different
contexts, rather than on self-defence against ‘pure’ non-State actors.
169
See Mahmoud Hmoud, ‘Are new principles really needed? The potential of the
established distinction between responsibility for attacks by nonstate actors and the law of
self-defense’ (2013) 107 A.J.I.L. 576, 577–8.
170
Schmitt (n 3) 598–603.
171
UNGA Res 55/63 (4 December 2000) para. 1, on ‘Combating the criminal misuse of
information technologies’.
172
Focarelli (n 121) 358–62.
173
See Antonopoulos (Ch 3 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
26 / Date: 7/5
JOBNAME: Tsagourias PAGE: 27 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
174
For a valuable exception, see O’Connell (n 4).
175
See (n 8).
176
See Directive 2013/40/EU of the European Parliament and of the Council (n 95).
177
Tikk and others (n 35) 29.
178
There seems to be little doubt that the Security Council may use its discretion and
determine that a certain cyber attack amounts to a ‘threat to the peace’ or even to an ‘act of
aggression’ or a ‘breach of the peace’ according to art 39 UN Charter, and take ‘enforcement
measures’ (peaceful sanctions or military response) against the ‘source’ of the cyber attack,
whether a state or a non-state actor. The Council may presumably also take ‘cyber sanctions’ or
impose a ‘cyber blockade’ and it may arguably authorize the use of kinetic force, although art 42
reads ‘by air, sea, or land forces’ which literally would exclude cyber attacks. See Marco Benatar
and Kristof Gombeer, ‘Cyber sanctions: Exploring a blind spot in the current legal debate’ in 4th
European Society of International Law Research Forum (Estonia, 27–28 May 2011) <http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=1989786> accessed 30 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
27 / Date: 7/5
JOBNAME: Tsagourias PAGE: 28 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
use of force (‘use of force’, ‘armed attack’ and ‘armed conflict’) do not coincide even
where they are defined by one and the same word. For example, the term ‘attack’ refers
to a particular category of military operations under Article 49(1) of the 1977
Additional Protocol I to the 1949 Geneva Conventions, whereby ‘attacks’ are ‘acts of
violence against the adversary, whether in offence or in defence’, which has a different
legal meaning from the same word used in Article 51 UN Charter. The notions of ‘use
of force’, ‘armed attack’ and ‘armed conflict’ and their different meanings in different
legal settings, together with their inferred ‘equivalents’ in cyber space, make ‘upstream’
the whole picture quite aleatory despite the possible soundness of ‘downstream’
deductions made to identify the rules applicable to one or another hypothetical
scenario. The analogy instrument is here questionable in itself; the parameters of the
analogies made are uncertain even in their kinetic context; and the effect-based test
concerning the notion of ‘armed attack’ may in fact lead to several very different
conclusions depending on the circumstances. It seems that only a case-by-case
assessment of the overall perception by the international community as a whole can
reasonably be expected. Besides, the more likely scenario is an armed response in
kinetic terms to a cyber attack attributed to private individuals or groups, although very
difficult if not impossible to attribute to a State, and here again the rules analogised are
themselves very open to doubt even in their original conventional scenario.
The way forward seems to be the negotiation and creation of ad hoc international
institutions and rules for the Internet. It has been suggested that cyber attacks can
properly be viewed as violations of the non-intervention principle; as such, they would
not justify self-defence but, as international unlawful acts, alternative non-forcible
responses or coercive measures, possibly defensive, such as countermeasures or
measures adopted or authorized by the UN Security Council.179 The regulation of the
Internet is no doubt highly problematic and involves a huge variety of complex issues,
including the corporate private sector as well as States and non-State actors concerned
with online censorship. At the same time some regulation is clearly necessary,
hopefully one in line with international human rights standards. Efforts should be
redoubled to raise global awareness of the scale and effects of crimes committed in the
Internet, especially against critical infrastructure, so as to take appropriate coordinated
steps in preventing and punishing them just as has been done in respect of other very
serious transnational crimes, including international crimes. No ‘global policeman’ can
really and effectively patrol the Net.
Clearly, there is an underlying logic of escalation in cyberwar. The more a State
resorts to cyberspace to get more competitive and stronger vis-à-vis other relevant
actors, the more it becomes vulnerable to cyber attacks, the more it will feel in danger
and be inclined to ‘equate’ cyber attacks to kinetic attacks so as to ‘legitimately’
respond militarily. Most importantly, even assuming that States will exceptionally apply
the existing rules on self-defence described above, they have to meet the necessity
requirement concerning their continuing obligation to implement passive and active
(short of prohibited ‘force’) electronic defences prior to the alleged cyber attack and be
179
O’Connell (n 4) 199 and 202–6; Buchan (n 41) 221–7; Roscini (n 46) 110–11.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
28 / Date: 7/5
JOBNAME: Tsagourias PAGE: 29 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
as far as possible in a position to avoid kinetic force to defend themselves from cyber
operations.180
What is then the ‘cyber use of force’ debate hugely developed in recent years for? In
addition to trying hypothetically to identify reasonable rules, the key purpose so far is
twofold: deterring possible attacks and promoting the rules which could possibly
govern major cyber attacks at the moment when they occur so as to have at that very
moment the international community ‘prepared’ to share the view that the attack is
indeed ‘equivalent’ to a kinetic attack which justifies a kinetic response. By dissemin-
ating the opinion that the law is the one found in most official statements and
publications, their authors and sponsors are being contributing to the belief that this ‘is’
the law. This institutional and doctrinal campaign may prove successful and shape the
law in the future, perhaps and hopefully for the better, although this is different and
should be kept distinct from the law as it stands.181
180
On reducing vulnerability see Jeffrey S. Katz, ‘Smart grid security and architectural
thinking’ (White Paper, IBM) <http://www.ibm.com/smarterplanet/global/files/us__en_us__
energy__smartgridsecurity_and_architecturalthinking_katz.pdf> accessed 30 November 2013.
181
For a socio-constructivist approach to international law along these lines, see Focarelli
(n 121).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter12 /Pg. Position:
29 / Date: 7/5
JOBNAME: Tsagourias PAGE: 1 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
* The author would like to thank Jonathan Herbach and Karel Wellens for their comments
on a draft of this chapter.
1
David E. Sanger and Thom Shanker, ‘Broad powers seen for Obama in cyberstrikes’, New
York Times (3 February 2013) <http://www.nytimes.com/2013/02/04/us/broad-powers-seen-for-
obama-in-cyberstrikes.html?pagewanted=all> accessed 2 October 2014. See also (2013) 18(1) J.
Conflict & Sec. L. 1–4.
2
See International New York Times, 7 April 2014. See also ‘Presidential Policy Directive
PPD-20’ (U.S. Cyber Operations Policy, 2012) <fas.org/irp/offdocs/ppd/ppd-20.pdf> accessed 2
October 2014; Glen Greenwald and Ewan MacAskill, ‘Obama orders US to draw up overseas
target list for cyber-attacks’, The Guardian (7 June 2013) <http://www.theguardian.com/world/
2013/jun/07/obama-china-targets-cyber-overseas> accessed 2 October 2014.
3
Zachary Keck, ‘South Korea seeks cyber weapons to target North Korea’s nukes’, The
Diplomat (21 February 2014) <http://seclists.org/isn/2014/Feb/43> assessed 4 June 2014.
284
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
1 / Date: 15/5
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
4
Bruce W. McConnell and Greg Austin, ‘A measure of restraint in cyberspace, reducing
risk to civilian nuclear assets’ (East West Institute, 2014) 10.
5
See section 2 below.
6
Thomas Rid, Cyber War Will Not Take Place (OUP 2013) 42.
7
Ibid.
8
‘The National Security Strategy of the United States of America’ (September 2002)
<www.state.gov/documents/organization/63562.pdf> accessed 2 October 2014.
9
See for instance ‘Pre-Emptive action’, Report by the Netherlands Government’s Advisory
Council on International Affairs (AIV) and the Advisory Committee on Issues of Public
International Law (CAVV), No. 36, AIV/No 15, CAVV, July 2004 <http://www.cavv-advies.nl/
Publications> accessed 2 October 2014.
10
Yoram Dinstein, War, Aggression and Self-Defence (5th edn, CUP 2001) 203–4.
11
‘Editorial’ (2013) 1 J. Conflict & Sec. L.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
reaction with extremely powerful cyber weapons against the possibility of a cyber threat
brings back memories of the early deterrence discussions with regard to nuclear
weapons.12 This chapter looks at the question of whether what we see is indeed a
cyber-deterrent strategy and whether a parallel can be drawn between the deterrent
strategies in the nuclear realm and such a strategy with regard to a possible cyber-attack by
States in cyberspace and projected generic (preventive) replies by States to such threats.
Furthermore, the chapter will deal with the question of whether such a cyber deterrent is
allowed under public international law. This focus on cyber deterrence is a State actor
approach which therefore largely leaves out how to deal with non-State actors, and in
that sense only deals with part of the problem of possible offensive cyber operations.
Although it concerns the question of deterrence and cyber-security in general, I will
finally also look at the question of what we can learn from this discussion with regard
to cyber-security of nuclear assets like nuclear power plants. Does it inform us on
particular ways to improve nuclear security?
Before focusing on deterrence as such, the next section will briefly discuss the issue
of cyber-security of critical structures, especially with regard to such nuclear assets.13
There are many ways in which the security of States could be threatened. On the one
hand the military security14 of a State could be endangered, which refers to security
from interference by military means. The security of a State could for instance be
threatened solely by military kinetic means or it could be done by a combination of
military and cyber means, whereby for instance a cyber operation is aimed at disrupting
the control by radars prior to a military attack on military targets. These security threats
fall within the traditional realm of (collective) self-defence.
Of a different order would be a cyber attack conducted solely on civilian critical
(information) infrastructures that are crucial to the operation of the State and whereby
cyber attacks could range from annoying disruptions of systems, to chaos and
enormous damage comparable to damage caused by an armed attack. This is about
cyber-security, meaning security from interference by cyber means. In both these
instances the central question is how to prevent such interference by either a military
attack or by a comparable cyber operation, a cyber attack for short. And what should be
done to prevent such an attack, or in the case of an actual attack? It will be clear that
12
On the broader use of an information advantage already in 1996 see Joseph S. Nye and
William A. Owens, ‘America’s information edge’ (1996) 75(2) Foreign Affairs 20–36, 20 for
instance, where they remark: ‘This information advantage can help deter or defeat traditional
military threats at relatively low cost.’
13
McConnell & Austin (n 4).
14
On the concept of military security and the ban on the use of force see Eric P.J. Myjer,
‘The law of arms control, military security and the issues: An introduction’ in Eric P.J. Myjer
(ed.). Issues of Arms Control Law and the Chemical Weapons Convention (Martinus Nijhoff
Publishers 2001) 2–4.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
3 / Date: 7/5
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
there is a blurring of the lines between these two instances especially since the effects
of such cyber attacks could be comparable to those of an armed attack. After a general
discussion this contribution will, in concluding, also look at cyber security of critical
infrastructures of civil nuclear assets.
15
Barron-Lopez reports that ‘of the roughly 200 cases of hacking attacks the cybersecurity
team at the Department of Homeland Security handled in 2013, more than 40 percent were in
the energy sector’, which showed the energy sector to be the most vulnerable of the critical
infrastructures to attacks. Laura Barron-Lopez, ‘Cyber threats put energy sector on red alert’,
The Hill (12 June 2014) <http://thehill.com/policy/technology/209116-cyber-threats-put-energy-
sector-on-red-alert> accessed 2 October 2014.
16
See also Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’
(2012) 17(2) J. Conflict & Sec. L. 231, where the author refers to attacks on critical state
infrastructure. With regard to a definition thereof in his view ‘most definitions agree that certain
services such as security, food, water, transportation, banking and finance, health and energy,
governmental and public services constitute critical infrastructure’. See James C. Mulvenon et.
al., ‘Addressing cyber instability’ (Cyber Conflict Studies Association 2012) 339–63.
17
Commission (EC), ‘Critical Infrastructure Protection in the fight against terrorism’
(communication) COM(2004) 702 final, 20 October 2004.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
4 / Date: 25/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
18
McConnell & Austin (n 4) 10.
19
UNGA Res 58/199 (30 January 2004) UN Doc A/RES/58/199 on the Creation of a global
culture of cybersecurity and the protection of critical information infrastructures defines the
relationship between critical infrastructures and the critical information infrastructures as
follows: ‘Noting the increasing links among most countries’ critical infrastructures – such as
those used for, inter alia, the generation, transmission and distribution of energy, air and
maritime transport, banking and financial services, e-commerce, water supply, food distribution
and public health – and the critical information infrastructures that increasingly interconnect and
affect their operations’.
20
See for instance ‘Fukushima accident’, World Nuclear Association (16 September 2014)
<http://www.world-nuclear.org/info/safety-and-security/safety-of-plants/fukushima-accident/>
accessed 2 October 2014.
21
See for instance Rid (n 6) 43–5; McConnell & Austin (n 4) 10–11; Russell Buchan,
‘Cyber attacks: Unlawful uses of force or prohibited interventions?’ (2012) 17(2) J. Conflict &
Sec. L. 219–21.
22
McConnell & Austin ibid. See also Rid ibid. 43–6.
23
Commission (EC) ‘A Digital Agenda for Europe’ (Communication) COM(2010)245 final,
19 May 2010.
24
McConnell & Austin (n 4).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
5 / Date: 25/3
JOBNAME: Tsagourias PAGE: 6 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
infrastructures and in particular to reduce the risks to civilian nuclear assets.25 The
report warns of the militarization of cyberspace which ‘drives the urgent need to shield
civilian critical infrastructure from peacetime cyber incidents, whether by accident or
design’26 and underscores the necessity for international agreements.
In what way could for instance the protection of a nuclear power plant be realized?
Protection could of course be improved by making sure that such critical infrastructures
are detached from the general cyber network (system) and has a standalone, solely
facility related cyber network. The report of the EastWest Institute mentions that a
practical beginning may be ‘to quarantine selected critical information infrastructure
(CII) from cyber attacks during peacetime as a measure of restraint’.27
With regard to the protection in peacetime of critical infrastructures, which are of a
civilian nature, it needs to be stressed that in considering its protection in this
contribution we will look at it from the perspective of deterrence and defence, which
both concern ius ad bellum rules. Of course more generally a State’s ‘classic’
deterrence and defence by military means is always aimed at the preservation of a
peacetime situation. With regard to cyber operations that may be threatening critical
infrastructures, however, another focus could have been to focus on the internet as
primarily belonging to the sphere of economic and communications activity where, as
quite rightly argued by Mary Ellen O’Connell, ‘civil law enforcement officials, have
primary jurisdiction’.28 This, however, is not the perspective taken in this chapter,
which is driven by the debate on creeping militarization of cyberspace.29 The Cyber
Conflict Studies Association (CCSA) refers to this approach as the ‘warfare approach’,
which is characterized by a militarized outlook on cyber conflict’.30 Interesting in this
respect is where Thomas Rid, remarks that ‘[w]hat has been militarized is the debate
about cyberspace’.31
The approach taken in this chapter does not mean that all the premises associated
with those32 who draw Cold War parallels with regard to cyber security are automatic-
ally accepted. An important point to take into consideration is Rid’s argument that
cyberspace is not a fifth domain of warfare for it ‘is not a separate domain of military
25
See also the Report of Working Group 2 –Managing Cyber Threat- to the Nuclear
Industry Summit 2014, which was held prior to the 2014 Nuclear Security Summit in The Hague
<https://www.nis2014.org/uploadedfiles/nis2014-wg2report_mct_final.pdf> (accessed 24 April
2015).
26
McConnell & Austin (n 4) 10.
27
Ibid.
28
Mary E. O’Connell, ‘Cyber security without cyber war’ (2012) 17(2) J. Conflict & Sec. L.
188.
29
See Introduction.
30
Mulvenon et. al. (n 16) 290. Other approaches discussed in their report are the technical
approach, the criminal approach and emerging approaches like public health, environmental and
irregular warfare (283– onwards).
31
‘[I]f militarizing cyberspace means establishing robust cyber defences, than cyberspace
has not been militarized. What has been militarized is the debate about cyberspace’. Rid (n 6)
174.
32
On participants in the cyber debate who make comparisons with the Cold War and nuclear
weapons, see ibid. 170.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
6 / Date: 7/5
JOBNAME: Tsagourias PAGE: 7 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
activity’,33 which led him to conclude that ‘the debate on national security and defence
would be well served if debating war was cut back to the time tested four domains’.34
One of the questions under consideration in this chapter is how do defensive and
offensive cyber operations fit in, like those mentioned earlier as in the case of the US,35
when considering the protection of critical (information) infrastructures? More specific-
ally could they be regarded as part of a cyber-deterrent strategy, and is such a deterrent
strategy allowed for under public international law?
33
Ibid. 166.
34
Ibid. The four domains refer to land, sea, air and space.
35
See sources mentioned in (n 2).
36
See on deterrence in general Eric P.J. Myjer, Militaire Veiligheid door Afschrikking,
verdediging en het geweldverbod in het Handvest van de Verenigde Naties Military Security via
Deterrence, Defence and the ban on the use of force in the United Nations Charter (in Dutch)
(Kluwer 1980).
37
In international politics:
deterrence refers to efforts to avoid being deliberately attacked by using threats to inflict
unacceptable harm on the attacker in response. The threatened harm can be inflicted by a
stout defense, frustrating the attack or making it too costly to continue, or by turning its
success into a pyrrhic victory. Or it can be inflicted through retaliation. (And through a
combination of the two).
Patrick M Morgan, ‘Applicability of traditional deterrence concepts and theory to the cyber
realm’ in National Research Council ‘Proceedings of a Workshop on Deterring Cyberattacks:
Informing Strategies and Developing Options for U.S. Policy’ (The National Academies Press
2010) 55. See also his early theoretical study on deterrence: Patrick M. Morgan, Deterrence a
Conceptual Analysis, Sage Library of Social Research, Volume 40, 1977. Libicky chooses to
equate deterrence with retaliation and not also with defence. See Martin C. Libicky, Cyber-
deterence and Cyberwar (RAND Corporation 2009) 7:
If deterrence is anything that dissuades an attack, it is usually said to have two components:
deterrence by denial (the ability to frustrate the attacks) and deterrence by punishment (the
threat of retaliation). For purposes of concision, the use of deterrence in this work refers to
deterrence by punishment. This is not to deny that defense has no role to play – indeed, the
argument here is that it does play the greater role and rightfully so. Our discussion of
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
7 / Date: 15/5
JOBNAME: Tsagourias PAGE: 8 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
credible defence in case of attack nothing is wrong, for each State is entitled to defend
itself both under conventional law ex Article 51 UN Charter and under customary law.
An example of this is the recent statement by the Secretary General of NATO, who, in
the context of the Ukraine political standoff, remarked, ‘Today, we will show our
steadfast commitment to NATO’s collective defence. Defence starts with deterrence.’38
He went on, ‘So we will take the necessary steps to make it clear to the world that no
threat against NATO Allies will succeed.’ This case of deterrence via the projection of
defence is about self-defence and is therefore not a forbidden threat to use force ex
Article 2(4) UN Charter, although the distinction sometimes may be rather subtle. Of
course this self-defence needs to answer to principles like necessity, proportionality and
immediacy. A totally different case, however, is threatening retaliation by the projection
of a blatant use of force, meaning use of force breaching these principles. Deterrence
via retaliation, however, is highly questionable from the point of view of public
international law. This, however, did not prevent the nuclear weapon States from
adopting such a strategy. Even since the end of the Cold War this nuclear-deterrence
strategy has been maintained and is still being applied.39 The projected reply in case of
an attack by nuclear means is through retaliation by nuclear means.
Given the fact that next to a defensive cyber capacity at present also a so-called
offensive cyber capacity is being developed,40 the question is whether this might lead to
a similar deterrent strategy in the cyber area, namely a cyber deterrence, that would not
only deter with the projection of a credible defensive capability and a credible will to
apply it in case of an attack (which is not possible in the case of nuclear deterrence, as
will be explained) but also via the projection of retaliation via offensive means? To start
with: Would it be possible to retaliate against a particular (specific) cyber aggressor?
Could the attacker be identified quickly and without any reasonable doubt? And, more
generally, would it be a viable and acceptable strategy? And if so would it be allowed
for under public international law, or is it a forbidden threat with regard to the use of
force?
Before attempting to answer these questions, the next section will first give a short
description of how nuclear deterrence developed with its projection of massive
devastation via retaliation with offensive means, which ultimately leads to Mutual
Assured Destruction (MAD).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
8 / Date: 7/5
JOBNAME: Tsagourias PAGE: 9 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
4. NUCLEAR DETERRENCE
Deterring a potential aggressor by showing a credible capacity for defence or retaliation
and a credible will to apply it in case of an attack as a strategy has existed for a very
long time. Given that defence against nuclear weapons is not possible, nuclear
deterrence with retaliation as its core element started when, after World War II the US
was still the sole possessor of nuclear weapons.
It later became known as the strategy of massive retaliation, in which the US
strategic retaliatory capacity was central. Its prime aim was to deter Soviet aggression.
This strategy originated, to a large extent, from budgetary constraints that made it
difficult to build up US conventional forces to outweigh what were assumed to be the
superior Soviet conventional forces. In his famous speech in January 1954 to the
Council on Foreign Relations the US Foreign Minister, John Foster Dulles, presented
the strategy of deterrence and the role of nuclear weapons. A crucial element in his
so-called massive retaliation speech was where he remarked: ‘The way to deter
aggression is for the free community to be willing and able to respond vigorously at
places and with means of its own choosing.’41 It was, in other words, about organizing
maximum security at minimal costs. Central to this strategy is deterrence via retaliation
not via defence. This strategy is also important because it can be regarded as the first
systematic theory of deterrence in the age of the Cold War.42
Although the Dulles speech took place four years after the first explosion of a Soviet
atom bomb, and a few months after that of a thermo-nuclear weapon, it would still take
some time before the possibility that the Soviet Union could answer with similar means
was taken into consideration. That, however, changed after it became apparent that the
Soviet Union had also developed the capability to deliver nuclear weapons in reply.
This introduced the so-called balance of terror that would, in the end, lead via the
concept of mutual deterrence to that of mutually assured destruction, which still forms
part of present-day security strategy with regard to nuclear weapons, in which
deterrence plays a predominant role. Two elements were crucial in this strategy. The
first is that a nuclear attack would have devastating consequences against which a
proportional defence would be impossible. This made it essential to threaten with
retaliation in kind in case of a nuclear attack (a so-called first strike). For this to be a
credible threat in reply it was essential that such retaliation in a second strike was
possible. This second strike potential was realized via the so called Triad, a combin-
ation of nuclear weapons on submarines, airplanes and on land-based missiles, whereby
an attacker would never be able to make a first strike whereby the full nuclear
inventory of the opponent would be annihilated (destroyed). Next to that a ‘watertight’
defensive shield against incoming missiles was technically not possible, although in the
early 1980s research into this possibility was given a boost under Ronald Reagan with
41
John F. Dulles, ‘The evolution of Foreign Policy’ (1954) 30 Department of State Bulletin.
See Bernard Brodie, Strategy in the Missile Age (Princeton University Press 1971) 241. See also
three months later John F. Dulles, ‘Policy for Security and Peace’ (1945) 32 Foreign Affairs
353–64.
42
Alexander L. George and Richard Smoke, Deterrence in American Foreign Policy, Theory
and Practice, (Columbia University Press 1974) 25. See also Myjer (n 36) 49.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
9 / Date: 7/5
JOBNAME: Tsagourias PAGE: 10 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
the Strategic Defense Initiative, or so called ‘Star Wars’ strategy. This led to accepting
mutual vulnerability of which the ABM (anti-ballistic missile) treaty43 was an expres-
sion.
At least at the strategic level this doctrine still operates and answers the basic idea of
deterrence, namely deterring a potential aggressor by mirroring the nuclear reply that
will follow in case of an attack. Given a guaranteed second strike capability of nuclear
weapons with the opposing parties this led to a mutual-deterrence strategy with the risk
in case the deterrence failed of MAD of both nuclear power blocks. This is what this
strategy generally is referred to. Interestingly this survived the Cold War and is still the
current strategy with regard to the nuclear weapons.44 This is still the case in spite of
the fact that in 2002 under George W Bush the US withdrew from the ABM Treaty, in
order to be able to further develop and eventually install missile shields, thereby
bringing into question the US’s willingness to accept the premise of the nuclear-
deterrent strategy, namely to remain vulnerable to a possible nuclear attack. Since to
this day no effective nuclear shield has been developed, there is still this mutual
vulnerability. What is different, however, is that nowadays there are more nuclear
weapons and nuclear weapons States than in the 1950s, with India, Pakistan, Israel and
North Korea now also nuclear weapon States.
On the question of whether this strategy is in conformity with public international
law the International Court of Justice (ICJ) gave its ambivalent advisory opinion (see
below).
43
Treaty between the United States of America and the Union of Soviet Socialist Republics
on the Limitation of Ant-Ballistic Missile Systems (26 May 1972).
44
Whether there still is a situation of MAD or whether the US is developing nuclear
primacy was raised by Keir A. Lieber and Daryl G. Press, ‘The rise of U.S. nuclear primacy’
(2006) 85(2) Foreign Affairs and further developed in Keir A. Lieber and Daryl G. Press, ‘The
end of MAD? The nuclear dimension of U.S. primacy’ (2006) 30(4) Int’l. Sec. 7–44. The Essay
in Foreign Affairs led to a response by a number of authors denying the Lieber and Press thesis
and stressing that there still is a MAD situation. See Peter C. Flory, ‘Nuclear exchange: Does
Washington really have (or want) nuclear primacy? (2006) 85(5) Foreign Affairs.
45
Legality of the threat or use of nuclear weapons (Advisory opinion) [1996] ICJ Rep. 1996
229. Deterrence is also referred to either directly, or indirectly, in the context of the proceedings
instituted on 24 April 2014 by the Republic of the Marshall Islands against the United Kingdom
of Great Britain and Northern Ireland, against the Islamic Republic of Pakistan and against the
Republic of India, re ‘obligation to pursue in good faith and conclude negotiations leading to
nuclear disarmament’. See the respective applications with the ICJ.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
67. The Court does not intend to pronounce here upon the practice known as the ‘policy of
deterrence’. It notes that it is a fact that a number of States adhered to that practice during the
greater part of the Cold War and continue to adhere to it […]46
The argument about deterrence was raised in the context of the question whether there
existed a rule of customary international law prohibiting the threat or use of nuclear
weapons as such. According to the ICJ on the one hand States:
which hold the view that the use of nuclear weapons is illegal have endeavoured to
demonstrate the existence of a customary rule prohibiting this use. They refer to a consistent
practice of non-utilization of nuclear weapons by States since 1945 and they would see in
that practice the expression of an opinio iuris on the part of those who possess such
weapons.47
which assert the legality of the threat and use of nuclear weapons in certain circumstances,
invoked the doctrine and practice of deterrence in support of their argument. They recall that
they have always, in concert with certain other States, reserved the right to use those weapons
in the exercise of the right to self-defence against an armed attack threatening their vital
interests. In their view, if nuclear weapons have not been used since 1945, it is not on account
of an existing or nascent custom but merely because circumstances that might justify their
use have fortunately not arisen.48
Against the background of these arguments the ICJ decided not to pronounce on the
‘policy of deterrence’.
It notes that it is a fact that a number of States adhered to that practice during the greater part
of the Cold War and continue to adhere to it. Furthermore, the Members of the international
community are profoundly divided on the matter of whether non-recourse to nuclear weapons
over the past fifty years constitutes the expression of an opinio iuris. Under these
circumstances the Court does not consider itself able to find that there is such opinio iuris.49
The Court, however, made clear that both the rules of ius ad bellum and of ius in bello
(the humanitarian law of armed conflict) with customary law principles like proportion-
ality and necessity also apply.
Nevertheless the Court considers that it does not have sufficient elements to enable it to
conclude with certainty that the use of nuclear weapons would necessarily be at variance with
the principles and rules of law applicable in armed conflict in any circumstance.50
Also the ‘fundamental right of every state to survival, and thus its right to resort to
self-defence, in accordance with Article 51 of the Charter, when its survival is at
46
Ibid. para. 67.
47
Ibid. para. 65.
48
Ibid. para. 66 [emphasis added].
49
Ibid. para. 67.
50
Ibid. para. 95.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
11 / Date: 25/3
JOBNAME: Tsagourias PAGE: 12 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
stake’,51 was taken into consideration, as was the fact that it could not ignore ‘the
practice referred to as “policy of deterrence”’.52 The Court then concluded, by seven
votes to seven with the President’s deciding vote, what widely is referred to as a
non-liquet,53 that it is ‘led to observe that it cannot reach a definitive conclusion as to
the legality or illegality of the use of nuclear weapons by a State in an extreme
circumstance of self-defence, in which its very survival would be at stake’.54 Given that
deterrence is about projecting the reply in case of attack, with this conclusion regarding
the use of nuclear weapons in self-defence also no definitive conclusion can be drawn
whether the projection of this ‘self defence by nuclear weapons’ is legitimate
self-defence or a forbidden threat to use force ex Article 2(4) UN Charter. In other
words it leaves open the question regarding the legitimacy of nuclear deterrence.
6. CYBER DETERRENCE
This section looks at the question whether a cyber-deterrent strategy comparable to the
nuclear-deterrent strategy is possible. The reason to make such a comparison is because
of some apparently common characteristics of the way the US announced its nuclear-
deterrent strategy and its cyber strategy, namely the prevention of threats of vital
interests via the projection of indiscriminate offensive nuclear means against nuclear
attacks or via offensive cyber means in the case of a cyber attack.
The reason for trying to assess whether in cyberspace one is also witnessing the
development of a strategy of deterrence, however, is not that cyber attacks that occur
can be one-on-one compared with attacks by nuclear weapons. The consequences of
cyber attacks will have to be measured individually.
When looking at some of the central elements of nuclear deterrence the conclusion is
clear that cyber deterrence (deterring cyber attacks with cyber means) by projection of
a cyber threat comparable to the threat under nuclear deterrence is – at present –
technically not possible.
The crucial difference between nuclear deterrence and cyber deterrence is that the
deterrent threat in the former case is retaliation, and in the latter case might be either
defence or retaliation. This is the case in spite of the suggestion by the ICJ in the
Nuclear Weapons case that this might be qualified as a defensive option in cases where
the survival of a State is at stake.55
51
Ibid. para 96.
52
Ibid.
53
See on this for instance I. Dekker and W. Werner, ‘The completeness of international law
and Hamlet’s dilemma’ (1999) 68(3) Nordic J. of Int’l. L. 225.
54
Legality of the threat or use of nuclear weapons (n 45) para. 97. See also the lengthy
dissenting opinion of Judge Weermantry, and in particular on deterrence (VII- pp. 76–9), where
he discusses in particular the concept of deterrence.
55
Ibid. decision E:
It follows from the above-mentioned requirements that the threat or use of nuclear weapons
would generally be contrary to the rules of international law applicable in armed conflict, and
in particular the principles and rules of humanitarian law;
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
12 / Date: 25/3
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
In its report Addressing Cyber Instability the CCSA56 looked into the question to
what extent nuclear deterrence and cyber deterrence can be compared. It goes back to
the basics of the strategies on deterrence of theorists like Thomas Shelling or Jerome
Kahn, although the latter author is not explicitly referred to. It concludes that ‘the
current strategic cyber environment is structurally unstable, marked by an inability to
establish credible deterrence [and strong incentives to strike pre-emptively]’.57 To a
great extent the system of nuclear deterrence on the other hand is transparent in that it
is known what the effect of nuclear weapons can be, that it is known who the nuclear
weapon States are, and that the nuclear capacity of these States is known and that these
States and relevant sites, are being monitored via National Technical Means, like
satellites. And given the triad of nuclear launch possibilities, it is generally accepted
that a guaranteed second strike exists. In that sense nuclear deterrence answers
deterrence as formulated by the US Strategic Command:
Deterrence [seeks to] convince adversaries not to take actions that threaten U.S. vital interests
by means of decisive influence over their decision-making. Decisive influence is achieved by
credible threatening to deny benefits and/or impose costs, while encouraging restraint by
convincing the actor that restraint will result in an acceptable outcome.58
However, in view of the current state of international law, and of the elements of fact at its
disposal, the Court cannot conclude definitively whether the threat or use of nuclear weapons
would be lawful or unlawful in an extreme circumstance of self-defence, in which the very
survival of a State would be at stake.
(seven votes to seven, by the President’s casting vote).
56
Mulvenon et. al. (n 16).
57
Ibid. 31.
58
U.S. Department of Defense, ‘Deterrence Operations: Joint Operating Concept’ (Version
2.0 December 2006) <http://www.dtic.mil/futurejointwarfare/concepts/do_joc_v20.doc> ac-
cessed 2 October 2014, as quoted in ‘Reprinted Letter Report from the Committee on Deterring
Cyberattacks’ in National Research Council (n 37) 350.
59
See more details in National Research Council (n 37) 350–9.
60
On the difficulties of attribution see Tsagourias (n 16) 233–onwards; Rid (n 6) 139–62.
61
This may not affect the passive defence of the information structures, but at least the
active defence. This would put a ‘premium’ on a first strike, or even be an incentive to use
kinetic force in reply.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
13 / Date: 25/3
JOBNAME: Tsagourias PAGE: 14 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
completely infecting cyberspace?62 Might it then not ‘blow up in the face’ of the State
reacting with a retaliatory strike since it is the same cyberspace that attacker and
attacked are making use of? If so, it would be a form of cyber retaliation comparable to
retaliation by nuclear weapons and its all-encompassing consequences. And, given that
the system might break down, can a guaranteed second strike capability be projected?
That nuclear deterrence and cyber deterrence are different in character was also made
clear in a report from the Committee on Deterring Cyberattacks
[…] But it is an entirely open question whether cyber deterrence is a viable strategy.
Although nuclear weapons and cyber weapons share one key characteristic (the superiority of
offence over defence), they differ in many other key characteristics, […] What the discussion
below [in the report] will suggest is that nuclear deterrence and cyber deterrence do raise
many of the same questions, but that the answers to these questions are quite different in the
cyber context than in the nuclear context.]63
The conclusion therefore appears clear that a convincing strategy of cyber deterrence
with the projection of a convincing retaliatory cyber threat, at present at least, is not
possible.
However, deterrence is not solely realized via the projection of a retaliatory strike. It
could also be realized via the projection of, in terms of Morgan, a robust64 self-defence
of both a passive and an active nature. In the discussion referred to in the Introduction,
that the US is acquiring an offensive cyber capacity, the suggestion is that such means
are exclusively of an offensive character. Although of course it concerns questions of
specific cyber technology, there also appears to be an element of semantics. For when
a so-called offensive cyber capacity would be used as a means of cyber deterrence via
the threat of retaliation it would not work for reasons discussed above. However, could
not the same cyber technology be used for both offensive and defensive purposes?
In other words, when one considers the application of a restricted use of this
so-called offensive cyber capacity, like the application of traditional military means,
which could both be used offensively or defensively, the logical question appears to be
whether it is possible to make a similar distinction between the way a digital capacity
is used (applied), namely either offensively or defensively, or is an offensive digital
capacity by definition different in character from a defensive digital capacity? If the
former is the case, then it would come down to the way cyber power is being applied
and not what label has been attached to the specific cyber capacity. Would it in that
case not be better to speak of a cyber capacity that can be applied either offensively or
defensively? The different categories that one finds in the leaked Presidential Policy
Directive / PPD-20 of October 201265 in that respect are intriguing for besides Network
62
This follows from the very interconnectivity of cyberspace, which is one of its great
assets, but at the same time also constitutes its greatest vulnerability.
63
U.S. Department of Defense (n 56); Libicky (n 37) iii: ‘Thus, deterrence and warfighting
tenets established in other media do not necessarily translate reliably into cyberspace.’ See also
Ch III, Why Cyberdeterrence is Different, 39–74.
64
I regard this qualification indicating a serious and optimal self-defence, taking into
consideration the applicable principles of public international law.
65
Presidential Policy Directive PPD-20 (n 2); Greenwald & MacAskill (n 2).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
14 / Date: 7/5
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
66
‘Programs, activities, and the use of tools necessary to facilitate them … Network defense
does not involve or require accessing or conducting activities on computers, networks, or
information or communications systems without authorization from the owners or exceeding
access authorized by the owners’. Presidential Policy Directive PPD-20 (n 2) 2.
67
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
15 / Date: 25/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
71
Legality of the threat or use of nuclear weapons (n 45) para. 39. On the use of force in
cyberspace see Roscini (Ch 11 of this book).
72
Michael Schmitt, ‘Cyber operations in international law: The use of force, collective
security, self-defence, and armed conflicts’ in National Research Council (n 37) 153–60.
73
Michael Schmitt (ed.), Tallinn Manual on The International Law Applicable to Cyber
Warfare (CUP 2013) (Tallinn Manual) Rule 11 (definition of use of force).The Tallinn Manual,
which is the result of a lengthy research project by a group of international experts, at this
moment can be regarded as the most authoritative publication on issues of cyber war and public
international law. See also Michael Schmitt, ‘International law in cyberspace: The Koh speech
and Tallinn Manual juxtaposed’ (2012) 54 Harvard Int’l. L. J. 13–37.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
16 / Date: 25/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
continuum between economic and political coercion on the one hand and acts which
cause physical harm on the other’.74 Earlier Schmitt identified seven factors that are
likely to be taken into account when assessing whether a cyber operation could be seen
as a use of force, namely: severity; immediacy; directness; invasiveness; measurability;
presumptive legitimacy; and responsibility.75 But even if a cyber operation can be
classified as a clear instance of use of force this leaves us to consider two issues,
namely that Article 2(4) UN Charter not only forbids the use of force, but also the
threat to use force. The other issue is that there is gap between Article 2(4) and Article
51 UN Charter since not all use of force would allow for forceful protective measures
in self-defence, but only use of force that amounts to an armed attack.
The point of departure therefore is that under public international law both the threat
and use of force in international relations are forbidden, and that the only exceptions to
this rule are use of force in self-defence or a mandate to use force by the Security
Council under Chapter VII in case of a threat to the peace, breach of the peace or act
of aggression. Self-defence may only take place in case of an armed attack, as
described in Article 51 Charter. These are the familiar rules in case of a traditional
military (kinetic) armed attack and the possibility of a legitimate military reply. But
how then to determine whether a cyber attack amounts (comes down) to the equivalent
of an armed attack?
According to the Tallinn Manual a cyber operation can be equated with use of force
when its scale and effects are comparable.76 In order to identify cyber operations that
could be described as uses of force (primarily based on Schmitt’s criteria (factors)) the
Tallinn Manual mentions the following as factors that could be taken into consider-
ation: severity, immediacy, directness, invasiveness, State involvement, presumptive
legality measurability of effects and military character.77 Use of force, however, is not
identical to an armed attack. This distinction between use of force in Article 2(4) and
armed attack in Article 51 is apparent from the Charter. It means that in order to be
able to act in self-defence the cyber operation in scale and effects needs to be equal to
an armed attack.
In order to establish that a cyber operation would not only be a forbidden use of
force ex Article 2(4) UN Charter but would amount to an armed attack as meant in
Article 51 UN Charter it would be necessary to not only apply Schmitt’s seven criteria,
but also to decide that the consequence of the application of a cyber operation would be
equal to a ‘traditional’ armed attack. In this Schmitt takes a consequence based
approach. ‘Applying the consequence based approach, armed attack must also be
understood in terms of the effects typically associated with the terms ‘armed’. The
essence of an ‘armed’ operation is the causation, or risk thereof, of death of or injury to
persons or damage to or destruction of property and other tangible objects’,78 like
74
Schmitt (n 72) 155.
75
Ibid. 155–6.
76
Tallinn Manual (n 73) 47. On cyber attacks and self-defence see Focarelli (Ch 12 of this
book).
77
Tallinn Manual ibid. rule 11, paras 9 and 10.
78
Schmitt (n 72) 163.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
17 / Date: 25/3
JOBNAME: Tsagourias PAGE: 18 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
critical infrastructures.79 When the conclusion is that the cyber operation amounts to an
armed attack as meant in Article 51 UN Charter use of force self-defence is allowed
for. With Schmitt, I am of the opinion that such use of force in self-defence could
involve both cyber means as well as kinetic means.80 This use of force would need to
be in accordance with the principles of necessity, proportionality81 and immediacy;82
also the Security Council would need to be informed. Projecting the intention to make
use of this right to self-defence in case of a cyber attack amounting to an armed attack
would be a lawful threat to use force as the ICJ made clear in the Nuclear Weapons
Case: […] if it is to be lawful, the declared readiness of a State to use force must be a
use of force that is in conformity with the Charter’.83 This could be seen as deterrence
via self-defence.
With the conclusion that a cyber attack may amount to an armed attack against
which self-defence is allowed for, which may involve both cyber means and kinetic
means, from the perspective of deterrence this logically would lead to a more refined
model, whereby the deterrent threat of defence (denying of the gains sought by the
cyber attacker) could be done either by cyber means, by a combination of cyber and
kinetic means, or even solely by kinetic means. Opting for such a more comprehensive
deterrence mode risks leading to a definitive militarization of cyberspace. It could, for
instance, be the option for a State that does not have advanced cyber means at its
disposal, but is strong in traditional military (kinetic) hardware.
Furthermore there is the much-debated84 question, whether a State has to wait with
its self-defence until the armed attack of Article 51 UN Charter has materialized, or
whether it may also defend itself in case of an imminent attack. Such imminent armed
attack would, in my opinion, have to be one that is under way, in other words, an
irreversible attack. This position is close to that taken by Dinstein who refers to
interceptive self-defence.85 Where the concept of imminence in the traditional debate
79
See also Tsagourias (n 16) 231.
80
Schmitt (n 72) 167.
81
‘The submission of the exercise of the right to self-defence to the conditions of necessity
and proportionality is a rule of customary international law.’ As the Court stated in the case
concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United
States of America) [1986] ICJ Rep. 1986 para. 176: ‘there is a specific rule whereby self-defence
would warrant only measures which are proportional to the armed attack and necessary to
respond to it, a rule well established in customary international law’. ‘This dual condition
applies equally to art 51 of the UN Charter, whatever the means of force employed’: Legality of
the threat or use of nuclear weapons (n 45) para. 41. See also Judith Gardam, Necessity,
Proportionality and the Use of Force by States (CUP 2004).
82
This is a different criterion than the immediacy principle of Schmitt. Here it refers to the
reaction time and the length of the self-defence operation. Compare also Dinstein (n 10) 233–4.
Schmitt formulates an immediacy principle as one of the principles to decide whether a cyber
operation amounted to a use of force, namely ‘The sooner consequences manifest, the less
opportunity States have to seek peaceful accommodation of a dispute or to otherwise forestall
their harmful effects. Therefore, States harbour a greater concern about immediate consequences
than those which are delayed or build slowly over time’: Schmitt (n 72) 156.
83
Legality of the Threat or Use of Nuclear Weapons (n 45) para. 47.
84
See Dinstein (n 10) 203–onwards.
85
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
18 / Date: 7/5
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
on the use of force has already led to much debate because of its inherent complexities,
with regard to the cyber domain it appears even more complex. Also the Tallinn
Manual takes imminence as its criterion for the right to use force in self-defence.86
What then amounts to imminence is a complicated matter. The majority of the
international group of experts that authored the Tallinn Manual rejected an approach
that ‘requires that the armed attack be about to be launched, thereby imposing a
temporal limitation on anticipatory actions’.87 Instead they opted for an approach
whereby ‘it may act anticipatorily only during the last window of opportunity to defend
itself against an attack that is forthcoming’.88 This is a complicated analysis to make
especially with regard to cyber operations that may take place at high speed. The
Tallinn Manual therefore concludes: ‘(T)he lawfulness of any defensive response will
be determined by the reasonableness of the victim-State’s assessment of the situ-
ation.’89 However laudable this may sound, it suggests a transparency that in case a
State has made a wrong judgement that State would always be liable. In most cases,
however, this would be highly unlikely given the character of digital traffic, and the
problems of attribution. And who then could make a final and authoritative determin-
ation of the reasonableness of the assessment after the fact? Given that it concerns
self-defence ex Article 51 that would lead us automatically to the Security Council. But
it seems highly unlikely that it will be able to make such a determination since it will
always involve either a P5 State, or a client State. This interpretation of imminence
therefore risks crossing over into pre-emptive or preventive self-defence,90 which
rightly could be interpreted by another State at which it is directed as an armed cyber
attack, in short offensive use of force which allows for self-defence. This is an
extremely dangerous and circular situation that should be prevented. The criterion of
imminence in cyber defence operations therefore needs to be clarified.
Finally, some observations can be made regarding critical infrastructures in general,
and in particular the production, storage and transport of dangerous goods (e.g.
chemical, biological, radiological and nuclear materials) or energy installations and
networks like those of nuclear power plants. Critical (information) infrastructures as
discussed earlier in Section 2(b) above are clear civilian objects, with civilian workers.
Under the principle of distinction, which is a core principle of humanitarian law, the
civilian population and civilian objects may not be the object of an attack. In the
86
‘The right to use force in self-defence arises if a cyber armed attack occurs or is
imminent. It is further subject to a requirement of immediacy’: Tallinn Manual, rule 15, (n 73)
60.
87
Ibid. 61(4).
88
Ibid.
89
Ibid. 62(6).
90
This would be contrary the position taken in the Tallinn Manual (n 73) 62, where it rejects
preventive strikes: ‘preventive strikes, that is, those against a prospective attacker who lacks
either the means or intent to carry out an armed attack, do not qualify as lawful anticipatory
self-defence’. See also Schmitt, ‘International Law in Cyberspace (n 73) 23–4, where he remarks
‘that the devil is in the detail’ and then discusses positions taken by the Tallinn Manual experts
on anticipatory self-defence. He, however, does not get into the question how in practice to make
the distinction between a situation where anticipatory self-defence is allowed and preventive
self-defence is not. (Furthermore he also discusses the non-state actor’s operations.)
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
19 / Date: 25/3
JOBNAME: Tsagourias PAGE: 20 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
already much-quoted advisory opinion of the ICJ this was stressed in no uncertain
terms.91 That targeting a nuclear power plant, or a critical infrastructure concerning the
production, storage or transport of dangerous goods like chemical, biological, radio-
logical and nuclear materials, may result in similar destruction as when used as a
military means does not make any difference. The rule is clear civilian objects should
not be targeted, neither in offence nor in defence.92
8. CONCLUSION
Having discussed these elements central to the question under discussion, namely
whether a cyber deterrence comparable to nuclear deterrence is possible, and if so,
whether it would be in accordance with public international law, a few observations can
be made. These conclusions concern a State actor approach and therefore largely leave
out how to deal with non-State actors, and in that sense it only deals with part of the
problem of possible offensive cyber operations.
Deterrence in terms of Morgan93 can be realized either via the projection of
‘retaliation’ or of a ‘stout defence’. In both these cases the deterrent threat is realized
by making clear that in case of a cyber attack that amounts to an armed attack there
will be a reply.
It is clear that a cyber-deterrent strategy comparable to a nuclear-strategy, with an
all-out retaliatory strike in case of an (imminent) attack, at present is not possible for
the reasons discussed above, such as not knowing who the opponent is or who to
attribute the attack to. Deterrence by the threat of retaliation in case of an attack would,
furthermore, be contrary to public international law, and some of its essential (basic)
principles. Retaliation points to a possible unlimited use of force that is intended to
harm a potential attacker. It amounts to a threat of force, which is forbidden under
Article 2(4) UN Charter and is different from self-defence since it would be aimed at
punishment and would not be based on necessity and proportionality as central
customary law criteria for self-defence. Therefore an effective cyber-deterrence strategy
via retaliation is not only technically not viable, but even if so, the projection of
retaliation would amount to a forbidden threat of force. Such cyber deterrence by
threatening to retaliate, if it could be done convincingly at all, which at present is not
the case, could not be compared to nuclear deterrence for the simple reason that nuclear
deterrence should be viewed as a category of its own, vested in the political reality of
international relations, and apparently viewed as being ‘above the law’, public
international law, as is clear from the ICJ’s advisory opinion on the use of nuclear
91
‘The cardinal principles contained in the texts constituting the fabric of humanitarian law
are the following. The first is aimed at the protection of the civilian population and civilian
objects and establishes the distinction between combatants and non-combatants; States must
never make civilians the object of attack and must consequently never use weapons that are
incapable of distinguishing between civilian and military targets’. Legality of the threat or use of
nuclear weapons (n 45) para. 78. See Yoram Dinstein, ‘The principle of distinction and cyber
war in international armed conflicts’ (2012) 17(2) J. Conflict & Sec. L. 265–6.
92
Ibid. 264.
93
Morgan (n 37) 55.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
20 / Date: 7/5
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter13 /Pg. Position:
21 / Date: 25/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
PART IV
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
1 / Date: 25/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
Governments have been aggressively pursuing development of cyberweapons in recent
years, most notably the United States,1 China, and Russia. Cyberweapons are a new
kind of weapon.2 As with all new weapons, decisions should be made about how
ethical it is to employ them in various situations. We will focus here on their use by
militaries; so far there has been little threat from nongovernmental groups such as
terrorist organizations, though some businesses have expressed interest in using them
against their foreign competition. There is much debate about how well the current
laws of warfare3 apply to cyberweapons.4 First however we need to identify the ethical
issues involved since they guide lawmaking. Key ethical issues with cyberweapons
arise in their implementation, targeting, and damage recovery. The discussion has
evolved quickly since our earlier survey.5
To limit the size of this chapter, we will focus on characteristics of cyberweapons
that significantly differ from those than conventional weapons. Much also has been
written about the ethics of conventional warfare,6 and much of that can be applied to
cyberweapons.7 But the special characteristics of cyberweapons raise some new ethical
* This work was supported by the U.S. National Science Foundation under grant 1318126
of the Secure and Trustworthy Cyberspace Program. The views expressed are those of the author
and do not represent those of the U.S. Government.
1
Tom Gjelten, ‘First strike: US cyber warriors seize the offensive’ (January/February 2013)
World Affairs Journal <www.worldaffairsjournal.org/article/first-strike-us-cyber-warriors-seize-
the-offensive> accessed 8 November 2013, 201.
2
Sanjay Goel, ‘Cyberwarfare: connecting the dots in cyber intelligence’ (2011) 54 (8)
Communications of the ACM 132–40.
3
ICRC (International Committee of the Red Cross), ‘International humanitarian law –
treaties and documents’ <www.icrc.org/icl.nsf> accessed 1 December 2007.
4
Robert Belk and Matthew Noyes, ‘On the use of offensive cyber capabilities: A policy
analysis on offensive US cyber policy’ (March 2012) <http://belfercenter.ksg.harvard.edu/
experts/2633/robert_belk.html> accessed 8 November 2013. See also Gill (Ch 17 of this book),
Bannelier-Christakis (Ch 16 of this book) and Arimatsu (Ch 15 of this book).
5
Neil C. Rowe, ‘The ethics of cyberweapons in warfare’ (2010) 1 (1) Int’l. J. of
Technoethics. 20–31.
6
Michael Walzer, Just and Unjust Wars: A Moral Argument with Historical Illustrations
(Basic Books 2006); S. Lee, Ethics and War: An Introduction (Cambridge, UK: Cambridge
University Press, 2012).
7
Edward T. Barrett, ‘Warfare in a new domain: the ethics of military cyber-operations’
(2013) 12(1) J. of Military Ethics 4–17.
307
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
1 / Date: 25/3
JOBNAME: Tsagourias PAGE: 4 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
problems, especially in the conduct of warfare (jus in bellum).8 We shall follow here a
negative utilitarian approach to ethics in which we try to assess the negative cost to
societies of various policies with cyberweapons and try to recommend policies that
result in the least negative cost on average. Negative utilitarianism is appropriate here
because the benefits of cyberattacks are not especially diverse, being confined to
disabling adversary computer systems, networks, and what they control.
The Stuxnet cyberattack on Iran9 provides an example of a problematic cyberattack.
Some have lauded this as an example of ‘clean’ cyberwarfare since it appeared to have
a narrow target and achieved some tactical success against it. The target appears to have
been software for industrial-control machines for Iranian centrifuges used for process-
ing uranium, and the attacks appeared to cause destruction of at least some of the
centrifuges. But to achieve this success, many machines had to be infected with the
malicious code (‘malware’) with the hope of eventually transferring their infection to
the target machines. This mode of infection was like a virus, and the attack code spread
to millions of machines, so the attack involved widespread (albeit small) product
tampering. Because the propagation methods were unreliable, multiple redundant
methods were used. Once the attack was recognized, the new propagation and attack
methods were analyzed and reports were published. This enabled criminal attackers to
exploit these new attacks for their own purposes10. So there was direct collateral
damage from the propagation of the attack (small damage to many machines adding
up) as well as from the criminal applications of the methods.
This case suggests we should be skeptical of claims that cyberweapons are precise
weapons that do not cause significant or lasting collateral damage.11 This should not be
a surprise because precision is often difficult for new weapons. Consider for instance
air targeting with drones in Pakistan12 for which ‘very few’ of the attacks (though it
varies with the estimator) were on militants, and similar results could likely have been
better obtained without violence through judicial proceedings. The problem is that there
are just too many possible errors in targeting when the attacker is not near the target
and does not understand the culture. We suspect cyberattacks will be similarly errant, as
they appear similarly low-risk to a remote perpetrator.
8
Herbert S. Lin, Kenneth W. Dam & William A. Owens (eds.), Technology, Policy, Law,
and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies
Press 2009).
9
Michael J. Gross, ‘A declaration of cyber-war’, Vanity Fair (April 2011) <www.
vanityfair.com/culture/features/2011/04/stuxnet-201104> accessed 12 May 2012. See also Gill
(Ch 17 of this book) and Bannelier-Christakis (Ch 16 of this book).
10
Dan Kaplan, ‘New malware appears carrying Stuxnet code’, SC Magazine (18 October
2011) <www.scmagazine.com/new-malware-appears-carrying-stuxnet-code/article/214707>
accessed 1 August 2012.
11
Please see Gill (Ch 17 of this book).
12
Stanford Law School International Human Rights and Conflict Resolution Clinic and New
York University School of Law Global Justice Clinic, ‘Living under Drones: Death, Injury, and
Trauma to Civilians from U.S. Drone Practices in Pakistan’ (September 2012) <http://
www.livingunderdrones.org/report/> accessed 1 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
2 / Date: 1/4
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
2. DEFINING CYBERWEAPONS
Cyberweapons are weapons that primarily use software to achieve their effects. They
are usually in the form of modified programs to control computers and devices. Usually
these modifications are for the purpose of sabotage, to prevent a victim from using their
computer systems or certain aspects of those systems. A cyberweapon might prevent a
missile defense system from functioning properly so that it will be destroyed by a
missile. A cyberweapon could also delete key data or programs from a computer
system so that it cannot do its tasks, or it could block network access so a system
cannot communicate with others. Usually cyberweapons do not actively create false
data, as that it more difficult to do. So sabotage is usually the goal.
The use of cyberweapons is a special case of a cyberattack. Cyberattacks are any
methods that attempt to subvert computer software for some gain to the perpetrator.
Most cyberattacks today are by criminals and support financial fraud. But they are also
important today to intelligence agencies as a way to automate their collection of
difficult-to-obtain or secret information. The U.S. has been subjected to extensive such
intelligence gathering recently. But these are not cyberweapons because they do not try
to disable systems. Thus they fall within the range of intelligence gathering in the laws
of war, and do not justify counterattack in response.
Military commanders want control of their weapons, so many cyberweapons are
designed to be controlled remotely over the Internet using the techniques of ‘botnets’
where the attacker’s machine sends orders to victim machines to direct their espionage
or sabotage.13 It is reported that the U.S. and China are eagerly pursuing this
approach.14 If a target is not attached to the Internet, timing mechanisms or specifica-
tions of trigger events can be used to control it.15
Software techniques proposed (and occasionally used) for cyberweapons are similar
to those used for criminal cyberattacks.16 These usually involve impersonation to gain
unauthorized access using flaws in the software of computers, followed by installing
malicious software on those computers. However, the ultimate goals of cybercriminals
are different. They mostly want to steal rather than sabotage, and high priorities for
them are stealing bankcard numbers and other personal information and sending spam
(unsolicited email), both good ways to earn quick money. Criminals are becoming
increasingly professional in probing well-known software for flaws and developing
attack methods, and their discoveries are just what cyberweapons developers need.
Some have argued that cyberweapons are ‘nonlethal’ and thus raise few ethical
questions. Mortality is not the only ethics metric in warfare, as people can be
unethically harmed without being killed, an issue we will discuss further here.
However, allegedly ‘nonlethal’ weapons can definitely kill people, as for instance as
13
Christopher Elisan, Malware, Rootkits, and Botnets: A Beginner’s Guide (McGraw-Hill
Osborne 2012).
14
Gjelten (n 1).
15
Randall Dipert, ‘Other-than-Internet (OTI) cyberwarfare: challenges for ethics, law, and
policy’ (2013) 12 (1) J. of Mil. Ethics 34–53.
16
Cameron H. Malin, .James M Aquilina & Eoghan Casey, Malware Forensics Field
Guide for Windows Systems: Digital Forensics Field Guides (Syngress 2012).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
3 / Date: 25/3
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
crowd-control foam from which people can suffocate, since nearly any method of
human control can be lethal in unexpected circumstances. Cyberweapons can kill
directly as when they interfere with operations at hospitals or in industry (Iran alleges
that Stuxnet caused an explosion of a centrifuge that killed a worker). Cyberweapons,
like other weapons, can also kill indirectly in many ways by damaging the infrastruc-
ture of a society. For instance, it has been estimated that the damage to Iraqi society by
the U.S. invasion resulted in a 654,000 additional deaths 2003-2006 of which 92
percent were due to violence,17 plus another estimated 300,000 deaths through 2011
due to damage to the Iraqi infrastructure.18 We need to evaluate cyberweapons with
most of the same standards as other weapons to see how harmful they are. Actually,
they have a number of analogies to biological weapons in their dissemination methods
and their difficulty of control,19 and biological weapons are prohibited by several
treaties.
3. PECULIARITIES OF CYBERWEAPONS
We can enumerate several key differences between cyberweapons and most traditional
weapons:
17
Gilbert Burnham et.al., ‘Mortality after the 2003 invasion of Iraq: a cross-sectional cluster
sample’ (2006) 368 (9545) The Lancet 1421–8.
18
Amy Hagopian et. al., ‘Mortality in Iraq associated with the 2003-2011 war and
occupation: findings from a national cluster sample survey by the University Collaborative Iraq
Mortality Study’ (2013) 10 (10) PLoS Medicine <www.plosmedicine.org/article /info%3Adoi%
2F10.1371%2Fjournal.pmed.1001533> accessed 9 November 2013.
19
Rowe (n 5).
20
Neil Rowe et. al., ‘Challenges in monitoring cyberarms compliance’ in Panayotis
Yannakogeorgos and Adam Lowther (eds.) Conflict and Cooperation in Cyberspace: The
Challenge to National Security in Cyberspace (Taylor and Francis 2013) 81–100.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
4 / Date: 25/3
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
These features have many ethical implications. In this chapter we will focus on those
which we consider the most important: justifying a cyberattack in cyberwar, the
product tampering required for cyberweapons, the unreliability of cyberweapons, the
difficulty of recovering from the damage of cyberweapons, and the ease of collateral
damage with cyberweapons. These relate to the classic ethical issues in the conduct of
war of having adequate justification for an attack, proportionality22 of the attack to the
provocation, discrimination23 of combatants from noncombatants, and ability to assign
responsibility for conduct.24
21
Adam Segal, ‘The code not taken: China, the United States, and the future of espionage’
(2013) 69 (5) Bulletin of Atomic Scientists 38–45.
22
See also Gill (Ch 17 of this book).
23
See Bannelier-Christakis (Ch 16 of this book).
24
Alexander Moseley, ‘Just War Theory’ (Internet Encyclopedia of Philosophy) <www.iep.
utm.edu/justwar> accessed 14 March 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
5 / Date: 25/3
JOBNAME: Tsagourias PAGE: 8 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
4. JUSTIFYING A CYBERATTACK
Many of the ethical principles about starting traditional warfare (jus ad bellum) apply
to cyberwarfare.25 A nation must be attacked first, suffer serious harm, and have no
other feasible alternatives before it can consider cyberwarfare. But there is a special
problem of the greater difficulty of attribution of a cyberattack compared to conven-
tional attacks. Traditional land, water, and air warfare involve large military entities that
have a clear direction of origin which makes it clear who is attacking whom. This is
less true of cyberwarfare. The malware used will likely have no obvious signs of origin,
and its implantation on victim computer systems may not be recorded; and if the
Internet was used to deliver it, its backtracing will be ambiguous. There are some ways
to prove attribution if the attacking country’s computer systems can be accessed, but
that can be very difficult. To be sure, a country may have suspicions about who
attacked it, but the world community needs legal-quality evidence to endorse a
response following the laws of war. Thus it is very difficult to ethically justify
counterattack in response to a pure cyberattack when applying the ethical principle of
responsibility.
However, it certainly makes sense that a traditional military attack could justify a
cyber-counterattack. Indeed, cyberattack methods could be an important force multi-
plier for military commanders, allowing them to achieve the same results with fewer
forces and with possibly less harm to both sides.26 It also makes sense to combine the
cyber-counterattacks with traditional counterattacks since there are important targets
not in cyberspace. However, achieving less harm with cyberattacks than traditional
attacks is not automatic, and each case needs to be evaluated carefully according to the
criteria we discuss below.
25
Barrett (n 7). See also Roscini (Ch 11 of this book) and Focarelli (Ch 12 of this book).
26
Dorothy Denning & Bradley Strawser, ‘Moral cyber weapons: the duty to employ
cyberattacks’ in Luciano Floridi and Mariarosaria Taddeo (eds.), The Ethics of Information
Warfare (Springer 2014).
27
Neil C. Rowe, ‘Cyber perfidy’ in Fritz Allhoff, Nicholas G. Evans & Adam Henschke
(eds.), The Routledge Handbook of War and Ethics (Routledge 2013) 394–404.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
6 / Date: 7/5
JOBNAME: Tsagourias PAGE: 9 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
renders materially false or misleading the labeling of, or container for, a consumer
product’. This has a penalty of up three years in prison; tampering that causes bodily
harm receives up to twenty years. These laws apply to software under the classification
of ‘device’ where malicious modification renders misleading the labeling of the
software. Users of software are generally required to sign end-user license agreements
that prohibit tampering with it.
The reason that product tampering is virtually essential to cyberweapons is that
computer systems and digital devices are generally very reliable and strongly resistant
to attempts to subvert them for unanticipated purposes. Attacking a computer system
directly by sending it malicious instructions will usually be ignored. Flooding it with
too much data rarely works because most computer systems limit the rate at which they
accept information or requests. So an attacker must almost always impersonate a
legitimate user of a computer or digital device to perpetrate a cyberattack on it. Usually
the goal is to subvert and impersonate the operating system, the software that controls
the entire computer. Particular targets are the security kernel of the operating system,
the file management system, the update manager, the networking software, and the
electronic mail system. All these are civilian artifacts almost entirely implemented by
civilians, and there are very few alternatives due to the near-monopolies by a few
companies. Making them military targets is similar to poisoning a well that a
community must use.
Unfortunately, that is perfidy if done during war. Perfidy is impersonation of civilians
by military forces, and is prohibited by the laws of war because failing to do so would
result in far higher civilian casualties. Guns, bombs, and missiles do not need to
impersonate people to work, so cyberweapons are fundamentally different. Thus
virtually any cyberweapon installation or use appears to be unethical on the perfidy
criterion.
There are alternatives to perfidy in cyberweapons. Denial-of-service attacks involv-
ing flooding of a victim with information may not require perfidy. Perfidy is also
unnecessary for defense against attacks. Since botnets are the preferred method of
controlling cyberweapons, all the defender need do is interfere with the communica-
tions of the botnet to prevent an attack from being launched; they do not need to get
onto the attacker’s system to stop the attack. Interference can be accomplished by
packet filtering. Even if the attacker encrypts their communications, the sources and
destinations of their packets cannot be encrypted if they are to reach their targets, and
the sizes and signatures of their packets provide clues to recognize them.
One objection to this notion of cyber perfidy is that cyberweapons do not involve as
much threat to human life as perfidy with people would. We disputed this nonlethality
claim above. But the Geneva Conventions do not require a death threat to civilians in
its definition of perfidy; more general harm such as threats of injury and capture are
also included. Just-war theory does permit ‘dual-use’ weapons that harm civilians as
well as military targets when the military benefit is high, but attacking almost-
exclusively civilian targets is considered unethical. Cyberwarfare is questionable
ethically on that basis.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
7 / Date: 7/5
JOBNAME: Tsagourias PAGE: 10 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
28
Strawser & Denning (n 26).
29
See Bannelier-Christakis (Ch 16 of this book).
30
See Gill (Ch 17 of this book).
31
Alex J. Bellamy, Just Wars: From Cicero to Iraq (CUP 2006).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
8 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
more problems with identifying the context of a target in cyberspace and meta-
phorically seeing a ‘red cross’.
The unreliability of cyberweapons encourages commanders to use massive and
multifaceted cyberattacks to ensure a desired effect. For instance, Stuxnet used at least
five different novel propagation methods. Overkill tends to result in unnecessary
damage when the attacker underestimates the chances of success, and unnecessary
damage requires more work to repair. Underestimation of effects will be frequent with
cyberweapons because the conditional probabilities of one weapon succeeding when
another succeeds are not independent but positively correlated in unpredictable ways,
since there can be hidden common underlying vulnerabilities that both weapons can
exploit. Thus overkill can easily happen with cyberweapons and can violate the
principle of proportionality in the laws of war.
Another reliability problem is that automated or semi-automated cyberweapons may
not be stoppable after termination of hostilities, a violation of the laws of war regarding
armistices (which derive from the ethical principle of responsibility for warfare).
Cyberweapons not controlled from the Internet, as by a timer, would be examples. But
even for botnet-controlled cyberattacks, once a victim recognizes they are under attack,
they would likely terminate running processes and close network ports; such activity
could very well break the Internet connection being used to control the attack and
prevent it from being stopped. This suggests that an ethical cyberattacker must either
use self-limiting attacks, such as attacks that destroy a set of data and then stop, or use
mechanisms of control that are highly resistant to victim manipulation such as
unsuspected timing channels for conveying commands. (Timing channels convey
information in the time delay between external events such as the appearance of a
packet from a particular address.)
Unreliability also has strategic implications. There is not much deterrence value in
advertising the possession of a cache of cyberweapons, since many of them will not
work, and advertising enables potential victims to better defend themselves since they
can start hardening their defenses and filtering out traffic from the threatening country.
This means a country would get the same deterrence effect whether or not it has
cyberweapons – so there is no point getting them unless intending to use them soon.
But that means cyberweapons are only good for unprovoked attacks, a violation of the
laws of war. Another issue is that unreliable weapons are poor choices in a conflict
since there are many reliable weapons that better ensure proportionate and discrimin-
atory responses. It thus could be unethical for a commander to use a cyberweapon.
The U.S. thinks it has an answer to the unreliability of cyberweapons: It will launch
massive cyberweapons campaigns. This is consistent with U.S. policy to stage massive
traditional attacks, as in Iraq in 2003 to create ‘shock and awe’ (alias terror). It is then
hoping that the victim country cannot respond with counter-cyberattacks on a similar
scale. But the U.S. military does not have the resources it once did due to the declining
U.S. economy in the face of foreign competition. It can no longer rely on enormous
shows of force to advance its national interests. Of course, software vendors promise
the U.S. military all kinds of capabilities. Cyberweapons are a very appealing product
for software vendors to sell to the U.S. government – software that is rarely used, can
be made to look good in artificial test conditions, and will likely fail in real conflict
long after the vendor has been paid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
9 / Date: 25/3
JOBNAME: Tsagourias PAGE: 12 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
32
See Gill (Ch 17 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 13 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
8. COLLATERAL DAMAGE
Perhaps the most serious ethical problem with cyberweapons is their potential for
collateral damage to civilians. This can violate the ethical principle of discrimination of
noncombatants.
Cyberattack methods have been employed so extensively against civilians by
criminals that an important question is how well cyberattacks in cyberwar can be
focused on exclusively military targets. The definition of a civilian is increasingly
unclear in modern warfare,35 and increasing rates of collateral damage in modern
warfare are apparent.36 The U.S. has claimed for many of its drone strikes in Pakistan
that any military-age males killed must be combatants, so we will undoubtedly hear a
similar argument from any aggressor about the victims of their cyberattacks during
cyberwarfare. But we can generally identify civilians as people with not contributing
substantially to warfare by their activities or products.
Cyberattacks involve manipulation of programs and data and there are many ways to do
this. Ideally, a cyberattack should modify a single target program or file on a computer
system, something critical to warfighting. We call these type-0 cyberattacks. This is
consistent with the standard goal of warfare to interfere with a victim’s ability to wage
war, which is a more ethical goal than just damaging a victim by the notion of
proportionality. Consider the software for a missile-defense system as in the Israeli
quasi-cyberattack on Syria in 2007;37 an intelligence operative could put a copy of
software for missile defense on a victim’s system that, unlike a correct copy, will
33
See Buchan (Ch 8 of this book).
34
Rowe (n 20).
35
Pauline Kaurin, ‘When less is more: expanding the combatant/noncombatant distinction’
in Harry Van Der Linden, John W. Lango & Michael W. Brough (eds.) Rethinking The Just War
Tradition (SUNY Press 2007). See also Bannelier-Christakis (Ch 16 of this book).
36
Thomas W. Smith, ‘The new law of war: Legitimizing hi-tech and infrastructural violence’
(2002) 46 Int’l. Stud. Q. 355–374.
37
Richard Clarke & Robert Knake, Cyber War: The Next Threat to National Security and
What To Do About It (HarperCollins 2010).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
38
United States Cyber Consequences Unit, ‘Overview by the US-CCU of the Cyber
Campaign against Georgia in August of 2008: US-CCU Special Report’ (August 2009)
<www.usccu.org> accessed November 2, 2009.
39
David Raymond et. al., ‘A control measure framework to limit collateral damage and
propagation of cyber weapons’ in Karlis Podins, Jan Stinissen & Markus Maybaum (eds.), 2013
5th International Conference on Cyber Conflict (NATO CCD COE Publications 2013).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
12 / Date: 25/3
JOBNAME: Tsagourias PAGE: 15 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
This sounds encouraging at limiting the collateral damage of cyberweapons, but this
is illusory. The information that a cyberweapon can extract about its environment will
often be technical information that does not reveal the true nature of a potential target.
Just knowing the Internet (IP) address cannot confirm it is a military target, since even
if it is in a block of addresses owned by the military, it could be a military hospital, a
public-relations office, or a housing complex. Rarely is an explicit statement of purpose
attached to a computer system and visible from inside it. And any potential target
should take pains to ensure its range of critical military addresses is kept secret, so it
will be hard to get useful address information. Furthermore, a potential target may also
distribute false address information, may deliberately create decoys to encourage
attacks on the wrong targets, or may camouflage the right targets, as those are standard
military tactics. Or a criminal may spoof a military site to gain leverage. Cyber-
sabotage could be preceded by a long period of espionage to thoroughly confirm the
identity of a machine before attacking it, but the more espionage done, the more likely
it will be discovered, and the less likely an attack will be effective.
Just knowing what software is on a system is similarly ambiguous. How can it be
proven that a particular software product is used by military organizations? This would
require extensive intelligence to confirm, and the whole appeal of cyberweapons is in
not having to visit the target. Military organizations generally use a considerable
amount of civilian software because it is cheaper than the alternatives. Even if there are
distinctive features of the cyber-environment of a military organization, identically-
named or similarly-named software or data entities could be confused. This is
analogous to the mistargeting of drone strikes when civilians have similar names to
insurgents. A site may also be judged a military target on the grounds of its behavior or
its associations with known military sites, neither of which sufficiently justify the use
of deadly force as per the principle of discrimination.
We should note the unfortunate trend in modern warfare to reclassify civilian targets
as military. Electrical grids are increasingly considered military objectives40. This
created a good deal of collateral damage to civilians in Iraq in 2003-2004 since many
utilities such as communications, water systems, and refrigeration depended on the
electrical grid; in fact, civilians depend more on the electrical grid than militaries do
since militaries have better backups like generators and batteries. Disabling the grid in
Iraq did quickly achieve military results, but it took much time to restore infrastructure
and there was much unnecessary civilian suffering. We should expect to see even more
civilian targeting with cyberweapons since cyberweapons appear more benign.
Denial-of-service attacks on Internet sites involve damage to availability of a network
service for a period of time but where no product tampering need be done. The
cyberattacks on Georgia in 2008 were predominantly denial-of-service attacks against
civilians41. Collateral damage can still occur with them because denial of service is a
rather crude weapon, and it will slow down not just the direct targets but also any sites
trying to connect to the targets, and some of these could be civilian. And again, it may
be difficult to correctly identify a civilian site.
40
Smith (n 36).
41
United States Cyber Consequences Unit (n 38).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
13 / Date: 8/5
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Let us now consider the costs of collateral damage of cyberweapons so we can apply
utilitarian ethics. One category is the direct cost of repair. Recovering from a
cyberattack requires removal of malware-infected files and running malicious pro-
cesses, but this is not often simple, as we discussed above in the section on repair, and
the cost can vary considerably with the system. Restoring an operating system requires
some time, though not all human-supervised, and the people doing it need a certain
level of technical knowledge. If there are backups, some tedious labor will be needed to
find them and restore them. Typically the restoration also destroys the data on the
systems, which will cost additional effort to restore if it can be restored. The people
doing this work need a certain level of technical knowledge, so the overall cost should
be several thousand U.S. dollars per system. However, if there are no backups for some
or all of the files, the cost of permanent data loss can be considerably more. A lack of
backups, in fact, could be a good reason to target a system in cyberwar.
Alternatively, the responder to the attack can try to ‘patch’ (repair) just the programs
and data having unauthorized modifications. Sites such as cert.org provide guidance on
how to do such patches for specific types of attacks with specific indicators. But these
are unlikely to be useful against cyberwar attacks as the attacks are likely to be novel
and resistant to known patch methods. A country that follows a patching strategy will
be subjected to years of repair activities.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 17 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
cost of a single cleanup to get the overall cost of an attack. But if pK>1 the propagation
is unbounded, and that was apparently true of Stuxnet. If malware can be analyzed
carefully, its propagation methods may be identified, and its damage might be more
easily traced. This is very time-consuming and may not succeed. To avoid tracing, if an
attack is detected on one computer of a local-area network, the rest of the network
usually receives repair or restoration too. This multiplies the cost of an individual
system repair by the size of the network, which can considerably increase costs.
Countermeasures are eventually found for attacks, and the propagation rate should
decrease over time. However, many computer systems and devices never get any
countermeasures, due to lack of funds, carelessness, or previous cyberattack, and so
there are always a residuum of machines willing and able to spread even an old
cyberattack. This means that propagation of attacks can continue a long time.
If the attack came in over the Internet, it can be politically important to identify the
country that is responsible for the attack. Tracing across the Internet can be difficult
because routing information is generally short-lived and attackers will go to great
lengths to conceal their origins by using proxy servers, spoofed servers, and long
chains of control. But the increasing international cooperation on sharing routing
information can be helpful, and intelligence data comparing attack code to that on
likely sources of the attacks can be helpful in clinching a case against a country. This
kind of investigation requires significant effort, however.
Another important source of collateral damage not often considered is the effort to
understand the cyberattack. This includes analyzing the attack, finding methods to
repair its damage, finding ways to strengthen defenses against it, extracting signatures
of the attack for use by anti-malware software, and publishing and discussing the
findings. It may also include attribution of the source of the attack to enable better
countermeasures. All these steps are considered standard practice for novel attack
methods,42 and cyberweapons will almost invariably use novel methods to increase
their chances of success. As with Stuxnet, methods of cyberattack against military
systems will often be usable against civilian systems, so some degree of reporting and
analysis of military cyberattacks is ethically imperative. And it needs to be done
quickly, since once an attack has occurred its techniques are disseminated quickly and
can be used in copycat attacks.
Cyberweapons will likely incur higher costs for analysis than criminal cyberattacks.
That is because they have the resources of nation-States for their development. Thus
they will be more likely to be novel, will be better tested, will be more likely
obfuscated to make analysis difficult, and will require more work to find counter-
measures. Hence even if cyberattacks on military targets do not propagate much to
civilian systems, they may incur significant cost to civilians.
Will some military victims try to conceal attacks, thereby depriving the world
community of useful intelligence about the attack methods? It is unlikely because most
42
TechRepublic, ‘Flaw finders go their own way’ (26 January 2005) <http://www.
techrepublic.com/article/flaw-finders-go-their-own-way/> accessed 1 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
15 / Date: 7/5
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
victims will be weaker than their attackers (else they would be less likely to be
attacked) and often want all the international help they can get. Even if the attack is on
a secret facility whose details the victim does not want to reveal, often the attacked
software is civilian, and can be fully revealed without violating secrecy. In addition, an
attack on a secret facility may still be detected elsewhere by its collateral damage, as
with Stuxnet.
Much work on analyzing attacks, determining countermeasures, extracting signa-
tures, and disseminating reports about them is done by civilian infrastructure today
since civilians are bearing the brunt of cyberattacks. This kind of work needs to be
done highly trained professionals, so it can be expensive. Initial clues are provided by
observations of odd behavior reported on bulletin boards and blogs such as Bugtraq (at
www.securityfocus.com) and those of software vendors for their user communities.
Discussion on those sites tries to narrow down the circumstances of the behavior and
attribute it to particular features of the software. Professionals at Mitre study these
discussions and decide whether it represents new vulnerability (which is usually due to
a software bug); if so, they give it a CVE number at cve.mitre.org which represents the
vulnerability’s de facto label in subsequent discussions. Security professionals then try
to plan remediation efforts; usually the responsibility is that of the software vendor, but
in the case of serious problems, governments may also be involved. Remediation
usually requires testing by the vendor to find a complete set of fixes. The fixes usually
involve changing the original vulnerable software or its configuration parameters. If the
vulnerability is serious enough, it is posted along with details including signatures for
identifying it and proposed remediation measures at sites such as www.kb.cert.org (the
US-CERT Vulnerability Notes Database) and web.nvd.nist.org, which represent de
facto official recognition.
Attempting to attribute an attack to a particular country or group entails additional
costs. If malware came in over the Internet, log files for the intervening computers can
be inspected for evidence. There will need to be some distinctive features of the
malware for this to work, and malware tries hard to conceal itself, so the success rate in
tracing it will be low. Cyberwar malware will almost certainly be encrypted to
eliminate the possibility of recognizing signatures in its contents, though matching its
occurrences can still be done to trace its path across the Internet. If malware was
installed surreptitiously without coming through the Internet, tracing possible instal-
lation times can be done, and analysis of the text of the malware may suggest
distinctive national or personal code-writing styles. But all this takes a good deal of
time. A thousand hours of the time of trained personnel would be a reasonable guess,
for a total cost of US $100,000.
It thus costs at least $100,000 for the world to analyze and find countermeasures for
a new attack method. Stuxnet was sufficiently novel that considerably more effort was
expended in its analysis, so $1,000,000 is a better figure for it. If Stuxnet were
primarily an Israeli operation, as it appears to be, Israel should be paying this cost to
the professionals around the world for its perpetration of the attacks, since no state of
war exists between Israel and the countries of nearly all those professionals; in fact,
much initial analysis of Stuxnet was done in Russia, so Israel owes Russia a significant
sum. This sort of widespread collateral damage has no counterpart with bombs and
missiles.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
16 / Date: 25/3
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Cyberweapons are well suited for inducing mistrust of a victim in their military
systems since attack machinery can be well hidden. When a victim is attacked or
discovers a weapon, they may suspect that other weapons are concealed. Some of the
damage of a cyberattack by a cyberweapon can then be psychological, and this can be
an effective deterrent against the victim going to war.44 Interestingly, this damage can
occur even before going to war, as for instance when many countries overestimate U.S.
cyber capabilities. But the damage is greatest when cyberweapons have actually been
demonstrated on a victim in a convincing manner. This damage can extend well beyond
military systems because an effective cyberattack will likely be reported by the victim
to gain international sympathy, and this reporting will reduce the confidence of
civilians in their digital infrastructure. People may start to blame every problem with
their computers and devices on malware. While from a military effectiveness standpoint
this provides a multiplier on the effect of a weapon, it is bad from a collateral damage
standpoint because the psychological damage may be unpredictable. Militaries prefer
predictable weapons.
Psychological collateral damage is particularly difficult to measure because it may
have little relationship to the actual damage. Overwhelming damage to a country’s
military can have dramatic political consequences, as seen in Argentina after the
Falklands war. Or civilians may just interpret the damage as the military’s own problem
with little impact on themselves. If a country continues to live in fear for a long time
after a cyberattack, this could have profound consequences for people in that country.
43
Sparks et. al., ‘The collateral damage of Internet censorship by DNS injection’ (2012) 42
(3) ACM SIGCOMM Computer Communications Rev. 22–7.
44
Martin C. Libicki, ‘Cyberwar as a confidence game’ (2011) 5 (1) Strat. Stud. Q. 132–46.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
17 / Date: 25/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The Stuxnet attacks led Iran to retaliate by attacking U.S. targets to very little effect,45
wasting resources that could have better spent elsewhere in Iran. The terrorist attacks
on the U.S. in September 2001 induced an overreaction that has done little good for the
U.S. in light of the few terrorist threats it has had subsequently.46 Cyberweapons, with
their mysterious modes of operation and concealed effects, are even better at inducing
fear in a populace. Cyberweapons with broad psychological damage, such as
unnecessarily powerful cyberweapons that shut down cyberspace for weeks, could be
unethical regardless of their targets.
Many of the costs we have mentioned above can be measured, so we can often apply
utilitarian ethics. Let us take Stuxnet as an example. We conservatively estimate that
10,000,000 machines were infected worldwide by the multiple propagation mechan-
isms. Even though these infections did not sabotage most of the machines, it was not
obvious at first that this was true, so quick detection and removal on each machine was
important. The detection and removal were bundled with handling other threats, and
their amortized time cost was probably around a second of a user’s time, hence their
cost was around 10,000,000 * $100 per hour/3600 seconds = $277,000. The cost of
discovery and mitigation of Stuxnet was at least $1 million as discussed above.
Attempts at attribution probably cost around $100,000 since there was not much
concern about it for this attack. The reuse of the attack methods by criminals probably
resulted in 10,000 incidents worldwide having varying costs but probably averaging at
least $100 per incident for $1,000,000 total. The psychological cost to Iran was at least
$500,000 just from the cost of the wasted attacks on the U.S. Thus the total collateral
damage of Stuxnet was at least $2.9 million. This needs to be compared to the numeric
benefit of Stuxnet, a delay of a few months in Iran’s nuclear development, something
difficult but not impossible to estimate.
Thus the cost of a cyberattack that does not kill anyone could easily reach millions of
U.S. dollars. One much-cited study47 assigns a value to a U.S. human life at $4.7
million based on economic impact, and the U.S. Government has assigned values
ranging from $6 million to $9 million recently.48 Since this value has a large economic
component, it will be less where per capita income is less. The international standard
for insurance purposes is $50,000 per future year of human life,49 which would give a
value of $2 million for an average adult. This value should be decreasing on an
45
Siobhan Gorman & Danny Yadron, ‘Banks seek U.S. help on Iran cyberattacks’ Wall
Street Journal (16 January 2013) <http://online.wsj.com/news/articles/SB100014241278
87324734904578244302923178548> accessed 1 September 2014.
46
Paul R. Kimmel and Chris E. Stout, (eds.), Collateral Damage: The Psychological
Consequences of America’s War on Terrorism (Praeger, 2006).
47
W. Kip Viscusi, ‘The value of life: estimates of risk by occupation and industry’ (2004) 42
(1) Economic Inquiry 29–48.
48
Binyamin Appelbaum, ‘As U.S. agencies put more value on a life, businesses fret’, The
New York Times (16 February 2011).
49
Kathleen Kingbury, ‘The value of a human life: $129,000’, Time (May 20, 2008)
<content.time.com/time/health/ article/0,8599,1808049,00.html> accessed 23 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
18 / Date: 25/3
JOBNAME: Tsagourias PAGE: 21 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
9. CONCLUSIONS
Cyberweapons are yet another step in the institutionalization of cowardice. With them
the attacker is even more remote from their victim than with extrajudicial executions by
drones in Pakistan today. This means further opportunities for errors and misjudgments
in targeting, and further opportunities for collateral and persistent damage. This is
consistent with the argument that modern high-technology warfare will and must
increasingly target civilians.50 Worse, much of the damage will be hidden or dissemin-
ated across networks, so aggressors will not get adequate feedback about what they
have done, and victims may find it difficult to remove the damage after the end of
hostilities. Cyberweapons also embody some serious ethical problems on their own
beyond collateral damage, since they are so close to cyberespionage in methods that it
is very tempting to use them for small provocations,. They also usually demand cyber
perfidy, and their dependence on software flaws makes them unreliable and inviting of
overkill.
Thus a civilized country needs to think carefully before embarking on cyberwarfare.
It is becoming increasingly important to resolve cyberconflicts without the violence of
cyberattacks, as reducing violence is a desirable goal in cyberspace just as for other
forms of warfare.51 Because of this host of ethical challenges associated with
cyberweapons, their use should be discouraged, and international agreements should be
sought to restrict their use, much in the manner of nuclear, chemical, and biological
weapons.
50
Smith (n 36).
51
D.J. Christie et. al., ‘Peace psychology for a peaceful world’ (2008) 63 (6) American
Psychologist 540–52.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter14 /Pg. Position:
19 / Date: 7/5
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The prospect of cyber warfare has brought to the fore a number of distinct legal
questions that merit further scrutiny. Although existing law is capable of meeting most
of the challenges thrown up by this new domain, it would be unwise to underestimate
the difficulties that cyber is likely to present, not least in respect of determining the
existence of an armed conflict and its classification. As with all law, international
humanitarian law is constituted on a number of assumptions, two of which are pertinent
to classification: the existence of the territorial border and knowledge as to the identity
of the adversary. The cyber domain’s apparent disavowal of the border, forces us to
re-engage with questions that remain contested pertaining to the spatial reach of the law
given its ostensible fidelity to the geographical border. However, in practice, it is
probably the challenge associated with correctly identifying the actor who is respons-
ible for the cyber-attack in question that will prove more problematic. This is because
the type of armed conflict or its ‘classification’ is contingent on knowing the identity of
the adversary and only then can a determination be made as to what rules apply in the
circumstance. What is more, the anonymity that cyber affords has the potential to
deprive us of judgment as to whether international humanitarian law even applies to the
particular situation of violence since the relevant test for operationalizing the law is
contingent on knowledge as to the adversary’s identity.
The history of and reasons for why States insist on classifying armed conflict as a
matter of law has been examined elsewhere and will therefore not be retraced in this
chapter.1 For present purposes, what matters is that international humanitarian law
recognizes two types of armed conflict: international, or those waged between two or
more States; and non-international, which include both those fought between the armed
forces of the State and an organized non-State armed group or between such groups.2
As noted, identifying the character of the conflict is necessary because different rules
apply depending on the type of armed conflict in existence.3 Insofar as the codified law
1
Michael Schmitt, ‘Classification of cyber conflict’ (2012) 17(2) J. Conflict & Sec. L. 245;
Louise Arimatsu, ‘Territory, boundaries and the law of armed conflict’ (2009) 12 Ybk. of Int’l.
Humanitarian L. 157.
2
ICRC, ‘How is the term “Armed Conflict” defined in international humanitarian law?’
(Opinion Paper, March 2008) <http://www.icrc.org/eng/resources/documents/article/other/armed-
conflict-article-170308.htm> accessed 8 December 2013.
3
On classification generally, see Sylvain Vité, ‘Typology of armed conflicts in international
humanitarian law: Legal concepts and actual situations’ (2009) 91 I.R.R.C 69; Elizabeth
Wilmshurst (ed.), International Law and the Classification of Conflicts (OUP 2012); ‘Classifi-
cation of conflicts: Syria, Yemen and Libya’ Chatham House Report (2014, forthcoming).
326
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
1 / Date: 25/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
is concerned, ‘the differences are vast’.4 This is so not only in regard to the content but
also the sheer volume of rules. The principle treaties governing international armed
conflicts include the 1949 Geneva Conventions, Additional Protocol I of 1977 and the
Regulations annexed to the Fourth Hague Convention of 1907. By contrast, the treaty
rules applicable to non-international armed conflicts are limited to Common Article 3
of the 1949 Geneva Conventions and Additional Protocol II of 1977. That said, the
legal chasm that once distinguished international armed conflict from non-international
armed conflict no longer holds true today. Since the mid-1990s States have embraced
the extension of many of the rules applicable in international armed conflict to
non-international armed conflict. In part this is evidenced by the extension of a number
of weapons treaties to non-international armed conflict; but it has been the evolution of
customary international law that has been game-changing.5 Consequently, there is now
broad agreement that as far as the rules pertaining to the conduct of hostilities are
concerned, the type of conflict being fought matters little. However, the rules diverge
significantly in regard to status. More specifically in the case of international armed
conflict, combatants are entitled to combat immunity and other supplementary rights
principally in the context of detention as set forth in treaty and customary international
law. In contrast, the concept of combat immunity is not known in non-international
armed conflict. Since it is unlikely that States will ever agree to a complete abolition of
the distinction, classifying the conflict – or identifying the type of conflict to which the
particular situation of violence amounts – will remain a critical issue for the
foreseeable future.
It is often suggested that recent wars, from those in the Balkans to the conflict with
Al-Qaeda, have disrupted the clear distinction between the two types of conflict,
making classification even more difficult.6 But even a cursory review of history seems
to cast doubt on this view. What has changed is not how wars are fought but the extent
to which wars are now seen through the prism of the law. And in seeing war through
4
Dapo Akande, ‘Classification of Armed Conflicts: Relevant Legal Concepts’ in Wilmshurst
(n 3).
5
In the case of Prosecutor v. Tadić, the ICTY held:
It cannot be denied that customary rules have developed to govern internal strife. These rules
… cover such areas as protection of civilians from hostilities, in particular from indiscrimin-
ate attacks, protection of civilian objects, in particular cultural property, protection of all
those who do not (or no longer) take active part in hostilities, as well as prohibition of means
of warfare proscribed in international armed conflicts and ban of certain methods of
conducting hostilities.
Prosecutor v. Dusko Tadić (Appeals Chamber Decision on Defence Motion for Interlocutory
Appeal on Jurisdiction) (2 October 1995) IT-94-1-AR72 para. 127 [hereinafter Tadić Appeals
Chamber Decision]. See also Jean-Marie Henckaerts & Louise Doswald-Beck, Customary
International Humanitarian Law Study (CUP 2005).
6
Some commentators have suggested that these conflicts have given rise to a new category
of ‘transnational armed conflict’. For example, see Geoffrey S. Corn, ‘Hamdan, Lebanon, and
the regulation of armed conflict: The need to recognize a hybrid category of armed conflict’
(2006) 40 Vand. J. Trans. L. 295; Geoffrey S. Corn and Eric T. Jensen, ‘Untying the Gordian
Knot: A proposal for determining applicability of the laws of war to the war on terror’ (2008) 81
Temple L. Rev. 787; Geoffrey S Corn, ‘Making the case for conflict bifurcation in Afghanistan’
(2009) 85 Int’l. L. Studies 181.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
one lens, we have unwittingly exposed the shortcomings of the codified law. Hence, the
challenge before us is to remain steadfast to the aims and objectives of this body of law
as we think about how it applies to the cyber domain.
Cyber operations may pose a novel set of questions in respect of how international
humanitarian law rules apply but the resort to cyber means or methods per se by the
parties will have no bearing on the classification of the conflict. This chapter is
therefore concerned exclusively with situations in which there is no pre-existing armed
conflict and the only operations being conducted are through cyber means. Two
overarching questions are addressed. Can cyber operations unaccompanied by the use
of conventional weapons trigger an armed conflict? If so, under what circumstances?
Our conception of what constitutes ‘armed force’ has always assumed the assertion of
physical force in one shape or another principally through the use of conventional
7
For States Party to Additional Protocol I, wars of national liberation or ‘armed conflicts in
which peoples are fighting against colonial domination, alien occupation, or racist regimes in the
exercise of their right of self-determination’ are to be considered international armed conflicts;
Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the
Protection of Victims of International Armed Conflicts (8 June 1977) 1125 UNTS 3 art 1(4). The
fact that this provision was drafted with specific situations in mind, many of which have now
been resolved, has led commentators to suggest that the provision no longer holds much
relevance.
8
Convention for the Amelioration of the Condition of the Wounded and Sick in Armed
Forces in the Field (12 August 1949) 6 UST 3114, 75 UNTS 31; Convention for the
Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at
Sea (12 August 1949) 6 UST 3217, 75 UNTS 85; Convention Relative to the Treatment of
Prisoners of War, 12 August 1949, 6 UST 3316, 75 UNTS 135; Convention Relative to the
Protection of Civilian Persons in Time of War, 12 August 1949, 6 UST 3516, 75 UNTS 287.
9
Tadić Appeals Chamber Decision (n 5) para. 70.
10
See Rule 22 Tallinn Manual and accompanying text; Michael Schmitt (ed.), Tallinn
Manual on the International Law Applicable to Cyber Warfare (CUP 2013) [hereinafter Tallinn
Manual].
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
3 / Date: 25/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
weapons that release kinetic force. Although cyber operations, because intangible, are
in this respect fundamentally distinguishable from traditional notions of ‘armed force’,
it is indisputable that such operations are quite capable of producing destructive or
deadly results, analogous to conventional weapons systems. As Droege vividly sug-
gests: ‘if a computer network attack causes airplanes or trains to collide, resulting in
death or injury, or widespread flooding with large-scale consequences, there would be
little reason to treat the situation differently from equivalent attacks conducted through
kinetic means or methods of warfare’.11 It follows that there is no reason why cyber
operations that result in, or are reasonably expected to result in, death, injury, damage
and destruction would not satisfy the criterion of ‘armed force’.12 This is certainly the
prevailing view among most commentators today.13
Commentators differ, however, in respect to whether the criterion of armed force is
conditioned on an intensity threshold. Those who maintain that the hostilities must
reach a certain level of violence before an armed conflict exists do so on the basis of
State practice. That said, treaty law imposes no threshold requirements either in respect
of duration or intensity.14 As emphasized in the the ICRC Commentaries to common
Article 2 of the Geneva Conventions, ‘[a]ny difference arising between two States and
leading to the intervention of armed forces is an armed conflict … . It makes no
difference how long the conflict lasts, or how much slaughter takes place’.15 This is
reaffirmed in the Commentary to Additional Protocol I which notes that ‘humanitarian
law also covers any dispute between two States involving the use of their armed forces.
Neither the duration of the conflict, nor its intensity, play a role: the law must be
applied to the fullest extent required by the situation of the persons and the objects
protected by it’.16
11
Cordula Droege, ‘Get off my cloud: Cyber warfare, international humanitarian law, and
the protection of civilians’ (2012) 94 I.R.R.C. 533, 546.
12
Tallinn Manual (n 10) rule 30.
13
For example, Michael Schmitt, ‘Wired warfare: computer network attack and jus in bello’
(2002) 84 I.R.R.C. 846; Knut Dörmann, ‘Applicability of the Additional Protocols to computer
network attacks’ (ICRC, 2004) <http://www.icrc.org/eng/resources/documents/misc/68lg92.htm>
accessed 8 December 2013; Nils Melzer, ‘Cyberwarfare and international law’ (UNIDIR
Resources Paper, 2011) <http://www.unidir.ch/pdf/ouvrages/pdf-1-92-9045-011-L-en.pdf>
accessed 8 December 2013. This understanding is consistent with the views expressed by the
drafters of the 1952 ICRC Commentary to art 2, who forcefully maintained that the existence of
an armed conflict was not contingent on ‘the intervention of cumbrous machinery’ given that the
law’s object and purpose was to mitigate the violent effects that are caused as a result of hostile
activities between States. Commentary on the Geneva Conventions of 12 August 1949 (ICRC
1952 – 1958) [hereinafter ICRC Geneva Convention Commentary] vol I 23.
14
In fact treaty law expressly recognizes the possibility for the existence of an international
armed conflict without recourse to any hostilities at all. Art 2 of the Geneva Conventions extends
to cases of ‘partial or total occupation … , even if said occupation meets with no armed
resistance. (Geneva Conventions (n 8) art 2(1))
15
ICRC Geneva Convention Commentary (n 13) vol I 32, vol II 28, vol III 23, vol IV 20.
16
Claude Pilloud et al. (eds.), Commentary on the Additional Protocols of 8 June 1977 to
the Geneva Conventions of 12 August 1949 (ICRC/Martinus Nijhoff 1987) para. 62. But see also
Christopher Greenwood, ‘Scope of application of humanitarian law’ in Dieter Fleck (ed.) The
Handbook of International Humanitarian Law (2nd edn., OUP 2009) 37, 48; Howard S.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
4 / Date: 25/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Nevertheless, State practice does deviate from this interpretation. Over the years,
there have been quite a number of incidents involving the resort to armed force
between States that have resulted in death, injury and considerable destruction and
damage to property, yet been described by States as ‘sporadic border clashes’ or naval
‘incidents’ rather than armed conflict. It is this tendency on the part of States to dismiss
such confrontations as falling short of armed conflict that has led some to suggest that
both the intensity and duration of the violence does matter.17 The practice of States in
the cyber domain also appears to be paralleling the general trend to downplay incidents
that have resulted in the destruction of property. For example, in neither the case of the
Stuxnet operation against Iran’s nuclear facility nor the Shamoon-Aramco incident
against Saudi Arabia’s State-owned company did either State claim the destruction of
State-owned property as tantamount to triggering an armed conflict.18 However, why
States choose to respond in a particular manner to a particular incident – in whatever
domain – is likely to be exceedingly complex;19 accordingly, it would be prudent to
assume that the threshold is low.20
Implicit in the notion of armed force has always been the assumption that the most
effective way to overcome the enemy is to weaken them through the infliction of
material harm. The transformation of contemporary social life by the advent of this new
technology has given rise to the realization that ‘harm’ in this domain can take radically
different forms. This has consequently opened a debate as to what this might mean in
the context of ‘armed force’.21 In most societies, the provision of essential services
such as water, energy, communication, travel, finance and other government services
including, for example, healthcare and the emergency services are now reliant on a
‘vast array of interdependent information technology (IT) networks, systems, services,
Levie, ‘The status of belligerent personnel “Splashed” and rescued by a neutral in the Persian
Gulf area’ (1991) 31 Virginia J. of Int’l L. 611, 613–14.
17
ILA, ‘The Hague Conference: Final Report on the Meaning of Armed Conflict in
International Law’ (2010) <http://www.ila-hq.org/download.cfm/docid/2176DC63-D268-4133-
8989A664754F9F87> accessed 5 September 2014.
18
The Stuxnet worm reportedly caused damage to uranium enrichment equipment at the
Natanz nuclear facility in Iran with the physical destruction of about one thousand IR-1
centrifuges. For further details, see David Albright, Paul Brannan & Christina Walrond, ‘Did
Stuxnet take out 1,000 centrifuges at the Natanz enrichment plant? Preliminary assessment’
(ISIS Report, 22 December 2010) <http://isis-online.org/isisreports/detail/did-stuxnet-take-out-
1000-centrifuges-at-the-natanz-enrichment-plant/> accessed 8 December 2013; Andrew Foltz,
‘Stuxnet, Schmitt Analysis, and the Cyber “Use-of-Force” Debate’ (2012) 67 J.F.Q. 40; Russell
Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited interventions?’ (2012) 17 J.
Conflict & Sec. L. 211; Ivanka Barzashka, ‘Are cyber-weapons effective? Assessing Stuxnet’s
impact on the Iranian enrichment programme’ (2013) 158 RUSI Journal 48–56. For further
details on the Shamoon-Aramco incident, see Clement Guitton and Elaine Korzak, ‘The
sophistication criterion for attribution’ (2013) 158 R.U.S.I. Journal 62–8. The virus allegedly
rendered useless 30,000 computers which had to be replaced.
19
For a useful analysis on the Stuxnet case, see Gary Brown, ‘Why Iran didn’t admit
Stuxnet was an attack’ (2011) 63(4) Joint Force Quarterly 71 <http://www.ndu.edu/press/why-
iran-didntadmit-stuxnet.html> accessed 8 December 2013.
20
Tallinn Manual (n 10) rule 22, para. 12.
21
Traditional conceptions of ‘armed force’ assume that hostilities, that is the ‘collective
application of means and methods of warfare’, have to take place. See ibid. 82.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
5 / Date: 25/3
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
and resources’.22 These dependencies also create new vulnerabilities. Given this reality,
the question that arises is whether a cyber-operation that disrupts or affects the normal
functioning of a system – and in particular one that was regarded as part of the critical
national infrastructure – would be regarded as ‘armed force’ were it to lead to extensive
and severe effects on the civilian population but not necessarily to death and
destruction. In other words, would the manipulation or disruption of a system which
deprives a State of its ability to perform the basic functions expected of a State, be
regarded as equivalent to the physical destruction of the system?23 Since no such
situation has yet materialized, any answers would be speculative. However, in spite of
the rising incidents of hostile cyber activities,24 many of which are specifically directed
22
Written testimony of NPPD Executive Order 13636 and Presidential Policy Direct 21
Integrated Task Force Director Robert Kolasky for a House Committee on Homeland Security,
‘Oversight of Executive Order 13636 and Development of the Cybersecurity Framework’ (18
July 2013) <http://www.dhs.gov/news/2013/07/18/written-testimony-nppd-house-homeland-
security-subcommittee-cybersecurity> accessed 8 December 2013.
23
In 2013, the Dutch Government endorsed a report it had commissioned on cyber warfare
which had concluded:
if an organised cyber attack (or series of attacks) leads to the destruction of or substantial or
long-lasting damage to computer systems managing critical military or civil infrastructure, it
could conceivably be considered an armed conflict and international humanitarian law would
apply. The same is true of a cyber attack that seriously damages the state’s ability to perform
essential tasks, causing serious and lasting harm to the economic or financial stability of that
state and its people. An example would be a coordinated and organised attack on the entire
computer network of the financial system (or a major part of it) leading to prolonged and
large-scale disruption and instability that cannot easily be averted or alleviated by normal
computer security systems.
Advisory Council on International Affairs and the Advisory Committee on Issues of Public
International Law, ‘Cyber Warfare 20’ (No. 77, AIV/No. 22, CAVV) (December 2011)
<http://www.aiv-advies.nl/ContentSuite/upload/aiv/doc/webversie__AIV77CAVV_22_ENG.pdf>
(accessed 10 September 2014); and Government of Netherlands, ‘Government Response to the
AIP/CAVV Report on Cyber Warfare’ <http://www.rijksoverheid.nl/bestanden/documenten-en-
publicaties/rapporten/2012/04/26/cavv-advies-nr-22-bijlage-regeringsreactie-en/cavv-advies-22-
bijlage-regeringsreactie-en.pdf> accessed 10 September 2014.
The ICRC has taken the view that cyber operations that disable an object can constitute an
attack, other commentators have insisted on a higher threshold that is contingent on the need for
physical repair to the system. See also Roscini (Ch 11 of this book).
24
The two primary victims of DDoS attacks have been and continue to be the US and China
(see Arbor Networks, ‘Top daily DDoS attacks worldwide’ (Digital Attack Map, 2013)
<http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16003&view=map>
accessed 10 September 2014. Yet neither have at any time inferred that the cyber operations
directed at them have constituted ‘armed force’ within the meaning of an armed conflict
Likewise, South Korea has not equated the cyber operations conducted against it to amount to
‘armed force’; see for example Symantec, ‘Four Years of DarkSeoul Cyberattacks Against South
Korea Continue on Anniversary of Korean War’ (Symantec, 26 June 2013) <http://www.
symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-
anniversary-korean-war> accessed 10 September 2014; Alex Hern, ‘North Korean ‘cyber-
warfare’ said to have cost South Korea £500m’, The Guardian (16 October 2013) <http://
www.theguardian.com/world/2013/oct/16/north-korean-cyber-warfare-south-korea> accessed 10
September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
6 / Date: 25/3
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The logic of classification is premised on the fact that the identity of the adversary is
known. The ability of actors to take advantage of the anonymity that cyber furnishes
25
For example, according to the Department for Homeland Security’s Industrial Control
Systems Cyber Emergency Response Team (ICS-CERT), attacks against critical national
infrastructure are growing. More than 200 brute-force cyber-attack incidents reported between
October and May 2013, surpassing the 198 total attacks in all of fiscal year 2012. More than half
were against the energy sector. ICS-CERT, ‘ICS-CERT Monitor April/May/June 2013’ (27 June
2013, ICS-MM201306) <https://ics-cert.us-cert.gov/monitors/ICS-MM201306> accessed 10
September 2014.
26
Siobhan Gorman & Danny Yadron, ‘Iran hacks energy firms, U.S. says’, The Wall Street
Journal (23 March 2013) <http://online.wsj.com/news/articles/SB100014241278873233361045
78501601108021968> accessed 10 September 2014.
27
David Shamah, ‘Iran-sponsored cyber-attacks unending, PM says’, The Times of Israel
(9 June 2013) <http://www.timesofisrael.com/iran-sponsored-hack-attacks-unending-pm-says/>
accessed 10 September 2014.
28
For a useful insight into causes and effects see Glenn Shafer, ‘Causality and responsibil-
ity’ (2000) 22 Cardozo L. Rev. 1811.
29
US Department of Defense, ‘Strategy for Operating in Cyberspace’ (July 2011) 3.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
7 / Date: 25/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
when conducting offensive cyber operations often impedes attribution which con-
sequently presents an acute problem for classification. Future technological advances
may minimize this obstacle but, as with any forensic investigation, information
gathering is likely to remain time-consuming and require considerable resources.30
Moreover, recent history suggests that disputes over attribution are likely to persist
since even when persuasive evidence has been tendered indicating State involvement in
a particular cyber operation or series of operations, public denial remains the dominant
response.31 That said, States have recognized the catastrophic consequences that could
result as a consequence of misidentifying the source of a serious cyber-attack and some
steps have been taken principally in the form of bi-lateral agreements to reduce this
risk.32 It should however be noted that, irrespective of whether the State is involved in
the cyber operation, it is under a legal obligation not to knowingly allow its territory to
be used for acts contrary to the rights of other States and must take appropriate steps to
protect those rights.33 Such obligations aside, the mere failure on the part of a State
to prevent cyber-attacks from its territory – to the extent that the said attacks are not
attributable to it – does not mean that an international armed conflict is triggered
between it and the victim State.34
30
See for example, Mandiant, ‘APT1: Exposing one of China’s Cyber Espionage Units’ (18
February 2013) <http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf> accessed 10 Sep-
tember 2014, which was the outcome of a two-year investigation. But see also statement by US
Secretary of Defense, Leon Panetta that
the department has made significant advances in solving a problem that makes deterring
cyber adversaries more complex: the difficulty of identifying the origins of that attack. Over
the last two years, DoD has made significant investments in forensics to address this problem
of attribution and we’re seeing the returns on that investment. Potential aggressors should be
aware that the United States has the capacity to locate them and to hold them accountable for
their actions that may try to harm America.
(Leon E. Panetta, Remarks by Secretary Panetta on Cybersecurity to the Business Executives for
National Security, New York City’ (11 October 2012) <http://www.defense.gov/transcripts/
transcript.aspx?transcriptid=5136> accessed 10 September 2014).
31
Following the release of the report by Mandiant ibid. which contained considerable
evidence to indicate State involvement in a range of cyber operations, albeit in the context of
cyber espionage, the Chinese Defense Ministry countered with the statement that ‘it is
unprofessional and groundless to accuse the Chinese military of launching cyber attacks without
any conclusive evidence’ (Craig Timberg and Ellen Nakashima, ‘Chinese hackers suspected in
attack on The Post’s computers’, The Washington Post (1 February 2013)) <http://articles.
washingtonpost.com/2013-02-01/business/36685685_1_chinese-hackers-cyberattacks-mandiant>
accessed 10 September 2014.
32
Ellen Nakashima, ‘U.S. and Russia sign pact to create communication link on cyber
security’, The Washington Post (17 June 2013) <http://www.washingtonpost.com/world/national-
security/us-and-russia-sign-pact-to-create-communication-link-on-cyber-security/2013/06/17/ca5
7ea04-d788-11e2-9df4-895344c13c30_story.html> accessed 10 September 2014.
33
Corfu Channel Case (UK v. Albania) (Merits) [1949] ICJ Rep 4, 22; Case Concerning
United States Diplomatic and Consular Staff in Tehran (USA v. Iran) [1980] ICJ Rep 3, paras
67–68; Tallinn Manual (n 10) rule 5 and commentary.
34
The question that remains unanswered is whether there is an international obligation on
States to prevent future harmful cyber operations from being mounted once they are put on
notice that further operations will be conducted from their territory.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
8 / Date: 25/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
35
Had, for example, the conflict with Libya in March 2011 to enforce UN Security
Council Resolution 1973 opened with a cyber-attack by the US on Qaddafi’s air-defence
system, it may have initiated the international armed conflict between the US and Libya, Eric
Schmitt & Thom Shanker, ‘U.S. debated cyberwarfare in attack plan on Libya’, The New York
Times (17 October 2011) <http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-
against-libya-was-debated-by-us.html?_r=0> accessed 10 September 2014.
36
State organs include ‘any person or entity which has that status in accordance with the
internal law of the State.’ See Draft Articles on Responsibility of States for Internationally
Wrongful Acts, with commentaries [2001] A/56/10 art 4. [hereinafter, Articles on State
Responsibility].
37
Ibid. art 5 reads, ‘empowered by the law of that State to exercise element of the
governmental authority shall be considered an act of the State … provided the person or entity
is acting that capacity in the particular instance’.
38
Ibid. art 8. See also Prosecutor v. Tadić [1999] ICTY Appeals Chamber Judgment,
IT–94–1–A, para. 137 [hereinafter Tadić Appeals Chamber Judgment].
39
Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. US) (Merits,
Judgment) [1986] ICJ Rep. 1986.
40
It should be noted that the ‘effective control’ test evolved in the context finding State
responsibility for the acts of non-State actors. See Case Concerning Application of the
Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and
Herzegovina v. Serbia and Montenegro) [2007] ICJ Rep. 43.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
9 / Date: 25/3
JOBNAME: Tsagourias PAGE: 10 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
as would appear to have happened in the case of the 2007 hacktivists cyber campaign
against Estonia, the persons or entity will be deemed de facto organs of the State such
that any cyber operation will fulfil the ‘international’ criterion.41 It should be noted that
in that particular instance, the criterion of ‘armed force’ was not met.
The ICTY has identified one other way in which the acts of private individuals and
entities may be attributed to the State for the purpose of finding an international armed
conflict. According to the tribunal, ‘private individuals acting within the framework of,
or in connection with, armed forces, or in collusion with State authorities may be
regarded as de facto State organs’.42 Although the case law is sparse, this particular
form of attribution has the potential to play a prominent part in the cyber domain given
the close working relationship between public and private sectors.
It is now well-settled in international law that the actions of a non-State organized
armed group43 – as opposed to an individual or group that is not organized, as
discussed above – will be attributed to a State if that State is shown to have overall
control over the group.44 Although the issuing of specific orders or instructions may not
be required, the standard for attribution is high in that the State must have ‘a role in
organising, coordinating or planning the military actions of the military group, in
addition to financing, training and equipping or providing operational support to that
group’.45 The provision of cyber tools – whether in the form of software or hardware –
by a State to a non-State organized armed group together with the supply of specific
intelligence on cyber vulnerabilities of the ‘victim’ State to facilitate a particular attack
would likely suffice.46
41
Tadić Appeals Chamber Judgment (n 38) 133, 137. This principle can be traced to the
judgment of the International Court of Justice in the Tehran Hostages Case (n 33), although the
principle was formulated in the context of State responsibility.
42
Ibid. para. 144.
43
Organised armed group refers to subordinate armed forces or militias or paramilitary
units; see ibid. para. 137.
44
Ibid. paras 131–140, 145. According to the tribunal:
control by a State over subordinate armed forces or militias or paramilitary units may be of
an overall character (and must comprise more than the mere provision of financial assistance
or military equipment or training). This requirement, however, does not go so far as to
include the issuing of specific orders by the State, or its direction of each individual
operation. Under international law it is by no means necessary that the controlling authorities
should plan all the operations of the units dependent on them, choose their targets, or give
specific instructions concerning the conduct of military operations and any alleged violations
of international humanitarian law. The control required by international law may be deemed
to exist when a State (or, in the context of an armed conflict, the Party to the conflict) has a
role in organising, coordinating or planning the military actions of the military group, in
addition to financing, training and equipping or providing operational support to that group.
The International Court of Justice has noted that that the ‘overall control’ is ‘applicable and
suitable’ for the purpose of determining whether or not an armed conflict is international. Case
Concerning Application of the Convention on the Prevention and Punishment of the Crime of
Genocide (n 40) para. 404.
45
Tadić Appeals Chamber Judgment (n 38) para. 137, 145.
46
Tallinn Manual (n 10) Commentary to rule 22, para. 6.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
47
Although not in the text, it has always been assumed that the provision applies to
hostilities between government forces and armed groups as well as between such groups. See
Pilloud et al. (n 16) para. 4461.
48
Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the
Protection of Victims of Non-international Armed Conflicts (8 June 8 1977) 1125 UNTS 609.
Further insight is provided in the Pilloud and others ibid. which adds, ‘riots, such as
demonstrations without a concerted plan from the outset; isolated and sporadic acts of violence,
as opposed to military operations carried out by armed forces or armed groups; other acts of a
similar nature, including, in particular, large scale arrests of people for their activities or
opinions’ (para. 4474).
49
Prior to the adoption of the Protocol Additional to the Geneva Conventions of 12 August
1949, and Relating to the Protection of Victims of Non-international Armed Conflicts (n 48)
there was already widespread agreement that the existence of a non-international armed conflict
requires ‘open hostilities between armed forces which are organized to a greater or lesser
degree’ (Pilloud and others ibid. para. 4341).
50
Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the
Protection of Victims of Non-international Armed Conflicts (n 48) art 1(1).
51
This formula has also been applied by the International Tribunal for Rwanda, the Special
Court for Sierra Leone and the International Criminal Court among others.
52
Tadić Appeals Chamber Decision (n 5) para. 70. There are two types of non-international
armed conflict. All non-international armed conflicts are covered by common art 3 to the Geneva
Conventions; in addition, the provisions of Additional Protocol II, which sets forth far more
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
11 / Date: 25/3
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The element of organization represents the principle that an armed conflict can exist
only between parties that are sufficiently organized to confront each other with military
means.55 State authorities are presumed to have at their disposal armed forces that
satisfy this criterion but the same assumption cannot be made of an armed group
which, by contrast, must demonstrate that it does indeed fulfil this requirement. The
armed group does not have to have an organization structure of a conventional military
unit. As the ICTY has noted ‘some degree of organisation by the parties will suffice’.56
Whether a group is deemed to be ‘organized’ is a factual question and, as repeatedly
detailed rules, apply to non-international armed conflicts fulfilling the additional criteria set forth
in art 1(1) but only in respect of States Parties to that Protocol.
53
Tadić Appeals Chamber Judgment (n 38) para. 562.
54
For example see, Noam Lubell & Nathan Derejko, ‘A global battlefield?’ (2013) 11 J. of
Int’l. Crim. Just. 65–88 and Philip Alston, ‘The CIA and targeted killings beyond borders’
(2011) 2 Harvard Nat. Sec. J. 283. For a different viewpoint, see Robert Chesney, ‘Who may be
killed? Anwar al-Awlaki as a case study in the international legal regulation of lethal force’
(2010) 13 Ybk. of Int’l. Humanitarian L. 360; Ashley Deeks, ‘The geography of cyber conflict:
Through a glass darkly’ (2013) 89 Int’l. L .Studies 1.
55
Prosecutor v. Ramush Haradinaj, Idriz Balaj, Lahi Brahimaj (Judgment) [2008] Case No.
IT-04-84-T para. 60.
56
Prosecutor v. Fatmir Limaj, Haradin Bala, Isak Musliu (Judgment) [2005] Case No.
IT-03-66-T para. 89.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
12 / Date: 25/3
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
57
Other criteria identified by the ICTY include, the nomination of a spokesperson; the
issuing of orders, political statements and communiqués; the establishment of headquarters; the
establishment of a military police and disciplinary rules; the ability to recruit new members;
the creation of weapons distribution channels; the use of uniforms and various other equipment;
and the participation by members of the group in political negotiations.
58
Prosecutor v. Ramush Haradinaj, Idriz Balaj, Lahi Brahimaj (n 55) para. 60.
59
As the commentary to rule 23 of the Tallinn Manual (n 10) notes, ‘the mere fact that
individuals are acting toward a collective goal does not satisfy the organization criterion. For
example, if a website offers malware and a list of potential cyber targets, those who
independently use the site to conduct attacks would not constitute an organized armed group.’
60
The organizational element is satisfied when the group in question operates ‘under a
responsible command structure and has the capability to sustain military operations’ (Tallinn
Manual (n 10) rule 23, para. 11).
61
Schmitt (n 1) 256.
62
It is common practice for the leadership of such groups to publicly declare their intentions
and reasons for a particular cyber operation; issue information on planned actions and execution
dates through video, social media announcements, and pastebin entries; release lists of targets;
provide tools to execute the operation.
63
Pilloud and others (n 16) para. 4453.
64
It should be recalled that the ‘International Group of Experts [involved in the preparation
of the Tallinn Manual] was divided as to whether such difficulty would bar qualification as an
organized armed group’ (Tallinn Manual (n 10) commentary to rule 23).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
13 / Date: 25/3
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
‘physical control over its members’.65 This raises a number of questions. To what
extent is the capacity to enforce the rules a necessary criterion of organization? Is
physical control a pre-condition to discipline and rule enforcement? Does the law, as
drafted, presuppose physical control precluding its applicability to virtual groups or
should a distinction be drawn between Additional Protocol II and common Article 3
conflicts?
An express reference to the capacity of an organised group to enforce international
humanitarian law only appears in Additional Protocol II which applies
to all armed conflicts which are not covered by Article 1 of [Additional Protocol I] and which
take place in the territory of a High Contracting Party between its armed forces and dissident
armed forces or other organized armed groups which, under responsible command, exercise
such control over a part of its territory as to enable them to carry out sustained and concerted
military operations and to implement this Protocol.66
The requirement in the text that the organized armed group implement this Protocol is
generally accepted as an ability to comply with international humanitarian law. What
matters is that the organized armed group is capable of enforcing the rules rather than
whether it does so or not.67 Insofar as Additional Protocol II conflicts are concerned, it
is clear from the text that the capacity to enforce is a necessary criterion of organization
as is the existence of a responsible command and the ability to carry out sustained and
concerted military operations.68 What is also apparent from the jurisprudence of the
international tribunals is that evidence in support of such a capacity is more often than
not equated to an ability to exert physical control over persons.69 Nevertheless, whether
the capacity to enforce is always contingent on physical control is a matter of debate
since why individuals comply with a rule is a complex matter and may not necessarily
be dependent on the threat of a sanction in the form of physical force but, for example,
on the threat of exclusion from the group as well as ‘exposure’ of their identity to the
authorities by group members.70
Even if absence of physical contact is not a bar to qualification, a closer inspection of
the law presents a further hurdle. Although the virtual organized armed group might be
capable of enforcing discipline amongst its members and insist on adherence to the
rules pertaining to the conduct of hostilities as a condition of membership, it is an
inescapable fact that the group would lack the capacity to implement those rules
concerned with protecting the victims of conflict which arguably represent the very
raison d’être of both common Article 3 and Protocol II. The very characteristic of the
65
Schmitt (n 1) 257.
66
Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the
Protection of Victims of Non-international Armed Conflicts (n 48) art 1.
67
Prosecutor v. Ljube Boškoski Johan Tarčulovski (Judgment) [2008] Case No. IT-04-82-T
para 205.
68
Pilloud and others (n 16) para. 4453.
69
Prosecutor v. Fatmir Limaj, Haradin Bala, Isak Musliu (n 56) paras 114–117.
70
Douglas Heckathorn, ‘Collective sanctions and compliance norms: A formal theory of
group-mediated social control’ (1990) 55 Am. Soc. Rev. 366; Karen Cook & Russell Hardin,
‘Norms of cooperativeness and networks of trust in social norms’ in Michael Hechter &
Karl-Dieter Opp (eds.), Social Norms (Russell Sage Foundation 2001) 327.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
group precludes it from, for example, caring for the wounded and the sick, making
particular provisions for children, or ensuring that detainees were treated humanely
simply because the members would never have any physical contact with one another
let alone with any victims of the hostilities.71 Thus the virtual group presents a
particular problem in that, as traditionally understood, the law does presuppose some
degree of physical contact. Does this mean that international humanitarian law can
never apply to the conduct of a virtual group?
In contrast to Additional Protocol II, common Article 3 contains no analogous
express condition as constituting a requirement of qualification. As the Commentary to
Article 3 notes, the capacity of an organized armed group to respect and ensure respect
for international humanitarian law was one among a number of criteria considered and
rejected by the Diplomatic Conference that drafted the 1949 Geneva Conventions.
Moreover, the Commentary further emphasizes that none of the conditions that were
considered are ‘obligatory and are only mentioned as an indication’.72 Admittedly, in
assessing the organization of an armed group, the ICTY has, when appropriate, taken
into consideration the ‘level of discipline and the ability to implement the basic
obligations of Common Article 3 … such as the establishment of disciplinary rules and
mechanisms; proper training; and the existence of internal regulations and whether
these are effectively disseminated to members’.73 However, the tribunals have also
conceded that ‘none of [the criteria, including the ability to implement the law] are, in
themselves, essential to establish whether the ‘organization’ criterion is fulfilled’.74
This would suggest that no such mandatory condition applies to common Article 3
conflicts. While this view may provoke disagreement, perhaps the most compelling
reason for not rejecting the possibility of common Article 3 applying to a virtual group
is that the consequences of excluding such groups would potentially be counter-
productive. As the drafters of the Commentary to common Article 3 strenuously
maintained, ‘the Article should be applied as widely as possible’ for the very simple
reason that the overriding objective of the provision is to protect the victims of conflict.
Unlike international armed conflict, the hostilities between the parties must reach a
certain level of intensity before a non-international armed conflict is deemed to exist.
The ICTY has identified various indicative criteria to facilitate the determination as to
whether a given situation has met the required intensity threshold. Examples include
the gravity of attacks and their recurrence;75 the temporal and territorial expansion of
violence and the collective character of hostilities;76 the control of territory by
71
Pilloud et al. (n 16) para. 4426.
72
ICRC Geneva Convention Commentary (n 13) vol I 49.
73
Prosecutor v. Ljube Boškoski Johan Tarčulovski (n 67) para. 202.
74
Ibid. para. 198; Prosecutor v. Ramush Haradinaj, Idriz Balaj, Lahi Brahimaj (n 55)
para. 60.
75
Prosecutor v. Slobodan Milošević (Trial Chamber Decision on Motion for Judgment of
Acquittal) [2004] Case No. IT-02-54-T (Rule 98bis Decision) para. 28.
76
Prosecutor v. Fatmir Limaj, Haradin Bala, Isak Musliu (n 56) para. 94–134
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
15 / Date: 25/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
3. CONCLUDING COMMENTS
The discourse on cyber is often dominated by the belligerent language of ‘cyber
warfare’ and ‘cyber conflict’. For the international humanitarian lawyer, this represents
a troubling trend in that it conveys a misguided and dangerous understanding of what is
taking place daily in the cyber domain. In the world of the legal expert, such terms
have very grave legal consequences for they assume that the applicable legal regime is
one of war rather than peace. It may be that at some point in the future, there will
indeed be a need to apply the law of war paradigm to a cyber-operation. But as this
chapter has sought to convey, an armed conflict – whether international or non-
international – is unlikely to come into existence solely as a consequence of a
77
Prosecutor v. Slobodan Milošević (n 75) para. 29.
78
Daniel Estrin, ‘AP Exclusive: Israeli tunnel hit by cyber attack’, Associated Press
(27 October 2013) <http://bigstory.ap.org/article/ap-exclusive-israeli-tunnel-hit-cyber-attack>
accessed 10 September 2014.
79
Robin Geiss, ‘Cyber warfare and non-international armed conflicts’ (2013) 89 Int’l. L.
Studies 627, 633.
80
Most commentators have taken the view that a non-international armed conflict is unlikely
to be triggered by a cyber-attack. See for example, Schmitt (n 1) at 258; ibid. 634; Droege (n 11)
551.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
16 / Date: 25/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
81
Kenneth Geers et al., ‘World War C: Understanding nation-state motives behind today’s
advanced cyber attacks’ (FireEye 2013) <www.fireeye.com/resources/pdfs/fireeye-wwc-report.
pdf> accessed 10 September 2014.
82
Government of Netherlands (n 23).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter15 /Pg. Position:
17 / Date: 25/3
JOBNAME: Tsagourias PAGE: 1 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
In 2011, in its International Strategy for Cyberspace, the White House stated that
cyberspace can be regulated by the existing positive law and that there is therefore no
need to reinvent new norms to guide States’ behavior.1 The idea that there is no
‘planned obsolescence’ of the existing legal rules in cyberspace is almost unanimously
accepted. From the ICRC2 to the Tallinn Manual3 and the academic community,4 most
agree5 that cyberwar, like any other methods or means of warfare, is subject to the law
of armed conflict. Never perhaps in the history of the war has a new weapon been so
easily accepted as being already ‘covered’ by existing law.
Twenty years ago, in the Legality of the Threat or Use of Nuclear Weapons case6
some States defended an extreme voluntarist position in relation to the application of
1
According to the White House, ‘the development of norms for state conduct in
cyberspace does not require a reinvention of customary international law, nor does it render
existing international norms obsolete. Long-standing international norms guiding state behavior
–in time of peace and conflict – also apply in cyberspace’: The White House, ‘International
Strategy for Cyberspace: Prosperity, Security and Openness in a Networked World’ (Washington
2011) 9.
2
Cordula Droege, ‘Pas de vide juridique dans le cyberespace’, I.C.R.C. (16 August 2011)
<http://www.cicr.org/fre/resources/documents/interview/2011/cyber-warfare-interview-2011-08-
16.htm> accessed 3 October 2014.
3
‘The International Group of Experts was unanimous in its estimation that both the jus ad
bellum and jus in bello apply to cyber operations’: Michael Schmitt (ed.), Tallinn Manual on the
International Law Applicable to Cyberwarfare (CUP 2013) 5.
4
See the conclusions of the International Expert Conference on Computer Network
Attacks and the Applicability of International Humanitarian Law, Stockholm, 17–19 November
2004. As highlights Knut Dörmann, ‘The fact that CNA [Computer Network Attack] developed
only after the adoption of the Protocols does not preclude their applicability. The very existence
of Art. 36 of Additional Protocol I (AP I) is a strong indicator that the drafters of AP I
anticipated the application of its rules to new developments of methods and means of warfare’:
Knut Dörmann, ‘Applicability of the Additional Protocols to Computer Network Attacks’, CICR
Resources (19 November 2004) <https://www.icrc.org/eng/resources/documents/misc/68lg92.
htm> accessed 3 October 2014.
5
For opposing views, see examples cited in Jeffrey Kelsey, ‘Hacking into international
humanitarian law: The principle of distinction and neutrality in the age of cyber warfare’ (2008)
106(7) Mich. L. Rev. 1430, 1472 ff. 15-16.
6
Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep.
1996 226.
343
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
1 / Date: 7/5
JOBNAME: Tsagourias PAGE: 2 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
existing law to nuclear weapons.7 But, the International Court of Justice (ICJ) rejected
this vision of international law based on a very strict and probably incorrect reading of
the old Lotus judgment. Recalling the fundamental principles of international human-
itarian law,8 including the Martens Clause, according to which: ‘In cases not covered
by this Protocol or by other international agreements, civilians and combatants remain
under the protection and authority of the principles of international law derived from
established custom, from the principles of humanity and from the dictates of public
conscience’,9 the Court stated that:
(…) nuclear weapons were invented after most of the principles and rules of humanitarian
law applicable in armed conflict had already come into existence; (…). However it cannot be
concluded from this that the established principles and rules of humanitarian law applicable
in armed conflict did not apply to nuclear weapons. Such a conclusion would be incompatible
with the intrinsically humanitarian character of the legal principles in question which
permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds
of weapons, those of the past, those of the present and those of the future.10
In the same way as nuclear war, cyber-warfare is also subject to the law of armed
conflict and to its ‘cardinal principles’,11 the prohibition of unnecessary suffering and
the principle of distinction.
Initiated by the Lieber Code in 1863,12 and constantly reaffirmed since, the principle
of distinction has received a general formulation in Article 48 of the First Protocol of
1977 additional to the Geneva Conventions.13 According to this Article: ‘In order to
ensure respect for and protection of the civilian population and civilian objects, the
Parties to the conflict shall at all times distinguish between the civilian population and
7
France, for example, stated that:
le principe selon lequel les limitations de souveraineté ne se présument pas a pour
conséquence nécessaire qu’en l’absence de règles prohibant expressément le recours à la
menace ou à l’emploi d’armes nucléaires en toute circonstance, ce recours doit être considéré
comme licite, hors les circonstances particulières où il serait interdit
ICJ Verbatim Record (1 November 1995) CR 95/23 63 [emphasis added]. Russia added that, ‘by
virtue of the principle of sovereignty it is presumed that a State is free to act in absence of a
specific restriction provided for in international law’: ICJ Verbatim Record (10 November 1995)
CR 95/29 41.
8
Especially article 22 of the Convention (IV) respecting the Laws and Customs of War on
Land and its annex: Regulations concerning the Laws and Customs of War on Land. The Hague,
18 October 1907 according to which, ‘The right of belligerents to adopt means of injuring the
enemy is not unlimited’ cited in Legality of the Threat or Use of Nuclear Weapons (n 6) para. 77.
9
Legality of the Threat or Use of Nuclear Weapons (n 6) para. 78. The spelling of the
Martens Clause is extract from art 1§2 of Protocol Additional to the Geneva Conventions of 12
August 1949, and relating to the Protection of Victims of International Armed Conflicts (8 June
1977).
10
Legality of The Threat or Use of Nuclear Weapons (n 6) para. 86 .
11
Ibid. para. 78.
12
Francis Lieber, Instructions for the Government of Armies of the United States in the
Field (Government Printing Office 1898).
13
Protocol Additional to the Geneva Conventions of 12 August 1949 and relating to the
Protection of Victims of International Armed Conflicts (8 June 1077) (Protocol I).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
2 / Date: 7/5
JOBNAME: Tsagourias PAGE: 3 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
combatants and between civilian objects and military objectives and accordingly shall
direct their operations only against military objectives’.
The principle of distinction and its implications, which are intended to protect
civilians and civilian properties from ‘the calamities of war’,14 are part of customary
law both for international and non-international armed conflicts.15 Among these, the
most emblematic are expressed under Article 51 of Protocol I. Accordingly, one should
consider, first that: ‘The civilian population and individual civilians shall enjoy general
protection against dangers arising from military operations’;16 second that: ‘The
civilian population as such, as well as individual civilians, shall not be the object of
attack’;17 and third that: ‘Indiscriminate attacks are prohibited’.18
Logically then, one could state that the civilian population and individual civilians
should enjoy general protection against dangers arising from cyber military operations
and that cyber-attacks directed against civilians and civilian objects are prohibited, as
are indiscriminate cyber-attacks.
This prevailing view according to which the cardinal principles of the law of armed
conflict are applicable to cyber warfare is fairly reassuring taking into consideration the
potential significant effects of cyber-weapons. In a 2009 statement, President Obama
showed his concern about what he qualified as a ‘weapon of mass disruption’.19 One
year later, The Economist described in catastrophic terms a new form of warfare
dominated by ‘cyber-weapons’: oil refineries and pipelines that explode, an air
traffic-control system which is out of control, derailed trains and subway trains,
vanished financial data, shut-down power plants – in short the whole of society sinking
while the identity of the hackers and the authors of this mayhem remain anonymous.20
The transposition of the principle of distinction into cyberspace may nonetheless
raise important questions about its ability to curb the effects of this new form of war. It
is true that some of these questions are not entirely new since the implementation of the
principle of distinction has always required more or less subjective and controversial
interpretations.21
14
Declaration Renouncing the Use, in Time of War, of Certain Explosive Projectiles (29
November/11 December 1868).
15
In the Tadić Case, the Appeal Chamber recognized the application of the principle of
distinction both in internal and international armed conflict. Prosecutor v. Dusko Tadić (Decision
on the Defence Motion for Interlocutory Appeal on Jurisdiction) [1995] No ICTY-94-1-A para.
100–27. On classification of armed conflict in cyberspace see Arimatsu (Ch 15 of this book).
16
Protocol I (n 13) art 51 §1.
17
Ibid. art 51§2.
18
Ibid. art 51§4.
19
The White House, ‘Remarks by the President on Securing our Nation’s Cyber infrastruc-
ture’ (Office of the Press Secretary, 29 May 2009) <http://www.whitehouse.gov/the-press-office/
remarks-president-securing-our-nations-cyber-infrastructure> accessed 3 October 2014, cited in
Newton Lee, Counterterrorism and Cybersecurity (Springer 2013) 100.
20
The Economist, ‘War in the Fifth Domain’ (1 July 2010) <http://www.economist.com/
node/16478792> accessed 3 October 2014.
21
As rightly observed Heather H. Dinnis, ‘The principle of distinction has been under
threat before’: Heather Harrison Dinnis, Cyber Warfare and the Laws of War (CUP 2014) 182.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
3 / Date: 8/5
JOBNAME: Tsagourias PAGE: 4 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
But for several reasons cyberwar stretches this debate to its limits.22 This is also due
to the fact that while cyberwar is sometimes presented as capable of leading to a
devastating ‘total war’, it is also sometimes presented under a more reassuring aspect of
a less devastating war through the use of non-lethal and ‘ultimate in precision
weapons’23 that weaken the enemy without necessarily destroying or killing it.24
At the heart of this debate, the prohibition of direct attacks against civilians and
civilian property points out whether this prohibition, developed with reference to
kinetic weapons, can fully apprehend the complexity of non-kinetic attacks whose
effects are in part or completely dematerialized (Part 2). The complexity of cyberwar
may sometimes raise the spectrum of a ‘disintegration’ of the principle of distinction.
This invites us to re-read the principle carefully in order to assess whether it is strictly
focalized on the prohibition of ‘attacks’ against civilians or whether it should also be
interpreted as prohibiting any military cyber-operations against them (Part 3). Cyberwar
also challenges the protective status attributed to civilians by the principle of distinc-
tion. Indeed, the interconnectivity characterizing cyberspace has blurred the distinction
between civilians and the military and makes the enforcement of the principle all the
more challenging (Part 4).
22
According to Dinnis, ‘The additional targeting opportunities offered by computer
network attack capabilities come at a time when there is already an increased tension in the laws
of armed conflict over the continued pre-eminence of the principle of distinction in modern
warfare’: ibid. 181.
23
Kelsey (n 5) 1434.
24
As Michael J. Glennon warned, ‘cyber-operations can in this view be regarded as merely
the latest efforts-the latest successes (…) to afford greater protection to non-combatant (and
combatants), to enhance proportionality- in effect to pursue many of the ends of humanitarian
law’: Michael J. Glennon, ‘The dark future of international cybersecurity regulation’ (2013) 6 J.
Nat’l. Sec. L. & Pol’y 569. See also, Duncan Blake & Joseph S. Imburgia, ‘Bloodless weapons?
The need to conduct legal reviews of certain capabilities and implications of defining them as
‘weapons’’ (2010) 66 Air Force L. Rev. 157.
25
Jonathan A. Ophardt, ‘Cyber warfare and the crime of aggression: the need for individual
accountability on tomorrow’s battlefield’ (2010) 3 Duke L. & Tech. Rev. See also ‘Multinational
Experiment 7 Outcome 3-Cyber Domain: Objective 3.3 – Concept Framework’ (3 October 2012)
9 <http://mne.oslo.mil.no:8080/Multinatio/MNE7produk/33CyberCon> accessed 3 October
2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
4 / Date: 7/5
JOBNAME: Tsagourias PAGE: 5 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
26
‘US Air Force Intelligence Targeting Guide’ (Air Force Pamphlet 14–210, 1 February
1998) <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.131.8965&rep=rep1&type=pdf>
accessed 3 October 2014. According to the lexicon of the Memorandum for Chiefs of the
Military Services Commanders of the Combatant Commands, Directors of the Joint Staff
Directorates:
A hostile act using computer or related networks or systems, and intended to disrupt and/or
destroy an adversary’s critical cyber systems, assets, or functions. The intended effects of
cyber-attack are not necessarily limited to the targeted computer systems or data themselves-
for instance, attacks on computer systems which are intended to degrade or destroy
infrastructure or C2 capability. A cyber-attack may use intermediate delivery vehicles
including peripheral devices, electronic transmitters, embedded code, or human operators.
The activation or effect of a cyber-attack may be widely separated temporally and geographi-
cally from the delivery:
James E. Cartwright, Memorandum for Chiefs of the Military Services Commanders of the
Combatant Commands, Directors of the Joint Staff Directorates (2011) 5, <http://www.nsci-va.
org/CyberReferenceLib/2010-11-joint%20Terminology%20for%20Cyberspace%20Operations.
pdf> accessed 3 October 2014.
27
Michael Schmitt, ‘Wired warfare: computer network attack and jus in bello’ (2002)
84(846) I.R.C.C. 367.
28
Oona A. Hathaway et al., ‘The law of cyber-attack’ (2012) 100 Cal. L. Rev. 822–39.
29
See for example, Heather A. Dinniss, ‘Attacks and operations -The debate over computer
network ‘attacks’’ in New Technologies, Old Law: Applying International Humanitarian Law in
a New Technological Age (The Minerva Center for Human Rights, Jerusalem, 28–29 November
2011, Conference paper 2) <http://www.kas.de/israel/en/publications/29923/> accessed 3 Octo-
ber 2014; Schmitt (n 3) 106–7; Yoram Dinstein, The Conduct of Hostilities under the Law of
International Armed Conflict (CUP 2004) 84. See also, Cordula Droege, ‘Get off my cloud:
Cyber warfare, international humanitarian law, and the protection of civilians’ (2013) 94(886)
I.R.C.C. 557.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
5 / Date: 7/5
JOBNAME: Tsagourias PAGE: 6 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
conventional attack. The test of the ‘Kinetic effect equivalency’30 is thus decisive in
order to ‘adapt’ the principle of distinction in a case of cyberwar (2a).
However, the applicability in concreto of this KEE test in order to assess if a
cyber-operation constitutes an ‘attack’ can raise so many difficulties that one might
even wonder if relying exclusively to the ‘Kinetic effect equivalency test’ in this field
does not jeopardize the principle of distinction. Indeed the KEE test could authorize
and legitimize a wide range of military operations against civilians that would have
never been acceptable if they had been carried out by kinetic force (2b).
The law of armed conflict defines ‘attack’ as ‘acts of violence against the adversary,
whether in offence or in defence’.31 According to the KEE test, violence should be
evaluated in terms of effect rather than of means used. On the basis of this test, acts of
violence are acts that cause ‘death or injury of persons or the physical destruction of
objects’.32 This definition of violence makes it possible to qualify acts perpetrated by
non-kinetic weapons as ‘attacks’. For example, as highlighted by Knut Dörmann, ‘the
employment of biological or chemical agents that does not cause a physical explosion,
such as the use of asphyxiating or poisonous gases, would constitute an attack’ because
the resulting effects are violent regardless of the vectors used to achieve them.33
It follows from these elements that cyber-operations that cause death, injury of
persons or physical destruction are to be considered as acts of violence that qualify as
‘attacks’ under the law of armed conflict. According to the Tallinn Manual, ‘a
cyber-attack is a cyber-operation, whether offensive or defensive, that is reasonably
expected to cause injury or death to persons or damage or destruction to objects’.34
The examples of cyber-operations that can therefore be considered as attacks are
numerous.
For example, the intrusion into the computer control system of a nuclear power plant
is not violent in itself, but it could be qualified as an ‘attack’ if its consequences are
violent. One can also imagine a cyber-operation aiming to penetrate the central
computer system of a chemical plant and finally leading to the explosion of the
installation and the atmospheric release of toxic gases. Here again, the intrusion is not
violent, but its effects are violent: the explosion would create damage to property while
toxic gases could have serious consequences on the health of the civilian population.
30
Hereafter ‘KEE’.
31
Protocol I (n 13) art 49 (Definition of attacks and scope of application). This definition is
seen as part of customary law. See, Jean-Marie Henckaerts & Louise Doswald-Beck, Customary
International Humanitarian Law (vol I, Rules, ICRC, CUP 2006) 3–8.
32
See Niels Melzer, Cyberwarfare and International Law (UNIDIR 2011) 26 and footnote,
<http://unidir.org/files/publications/pdfs/cyberwarfare-and-international-law-382.pdf> accessed 3
October 2014.
33
Dörmann (n 4) 4. See also Prosecutor v. Dusko Tadić (n 15) paras 1214.
34
Schmitt (n 2) Rule 30. According to the Manual: ‘Acts of violence’ should not be
understood as limited to activities that release kinetic force (…), “violence” must be considered
in the sense of violent consequences and is not limited to violent acts’: 106–7.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
6 / Date: 7/5
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
This act then could be qualified as an attack.35 The hacking of the computer control
system of a dam could also be considered as an ‘attack’ if it enables the hackers to take
control of the dam and to open its valves causing massive flooding downstream. Here,
the installation is not damaged, but the effects on civilians and infrastructure may be
equivalent to a kinetic attack that would have destroyed the dam.36
To the extent that the victims are civilians, these attacks should be considered
contrary to the principle of distinction. It is therefore clear that the KEE test is a useful
one and allows the principle of distinction to cover a wide range of cyber-operations
and to play the protective role expected from it.
The KEE test assumes that damage can be clearly identified. But this assumption
presents some problems. First, the proof of the existence and the precise extent of the
damages caused by cyber-operations could become a real probatio diabolica, especially
if one considers that the effects of cyber-attacks are, contrary to the effects of use of
kinetic weapons, rather indirect (2(b)(i)). Indeed, the KEE test sometimes could even
raise the fundamental question of the very existence of the damage when it is not
strictly physical (2(b)(ii)).
(i) The problem of the assessment of the damage resulting from a cyber-attack
It is sometimes difficult to assess with certainty the collateral damage caused by the
malfunction of civilian facilities.
The direct relationship between the impairment of the functioning of a system and
the damage to the civilian population is often difficult to establish with confidence.37 In
addition, the magnitude and seriousness of these injuries are extremely variable and
depend on parameters as different as the dependence of a society toward certain
systems or the appropriateness of human responses to these events.38 As illustrated by
cyber-operations conducted against Estonia in 2007 and Georgia in 2008, a wired
society such as Estonia may be more vulnerable39 than a ‘less computer relevant’
35
Ibid. 115.
36
Ibid. 107.
37
In 2003, after the blackout occurred on the east coast of the US, 11 direct victims related
to this event were counted. Most of them were victims of accidents caused by malfunctioning of
electrical equipment: vehicle collisions due to the cessation of traffic lights, asphyxia caused by
damaged electrical generators, etc. The indirect effects of the blackout and their consequences in
the mid and long term do not seem to have been evaluated. Indeed it is difficult, if not
impossible, to determine, for example, how many people with serious illnesses could not receive
treatment or how many surgeries were postponed, and what were the implications of these
adjournments and postponements on the health of the patients.
38
David Turns, ‘Cyberwarfare and the notion of direct participation in hostilities’ (2012)
17(2) J. Conflict & Sec. L. 288.
39
As underlined in a Report published in 2010 about Estonia, International Cyber
Incidents: Legal Considerations:
The high availability of public e-services and wide Internet accessibility that the Estonian
population enjoys have, as a negative side effect, also made the country a more attractive
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
7 / Date: 7/5
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
society such as Georgia.40 However, it is also possible that less connected countries can
be more heavily dependent on certain facilities and infrastructure. Additionally,
variations in the nature of the operation can lead to significantly different results as
evidenced by military operations against electrical grids in Iraq in 1991 and in Serbia
and Montenegro in 1999.41 Furthermore, one should take into account that the
assessment of damages is even more difficult and controversial due to the fact that the
effect of such damages can be seen in the long term.42 This raises the question of
the critical date for the assessment of the existence of such an ‘attack’? Is it reasonable
to label retrospectively an act as an attack several days, weeks or even months after the
commission of the act?
Thus, depending on the circumstances and a series of hardly identifiable parameters,
the same act could or could not be qualified as an attack.
These questions are, however, not new. They are also to be raised in relation to
kinetic operations when assessing the proportionality of an attack or its indiscriminate
nature. But while a kinetic attack against an installation will cause physical damage to
the facility before any eventual collateral damage, this is not automatically the case for
a cyber-operation.
Indeed, a cyber-operation against a facility can be more insidious to the extent that it
can generate collateral damage without causing direct damage to the targeted instal-
lation. Even worse, a cyber-attack could be conducted against an installation in a
completely concealed and furtive way.
target for cyber-attacks. The dependency of the population on easily accessible online
services has made the society more vulnerable to large scale disruptions in the availability of
Internet access:
Eneken Tikk, Kadri Kaska, & Liis Vihul International Cyber Incidents: Legal Considerations
(CCD COE 2010) 18.
40
Turns (n 38) 287.
41
In a 2003 Report, Human Rights Watch underlined that:
Attacks on electrical generation facilities used by the civilian population would have a
profound and long-term impact on the civilian population in Iraq. During the 1991 Persian
Gulf War, for example, the failure of American war planners to accurately assess the
cascading effects that attacks on electricity would have on the civilian population had
profound humanitarian consequences. These attacks crippled basic civilian services, including
hospital-based medical care, and shut down water-distribution, water-purification, and
sewage-treatment plants. As a result, the most vulnerable members of the population, young
children and adults requiring medical attention, suffered injury and death from the lack of
potable water and poor medical treatment. It was proven in Yugoslavia that attacks on
electrical distribution facilities can achieve the necessary military effect of disrupting power
supply without long-term incapacitation of electrical generation capability. Due to the severe
consequences that followed destruction of electrical generation in Iraq, the US attacked
similar facilities in Kosovo in such a way as to cause only temporary incapacitation’:
Human Rights Watch, ‘International humanitarian law issues in a potential war in Iraq’ (Human
Rights Watch Briefing Paper, 2003) 8–9 <http://www.hrw.org/sites/default/files/reports/Iraq%
20IHL%20formatted.pdf> accessed 3 October 2014.
42
Thomas W. Smith, ‘The new law of war: Legitimizing hi-tech and infrastructural
violence’ (2002) 46 Int’l. Stud. Q. 363.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
8 / Date: 25/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
In his memoirs of the Cold War, a former Air Force secretary, Thomas Reed, recalls
how, in 1982, a US satellite detected a large blast in Siberia. It was, according to him,
‘the most monumental non-nuclear explosion and fire ever seen from space’. This blast,
he said, ‘was a malfunction in the computer-control system that Soviet spies had stolen
from a firm in Canada. They did not know that the CIA had tampered with the software
so that it would “go haywire”, after a decent interval’.43 Even today, many viruses and
worms remain undetectable in many countries. It will then come as a big surprise to
them that a given malfunction of a facility is the result of a cyber-attack conducted
against it.
Computer network attacks not only increase the number of targets that it is possible to attack
by reducing the collateral damage and hence the proportionality equation in target selection,
they also allow the possibility of operations which cause no physical damage but nonetheless
destroy or merely neutralize the object or system in question. This is an attractive option for
states, particularly in conflicts which will necessitate the reconstruction of the battle-space at
the conclusion of hostilities; it is inefficient to bomb a power generating station if you can
simply turn it off.44
43
Thomas Reed, At the Abyss: An Insider’s History of the Cold War (Presidio Press/
Ballantine Books 2004) 368.
44
Dinniss (n 21) 183–4.
45
Harold Koh (Legal Advisor, U.S. Department of State), highlighted that (about jus ad
bellum and concerning the notion of ‘force’): ‘As you all know, however, there are other types of
cyber actions that do not have a clear kinetic parallel, which raise profound questions about
exactly what we mean by “force”: Harold H. Koh, ‘International Law in Cyberspace’ (U.S.
Department of State, 18 September 2012) <http://www.state.gov/s/l/releases/remarks/197924.
htm> accessed 3 October 2014.
46
Michael Bothe, K. J. Partsch & W. A. Solf, New Rules for Victims of Armed Conflicts:
Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949
(Martinus Nijhoff 1982) 289.
47
Schmitt (n 3) 108.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
9 / Date: 25/3
JOBNAME: Tsagourias PAGE: 10 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
requirements that has been produced due to the malfunctions of the system. According
to this thesis, damage should be physical.48 As a result cyber military operations
conducted against civilians ‘which merely cause discomfort’, or ‘inconvenience’ should
not be considered as ‘attacks’.
However, this interpretation is controversial. For Knut Dörmann, the presence of
physical damage is not an essential requirement for actions to be considered as an
attack. In his opinion:
Given that elsewhere in the same section of AP I [Additional Protocol I], namely in the
definition of a military objective, reference is made to neutralization of an object as a
possible result of an attack, one may conclude that the mere disabling of an object, such as
shutting down of the electricity grid, without destroying it should be qualified as an attack as
well.49
shows that the drafters had in mind not only attacks that are aimed at destroying or damaging
objects, but also attacks for the purpose of denying the use of an object to the enemy without
necessarily destroying it. So, for instance, an enemy’s air defence system could be neutralized
through a cyber-operation for a certain duration by interfering with its computer system but
without necessarily destroying or damaging its physical infrastructure.50
Whatever the arguments put forward by each camp in support of its claims, this
controversy shows that the assimilation of cyberwar in conventional warfare induced by
the KEE test is not always an easy one and may even be perceived as a reductive one.
Faced with the dematerialization of the initial act, we need to ‘re-materialize’ its effects
in order to grasp the phenomenon. But endeavoring by all means to make cyberwar fit
the classical framework could lead to a risk of excluding a wide range of military
cyber-operations directed against civilians and civilian objects. As Michael Schmitt
said:
[I]f the Serbian State television station had been targeted by CNA rather than kinetic weapons
during NATO strikes on Belgrade in April 1999, there might well have been no consequent
injury, death, damage or destruction. In that circumstance, criticism on the basis that a
civilian target had been hit would probably have fallen on deaf ears and thereby avoided the
resulting negative publicity, as well as the resulting litigation in the European Court of
Human Rights.51
48
According to Michael Schmitt, ‘a cyber operation, like any other operation, is an attack
when resulting in death or injury of individuals, whether civilians or combatants, or damage to
or destruction of objects, whether military objectives or civilian objects’: Michael Schmitt,
‘Cyber operations and the jus in bello: Key issues’ (2011) 87 Naval War College Int’l. L. Stud.
94.
49
Dörmann (n 4).
50
Droege (n 29) 558.
51
Schmitt (n 27) 381.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
But if this assertion is true, this could lead us, as Cordula Droege warned, to the absurd
conclusion, ‘that the destruction of one house by bombing would be an attack, but the
disruption of an electrical grid supplying thousands or millions of people would not’.52
Finally it seems true that according to Jeffrey Kelsey, ‘[t]he potentially non-lethal
nature of cyber weapons may cloud the assessment of an attack’s legality, leading to
more frequent violations of the principle of distinction in this new form of warfare than
in conventional warfare’.53
Given this challenge it is useful to examine to what extent the principle of distinction
must be interpreted as prohibiting not only cyber-attacks but, more generally, military
cyber-operations against civilians.
52
Droege (n 29) 558–9.
53
Kelsey (n 5) 439.
54
According to Melzer:
The basic treaty rule of distinction is not formulated in terms of ‘attack’ but in terms of
‘operations’ (…). Therefore, although attacks certainly represent the predominant form of
combat operation, it would be inaccurate to assume that cyber operations not amounting to an
attack are not subject to IHL governing the conduct of hostilities. Accurately understood, the
applicability of the restraints imposed by IHL on the conduct of hostilities o cyber operations
depends not on whether the operations in question qualify as ‘attack’ (that is, the predominant
form of conducting hostilities), but on whether they constitute part of the ‘hostilities‘ within
the meaning of IHL:
Melzer (n 32) 27. See also Dinniss (n 29).
55
According to the Tallinn Manual, ‘[o]nly when a cyber-operation against civilians or
civilians objects (or other protected persons and objects) rises to the level of an attack is it
prohibited by the principle of distinction and those rules of the law of armed conflict that derive
from the principle’: Schmitt (n 3) 112.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
11 / Date: 8/5
JOBNAME: Tsagourias PAGE: 12 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Therefore although attacks certainly represent the predominant form of combat operation, it
would be inaccurate to assume that not amounting to an attack are not subject to IHL
governing the conduct of hostilities. Accurately understood, the applicability of the restraints
imposed by IHL on the conduct of hostilities to cyber operations depends not on whether the
operations in question qualify as ‘attacks’ (that is, the predominant form of conducting
hostilities), but on whether they constitute part of the ‘hostilities’ within the meaning of
IHL.59
This debate about the interpretation of Protocol I and the applicability of the principle
of distinction to all military operations against civilians was probably less important
within the context of the ‘traditional’ use of kinetic weapons. It has nonetheless
acquired a brand new dimension with the progressive development of cyber-weapons.
Indeed, one could think that linking the principle of distinction to hostile cyber-
operations (even if they do not necessarily qualify as ‘attacks’) is probably the best way
to preserve the raison d’être of this principle.
Taking into consideration the potentially dramatic developments of warfare in a
digital world, it would be unreasonable and counterproductive to ‘stick’ to a fixed and
inflexible interpretation of the conditions of applicability of the principle of distinction.
And the general consensus on the submission of cyberwar to the laws of war should not
lead to the absurd conclusion that these rules are irrelevant because they are too ‘old’ to
56
Schmitt (n 27) 376.
57
Michael Schmitt, ‘International law in cyberspace: The Koh Speech and Tallinn Manual
juxtaposed’ (2012) 54 Harvard Int’l. L. J. 26. See also Schmitt (n 48) 91.
58
According to Davidson:
non-military objectives can be targeted by CNAs, as long as the result is not physical danger
to the civilian population or damage to civilian objects and the intention of such action is not
to terrorize the civilian population. This is so, even if the motive of the operation is military
and it is conducted by armed forces:
Osnat Davidson, ‘A legal analysis of computer network attacks under international law’
(2007–2008) 3 I.D.F. L. Rev. 70, 92.
59
Melzer (n 32) 27.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
12 / Date: 8/5
JOBNAME: Tsagourias PAGE: 13 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
deal effectively with new forms of war. The law of armed conflict should on the
contrary be interpreted in an evolutive way in order to adapt to new realities and
possibilities to wage war.
International courts and treaty bodies, faced with changes in technology and science,
have often used methods of dynamic and evolutive interpretation of international
treaties as well as principles of international law to give them their full effect.60 In 1997
in its Gabčikovo-Nagymaros judgment, the ICJ considered that the bilateral agreement
concluded in 1977 between Czechoslovakia and Hungary should be interpreted, not
according to the law and scientific knowledge as they existed in 1977, but dynamically
on the basis of the law and conditions prevailing in 1997.61 Similarly, the Appellate
Body of the World Trade Organization asserted that the words of Article XX(g),
‘exhaustible natural resources’ should be interpreted not in a static manner and on the
basis of knowledge that prevailed in 1947, but in a dynamic manner according to the
knowledge of 1998.62 In these cases, the judges did not want to adopt a grammatical
interpretation that would deprive the treaty of its effects. They interpreted these treaties
in a teleological way so as to give full effect to their provisions. It is also well known
that human rights treaty bodies constantly use evolutionary interpretation as a tool in
order to ‘adapt’ and specify concepts and notions contained in the human rights treaties
in a rapidly evolving world. In the interest of the protected persons these bodies have
60
See Giovani Distefano, ‘L’interprétation évolutive de la norme internationale’ (2011) 112
R.G.D.I.P. 373–96; Rosalyn Higgins, ‘Time and the law: International perspectives on an old
problem’ (1997) 46 I.C.L.Q. 501–20.
61
According to the Court:
Owing to new scientific insights and to a growing awareness of the risks for mankind – for
present and future generations – of pursuit of such interventions at an unconsidered and
unabated pace, new norms and standards have been developed, set forth in a great number of
instruments during the last two decades. Such new norms have to be taken into consideration,
and such new standards given proper weight, not only when States contemplate new activities
but also when continuing with activities begun in the past.
Gabcikovo-Nagymaros Project (HungarylSlovakia) (Judgment) [1997] ICJ Rep. 1997 para. 140.
More recently, in the Case Costa Rica v. Nicaragua, the ICJ, using a dynamic interpretation of
a bilateral agreement concluded in1858, stated that ‘Nicaragua, in adopting certain measures
which have been challenged, in the Court’s opinion, is pursuing the legitimate purpose of
protecting the environment’: Dispute Regarding Navigational and Related Rights (Costa Rica v.
Nicaragua) (Judgment) [2009] ICJ Rep. 2009 para. 89. See also Georg Nolte, ‘Between
contemporaries and evolutive interpretation: The use of subsequent practice in the judgment of
the International Court of Justice concerning the case of Costa Rica v Nicaragua (2009)’ in
Holger P. Hestermeyer (ed.), Coexistence, Cooperation and Solidarity: Liber Amicorum Rudiger
Wolfrum (vol II, Martinus Nijhoff Publishers 2012) 1675–84.
62
According to the Appellate Body of the Dispute Settlement Body of the WTO:
The words of Article XX(g), ‘exhaustible natural resources’, were actually crafted more than
50 years ago. They must be read by a treaty interpreter in the light of contemporary concerns
of the community of nations about the protection and conservation of the environment. (…)
the generic term ‘natural resources’ in Article XX(g) is not ‘static’ in its content or reference
but is rather ‘by definition, evolutionary’:
WTO, US: Import Prohibition of Certain Shrimp And Shrimp Products – Report of the Appellate
Body (12 October 1998) WT/DS58/AB/R paras 129–130.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
13 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
constant recourse to the idea that human rights treaties are ‘living instruments’, the
interpretation of which inevitably requires a non-static process. As the former President
of the European Court of Human Rights, Jean-Paul Costa stated:
The fact is that, more or less since the beginning, the Convention organs … have taken the
view that the text should be interpreted, and applied, by adapting it to the changes that have
taken place over time – to changes in society, in morals, in mentalities, in laws, but also to
technological innovations and scientific progress. The Convention is sixty years old: history
has moved inexorably onward during that period and this contextual evolution has been
highly significant. The Convention’s interpreters expressly rejected a static or finite analysis.
I am convinced they were right.63
This dynamic approach has always been part of the law of armed conflict as evidenced
by the Martens clause inserted in various treaties or the famous Article 36 of the
Protocol I. It is also thanks to this dynamic approach that cyberwar is unanimously
regarded as subject to the law of armed conflict. This is the same way in which one
should interpret Articles 48 and 51 of Protocol, taking into account the objectives of the
drafters that were to protect civilians from the effects of the war. As Diniss wrote:
Once the ability to target civilian objects is permitted, it crosses the fundamental philosoph-
ical line enshrined in the 1868 Declaration of St Petersburg, which states ‘the only legitimate
object which States should endeavor to accomplish during war is to weaken the military
forces of the enemy.64
Furthermore it should be recalled that the principle of distinction has both a conven-
tional and customary basis.65 As pointed out by the ICJ in the Nicaragua case, a
conventional rule and a parallel customary rule remain autonomous. The fact that some
interpretations of the principle under the Protocol could be made in conjunction with
other provisions of the Protocol has no impact on the interpretation of the principle in
its customary dimension.66 The principle of distinction can thus receive different
63
European Court of Human Rights, Council of Europe (eds.), Dialogue between Judges
2011: What are the Limits to the Evolutive Interpretation of the Convention? (ECHR 2011) 5.
64
Dinniss (n 21) 202.
65
In our view there is enough State practice and opinio juris to support the customary
nature of the principle of distinction. This conclusion was also confirmed by the ICJ itself in its
advisory opinion Legality of the Threat or Use of Nuclear Weapons (n 6). As the Court said:
The cardinal principles contained in the texts constituting the fabric of humanitarian law are
the following. The first is aimed at the protection of the civilian population and civilian
objects and establishes the distinction between combatants and non-combatants; States must
never make civilians the object of attack and must consequently never use weapons that are
incapable of distinguishing between civilian and military targets. […] [T]hese fundamental
rules are to be observed by al1 States whether or not they have ratified the conventions that
contain them, because they constitute intransgressible principles of international customary
law (paras 78–79).
66
As the ICJ emphasized in the Nicaragua Case: ‘Rules which are identical in treaty law
and in customary international law are also distinguishable by reference to the methods of
interpretation and application’. And the ICJ added that:
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
15 / Date: 25/3
JOBNAME: Tsagourias PAGE: 16 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
(a) The Distinction between Civilian Objects and Military Objectives and the
Problem of Dual-use Objects
The law of war does not provide a direct definition of ‘civilian objects’ but only a
definition of the military objective. According to Article 52(2) (General protection of
civilian objects) of Protocol I:
Attacks shall be limited strictly to military objectives. In so far as objects are concerned,
military objectives are limited to those objects which by their nature, location, purpose or use
make an effective contribution to military action and whose total or partial destruction,
capture or neutralization, in the circumstances ruling at the time, offers a definite military
advantage.
By an a contrario reasoning we can thus consider as civilian objects, objects that are
not military objectives. Depending on the circumstances and necessities of the war, the
same object could be considered as a ‘civilian’ one, immunized against attacks by the
principle of distinction, or as a military objective ‘which by their nature, location,
purpose or use make an effective contribution to military action’ and could be
destroyed. If this definition is well established, it is nonetheless well known that the
71
Andreas Wenger & Simon Mason, ‘The civilianization of armed conflict: Trends and
implications’ (2008) 90 (872) I.R.R.C. 835–52.
72
As Vice Admiral Arthur Cebrowski highlighted, ‘There is no logical distinction …
between military or civil systems or technologies. [Therefore] there is also no technical
distinction between exploitation, attack or defense of the information warfare target set’, quoted
in Lawrence T. Greenberg et. al., Information Warfare and International Law (National Defense
University Press 1998) 12.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
16 / Date: 7/5
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
interpretation of the two key elements of the definition is highly subjective. As one
commentator has underlined: ‘Although it seems that the principle of distinction
between military and civilian objects is a straightforward principle, it is often difficult
to apply in practice. The main ambiguity derives from different interpretations of the
terms “effective” and “definite”.’73
Some authors74 but also some States have adopted such a broad interpretation of the
concept of military objective that it profoundly undermines the principle of distinction
itself.
A well-known example is arguably the US Navy Commander’s Handbook on the
Law of Naval Operations which considers as military objectives, not only ‘war-
fighting’ but also ‘war-sustaining’ installations. According to this handbook:
Military objectives are combatants and those objects which, by their nature, location, purpose
or use effectively contribute to the enemy’s war-fighting or war-sustaining capability and
whose total or partial destruction, capture or neutralization would constitute a definite
military advantage to the attacker under the circumstances at the time of attack.75
During NATO airstrikes against Serbia in 1999, Lieutenant General Short of the NATO
Air Component stated it wanted to ‘turn off the lights’ of Belgrade.76 The bombing in
April 1999 of the Serbian Radio Television was also presented as a military objective
because it was seen as the nervous system that kept Milošević in power.77 At the same
time, according to US military sources ‘bridges were often selected for attack for
reasons other than their role in transportation (for example, they were conduits for
communications cables, or because they were symbolic and psychologically lucra-
tive)’.78 This way of interpreting what constitutes a military objective and the way to
73
Davidson (n 58) 94.
74
This doctrinal trend is well illustrated by Charles Dunlap, who argues for a new kind of
total war, stating that:
We need a new paradigm when using force against societies with malevolent propensities. We
must hold at risk the very way of life that sustains their depredations, and we must threaten
to destroy their world as they know it if they persist. This means the air weapon should be
unleashed against entire new categories of property that current conceptions of LOAC put
off-limits,
in Charles J. Dunlap, ‘The end of innocence: Rethinking non-combatancy in the post-Kosovo
era’ (2000) 28(3) Strategic Rev. 9.
75
Department of the Navy, Office of The Chief of Naval Operations, ‘The Commander’s
Handbook on the Law of Naval Operations’ (Edition July 2007) 8.2 (Military Objectives)
<http://www.usnwc.edu/getattachment/a9b8e92d-2c8d-4779-9925-0defea93325c/> accessed 3
October 2014.
76
Cited by Michael Schmitt, ‘The impact of high- and low-tech warfare on the principle of
distinction’ in Roberta Arnold & Pierre-Antoine Hildbrand (eds.), International Humanitarian
Law and the 21st Century’s Conflicts: Changes and Challenges (Edis 2005).
77
ICTY, Final Report to the Prosecutor by the Committee Established to Review the NATO
Bombing Campaign Against the Federal Republic of Yugoslavia (Jun 2000) 26, <http://
www.tpiy.org/x/file/About/OTP/otp_report_nato_bombing_en.pdf> accessed 3 October 2014.
78
Quoted by Jeanne M. Meyer, ‘Tearing down the facade: A critical look at the current law
on targeting the will of the enemy and air force doctrine’ (2001) 51 Air Force L. Rev. 165.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
17 / Date: 25/3
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
gain a military advantage was not unique to the crisis in Kosovo. In the current Syrian
crisis, the different possibilities concerning an eventual cyber-attack against the regime
of President Bashar al-Assad included the idea that one of the objectives should be to
‘turn the lights out for Assad’.79
But even if the notion of ‘war-sustaining’ installation remains controversial, it is true
that many facilities, such as chemical and power plants, oil refineries, hydroelectric
dams, telecommunications or transports infrastructure are often qualified as a dual-use
object and as a consequence are targeted during hostilities.80 As Marco Sassòli states:
‘when a certain object is used for both military and civilian purposes, it may be held
that even a secondary military use turns it into a military objective’.81 Since these
facilities are dual-objects they can be the target of kinetic weapons as well as of
cyber-attacks. But while kinetic attacks against dual use objects are often criticized due
to their impact on civilians, cyber-attacks are often presented as more ‘human’.82 The
controversy of targeting dual objects is not a new one but as Cordula Droege said, ‘in
cyber space the consequences could be exacerbated to an extreme point where nothing
civilian remains’.83 The status of computer and computer systems and companies
associated with these systems calls for special attention. Since computer systems are
the heart of modern armies they can be considered as ‘war-fighting’ and thus as
military objectives. But what about the companies designing and producing hardware
or software? Are they dual-use entities and as such could be military targets? According
79
Cited by David E. Sanger, ‘Syria war stirs new US debate on cyberattacks’, The New
York Times (24 February 2014).
80
It is for example interesting to note that according to the Convention for the Protection of
Cultural Property in the Event of Armed Conflict, broadcasting stations are military objectives.
Indeed, under art 8.1:
There may be placed under special protection a limited number of refuges intended to shelter
movable cultural property in the event of armed conflict, of centres containing monuments
and other immovable cultural property of very great importance, provided that they: (a) are
situated at an adequate distance from any large industrial centre or from any important
military objective constituting a vulnerable point, such as, for example, an aerodrome,
broadcasting station, establishment engaged upon work of national defence, a port or railway
station of relative importance or a main line of communication:
Convention for the Protection of Cultural Property in the Event of Armed Conflict (14 May
1954).
81
Marco Sassòli, ‘Legitimate targets of attacks under international humanitarian law’
(Background Paper prepared for the Informal High-Level Expert Meeting on the Reaffirmation
and Development of International Humanitarian Law, January 27–29, 2003) 7 <http://www.
hpcrresearch.org/sites/default/files/publications/Session1.pdf> accessed 3 October 2014.
82
According for example to Kelsey (n 5):
Unlike conventional strikes, which may leave civilians without power for month or even
years, a cyber-strike could disable the power grid for the duration of hostilities yet allow
electrical service to resume immediately once the fighting was over. This result would not be
completely eliminate the public health and safety concerns, but cyber warfare at least offers
the possibility of lessening the damage relative to a conventional attack: 1435.
83
Droege (n 29) 565.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
18 / Date: 25/3
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
to the Tallinn Manual: ‘An object used for both civilian and military purposes-including
computers, computer networks and cyber infrastructure-is a military objective.’84
Should we then consider Microsoft System, IBM or Dell as potential targets?85 And
beyond these companies, could the Internet and social networks, such as Facebook or
Twitter, also be considered as military objectives? In 1995 already, ‘95 percent of the
telecommunications of the Department of Defense traveled through the Public
Switched Network’.86 The Internet and social networks are also of fundamental
importance for many armed groups involved in riots, unrest or civil war.87 In Syria for
example, President Bashar al-Assad was recently suspected of having interrupted
access to the Internet in order to cripple the communication abilities of the rebellion.88
It is thus not very surprising that for many observers, civilian servers used to transmit
military information are military objectives.89 These facilities could, according to these
observers, be subject to cyber-attacks as well as to kinetic attacks. The legal framework
for these attacks comes under the principle of proportionality which prohibits ‘to cause
incidental loss of civilian life, injury to civilians, damage to civilian objects, or a
combination thereof, which would be excessive in relation to the concrete and direct
military advantage anticipated’.90
Even if one is reluctant to consider the Internet as a global military objective on the
basis of the idea that only ‘segments’ used for military purposes should be targeted,91
the interconnection between civilian and military networks is so deep that an attack
strictly limited or ‘proportional’ seems rather illusory. Besides the fact that it can be
difficult to identify the segments used for military purposes, the mere fact of
introducing a virus into a military network or into a military objective via a civilian
network can have effects that spread far beyond the military framework.92 Cyber-
attacks can therefore be indiscriminate as they ‘cannot be directed at a specific military
objective’.93
84
Schmitt (n 3) rule 39 (Objects used for civilian and military purposes).
85
See for example Eric Talbot Jensen, ‘Unexpected consequences from knock-on effects: a
different standard for computer network operations?’ (2002) 18 Am. U. Int’l. L. Rev. 1544,
quoted by Droege (n 29) 566.
86
Greenberg, Goodman & Soo Hoo (n 72) 12, quoting Richard W. Aldrich, ‘The
International Legal Implications of Information Warfare’ (U.S. Air Force Institute for National
Security Studies Occasional Paper 9, April 1996) 11.
87
See examples of Nepal, Myanmar or Egypt given in Dinniss (n 21) 186.
88
Chris Finan, ‘A cyberattack campaign for Syria’, The International Herald Tribune (27
May 2013).
89
Schmitt (57) 27.
90
Protocol I (n 13) art 51§5 b. On proportionality in cyber armed conflict see Gill (Ch 17
of this book).
91
See Schmitt (n 3) 136.
92
The Stuxnet experience shows that ‘although the worm was designed against Iranian’s
nuclear power plant, its spread infected 45 000 computers around the world’: Thomas Erdbrink
& Ellen Nakashima, ‘Iran struggling to contain ‘foreign-made’ computer worm’, The Washing-
ton Post Staff (28 September 2010).
93
Protocol I (n 13) art 51(4)(b). Furthermore, according to Kelsey (n 5) 1438, IHL requires
to ‘know not just where to strike but be able to anticipate all the repercussions of an attack’.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
19 / Date: 25/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
In this context one may wonder how the principle of distinction can curb this
phenomenon as cyber-attacks are not always clearly identifiable and their consequences
and authors remain often unknown.
The fate of those involved in cyber-operations is undoubtedly one of the most complex
issues of the law of armed conflict. The principle of distinction assumes that
belligerents can clearly distinguish between civilians and combatants. However, for
various reasons, armed forces increasingly use civilians to perform a wide range of
activities in connection with military cyber-operations. This information technology
outsourcing goes from the simple maintenance of military networks to the exploitation
of weaknesses of computer systems through the development and instillation of worms,
Trojan horses and other viruses. According to Turns: ‘In light of these trends, there is a
high probability that many, if not most, of the personnel substantively involved in
cyber-operations may actually be civilians’.94
What then is the status of these experts involved in these cyber-operations? The
protection against attacks granted by the principle of distinction to civilians is subject
to the fundamental requirement that civilians do not take a direct part in hostilities.95
This condition of ‘innocence’ is inserted in most of the provisions relating to the
principle of distinction and the protection of civilians.96 For example, according to
Article 51(3) of Protocol I: ‘Civilians shall enjoy the protection afforded by this
Section, unless and for such time as they take a direct part in hostilities.’
In the case of direct participation in hostilities, this protection ends and while the
people involved conserve their civilian status, they can lawfully become the target of
attacks. Could a hacker or computer scientist thus become the object of an attack? The
answer to these questions depends on the interpretation of the notion of ‘direct
participation in hostilities’ in the context of cyber-operations.
In this regard, the Interpretive Guidance on the Notion of Direct Participation in
Hostilities published by the ICRC is helpful.97 Although some proposals remain
controversial, the main conclusions of this document seem to be consensual and call for
at least two sets of observations in relation to cyber-operations.
94
Turns (n 38) 292.
95
Claude Pilloud, Commentaires des Protocoles additionnels du 8 juin 1977 aux Conven-
tions de Genève du 12 août 1949 (Martinus Nijhoff Publishers 1986) 633.
96
See for example common art 3 to the four Geneva Convention of 12 August 1949; art.
13(3) of Protocol Additional to the Geneva Conventions of 12 August 1949 relating to the
Protection of Victims of Non-International Armed Conflicts (Protocol II), 8 June 1977; art 38 of
the Convention on the Rights of the Child of 20 November 1989; art 1 of the Optional Protocol
to the Convention on the Rights of the Child on the involvement of children in armed conflict, 25
May 2000; art. 8.2(b)(i) and 8.2(e)(i) of the Rome Statute of the International Criminal Court,
17 July 1998.
97
Niels Melzer (ed.), Interpretive Guidance on the Notion of Direct Participation in
Hostilities under International Humanitarian Law (ICRC 2009) 85.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
20 / Date: 25/3
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
A first set of observations concerns the meaning of the notion of ‘direct participation
in hostilities’ in a cyber-context. It is first interesting to note that the notion of
‘hostility’ is interpreted widely enough to encompass a large variety of acts. According
to the ICRC’s Guidance: ‘there was wide agreement that the causation of military harm
as part of the hostilities did not necessarily presuppose the use of armed force or the
causation of death, injury or destruction’ but essentially included ‘all acts that adversely
affect or aim to adversely affect the enemy’s pursuance of its military objective or
goal’98.99 In other words, ‘hostilities’ is not synonymous with attack and cyber military
operations that are below the threshold of an attack could be considered as ‘hostilities’.
According to the Tallinn Manual: ‘There is no requirement for physical damage to
objects or harm to individuals. In other words, actions that do not qualify as a
cyber-attack will satisfy this criterion as long as they negatively affect the enemy
militarily.’100 From this point of view, it can be concluded that a wide range of
cyber-operations could fall under the scope of ‘hostilities’.
However, in order to consider an act as a case of ‘direct participation’, three
additional requirements should be met: ‘(1) a threshold regarding the harm likely to
result from the act; (2) a relationship of direct causation between the act and the
expected harm; and (3) a belligerent nexus between the act and the hostilities
conducted between the parties to an armed conflict’.101 Here again, although these
criteria are cumulative, it seems that a broad range of cyber-activities could fit the
definition. According to Interpretive Guidance: ‘Electronic interference with military
computer networks could also suffice, whether through computer network attacks
(CNA) or computer network exploitation (CNE), as well as wiretapping the adversary’s
high command or transmitting tactical targeting information for an attack.’102
As a consequence, this could lead us to a preliminary conclusion that many civilians
involved with military cyber-operations ‘even if they do not actually press the button
that launches a cyber-attack’103 could fit the definition of ‘direct participation in
hostilities’.
The second set of our observations concerns the effects of this ‘(cyber) direct
participation in hostilities’ on the protective status of these civilians. The fact that these
civilians are a legitimate target and might be subject to an attack (cyber or kinetic) is
confirmed. Nonetheless the scope of these attacks raises many questions, both
geographically and temporally.
The interpretation of the expression ‘for such time’ in a cyber-context is particularly
challenging and needs to be clarified. Indeed, should we consider that civilians could
be targeted only when they ‘press’ the button or can they only be targeted when the
cyber-operation is under way? As Schmitt rightly underlined:
This is problematic in that many cyber operations last mere minutes, perhaps only seconds.
Such a requirement would effectively extinguish the right to strike at direct participants.
98
Ibid, pp. 22f, 31
99
Ibid. footnote 97.
100
Schmitt (n 3) 119.
101
Melzer (n 97) 46.
102
Ibid. 48.
103
Quoted by Turns (n 38) 290.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
21 / Date: 25/3
JOBNAME: Tsagourias PAGE: 22 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
On the other hand it could be extremely dangerous to adopt a too broad interpretation
leading to the conclusion that it is possible to launch attacks against these civilians as
long as the effects of their actions exist. To quote Michael Schmitt again: ‘In the cyber
conflict environment, therefore, the only reasonable interpretation of “for such time” is
that it encompasses the entire period during which the direct cyber participant is
engaging in repeated cyber-operations.’105 Balanced and reasonable as it might be, this
interpretation does not resolve all the problems. For example should we consider that
the replication of a worm embodies a ‘repeated cyber-operation’? If so direct
participation in hostilities could then become unlimited. But if the answer to this
questions is no, at what time should we then consider that such a cyber-operation is
over?
The ubiquity of cyber-operations is also extremely challenging for the principle of
distinction. Indeed cyber-operations can be launched simultaneously by thousands of
computers all around the world and the instigators of these operations can be located in
civil areas far away from the ‘battlefield’ (if there are any battlefields at all). The
principle of distinction prohibits indiscriminate attacks but authorizes lethal attacks
against civilians directly participating in hostilities and also collateral damage to people
and properties. This is provided that these damages are not excessive in relation to the
concrete and direct military advantage anticipated.106
In this context, one may wonder whether the notion of direct participation in
hostilities in cyber space could become a kind of Trojan horse (or worm) instilled into
the principle of distinction leading to a kind of ‘total cyber war’.107 The risks of abuse
are however not so obvious. Indeed, as we mentioned, the three criteria of direct
participation are cumulative, bringing the threshold requirement to a fairly high level.
In addition, the second criterion of direct participation requires ‘a relationship of direct
causation between the act and the expected harm’. However, as previous developments
have tried to demonstrate, it is precisely such a link which is difficult to establish in the
context of cyberwar. It is therefore once again the snake biting its tail. As David Turns
noted: ‘In these circumstances, it appears doubtful that CW [cyber warfare] could ever
meet the requirement of direct causation for DPH [direct participation in hostilities],
which suggests that civilians could engage in CW [cyber warfare] with impunity.’108
5. CONCLUSION
The prevailing view according to which cyber warfare, like any other method or means
of warfare, is subject to the law of armed conflict is accurate. However, this welcomed
104
Schmitt (n 48) 102.
105
Ibid.
106
Protocol I (n 13) art 51§5(b).
107
Droege (n 29) 565.
108
Turns (n 38) 288.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
22 / Date: 25/3
JOBNAME: Tsagourias PAGE: 23 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter16 /Pg. Position:
23 / Date: 25/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
The applicability of international law to ‘cyber-warfare’ has received significant
attention in recent years. A number of States have presented (semi) official positions on
the question of the applicability of international law to cyber-warfare and several
noteworthy publications have appeared in which the applicability and application of
international law to cyber attacks and other forms of cyber activity have received
attention, including the recently published Tallinn Manual on the Applicability of
International Law to Cyber Warfare.1 Alongside the applicability of the ius ad bellum
governing the permissibility of the use of force and the conditions and modalities
relating to its application in response to cyber attacks, the question of the applicability
of the ius in bello, generally referred to as International Humanitarian Law or the Law
of Armed Conflict (IHL/LOAC), has also received attention, albeit, probably somewhat
less on the whole in relation to cyber attacks, than the law governing the use of force.
1
For examples of State positions on cyber-warfare and the applicability of international law
thereto see, Michael Schmitt (ed.), Tallinn Manual on the Applicability of International Law to
Cyber Warfare (CUP 2013) 2 (hereinafter referred to as Tallinn Manual), citing the national
cyber strategies of, inter alia, Canada, the Russian Federation, the United Kingdom and the
United States. The Netherlands also recently adopted a position which endorsed the findings of
the Advisory Council for International Affairs and the Advisory Committee on Matters of Public
International Law Report on Digital Warfare in which it acknowledged that existing international
law, including the law relating to the use of force and international humanitarian law, fully apply
to cyber-warfare. See for the joint report of the two bodies AIV/CAVV Report 77/22, Cyber
Warfare, December 2011 available online <http://www.aiv-advies.nl/ContentSuite/upload/aiv/
doc/webversie__AIV77CAVV_22_ENG.pdf> accessed 6 March 2015. For the Dutch Govern-
ment’s response, see <http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapport
en/2012/04/26/cavv-advies-nr-22-bijlage-regeringsreactie-en/cavv-advies-22-bijlage-regeringsreactie-
en.pdf> accessed 6 March 2015. Alongside State reactions, a considerable amount of literature
has appeared devoting attention to the international legal aspects of cyber-warfare, both in
relation to use of force issues and the application of IHL / LOAC. These are too numerous to
name, but a few examples of recent publications will serve to illustrate. Among these
publications are (2012) 17 (2) J. Conflict & Sec. L. devoted wholly to cyber-warfare; Paul
Ducheine, Frans Osinga and Joseph Soeters (eds.), Cyber Warfare: Critical Perspectives (TMC
Asser Press 2012); (2013) 89 Int’l. L. Studies; and the publications of the NATO Cooperative
Cyber Defence Centre of Excellence (CCD COE), including the aforementioned Tallinn Manual.
366
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
1 / Date: 25/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Both aspects are, however, dealt with in the aforementioned Tallinn Manual. In this
chapter, I will set out some of the main positions put forward in that study and
elsewhere relating to the application of international humanitarian law to cyber
hostilities and offer some personal views in relation to the question to what extent this
body of law is relevant and applicable to ‘cyber warfare’. In that context, I will devote
specific attention to when, under which circumstances and how the rules of human-
itarian law relating to the conducting of attacks, with a focus on proportionality, would
apply to hostilities carried out wholly or partially in the cyber domain.
This chapter is based on several premises, which however obvious some may seem,
need emphasizing. First, that as a matter of law, IHL/LOAC only applies when the
conditions relating to the threshold of the existence of an armed conflict have been
reached. Secondly, that to date, there has never been a single instance of a ‘stand-alone’
cyber attack or other act of cyber interference or sabotage, which has come close to
meeting that threshold. Thirdly, that the likelihood of such a ‘stand -alone’ cyber attack
reaching that threshold is remote at best.2 Fourthly, and consequently, that if IHL/
LOAC is applicable to ‘cyber-warfare’, it will most likely be in the context of a
‘regular’ armed conflict in which cyber operations are conducted alongside traditional
‘kinetic’ attacks involving the application of IHL/LOAC to the entire spectrum of
operations and attacks which are conducted by any party to the conflict. Fifthly and
finally, that any armed conflict, irrespective of the means and methods of warfare
employed, is subject to the rules and principles of international humanitarian law, and
these rules are equally applicable to any party to such a conflict.3
This chapter is structured as follows. In the following section, a few considerations
will be set out in support of the premises presented above. In the third section, the rules
of IHL/LOAC relating to the notion of ‘attack’, the taking of precautions to spare the
civilian population and civilian objects and the duty to conduct such attacks in
conformity with the principle of proportionality (as it applies within IHL/LOAC) will
be briefly set out. In the fourth section, these rules will be applied in the context of
cyber attacks conducted within the context of an armed conflict. In the fifth and final
section, a number of conclusions will be presented.
2
Thomas Rid, ‘Cyber war will not take place’ in Ducheine, Osinga & Soeters ibid. 73.
3
This follows from the ICJ’s statement that international humanitarian law applies to all
weapons (past, present, and future weapons) in the context of an armed conflict; see Legality of
the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. 226 para. 39.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
may arise as to the applicability of all the rules of IHL treaty and customary law in
relation to isolated, small-scale incidents involving incidental clashes between the
armed forces of two States, it is well established that an international armed conflict
exists when there is a conflict between the armed forces of two or more States and/or
a total or partial occupation of the territory of a State by another State, irrespective of
whether there is armed resistance to such occupation, a situation of declared or factual
war, or greater or lesser loss of life and injury, and damage and destruction.4 In short,
any armed clash above the most inconsequential between two or more States results in
the existence of an international armed conflict and the applicability of IHL/LOAC to
the parties. With regard to non-international armed conflicts, the situation is not as
sharply defined, but on the basis of widely accepted criteria set out in the case law of
the International Criminal Tribunal for the Former Yugoslavia relating to the requisite
degree of organization, intensity and duration, a non-international armed conflict exists
when there are armed clashes of an intensity and duration between an organized armed
group and a State, or between two or more organized armed groups, which rise above
the level of unorganized or sporadic armed violence or civil unrest.5 If these criteria are
met, the rules and principles of IHL/LOAC relating to non-international armed conflict
apply to the parties to the conflict, irrespective of how the conflict is characterized by
either party. Anything below either of these thresholds is not an armed conflict in the
legal sense and IHL/LOAC does not apply as a matter of law, even though either party
may elect to apply certain of its rules as a matter of policy.
Although the geographical scope of armed conflict is not the focus of this
contribution, it deserves mention that in an international armed conflict (i.e. between
two or more States) IHL/LOAC is applicable throughout the territory of any and all
States party to the conflict and in international sea and airspace to the extent military
operations are conducted there. The territory of third States is inviolable unless one of
the parties conducts military operations from the territory of a non-belligerent (neutral)
State and that State fails to uphold its duties as a neutral to prevent and put an end to
such operations.6 In non-international armed conflicts, IHL/LOAC applies within the
territory of the State in question. It will only apply to the territory of a third State to the
extent an armed group (partially) relocates to the territory of a third State and conducts
operations from there, without the government of that State taking necessary and
4
Common art 2 of the Geneva Conventions of 1949, reaffirmed in, inter alia, Jean Pictet
(ed.) Commentary to the First Geneva Convention for the Amelioration of the Condition of the
Wounded and the Sick in Armed Forces in the Field (ICRC, 1952), 32. See also Prosecutor v.
Dusko Tadić (Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction) [1995]
No ICTY-94-1-A para. 70. For discussion whether an international armed conflict results from
an isolated low-level armed incident, see, Christopher Greenwood, ‘Scope of application of
humanitarian law’ in Dieter Fleck (ed.), The Handbook of International Humanitarian Law (2nd
edn., OUP 2008) 48.
5
Prosecutor v. Dusko Tadić (n 4) para. 20; Prosecutor v. Ramush Haradinaj et.al.
(Judgement) [2008] IT-04-84-T para. 60. On the qualification of cyber armed conflict see
Arimatsu (Ch 15 of this book).
6
For the geographic scope of international armed conflict, see e.g. Greenwood (n 4) 59–62;
on neutrality law as it applies under the UN Charter, see e.g. Michael Bothe, ‘The law of
neutrality’ in Fleck (n 4) 571 et. seq. 582–3.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
3 / Date: 25/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
adequate measures to prevent or halt such operations being conducted from its
territory.7 The result in both cases is that barring exceptional circumstances, the
territory of States not party to the armed conflict is inviolable. In relation to
international armed conflicts, this is due to the law of neutrality, alongside rules of
general international law relating to State sovereignty and in relation to non-
international armed conflicts, due to the latter set of rules arising from principles of
State sovereignty and non-intervention, alongside rules and principles arising from the
ius ad bellum.8
Stand-alone cyber attacks have, to date, never met either of these thresholds for the
existence of an armed conflict. No example of cyber espionage, interference, intellec-
tual property theft, or even sabotage has until now even approached the threshold of
either an international or non-international armed conflict.9 As serious as cyber
espionage, cyber interference and cyber theft and crime are, they are not ‘warfare’ in
anything but a semantic sense. Even when States engage in massive cyber surveillance
and espionage, cyber intellectual property theft, cyber interference and cyber non-
armed intervention, the lawful responses are to be found in the law relating to law
enforcement, retorsion and countermeasures, and not the law relating to the use of force
or the humanitarian law of armed conflict. Likewise, cyber terrorism would not
automatically trigger the applicability of IHL/LOAC. This would only occur if it
resulted in the threshold of either an international or non-international armed conflict,
as set out above, being met. There has been, to date, no such example of cyber
terrorism, but its occurrence at some point in the future cannot be ruled out. If the
necessary conditions relating to the degree of organization, intensity and duration were
present, this could result in the applicability of IHL/LOAC, but despite fears of such
cyber terrorism, it would seem unlikely that a terrorist group would resort to cyber
means instead of the type of terrorist attacks that have been used and are being used by
7
The normal situation is that non-international armed conflicts occur within the territory of
the State in question. In some cases, there is ‘spill-over’ of a non-international conflict onto the
territory of one or more other States whence operations are conducted rising to the level of
non-international armed conflict, see, inter alia, Tallinn Manual (n 1) rule 21 and accompanying
commentary 78–9. An example of such a spill-over is the conflict between Turkey and the PKK
movement, which has seen numerous operations by both sides being conducted over the border
in northern Iraq, where the Iraqi Government does not exercise effective control over its territory.
8
The relevance of the principles of sovereignty, non-intervention and the prohibition of the
use of force to this question are self-evident. In addition, international law regulating self-
defence, while not unanimous in State practice and academic opinion, shows considerable
support for the possibility of conducting self-defence in response to armed attack from across an
international frontier by a non-State organized armed group if the State from where the attack
originated either controls or exercises substantial involvement in the attack, or is unable or
unwilling to prevent such attacks being conducted from its territory. This is related to the
principle of necessity within self-defence, which is one of the requirements for its exercise. Only
when the State where the operations are conducted from fails to take adequate measures to
prevent attacks being mounted from its territory, is there a necessity to take action in
self-defence. To the extent these operations rise to the level of a non-international armed
conflict, humanitarian law relating to such conflicts would become applicable. See, inter alia,
Tallinn Manual ibid. 58–9 and 61–6.
9
Rid (n 2) 75 et. seq.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
4 / Date: 25/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
such groups on a regular basis. This is because cyber vulnerabilities are almost
certainly overstated on the one hand and on the other hand, the necessary economic,
financial and technical resources to achieve massive societal dislocation on a long-term
basis or inflict large-scale casualties by cyber means alone are not readily available to
most, if any, terrorist groups.10
Neither is it likely, in the event of an armed conflict between States, that massive
stand-alone cyber attacks, sometimes referred to as ‘cyber Pearl Harbour’ scenarios,
would be the most likely way in which hostilities were conducted under such
circumstances. In the event a large-scale armed offensive were carried out by a State
against another State, it would seem illogical that such an attack would be confined to
cyber means of warfare. Under such circumstances, the State conducting such an
offensive would be most likely to utilize all means of warfare at its disposal. If one
decides to conduct all-out warfare for whatever reason, why limit oneself to one
weapon alone?11 Nor is it much more likely that a smaller scale armed attack against a
discrete target would be conducted by cyber means alone. The reasons for this are
basically twofold. First, such a stand-alone cyber armed attack would not ensure the
destruction or effective elimination of the target permanently, or for a prolonged period.
If, for example, one wished to take out a particular military capability, platform or
critical installation, it would be exceedingly difficult to ensure long-term effective
damage, destruction or degrading of the targeted object by cyber means alone. In such
a case, cyber techniques of warfare would be much more effective if used in
conjunction with traditional ‘kinetic’ weapons, as was the case in the Israeli attack on
the Syrian nuclear reactor in September 2007, when cyber techniques akin to electronic
jamming were reportedly used as a means to temporarily neutralize Syrian air defences
in order to clear the way for Israeli fighter bombers to attack and destroy the nuclear
installation in northern Syria.12 If, on the other hand, one wished to remain undetected
(at least initially) and below the threshold of an armed attack in order to gather
intelligence or inflict mere sabotage upon a system, as in the case of the Stuxnet
sabotage of Iranian nuclear centrifuges, the threshold of an armed attack or of an armed
conflict, would not be met. In short, cyber means of surveillance, espionage and
sabotage are used regularly by a variety of actors without this being deemed to
constitute ‘warfare’ in either the factual or legal sense.13
Consequently, the most likely way in which cyber means and methods of warfare
would be used within the context of an armed conflict, aside from intelligence
gathering and conducting counter-intelligence and other types of information opera-
tions, such as psychological warfare or the influencing of public opinion, would be as
an adjunct and assist to attacks conducted by traditional means, as was the case in the
10
Sean Lawson, ‘Beyond cyber-doom: Cyber attack scenarios and the evidence of history’
10 (2012) J. Inform. Tech. & Polit. 1, 4.
11
Chinese military strategy is often cited as an example of how cyber methods would likely
be used in conjunction with traditional force in the event of any war between the PRC and
another State, see Han Bouwmeester, Hans Folmer & Paul Ducheine, ‘Cyber security and policy
responses’ in Ducheine, Osinga & Soeters (n 1) 34–7.
12
Rid (n 2) 84–5. See also Terry D. Gill & Paul Ducheine, ‘Anticipatory self-defence in the
cyber context’ (2013) 89 Int’l. L. Studies 438, 461–2.
13
Gill & Ducheine ibid. 459; Rid (n 2) 85–8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
5 / Date: 25/3
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
14
This is the definition of attack under IHL/LOAC as stated in First Additional Protocol to
the Geneva Conventions of 1949 (AP I) art 49 and under customary law.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
6 / Date: 25/3
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
15
There are at present 173 States Party to AP I. Many, indeed most, of its provisions apply
as customary law to non-parties in international armed conflicts and to all parties to non-
international armed conflicts, alongside its binding effect upon State Parties to it in international
armed conflicts as a matter of treaty law. The provisions of AP I relating to the conduct of
attacks which have obtained customary status are reflected in the ICRC customary law study
(ICRC CLS), which, notwithstanding certain criticism and shortcomings, has a widely recog-
nized authoritative, but not binding status. For the purposes of this chapter, those rules will be
assumed to reflect customary law, since a detailed examination falls outside its scope. The rules
in the ICRC CLS relating to attacks are contained in rules 1–24 thereof.
16
AP I (n 14) art 49. On distinction in cyberspace see Bannelier-Christakis (Ch 16 of this
book).
17
Ibid. art 43 and ICRC Interpretive Guidance on the Notion of Direct Participation in
Hostilities under International Humanitarian Law (26 February 2009) (IG DPH) 32–3.
18
Ibid. 65.
19
AP I (n 14) art 52:2.
20
Ibid. art 51.
21
Ibid. art 51:5 lit.b.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
7 / Date: 25/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
military objective (including enemy personnel) which is likely to affect the civilian
population or civilian objects. An attack which is not likely to affect civilians or civilian
objects is not affected by this principle, while an attack deliberately directed against
civilians or a civilian object, as such, is strictly prohibited and would constitute a war
crime.22
Thirdly, constant care must be undertaken to spare the civilian population as far as
possible and to prevent, or in any case, minimize loss of civilian life, injury of civilians
and damage or destruction of civilian objects resulting from an attack on a military
objective. This requires the taking of all feasible precautions when planning and
conducting an attack and cancelling or suspending an attack whenever the collateral
effects of the attack are likely to be excessive in relation to the concrete and direct
military advantage anticipated. This is proportionality in a somewhat different context,
namely in choosing the time, method and means of attack least likely to cause
excessive collateral injury or damage. The standard here is that of the ‘reasonable
commander/combatant’ acting in good faith and on the basis of information reasonably
available at the time the attack is planned or conducted. It also requires an ongoing
assessment as to whether the attack remains within the bounds of proportionality at all
stages of the attack. Whenever possible, prior warning must be given to civilians likely
to be affected, unless this would completely or largely compromise the attack.23
Fourthly, means (weapons) and methods of attack which are not or cannot be
directed against a specific military objective or objectives or whose effects cannot be
limited to military objectives and are consequently indiscriminate are prohibited. Hence
means and methods of attack which cannot discriminate between military objectives
and civilians and civilian objects are prohibited. Examples of this would be a weapon
such as a ballistic missile without a reliable guidance system, such as the Scud missiles
used by Iraq in the ‘Desert Storm’ campaign, which by their nature could only be
indiscriminately directed against geographical areas rather than a specific target, or a
means of attack, such as setting a fire in an urban area to force enemy personnel into
22
The applicability of the principle of proportionality to attacks upon military objectives
which are likely to affect civilians is clear from the text of art 51:5 lit.b and the scope of the
section of AP I in which it appears and is related to protection of the civilian population. The
weighing of military advantage against likely incidental and collateral effects upon civilians and
civilian objects makes this completely clear. Likewise, since proportionality is only relevant in
attacks upon military objectives whereby civilians may be affected and attacks against civilians
and civilian objects, as such, are prohibited irrespective of any military advantage they might
confer, proportionality is only relevant in relation to attacks upon military objectives whereby
civilians are likely to be affected. Deliberate attacks upon civilians, as such, are simply
prohibited as indiscriminate attacks. Both deliberate attacks upon civilians and disproportionate
attacks upon military objectives resulting in excessive (which is not always synonymous with
extensive and vice versa) civilian casualties or collateral damage to civilian objects are treated as
grave breaches of AP I and constitute war crimes under art 8:2 lit. b (i) and (ii) and (iv)
respectively of the Rome Statute of the International Criminal Court.
23
AP I (n 14) art 57. For the standard of the reasonable commander/combatant, see, inter
alia, the Tallinn Manual (n 1) para.13 of the commentary to rule 51 at 163, citing the ruling of
the ICTY in the Prosecutor v. Stanislav Galic (Judgement) [2003] IT-98-29 T para. 58.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
8 / Date: 25/3
JOBNAME: Tsagourias PAGE: 9 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
the open, but which cannot be controlled and is likely to spread indiscriminately
affecting civilians and their property along with the intended target.24
Fifthly, certain objects such as dams, dykes and nuclear power plants capable of
‘releasing dangerous forces’ if struck, may only be targeted if they are directly
converted into a military function and provide significant support to military operations
and no other option is available.25 The targeting of cultural property is likewise
prohibited, except in similar cases and the targeting of objects vital to the survival of
the civilian population, or which would cause long-term, widespread and significant
harm to the natural environment is prohibited.26
Sixthly, weapons or methods of combat which would cause superfluous injury or
suffering to enemy combatants are subject to either (far-going) restrictions or are
completely banned. The former category includes, inter alia, incendiary weapons and
certain types of mines, while the latter includes certain types of munitions (e.g.
expanding or flattening bullets) and poisoned, chemical and biological weapons.27
Finally, attacks of a perfidious nature (feigning non-combatant or protected status
while engaging in attack) are prohibited.28
While this summary is not exhaustive, it covers the most important rules relating to
the conduct of attacks. In addition, other rules relating to the conduct of hostilities are
relevant, such as the duty to refrain from attacks upon protected persons (such as
medical personnel) or persons who are hors de combat (the wounded, sick, ship-
wrecked and aircrew bailing out of a stricken aircraft, or who have surrendered at
discretion and laid down their arms), so long as they refrain from any hostile act, and
the prohibition of denying quarter (not accepting surrender when it is offered or
conducting hostilities in a way to allow for no survivors).29
24
AP I (n 14) art 51:4, lit. a, b and c respectively.
25
Ibid. art 56.
26
Ibid. arts 53, 54 and 55.
27
Hague Regulations on Land Warfare 1907 art 23(e); ibid. art 35 and specific conventions
regulating or banning certain weapons.
28
AP I (n 14) art 37.
29
First Geneva Convention of 1949 art 24; AP I (n 14) arts 41, 42, 40 respectively.
30
Tallinn Manual (n 1) rule 30, with accompanying commentary; AP I (n 14) art 49.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
9 / Date: 25/3
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
operation which does not result in these effects or is intended or reasonably likely to
result in such effects (an unsuccessful attack is still an attack), does not involve the
principle of proportionality, or any of the other IHL/LOAC rules related to the conduct
of attacks. Hence, most military ‘information operations’, such as psychological
warfare, military deception operations designed to mislead the opponent, electronic
warfare aimed at jamming or neutralizing electronic communications and weapons
guidance or target acquisition systems (unless this was a part of an attack), would fall
outside the ambit of ‘attack’, since they rarely cause such physical effects upon either
persons or objects. Likewise the mere gathering of intelligence or conducting of
counter intelligence operations to protect one’s own communications and systems,
would rarely, if ever, qualify as an ‘attack’ within the context of the law of armed
conflict.31 That is not to say that there are no relevant rules within IHL/LOAC relating
to such operations, but only that these are not related to proportionality and the other
rules governing attacks.32
Secondly and related to the first point, any operation which only results or is
intended to result in mere inconvenience without any foreseeable chance of physical
harm or damage, even if this effects the civilian population, equally falls outside the
notion of attack, and is not governed by the principle of proportionality. There are two
reasons for this: first, because ‘attacks’ are defined as ‘acts of violence’ under IHL; and
secondly, because proportionality relates to expected collateral civilian death, injury,
damage or destruction, which is excessive in relation to the anticipated military
advantage from the attack upon a military objective. So if cyber operations resulted in
temporary or more prolonged interference with civilian data systems (say e-mail
communications or financial transactions), without causing or being intended or likely
to cause physical harm (including loss of functionality of the system itself), they would
not likely qualify as attacks and proportionality would not be applicable, even if they
caused a significant degree of inconvenience and affected daily life to an appreciable
extent. Although ‘acts of violence’ are not limited to the release of physical energy (e.g.
chemical weapons are not ‘kinetic’, but an attack with chemical weapons unquestion-
ably qualifies as an ‘attack’), there must be some physical effects involving damage to,
or destruction of, objects, or death or injury of persons for the operation to qualify as
an attack, which would make proportionality potentially relevant, and inconvenience,
even serious inconvenience, does not normally meet this threshold.33 In most cases,
even if such operations resulted in the destruction or loss of data contained on such
systems without resulting in physical harm to persons or damage to objects and without
31
For a description and legal analysis of ‘information and influence operations’, see Blaise
Cathcart, ‘Legal dimensions of information operations’ in Terry D. Gill & Dieter Fleck, The
Handbook of the International Law of Military Operations (OUP 2010) 404 et. seq.
32
Examples of rules and principles of IHL/LOAC which are not directly related to the
conduct of attacks include (but are not limited to) those relating to ruses of war, espionage,
misuse of protected, neutral or enemy indicators or status and the duty to take passive
precautions (avoidance of locating military objectives in the immediate vicinity of civilians and
civilian objects to the maximum extent feasible). These are dealt with in the abovementioned
Tallinn Manual (n 1) in the cyber context in Rules 59 and 61–66 with accompanying
commentary.
33
Tallinn Manual (n 1) rule 30, para. 12 commentary.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
10 / Date: 25/3
JOBNAME: Tsagourias PAGE: 11 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
affecting the functionality of the system itself, it still would not qualify as an attack,
since data in and of itself has no physical properties.34 It is arguable, that if the
consequences of such destruction of data were reasonably severe, that this could qualify
as an act of violence, although this is probably not binding law at present.35 Moreover
if an act were designed to, or likely to result in, the spread of terror or severe mental
anguish amongst the civilian population it would, in any case, be prohibited under IHL/
LOAC, even if it is not directly related to the notion of proportionality and does not
necessarily have any relationship to whether or not data is damaged or destroyed.36
However, the destruction of data which could or would likely result in physical effects
(for example destruction or damage to electronic medical records of patients in a
hospital, or the shutdown of a SCADA system controlling a public utility) would in any
case qualify as an attack, and depending upon whether it was a side effect of an attack
upon a military objective, or simply a deliberate attack upon a civilian system as such,
proportionality could enter into the equation. If it were a (foreseeable or unintended)
side effect of an attack upon a military objective, proportionality would be relevant and
the lawfulness of the attack would (partly) depend upon whether the collateral effects
were excessive in relation to the expected military advantage. If it were simply a direct
attack upon a civilian system as such, proportionality would not be relevant to its
legality, since any such attack is ipso facto illegal to start with.37
Thirdly, any attack not reasonably likely to cause such physical effects upon civilians
or civilian objects falls outside the ambit of proportionality even if it causes or results
in extensive damage to military objectives or death or injury to persons subject to
attack.38 Hence, an attack upon a self-contained military data system, such as an
insulated military communications, target acquisition, or weapons guidance system, as
presumably was the case in relation to the earlier mentioned Israeli attack on the Syrian
air defence system in 2007, would not involve any considerations of proportionality,
since such systems are normally (highly) insulated from civilian systems and little or
no question of likely collateral effects arises. Likewise, if the cyber weapon or
technique used in an attack were specifically designed to effect only (certain features
of) a specific military target and any collateral effects were likely to only be negligible,
proportionality would only enter into the equation if the effects turned out to be
appreciable and could have been reasonably foreseen. For example, the Stuxnet virus,
although used outside the context of an armed conflict, was such a weapon. Although it
apparently subsequently spread to a considerable number of (civilian) computer
systems in the region, its effects upon them were virtually non-existent or negligible,
34
The Group of Experts in the Tallinn Manual ibid. unanimously agreed that whenever an
attack directed against data resulted in physical harm or destruction above a de minimis level it
would qualify as an attack. If this included (possible) harm to civilians and civilian objects,
proportionality would be applicable. The majority also agreed that if the functionality of the
targeted system were affected to a significant extent, requiring physical replacement of
components it could qualify as an attack. See 108–9 for discussion of these issues.
35
Ibid. rule 38 para. 5 of the commentary thereto.
36
AP I (n 14) art 51:2. For discussion of this in the cyber context see, Tallinn Manual ibid.
para. 8 commentary to rules 30 and 36 with accompanying commentaries.
37
See section 3 supra.
38
See (n 22) and accompanying text.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
11 / Date: 25/3
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
since it had been specifically designed to only affect certain components within the
Iranian nuclear programme.39 Had it been used within the context of an armed conflict,
the question of its proportionality would scarcely, if at all, have been relevant.
Finally, to the extent an attack upon a military objective were (partially) conducted
by cyber means, the rules and principles governing attacks would be relevant to the
extent, the target had a dual use function, or there was an appreciable chance of
collateral effects which would meet the threshold of physical damage or personal injury
to civilians or civilian objects. This is perhaps stating the obvious, but there can be no
doubt that the principle of proportionality would then apply. This would be the case,
irrespective of whether the attack were conducted in conjunction with traditional
‘kinetic’ weapons, or by cyber means alone. In the former case, the principle would
apply to all aspects of the attack, including the cyber component thereof, since an
attack has to be viewed as a single act and not chopped into separate segments (e.g.
loading, aiming and firing a weapon is all part of a single act once it has been
completed.) Hence an attack upon a military objective carried out by a combination of
cyber and kinetic means should be assessed as a whole.40 In the latter case involving a
stand-alone cyber attack, proportionality would be applicable whenever and to the
extent such an attack on a legitimate target was reasonably likely to result in
foreseeable collateral physical effects to civilians and civilian objects including damage
or destruction of civilian data systems which could result in physical harm or damage.
In principle, there is no difference in terms of assessing the legality of such an attack in
terms of proportionality from one which was conducted by traditional kinetic weapons.
Consequently, it would be lawful to the extent it did not transgress any of the rules
relating to the conduct of attacks, including the principle of proportionality. In short it
would be disproportionate if the collateral effects, whether intended or simply a
reasonably foreseeable by-product of the attack, were excessive in relation to the
anticipated military advantage, based upon the information reasonably available at the
time the attack was being planned and conducted. Moreover, it would also depend upon
whether all feasible precautions had been taken before and throughout the attack to
limit the effects thereof to the maximum extent possible, and where the situation called
for it, the attack had been cancelled or suspended once it was in progress if the
situation demanded this. Finally, it could also depend upon whether prior warning had
been given to civilians before the attack was undertaken whenever this was possible.
Examples of such attacks involving cyber weapons or techniques (either alone or
alongside traditional weapons) would be against industrial installations, dual-use
objects, such as power plants, or communications systems used for both military and
civilian purposes. Provided these rose to the level of an attack as set out above,
39
Rid (n 2) 84–6. It is likely that in both cases, the cyber weapon (virus, worm, etc) was
inserted into the targeted systems (which were hardly likely to be connected to the Internet) by
means of a removable drive such as a USB stick.
40
An attack is seen as commencing once a person or object is endangered (e.g. laying a
mine is part of an attack long before its detonation). By analogy, a cyber attack commences once
malware is introduced which is reasonably likely to result in physical harm or destruction, even
if the effect is delayed or fails to occur, due to detection or malfunction. See Tallinn Manual
(n 1) paras 14–19 of the commentary to rule 30.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
12 / Date: 25/3
JOBNAME: Tsagourias PAGE: 13 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
proportionality would govern such attacks in the same way it governs traditional
attacks. There are few, if any differences in this regard.
Nevertheless, as stated in the opening sections of this chapter, there is probably little
likelihood of such attacks being conducted by purely cyber means alone, aside from
exceptional circumstances) for the reasons stated earlier. Consequently, the assessment
of proportionality, will in most cases, likely be no different than if the attack had been
wholly conducted by kinetic weapons. In any case, the law is the same irrespective of
the (combination of) weapons employed.
5. CONCLUDING REMARKS
The main questions posed in the preceding sections of this chapter were to what extent
would attacks within the context of an armed conflict which were conducted by digital
means, either on their own, or in conjunction with traditional kinetic force, be likely to
qualify as ‘attacks’ under IHL/LOAC (acts of violence resulting in physical harm to
persons or damage to objects) and when and to what extent would this involve the
applicability of the rules of IHL/LOAC governing the conduct of attacks, including in
particular the principle of proportionality in bello? On the basis of the preceding
examination and discussion of these questions a number of conclusions can be drawn.
First, IHL/LOAC only applies in the context of an armed conflict and no cyber attack
on its own has hitherto qualified as reaching the threshold of an armed conflict.
However, on at least one occasion (Israel’s attack on a Syrian nuclear facility in 2007),
cyber means of warfare were reportedly used in conjunction with kinetic force and this
without doubt qualified as an attack which was governed by IHL. Moreover any act
which caused or was intended to or was reasonably likely to cause any appreciable
danger of physical harm or damage would qualify as an attack, if it were carried out
within the context of an armed conflict. This could include attacks conducted by digital
means, provided the threshold of an armed conflict had been met and the act fitted into
the above-mentioned definition and qualification of an ‘attack’.
In that context, it was argued that the most likely scenario in which cyber operations
would be used as a means of attack would be in conjunction with traditional kinetic
weapons as in the example referred to above and that this is more probable within the
context of an international armed conflict than in most armed conflicts of a non-
international character. This was primarily because most armed groups have neither the
capability of mounting a purely digital operation qualifying as an attack, nor do most of
them have the types of sophisticated command, communications and weapons systems
which would be the most likely objects of a digital attack. Moreover, many cyber
operations which are likely to be engaged in any kind of armed conflict, such as
information operations, surveillance and (counter) intelligence do not qualify as attacks
and are not subject to the rules governing attack, including the principle of proportion-
ality. Be that as it may, any act which did amount to an attack would nevertheless be
governed by the IHL/LOAC rules regulating attacks, if an armed conflict were in
progress, irrespective of whether it was of an international or non-international
character.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
13 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
After setting out the applicable law relating to the conduct of attacks, it was further
argued that in view of the above-mentioned considerations, seen in context with the
function and purpose of the principle of proportionality, as it applies within IHL/
LOAC, that only attacks upon military objectives, whereby it was foreseeable that
civilians or civilian objects would be affected, would be governed by the principle of
proportionality. Hence attacks upon purely military targets, without any likely appreci-
able consequences to civilians or civilian objects would fall outside the applicability of
proportionality. Likewise in any attack which was directed against purely civilian
objects or the civilian population, as such, would be ipso facto illegal and no
considerations of proportionality would enter into assessing its illegality. Consequently,
cyber attacks (either on their own or in conjunction with more traditional weapons)
upon insulated military systems and similar military objectives, whereby the possible
consequences to civilians or civilian objects were non-existent or negligible and attacks
upon civilians and civilian objects, as such, are not subject to proportionality consider-
ations.
This still leaves a fairly wide scope for the applicability of the principle of
proportionality to attacks in which cyber weapons or techniques could be used. While,
as was discussed, there are some specific considerations relating to how the principle
would be applied if cyber entered the equation (such as whether destruction of data
effecting the civilian population qualifies as an attack), the principle itself and its basic
function along with the conditions relating to whether an attack is carried out in
conformity with the principle of proportionality, are not significantly, if at all, different
when cyber weapons are employed than if they are not. Hence, proportionality applies
in much the same way to cyber attacks conducted within the scope of an armed conflict
as to any other type of attack, using any weapon, traditional, or non-traditional.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter17 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
The phenomenon of neutrality has been in existence as long as organised warfare itself
has characterised less than friendly relations between different peoples, princes and
polities. Defined in its most basic sense, in relation to armed conflicts, as the status of
non-participation either in a given conflict (temporary neutrality) or all conflicts
(permanent neutrality) with consequent legal rights and duties, it has fulfilled the
historically vital function in international relations of legally regulating the co-existence
of political entities that are at peace with those that are at war. The legal rights and
duties that flow from the status of neutrality attach to both belligerent and neutral
powers, and their violation by either party was traditionally seen as a very serious
matter since it could entail, among other things, the entry of a previously neutral power
into a war and the obligation of the relevant power to make reparations for such
violation according to the general international law doctrine of State responsibility. The
importance of neutrality during the Age of Exploration (from the fifteenth to the
seventeenth centuries) and the subsequent rise of the Nation-State in the post-
Westphalian paradigm is not difficult to appreciate: on the one hand, the great
European colonial empires with the foundations of their wealth dependent on maritime
commerce had a vested interest (as non-belligerents) in ensuring that their merchant
shipping would not be unduly caught up in hostile operations during other nations’
conflicts and (as belligerents) in enforcing the rules of maritime neutrality to their own
advantage and to their enemies’ detriment; on the other hand, smaller neutral nations
generally saw the economic opportunities for enhanced trade in wartime commodities
with belligerents – particularly where the latter were subject to blockade.2 Meanwhile,
all States jealously guarded their territorial sovereignty against infringement by any
other States, whether belligerent or not. Classic violations of territorial sovereignty in
the context of neutrality consist of such incidents as the boarding and/or capture by a
belligerent of an enemy ship at anchor in a neutral port – for example, the capture of
the Confederate Navy cruiser CSS Florida by the USS Wachusett in the harbour at
1
This chapter originates in a paper delivered at a Symposium on the Legal Aspects of
Cyber Warfare, held at the Swedish National Defence College in December 2012. All opinions
stated herein are those of the author and do not necessarily represent those of the Government,
Ministry of Defence or Armed Forces of the United Kingdom.
2
For a useful general discussion of historical attitudes to neutrality in the specific context
of naval warfare, see Carl J. Kulsrud, Maritime Neutrality to 1780: A History of the Main
Principles Governing Neutrality and Belligerency to 1780 (Little, Brown and Company 1936).
380
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
1 / Date: 25/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Bahia in flagrant violation of Brazilian neutrality during the American Civil War,3 and
the boarding by HMS Cossack of the German oil tanker and supply ship Altmark in
Jøssingfjord, at a stage in World War II when Norway was still neutral.4 Other issues
included the impressment of neutral sailors into the naval service of belligerent powers,
such as the British practice, during the Napoleonic Wars, of boarding American-flagged
ships and forcing American seamen who were alleged to be British subjects or deserters
into Royal Navy service.5 Each such incident was a cause célèbre of its day, with
important diplomatic and political, as well as legal, repercussions.
As one of the oldest aspects of public international law relevant to the fundamental
status of war and peace in international relations, the customary international law of
neutrality was largely agreed by the eighteenth century before undergoing progressive
codification – in line with other aspects of the laws of war – as part of the Hague Peace
Conferences at the beginning of the twentieth century. Although its application was
generally considered to be of great practical importance during both World Wars, as in
previous wars down the ages, State practice since the adoption in 1945 of the United
Nations Charter, with its provisions outlawing the use of force and requiring the
co-operation of all Member States with collective security enforcement action man-
dated by the Security Council, has led to a general tendency to dismiss the laws of
neutrality as either at best extant in theory but largely non-applicable in modern
practice, or at worst as entirely obsolescent.6 In the delightful phrase of one commen-
tator, ‘They [the rules of neutrality] have a slightly musty quality to them.’7 With this
background to the body of rules under consideration, one may be forgiven for
wondering how they can possibly be relevant to the future of armed conflict, and
specifically to conflict in cyberspace. On the face of it, neutrality law’s traditional
obsession with protecting the territorial sovereignty of neutral States seems completely
irrelevant in relation to a domain which by definition knows no such concept as either
territory or sovereignty. Moreover, in light of the fact that there is as yet no lex
3
See ‘Report of Lieutenant Morris, C.S. Navy, late commanding C.S.S. Florida, of the
seizure of that vessel by the U.S.S. Wachusett, October 7, 1864 Bahia, Brazil’ in Official Records
of the Union and Confederate Navies in the War of the Rebellion (Series 1, vol. 3, Government
Printing Office 1896) 631–3; note the references to Brazilian neutrality in Enclosure 2 (letter of
protest from Lt Morris to the President of the Province of Bahia), 634–5.
4
See Brian Simpson, ‘The rule of law in international affairs’ (2004) 125 Proceedings of
the British Academy 211, 213–15; Hansard HC Debs vol 357 cols 1161–1164 (20 February
1940); Hansard HL Debs vol 115 cols 576–80 (20 February 1940); ‘Correspondence between
His Majesty’s Government in the United Kingdom and the Norwegian Government respecting
the German Steamer “Altmark”’ (Cmd 8012, 1950) House of Commons Sessional Papers,
Norway No. 1 vol XXV 451–66.
5
See Walter R. Borneman, 1812: The War That Forged a Nation (Harper Collins 2005)
19–25.
6
As will be argued in this chapter, this conclusion is both exaggerated and premature. It is
beyond the scope of this chapter to consider in detail the implications of the adoption of the UN
Charter for neutrality law generally, but for a useful discussion, see Detlev F. Vagts, ‘The
traditional legal concept of neutrality in a changing environment’ (1998) 14 Am. U. Int’l. L. Rev.
83, 88–91.
7
Ibid. 84.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
specialis in international law to govern situations arising in cyberspace, the two topics
might appear on the face of it to be mutually incompatible.
This chapter will suggest that such is not necessarily the case, despite the fact that to
date there have been no explicit invocations of neutrality law in respect of any
international8 cyber conflict. While the existence of neutrality is a matter of fact based
on States’ attitudes to a given conflict, the ever-growing interdependence of the world
community, not least in economic terms, seems to confirm that ‘neutrals cannot simply
ignore a war conducted by other countries. “The very nature of war causes its effects to
extend also to non-participating States and their nationals, whether they wish it or
not.”’9 The chapter will first provide a general overview of the definition, sources and
substance of the law of neutrality, before considering how it might apply to conflicts in
cyberspace, in terms of both the jus ad bellum and the jus in bello. Some concluding
remarks will indicate the author’s views of the possible future for the rules of neutrality
in an age of actual or potential cyber conflict.
8
Although history shows that the laws of neutrality have occasionally been deemed
relevant in certain non-international armed conflicts that have had important international
implications (principally in cases where each of the contending parties is seen as having some
degree of international legitimacy and personality or where the geographical scope of the
conflict is such that it has effects outside the territory where the conflict is taking place, the main
examples being the American and Spanish Civil Wars), doctrinally it has always been the case
that the rules of neutrality are applicable only in conflicts between States.
9
Yoram Dinstein, War, Aggression and Self-Defence (4th edn., CUP 2005) 24–5 (citing
Eric Castrén, The Present Laws of War and Neutrality (Suomalainev Tiedeakemia 1954)).
10
Dieter Fleck (ed.), The Handbook of International Humanitarian Law (3rd edn., OUP
2013) § 1101.
11
During the interwar period the US Congress adopted domestic legislation establishing US
neutrality as a matter of domestic legal obligation: see US Department of State, Office of the
Historian, ‘The Neutrality Acts, 1930s’ <http://history.state.gov/milestones/1921-1936/neutrality-
acts> accessed 26 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
3 / Date: 25/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
12
One of the most famous historical examples of permanent neutrality being imposed on a
sovereign State by international agreement was Belgium, under the Treaty of London (1839). It
was the violation of this treaty by Germany in 1914 that was the immediate cause of Great
Britain’s involvement in the First World War. The Vatican City State also agreed to permanent
neutrality under art 24 of the Treaty of Conciliation, part of the 1929 Lateran Pacts with Italy, as
a condition of continued papal independence following Italian unification.
13
Swiss Federal Department of Defence, Civil Protection and Sports, Swiss Neutrality (4th
edn) 4–10 <http://www.vbs.admin.ch/internet/vbs/en/home/documentation/publication.parsys.
0008.downloadList.9934.DownloadFile.tmp/neuteebook.pdf> accessed 26 September 2014.
14
Bundesverfassungsgesetz vom 26. Oktober 1955 über die Neutralität Österreichs,
Bundesgesetzblatt für die Republik Österreich Nr. 211/1955.
15
UNGA Res A/50/80 [A] (11 January 1996) UN Doc A/RES/50/80.
16
E.g. the Panama Canal Zone, under art XVIII of the Hay-Bunau-Varilla Treaty (Conven-
tion for the Construction of a Ship Canal, 18 November 1903 <http://avalon.law.yale.edu/20th_
century/pan001.asp> accessed 27 September 2014) was declared ‘neutral in perpetuity’; the first
of the Corrijos-Carter Treaties confirmed this status (Treaty Concerning the Permanent Neutral-
ity and Operation of the Panama Canal (7 September 1977) arts 1–2 <http://www.pancanal.com/
eng/legal/neutrality-treaty.pdf> accessed 27 September 2014).
17
Primarily this would result from a State’s voluntary abolition of its own armed forces:
examples are Liechtenstein (since 1868) and Costa Rica (since 1949). On the other hand, Iceland
has voluntarily had no armed forces since achieving independence from Denmark in 1944, but is
a member of the North Atlantic Treaty Organisation and is thus considered a neutral State
neither de jure nor de facto.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
4 / Date: 25/3
JOBNAME: Tsagourias PAGE: 5 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
more other States;18 this is in fact automatically the de jure status of such non-
participating States. As such, temporary neutrality has no legal application outside
international armed conflicts and requires no formal declaration or explicit acknowl-
edgment: its existence is entirely dependent on there being a factual situation of armed
conflict.19 It entails very specific rights and duties in the relationship between neutral
and belligerent States, which arise as a matter of legal obligation under international
law. Being so fact-dependent, it is logical that the laws of neutrality apply only so long
as a conflict lasts, and in relation to any particular State may be further limited by that
State’s attitude to the conflict in question. A State may adopt a position of neutrality at
the outset of a conflict, only to find itself embroiled therein as a belligerent at a later
point in time through hostile action or occupation by one or more belligerents, as in the
cases of Denmark, the Netherlands and Belgium during World War II, following their
1940 invasion by Germany. Similarly, a belligerent State may withdraw from a conflict
and assume the position of a neutral, as in the case of Russia in World War I, following
the 1918 Treaty of Brest-Litovsk with the Central Powers. Finally, although it is
relatively unusual, a State may be a belligerent vis-à-vis certain States but neutral
vis-à-vis others that are allied to those belligerents: during World War II for example,
although the Soviet Union was at war with Germany and Italy in the European theatre
of the war from 1941, legally it remained neutral and at peace in respect of the third
Axis Power, Japan, right up until the last three weeks of hostilities in the Pacific theatre
in 1945.
Temporary neutrality in turn is not to be confused with non-belligerency, which is
the practice certain States have adopted, in specific conflicts, of providing assistance to
one or other of the belligerent parties without becoming directly involved in armed
hostilities; classic examples (all in the context of World War II) include American
economic support and provision of war materiel to Britain under the Lend-Lease
Program20 before America’s entry into the war in December 1941, the very extensive
and wide-ranging forms of practical assistance provided by Ireland to the UK and US
throughout the war (or rather, ‘the Emergency’ – the somewhat Orwellian term coined
by the Irish Government to characterise Ireland’s position of ‘friendly neutrality’
vis-à-vis the Allied Powers),21 and the Spanish provision of volunteer troops – the
famous Blue Division – to fight with the German and other Axis forces, under German
overall command and control, against the Soviet Union on the Eastern Front.
18
Fleck (n 10).
19
At customary international law the generic definition of armed conflict has been
expressed as existing, ‘whenever there is resort to armed force between States or protracted
armed violence between governmental authorities and organized armed groups or between such
groups within a State’: Prosecutor v. Duško Tadić (Decision on the Defence Motion for
Interlocutory Appeal on Jurisdiction) [1995] No ICTY-94-1-A para. 70.
20
An Act to Further Promote the Defense of the United States (Pub L 77–11, H.R. 1776, 55
Stat. 3034, enacted March 11, 1941).
21
See Mervyn O’Driscoll, ‘Keeping Britain sweet: Irish wartime neutrality, political
identity and collective memory’ in E. Grollet, Collective Memory in Ireland and Russia:
Conference Proceedings (Rosspen 2007).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
5 / Date: 7/5
JOBNAME: Tsagourias PAGE: 6 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
(b) Sources
In common with much of the modern law relevant to armed conflict, the rules of
neutrality had their origin in customary international law developed over many
centuries before undergoing a process of codification at the beginning of the twentieth
century. In addition to a substantial body of national judicial decisions, many of them
by British and American courts and relating mostly (though not exclusively) to the
application of neutrality rules in warfare at sea,22 the contemporary law of neutrality is
mainly to be found in two treaties that emerged from the Second International Peace
Conference held at The Hague in 1907, along with one earlier document from the
conclusion of the Crimean War (1853–56). The Paris Declaration Respecting Maritime
Law of 16 April 185623 purported to abolish the ancient practice of privateering and
assure the protection of neutral ships and goods at sea; in 1907, detailed rules
regulating the presence and activities of belligerent warships in neutral ports and
territorial waters were laid down in the Hague Convention (XIII) concerning the Rights
and Duties of Neutral Powers in Naval War.24 Extensive equivalent rules for the land
domain in hostilities were stipulated in the Hague Convention (V) Respecting the
Rights and Duties of Neutral Powers and Persons in Case of War on Land25 and have
also in recent years been restated with considerably more modern language and
concepts – albeit not in the internationally binding form of a treaty – for both the
maritime26 and air27 domains of warfare. Notwithstanding the relative antiquity of the
Hague Conventions V and XIII, it was already generally considered at the time of their
adoption that they were declaratory of customary international law;28 that being the
22
For examples, see Leslie C. Green, The Contemporary Law of Armed Conflict (3rd edn.,
Manchester University Press 2008) 302–4.
23
Declaration Respecting Maritime Law (16 April 1856) British State Papers 155–158 vol
LXI.
24
Convention (XIII) concerning the Rights and Duties of Neutral Powers in Naval War
(adopted 18 October 1907, entered into force 26 January 1910).
25
Ibid.
26
Louise Doswald-Beck (ed.), San Remo Manual on International Law Applicable to
Armed Conflicts at Sea (CUP 1995).
27
Harvard Program on Humanitarian Policy and Conflict Research, Manual on Inter-
national Law Applicable to Air and Missile Warfare (Harvard University 15 May 2009) Section
X Rules 165–75 [Harvard Manual] <http://www.ihlresearch.org/amw/manual/> accessed 27
September 2014. Certain provisions of an earlier unratified instrument had previously addressed
aspects of neutrality in respect of the air domain: see The Hague Rules concerning the Control
of Wireless Telegraphy in Time of War and Air Warfare, Part II: Rules of Aerial Warfare (Cmd
2201) House of Commons Sessional Papers, Miscellaneous no. 14 (1924) vol XXVII 1031–76.
Whereas the Hague Rules were neither adopted nor ratified as a treaty although it was originally
hoped that they might attain that legal status, the Harvard Manual does not purport to be a treaty
at all. Although the legal value of these documents might therefore appear questionable, to the
extent that they mirror rules found in the treaties on land and maritime warfare or restate
otherwise pre-existing rules, they may be said to represent customary international law.
28
Adam Roberts & Richard Guelff (eds.), Documents on the Laws of War (3rd edn., OUP
2000) 85 and 127.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
6 / Date: 7/5
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
case, and as they remain in force for the State parties,29 their provisions would be of
general applicability in the event of neutrality law being invoked in an international
armed conflict today. Some of the other Hague Conventions adopted in 1907 also touch
on the subject of neutrality, namely Convention (VIII) Relative to the Laying of
Automatic Submarine Contact Mines30 and Convention (XI) Relative to Certain
Restrictions with Regard to the Exercise of the Right of Capture in Naval War,31 and
certain relevant rules are also restated in the military manuals of various States,32
thereby providing further evidence of their customary law status.
With the exception of the modern restatements mentioned – which are not treaties as
such anyway and of which only the Harvard Manual can really be said to belong to the
cyber age – it will be noted that the treaty instruments and the customary rules which
they largely codify are of considerable antiquity; they pre-date even the invention of
computers, let alone the concept of cyber warfare. It has become something of a truism
to make the point that there is no lex specialis in international law specifically
governing activities in cyberspace: the treaties are too old, and State practice – what
little of it that may have been identified to date – is so fragmented and inconsistent that
it is difficult to speak of customary lex lata in this area.33 However, there are two
international documents that make express reference to neutrality in armed conflict and
are applicable, by analogy in the one case and expressly in the other, to cyber war;
these are, respectively, the Hague Rules for the Control of Radio in Time of War,34 and
the Tallinn Manual on the International Law Applicable to Cyber Warfare, Prepared by
the International Group of Experts at the Invitation of the NATO Cooperative Cyber
Defence Centre of Excellence.35 Again, a note of caution is necessary as to their
normative status: the Hague Rules were never opened for signature and ratification as a
binding treaty, while the Tallinn Manual is the work of individuals not purporting to
express the official opinions of any States or organisations;36 technically, therefore,
neither document is legally binding per se. In the case of the Hague Rules, it is not
entirely clear from the General Report of the Commission of Jurists to Consider and
Report upon the Revision of the Rules of Warfare precisely which (if any) provisions of
the rules in Part I were already considered to be customary international law; in many
cases, inevitably in light of the relatively recent development of radio technology at the
time, the rules were derived from conventions which themselves were of comparatively
29
There are 33 State parties to Convention V, and 29 to Convention XIII: see International
Committee of the Red Cross, ‘Treaties and State Parties to Such Treaties’ <http://www.icrc.org/
ihl> accessed 28 September 2014.
30
Declaration Respecting Maritime Law (n 22) art 4.
31
Ibid. 167–74 arts 1, 2 and 5.
32
E.g. Fleck (n 10), which incorporates the 1992 German Joint Services Regulations (ZDv
15/2); UK Ministry of Defence, The Manual of the Law of Armed Conflict (OUP 2004); US
Department of the Navy et al., The Commander’s Handbook on the Law of Naval Operations,
NWP 1–14M (ed July 2007).
33
But see below, text accompanying Tallinn Manual (n 35) rule 5.
34
The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and Air
Warfare, Part I: Rules for the Control of Radio in Time of War (n 27) 1021–30.
35
Michael N. Schmitt (ed.) (CUP 2013) [Tallinn Manual].
36
Ibid. 9–10.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
7 / Date: 25/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
recent origin.37 The Tallinn Manual is arguably going to be of greater normative value
since it is grounded in the acknowledged existing law, which it seeks to extend to cyber
conflict:
The International Group of Experts was unanimous in its estimation that both the jus ad
bellum and jus in bello apply to cyber operations. Its task was to determine how such law
applied, and to identify any cyber-unique aspects thereof. The Rules set forth in the Tallinn
Manual accordingly reflect consensus among the Experts as to the applicable lex lata, that is,
the law currently governing cyber conflict.38
Rules 91–95 of the Tallinn Manual directly deal with the issue of neutrality in cyber
operations, as will be discussed below.
(c) Substance
Without going into every particular of the general laws of neutrality, for present
purposes, their essential principles may be said to be the ‘two pillars’ of non-
participation and non-discrimination;39 the first principle entails specific rights and
duties for both neutral and belligerent States, while the second is applicable only in
respect of certain actions of neutral States.
Non-participation means that, on the one hand, the territorial sovereignty of a neutral
State must not be violated by any belligerents, while on the other hand, a neutral State
is not allowed actively to participate in armed hostilities or to allow such participation
from its territory. The rule regarding inviolability of territorial sovereignty differs
between the land and maritime domains: whereas the land territory of neutral States is
absolutely inviolable,40 the mere presence of belligerent warships in neutral territorial
waters is not per se unlawful as long as they abstain from ‘[a]ny act of hostility’,41 and
in the decades since 1907 the general international law of the sea has additionally
recognised a right of transit through neutral international straits and archipelagic sea
lanes (in addition to the long-standing customary right of ‘innocent passage’), which
the modern law of armed conflicts at sea expressly preserves.42 Air operations are
correspondingly regulated, according to whether they take place over land or sea:43 for
example, the British dropping of propaganda leaflets over the city of Rome during
World War II elicited a diplomatic protest from Pope Pius XII, who considered the fact
that some of them fell to earth within the precincts of the Vatican to be a breach of the
37
See The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and
Air Warfare, Part II: Rules of Aerial Warfare (n 26) 1021–22.
38
Tallinn Manual (n 35) 5.
39
Dinstein (n 9) 24.
40
HC V, art 1.
41
HC XIII, arts 1 and 2. Belligerent warships may remain in neutral ports for necessary
repair of battle or storm damage; thus, the German pocket battleship Admiral Graf Spee’s
sojourn in Montevideo harbour after the Battle of the River Plate in 1939 fully respected
Uruguayan neutrality (see also ibid. arts 12–14).
42
See Doswald-Beck (n 26) §§ 23–33.
43
See Harvard Manual (n 27) rules 167(a), 170(a) and 172(a)(ii).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
8 / Date: 25/3
JOBNAME: Tsagourias PAGE: 9 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Holy See’s neutrality.44 While belligerent powers may not violate neutral territory by
moving troops or military convoys across,45 erecting communications installations on,46
or forming combatant forces in such territory,47 neutral powers are themselves under a
positive duty not to permit such actions to take place within their territory.48 The
corresponding duty of the neutral State in maritime warfare is inevitably less extensive
in view of the permitted presence of belligerent warships in neutral ports and waters,
although it does include the special obligation to prevent the fitting out, arming or
departure of any vessel intended for hostile operations.49
While it is self-evident that neutral States must not participate in hostilities, their
duty of non-discrimination is perhaps less well-known; it requires such States to apply
with complete impartiality, as between the belligerents, certain specific restrictions and
prohibitions. For example, ‘the conditions, restrictions, or prohibitions made by [a
neutral power] in regard to the admission into its ports, roadsteads, or territorial waters,
of belligerent war-ships [sic] or of their prizes’ must be applied impartially to both
sides in a conflict at sea.50 Although by the time of World War II it was generally
understood that the internment of belligerent aircraft and their aircrews shot or forced
down over any neutral State’s airspace was to be applied impartially,51 the Irish practice
of instructing Allied aircrew to report that their flight was on non-combatant duty (so
that they could quietly be sent across the border to Northern Ireland) whilst insisting on
the internment of all German aircraft and aircrew, became a matter of some notoriety.52
Such attitudes, as mentioned above, effectively amount to non-belligerency – also
sometimes referred to as ‘qualified neutrality’ – but still have in common with strict
observance of neutrality the avoidance of active participation in armed hostilities. The
same is true of the requirement that neutral States not give assistance to the parties to
a conflict: this does not extend to a prohibition on selling ‘arms, munitions of war, or,
in general … anything which can be of use to an army or a fleet’53 and the duty of
non-discrimination does not mean that such sales must be extended equally to both
44
See Owen Chadwick, Britain and the Vatican during the Second World War (CUP 1986)
222.
45
HC V, art 2.
46
Ibid. art 3. For the equivalent provision in respect of maritime warfare, see HC XIII,
art 5.
47
HC V, art 4.
48
Ibid. art 5.
49
HC XIII, art 8. This codified the customary law position that had been argued
successfully by the US in its post-Civil War proceedings against Great Britain for the latter’s
failure to prevent the construction in, and departure from, its ports of Confederate commerce
raiders such as the CSS Alabama and CSS Florida: see John B. Moore, History and Digest of the
International Arbitrations to Which the United States Has Been a Party (vol I, Government
Printing Office 1898) ch XIV 495–682 and 653–9; Tom Bingham, ‘The Alabama Claims
Arbitration’ (2005) 54 I.C.L.Q 1.
50
HC XIII, art 9.
51
See The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and
Air Warfare, Part II: Rules of Aerial Warfare (n 26) art 42, and commentary at 1054–55.
52
See O’Driscoll (n 20) 12–14.
53
HC V, art 7.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
9 / Date: 8/5
JOBNAME: Tsagourias PAGE: 10 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
sides in a conflict,54 although if a neutral State decides to ban such exports, it must do
so on a non-discriminatory basis.
On a more general level, it has long been accepted that neutral States are absolutely
entitled to defend their territorial sovereignty against any and all infringements by
belligerent forces, but the fact that a State may do so in accordance with the right of
self-defence as a matter of the jus ad bellum does not turn it into a belligerent and
cannot be regarded as a hostile or wrongful act under international law.55 Conversely, if
a neutral State is unwilling or unable to prevent the use of its territory for hostile
operations against a belligerent (a failure which comes within the definition of
aggression in customary international law),56 the latter may be entitled to use force in
self-defence against hostile forces in the neutral State, subject to the normal rules of the
jus ad bellum.
Finally, the effect of the advent of the UN Charter regime (as regards the legality of
the use of force) on the traditional law of neutrality should be noted. As Vagts has
remarked, ‘war and neutrality were both thought rendered obsolete by the coming of
the United Nations and its regime of collective security. That is not quite accurate’.57
The Charter undoubtedly has significance for neutrality in that it requires all Member
States of the UN, on the one hand, to co-operate with collective security enforcement
measures mandated by the Security Council under Chapter VII of the Charter,58 and on
the other hand, to refrain from rendering any assistance to States that are the object of
such enforcement measures.59 The former obligation might suggest that there is no
scope for a State to remain neutral stricto sensu, once the Security Council has ordered
enforcement measures against another State,60 while the latter obligation could imply
the abandonment of impartiality in the provision of any ‘arms, munitions of war, or …
anything which can be of use to an army or a fleet’.61 However, State practice since
1945 has indicated that the traditional law of neutrality continues to be invoked by
States, Chapter VII of the Charter notwithstanding. The Korean War (1950–53) saw
ambivalent stances and contradictory behaviour by several States,62 not least the
54
See below, (n 60).
55
See HC V, art 10; HC XIII, art 26.
56
UNGA Res 3314 (XXIX) (14 December 1974) Annex – Definition of Aggression art 3(f).
Note, however, that this requires the territory to have been ‘placed at the disposal of another
State’: absent such consent – as, for example, in the case of a failed State or one without an
effective government in control of the territory – it is not likely that aggression would be
imputed to the neutral State itself.
57
Vagts (n 6) 84.
58
UN Charter arts 2(5), 25 and 49.
59
Ibid. art 2(5).
60
In support of this view, see Christian Lanz, ‘Is neutrality an appropriate instrument for
domestic security? A European perspective’ (2005) 17 Information & Security 41–9 and 42–3.
61
HC V, art 7. The requirement to comply with an arms embargo at the direction of the
Security Council under art 41 of the Charter, for example, would negate this obligation for
neutral States: see Vagts (n 6) 89.
62
E.g. Operation TP Stole, a Central Intelligence Agency-masterminded takeover of a
Norwegian ship chartered by the Communist Chinese to take Indian medical supplies to North
Korea (Norway and India both proclaimed their neutrality in the Korean War): see Paul M.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
People’s Republic of China, which steadfastly insisted that it was neutral despite the
large-scale combat operations of the ‘Chinese People’s Volunteers’ against the UN
forces whose presence in Korea was mandated by Security Council Resolutions 83 and
84.63 The inconclusiveness of military ground offensives during the Iran-Iraq War
(1980–88) led both belligerents to attack neutral shipping in the Persian Gulf in an
attempt to interdict each other’s oil trade (the so-called ‘Tanker War’), which severely
impeded the right of neutrals to trade with belligerents;64 this, coupled with the overtly
ambivalent attitude adopted by several non-belligerent States in the conflict65 gave rise
to considerable debate as to the relevance and application of the law of maritime
neutrality.66 The Security Council repeatedly condemned all infringements of neutral
States’ territorial waters as well as attacks on neutral shipping,67 which clearly
indicated that the rules of neutrality were deemed to be still applicable; the practice
adopted by certain neutral States of reflagging their merchant vessels for protection by
US and other powerful naval forces – themselves belonging to neutral nations – present
in the Persian Gulf, while not completely uncontroversial, was not viewed as subverting
neutrality law.68
It has been suggested that it was the Security Council’s failure to designate an
aggressor in the Iran-Iraq War that ‘made it possible for other states to assume the
status of traditional neutrality’;69 however, subsequent State practice on point is
extremely limited. During the subsequent crisis and conflict in the Persian Gulf
resulting from the Iraqi invasion of Kuwait (1990–91), the Americans and their
Coalition partners accepted a ‘modified nature of neutrality’ in the situation of
Edwards, Combat Operations of the Korean War: Ground, Air, Sea, Special and Covert
(McFarland and Co. 2010) 165–6.
63
UNSC Res 83 ‘Complaint of aggression upon the Republic of Korea’ (27 June 1950) UN
Doc S/RES/83; UNSC Res 84 ‘Complaint of aggression upon the Republic of Korea’ (7 July
1950) UN Doc S/RES/84. Chinese military participation in the Korean War was characterised by
the General Assembly as aggression: UNGA Res 498(V) (1 February 1951) UN Doc A/RES/498
(V).
64
See A. Gioia and N. Ronzitti, ‘The law of neutrality: Third states’ commercial rights and
duties’ in Iger F. Dekker & Harry G. Post, The Gulf War of 1980–1988: The Iran-Iraq War in
International Legal Perspective (Dordrecht: Martinus Nijhoff Publishers 1992) 221–42. Iraq
expressed the view that neutral merchant ships trading with Iran forfeited their neutral character:
‘Letter dated 20 February 1985 from the Permanent Representative of Iraq to the United Nations
addressed to the Secretary-General’ (20 February 1985) UN Doc S/16972 para. 2.
65
E.g. France supplied arms and military equipment to Iraq only, while the US specifically
denied arms and war materials to Iran only: Gioia & Ronzitti (n 64) 228–9.
66
See, e.g. Francis V. Russo, ‘Neutrality at sea in transition: State practice in the Gulf War
as emerging customary international law’ (1988) 19(5) Ocean Development & Int’l. L. 381;
Boleslaw A. Boczek, ‘Law of warfare at sea and neutrality: Lessons from the Gulf War’ (1989)
20(3) Ocean Development and Int’l. L. 239–71.
67
See Boczek ibid. 260.
68
See Michael H. Armacost, ‘U.S. policy in the Persian Gulf and Kuwaiti reflagging’
(1987) 10(1) Defense Institute of Security Assistance Management J. 11, 14; Margaret G
Wachenfeld, ‘Reflagging Kuwaiti tankers: A U.S. response in the Persian Gulf’ (1988) Duke L.
J. 174–202.
69
Boczek (n 66) 254.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
(a) Generalities
It has been clear from the outset that any discussion of neutrality law in the context of
cyber conflict at this point in time must be highly speculative, to say the least. The
normative sources of neutrality law, as briefly discussed above, date from an era when
computers and cyber networks had not even been imagined, and their substance is
heavily reliant on such tangible constructs as territory, territorial waters and airspace
(above both land and the territorial sea). Cyber networks, by their very nature, are
intangible and appear unsusceptible per se to any exercise of national jurisdiction or
sovereignty. As has been colourfully suggested with reference specifically to maritime
neutrality laws, ‘their dispositions with regard to naval passage through neutral waters
and into neutral ports reflect a world in which sweating teams of stokers moved coal
from bunkers to furnaces beneath boilers’.74 Quite apart from the total lack of clearly
accepted lex scripta regulating cyber neutrality, there is also an equally total lack of any
relevant State practice: as far as is known there have been no purely cyber conflicts to
date, and the only armed conflict in which cyber operations were unquestionably
conducted within the context of the conflict has not resulted in any legal determination
of wrongfulness and/or responsibility for such operations. During the South Ossetia
War (2008), both Russian and Georgian media websites were hacked, as well as
70
UNSC Res 678 (29 November 1990) UN Doc S/RES/678.
71
US Department of Defense, ‘Final Report to Congress: Conduct of the Persian Gulf War,
Appendix O – The Role of the Law of War’ (1992) 31 Int’l. L. Materials 615, 638. As examples
of neutral States’ attitudes, Austria and Switzerland both permitted overflights by US military
transport aircraft, whereas India did not: ibid. 640.
72
Ibid. 639.
73
Ibid. 640.
74
Vagts (n 6) 84.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
12 / Date: 25/3
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The global distribution of cyber assets and activities, as well as global dependence on cyber
infrastructure, means that cyber operations of parties to a conflict can easily affect private or
public neutral cyber infrastructure. Accordingly, neutrality is particularly relevant in modern
armed conflict.79
As will be discussed below, the present author believes that there is at least a 50 per
cent probability that this is an accurate assessment of the future for neutrality law in
75
See Noah Shachtman, ‘Estonia, Google Help “Cyberlocked” Georgia (Updated)’, Wired
(8 November 2008) <http://www.wired.com/dangerroom/2008/08/civilge-the-geo/> accessed 27
September 2014; Stephen W. Korns and Joshua E. Kastenberg, ‘Georgia’s cyber left hook’
(2008) XXXVIII(4) Parameters 60–76.
76
See John Markoff, ‘Before the gunfire, cyberattacks’, The New York Times (12 August
2008) <http://www.nytimes.com/2008/08/13/technology/13cyber.html?emand_r=0> accessed 27
September 2014; Paulo Shakarian, Jana Shakarian & Andrew Ruef, Introduction to Cyber-
Warfare: A Multidisciplinary Approach (Syngress 2013) Ch 3.
77
See David L. Willson, ‘An Army view of neutrality in space: Legal options for space
negation’ (2001) 50 Air Force L. Rev. 175, 192–204.
78
Tallinn Manual (n 35) Ch VII para. 1.
79
Ibid. para 3.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
13 / Date: 25/3
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
cyber conflict, notwithstanding the fact that no State has as yet declared neutrality in
any cyber conflict. The Tallinn Manual specifies just five rules of lex lata80 in relation
to cyber neutrality, namely:
Rules 91–93 may be characterised as part of the jus in bello and are derived directly
from the relevant Hague Conventions of 1907 – respectively, Article 1 of both HC V
and HC XIII (Rule 91), Articles 2 and 3 of HC V and Articles 2 and 5 of HC XIII
(Rule 92), and Article 5 of HC V (Rule 93). Rules 91 and 92 are basically opposite
sides of the same coin in that they prohibit violations of neutrality, whether directed
against or emanating from neutral cyber infrastructure. Rule 93 reaffirms the duty of
neutral States, where possible, to prevent violations occurring on their territory. These
Rules clearly reflect only the ‘first pillar’ of the traditional law of neutrality: the
principle of non-participation. While this principle thus remains the bedrock of a
contemporary concept of neutrality, the nature of the modern global economy and
international commercial realities, as illustrated by State practice in the Iran-Iraq and
First Gulf Wars discussed above, as well as the inherent practical and technical
80
Each of the first three rules is claimed to represent a norm of customary international law,
as reflected in the Hague Conventions V and XIII. The fourth, as a form of ‘self-help’, is said to
be ‘generally accepted as customary international law’ (Tallinn Manual (n 35) rule 94, para 1);
although little evidence is cited to justify such an assertion, it may be safely assumed that it
would fall within the category of self-defence under the jus ad bellum (cf. UK Ministry of
Defence (n 32) para 1.43(a)). The fifth is derived from a treaty, namely the UN Charter, under art
103 of which customary law rules that are incompatible with a rule contained in the Charter are
superseded by the latter.
81
The Experts note that they chose to use the term ‘exercise of belligerent rights’ as a
synonym for ‘hostile act’ (the principal term which is used in the Hague Conventions); the
preference is explained by reference to the latter term being ‘an operational term of art’,
although the point is not elucidated further: Tallinn Manual (n 35) Ch VII, para. 6. The present
author considers the sense of the term ‘hostile act’ to be clear enough from the context.
82
Ibid. rule 91.
83
Ibid. rule 92.
84
Ibid. rule 93.
85
Ibid. rule 94.
86
Ibid. rule 95.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
difficulties in the regulation of cyber activity, seem to suggest that the ‘second pillar’ of
non-discrimination may become less important in future applications of neutrality law –
in the cyber context as in more conventional armed conflicts.87
Rules 94 and 95 of the Tallinn Manual are concerned with the cyber dimension of
neutrality in respect of the two Charter-based exceptions to the prohibition of the use of
force in international relations: self-defence (although the Manual does not use that
term at this point) and collective security enforcement measures ordered by the
Security Council in the exercise of its Chapter VII powers. Indeed, it is arguable that
the law of neutrality is of very little relevance to the initiation of cyber conflicts except
in these two respects. It is interesting to note, however, that Rule 94 is concerned with
a belligerent’s right to use force, if necessary, to counter cyber violations of a State’s
neutrality – not with a neutral State’s right to defend its neutrality by armed force,
including cyber operations, if necessary. Perhaps it was assumed by the Experts that the
neutral State’s right of self-defence in such circumstances would be so self-evident as
to render discussion unnecessary. Nevertheless, it bears emphasising that, since every
State always has the inherent right to defend its territorial sovereignty and political
independence from attack,88 the Tallinn Manual repeatedly mentions the unlawful use
of cyber infrastructure on a neutral State’s territory, and the Hague Conventions
expressly recognised that a neutral State’s use of force in defence of its rights is not to
be regarded as a hostile or unfriendly act by the belligerent(s) against which such
action is directed,89 by analogy a neutral State clearly would be permitted to defend its
neutrality against cyber violations.
As regards the precise formulation used in Rule 94, it may be noted that it
presupposes knowledge by the neutral State of the violation. However, the notorious
difficulty of tracing – much less of attributing – cyber activity with any great degree of
precision90 may impose an altogether unreasonable burden on the authorities of a
neutral State, even when the principle of due diligence in preventing violations of
international law is taken into account.91 As opined by the International Court of Justice
(ICJ) in the very first contentious case ever submitted to it for adjudication:
87
Although note that the duty of non-discrimination is acknowledged in that any restric-
tions on the use of open, publically accessible networks (e.g. the Internet) must be ‘impartially
applied to all parties to the conflict’: ibid. rule 93, para. 3. This could apply, for instance, in the
context of restricting belligerent Internet traffic from transiting via servers hosted in a neutral
State – a measure which would surely be remarkably difficult to enforce.
88
UN Charter art 51.
89
HC V, art 10; HC XIII, art 26.
90
See Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’
(2012) 17(2) J. Conflict & Sec. L. 229–44, especially at 234.
91
This doctrine, of course, concerns liability of a State for actions of its own official agents;
the position is more complicated where the wrongful acts are committed by non-State actors.
See generally Malcom N. Shaw, International Law (6th edn., CUP 2008) at 785–93.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
15 / Date: 25/3
JOBNAME: Tsagourias PAGE: 16 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
it cannot be concluded from the mere fact of the control exercised by a State over its territory
and waters that that State necessarily knew, or ought to have known, of any unlawful act
perpetrated therein, nor yet that it necessarily knew, or should have known, the authors. This
fact, by itself and apart from other circumstances, neither involves prima facie responsibility
nor shifts the burden of proof.92
It is submitted that this may a fortiori be the case in the cyber context, as in the
situation where an agent of a belligerent State briefly enters the territory of a neutral
State and, while present there, opens a laptop computer and sends an e-mail containing
a virus that infects the military command network of an opposing belligerent, before
leaving neutral territory. All this could occur within a period of 24 hours or less. How
precisely could the neutral State’s authorities reasonably be expected to prevent or
terminate such activity without leaving the door open to an aggrieved belligerent to
take hostile action against the neutral State? The ICJ stated further in the Corfu
Channel Case that in light of a victim State’s frequent inability to furnish direct proof
of facts disclosing responsibility for a breach of international law, ‘[s]uch a State
should be allowed a more liberal recourse to inferences of fact and circumstantial
evidence’.93 The formula adopted by the International Group of Experts in the Tallinn
Manual is consonant with that dictum and would seem to entail a presumption very
much in favour of an ‘aggrieved belligerent’s’ rights, to the detriment of those of a
neutral.
The content of Rule 95 would be of interest in the event of the UN Security Council
ordering action against a delinquent State that was engaging in cyber operations that
were deemed a threat to the peace, breach of the peace or act of aggression, in terms of
Chapter VII of the UN Charter. The suggestion is that in such a situation, it would not
be a breach of a neutral State’s obligations under the law of neutrality for it to
participate in cyber operations ordered by the Council,94 consistent with Article 42 of
the Charter. Presumably, if the Council ordered ‘cyber sanctions’ consistent with Article
41, a neutral State could be called upon to comply with them in accordance with its
duty to accept and carry out Council decisions under Article 25 – which, by virtue of
Article 103, would override any inconsistent obligations arising under neutrality law. In
practice, it remains to be seen how – if at all – neutral States would wish to ‘stand on
their neutrality’, or otherwise, in such situations. The precedents set during the First
Gulf War95 suggest that there will be a divergence of opinion between those States that
wish to insist on maintaining an attitude of neutrality (i.e. those most closely affected
by the enforcement action) and those that are participating in any ‘coalition of the
willing’ authorised by the Security Council. Taking the interconnectivity of the cyber
domain into account, however, and the mutual interdependence that it implies, one may
wonder whether it will not be the case that all ‘heavily wired’ States might not come to
view themselves as being closely affected by any cyber sanctions or cyber enforcement
action.
92
Corfu Channel (United Kingdom v. Albania) (Merits) (Judgment) [1949] ICJ Rep. 4 at
18.
93
Ibid.
94
Tallinn Manual (n 34) rule 95 para. 3.
95
Ibid. text accompanying (nn 69–72).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
16 / Date: 7/5
JOBNAME: Tsagourias PAGE: 17 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
A far larger number of provisions of the law of armed conflict (LOAC) potentially
implicate neutrality in the cyber context than is the case in respect of the rules on the
legality of the use of force by States, and there is a correspondingly greater number of
legal provisions in the Hague Conventions V and XIII, and other ‘musty’ instruments,
that might provide useful analogies for the application of neutrality law in the cyber
age. Of particular interest are the various provisions relating to the construction and use
of communications equipment on neutral territory, and those – even less well-known –
from the Hague Rules for the Control of Radio in Time of War,96 covering radio
stations and apparatus. Although imperfectly fitted to the technology of cyber, these
provisions from the first three decades of the twentieth century, with their focus on
what were then modern means of communication, represent perhaps the closest
analogies in settled international law to the types of issues likely to be encountered by
neutral States in the cyber domain.97 On land, belligerents are forbidden to erect on
neutral territory ‘a wireless telegraphy station or other apparatus for the purpose of
communicating with belligerent forces’,98 or to use for purely military purposes any
such apparatus erected before a conflict if it is not ‘opened for the service of public
messages’.99 There is a duty on neutral States not to allow any of these acts to occur on
their territory,100 but they are not required to forbid or restrict belligerent use of any
telegraph, telephone cables or wireless telegraphy apparatus situated on their territory,
irrespective of whether such devices belong to the State itself, to companies or to
private individuals.101 The erection of ‘wireless telegraphy stations or any apparatus for
the purpose of communicating with the belligerent forces’ is equally forbidden in
neutral ports and territorial waters.102 Special provisions regarding radio stations are
enumerated in the Hague Rules for the Control of Radio in Time of War, although it
must be remembered that this instrument was never formally adopted as a binding
treaty or opened for signature or ratification. The erection or operation, by belligerents
or their agents, of radio stations ‘within neutral jurisdiction’ is stated to be a violation
of neutrality; it is worth noting that this was not limited to conduct by belligerents but
is equally a violation if a neutral State permits it to happen.103 In keeping with similar
provisions in Hague Convention V, neutral States were not required to restrict or
prohibit the use of radio stations within their jurisdiction, except in order to prevent
96
The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and Air
Warfare, Part I: Rules for the Control of Radio in Time of War (n 27) 33.
97
See, generally, Jeffrey T. Kelsey, ‘Hacking into international humanitarian law: The
principles of distinction and neutrality in the age of cyber warfare’ (2008) 106(7) Michigan L.
Rev. 1427, 1441–6.
98
HC V, art 3(a).
99
Ibid. art 3(b).
100
Ibid. art 5.
101
Ibid. art 8.
102
HC XIII, art 5.
103
The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and Air
Warfare, Part I: Rules for the Control of Radio in Time of War (n 27) art 3.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
17 / Date: 7/5
JOBNAME: Tsagourias PAGE: 18 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
104
Ibid. art 4.
105
Ibid. art 5.
106
Ibid. art 8.
107
For an elaborate but far from unrealistic example of a possible scenario involving
neutrality in cyber conflict, see Eric T. Jensen, ‘Sovereignty and neutrality in cyber conflict’
(2012) 35 Fordham Int’l. L. J. 815, 816–17.
108
Thus, they could be analogous to ‘munitions of war’, in which case their movement
‘across the territory’ of a neutral State would be forbidden: HC V, art 2.
109
See Tallinn Manual (n 35) rules 25–29.
110
A better analogy for cyberspace in fact would be outer space, which under public
international law is considered res communis – an area which by definition is not capable of
forming part of the territory of any State: see Treaty on Principles Governing the Activities of
States in the Exploration and Use of Outer Space, including the Moon and Other Celestial
Bodies, UN Doc A/RES/2222 (XXI) (19 December 1966) Annex, arts I and II. An appropriate
analogy may also be drawn with the high seas: see George K. Walker, ‘Information warfare and
neutrality’ (2000) 33 Vand. J. of Trans. L. 1079, 1150–6.
111
As to which generally, see Vaughan Lowe & Christopher Staker, ‘Jurisdiction’ in
Malcolm D. Evans (ed.), International Law (3rd edn., OUP 2010) 313.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
18 / Date: 7/5
JOBNAME: Tsagourias PAGE: 19 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
technology do not have any nationality and there are no known rules under inter-
national law for using goods or technology situated abroad as a basis of establishing
jurisdiction over the persons controlling them.’112 On the other hand, 20 years later,
things had moved on enough for criminal jurisdiction to be included in a new treaty
relating to certain aspects of cyber activity.113 We must also bear in mind the very fluid,
intangible nature of the Internet, and the fact that the types of acts which could
constitute violations of cyber neutrality are likely to be transnational in nature: hostile
data could be transmitted from a network in one State and transit the Internet nodes or
hubs of one or more intervening States before arriving at its target. It seems probable
that in the future, States may seek to assert their cyber jurisdiction by reference, not to
a concept of territoriality as emphasised in the Hague Conventions and Rules, but to
one of personality – that is to say, the identity of the person(s) committing a cyber
violation of neutrality may come to be seen as more useful legally than the location
where the act occurs.114 This may be an especially attractive legal possibility when one
considers the ban on forming ‘corps of combatants’ on neutral territory in order ‘to
assist the belligerents’.115 Given the plausible deniability of much State involvement
with malicious activity in cyberspace, and the assertions that so-called ‘patriotic
“hacktivists”’ in Russia were responsible, for example, for DDOS attacks and webpage
defacement in Estonia (2007) and Georgia (2008),116 there could conceivably be scope
for a revival, in the cyber context, of the concept of the levée en masse117 found in the
law of armed conflict.118 Whether ‘hacktivists’ are legally considered civilians directly
participating in hostilities or part of a levée en masse, however, they could arguably fall
within the spirit of the prohibition in Article 4 of HC V.
As to communications with belligerents, this is likely to be of relevance primarily in
the context of cyber espionage,119 an activity which is neither expressly permitted nor
expressly prohibited under public international law; despite the probability that it would
violate the international law of neutrality, it is more likely to be treated as a violation of
national law only, particularly since under LOAC it is defined as occurring in the
112
European Communities: Comments on the U.S. Regulations Concerning Trade with the
U.S.S.R. (1982) 21 International Legal Materials 891, 894.
113
See Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force: 1 July 2004) art 22.
114
For further technical and jurisdictional possibilities, and very interesting discussion, see
Thomas Schultz, ‘Carving up the Internet: Jurisdiction, legal orders and the private/public
international law interface’ (2008) 19 E.J.I.L. 799. See also Tsagourias (Ch 1 of this book).
115
HC V, art 4.
116
See Piret Pernik, ‘Different tactics, same story’ (RKK/CDS blog, 28 March 2014)
<http://blog.icds.ee/article/255/different-tactics-same-story> accessed 27 September 2014.
117
As most recently defined in Geneva Convention (III) Relative to the Treatment of
Prisoners of War of August 12, 1949 (1950) 75 UNTS 135–285, art 4(A)(6). See also Arimatsu
(Ch 15 of this book) and Bannelier-Christakis (Ch 16 of this book).
118
But see Tallinn Manual (n 34) rule 27. The Commentary to a subsequent rule then makes
it clear that the Experts regard ‘hacktivists’ as civilians directly participating in hostilities: ibid.
rule 35 para. 11. See also David Turns, ‘Cyber warfare and the notion of direct participation in
hostilities’ (2012) 17 J. Conflict & Sec. L. 279.
119
See Buchan (Ch 8 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
19 / Date: 7/5
JOBNAME: Tsagourias PAGE: 20 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
4. CONCLUSION
In the early stages of World War II the principal concerns of neutral nations were
overwhelmingly to do with the protection of their territorial sovereignty against
violation. They involved such matters as protesting against the shining of searchlights
from British warships into territorial waters at night (in the case of Norway)122 and
ensuring the departure of the damaged German pocket battleship Admiral Graf Spee
from the neutral harbour of Montevideo after the Battle of the River Plate, which itself
had taken place within a neutral exclusion zone unrecognised by the belligerents (in the
case of Uruguay).123 In the early twenty-first century the main equivalent issues of
preoccupation are likely to be routing or transit of cyber attacks via Internet servers,
nodes or other infrastructure located in or owned by neutral States; thus, the territorial
link remains, despite the intangible nature of the domain. Particular questions are likely
to involve the extent of awareness of the neutral State’s authorities about any cyber
infringement of their neutrality; whether those authorities have the ability to prevent
such infringements from occurring; the source and routing of cyber attacks; and to
whom such infringements are attributable. The same principles as were applicable 100
years ago – the Hague Conventions and customary international law – remain
applicable today, by analogy if not directly.
It would not be unreasonable to assume that the ever-greater interconnectedness of
nations’ affairs, economically and politically, and their increasing mutual inter-
dependence, as well as the all-pervasive nature of the Internet and cyber networks and
the increasing evidence of hostile cyber operations – albeit at a low level, short of
armed conflict – may well lead those States that do not wish to become embroiled in
such situations to emphasise and reinforce their adherence to neutrality law; this may
well be so, even in situations where the international community, acting through the
UN Security Council, has clearly designated an aggressor and ordered collective
security enforcement action. It is therefore entirely possible, the lack of recent and
current State practice notwithstanding, that the international law of neutrality may yet
120
Tallinn Manual (n 35) Rule 66, para. 2. The Experts note that such activities conducted
outside enemy-controlled territory are more correctly classified as computer network exploit-
ation or cyber reconnaissance, doctrinal concepts which in no way violate international law:
para. 3.
121
HC V, art 8.
122
See Simpson (n 4) 219.
123
For a summary of the battle, its background and consequences: see Sydney D. Waters,
The Royal New Zealand Navy (Historical Publications Branch 1956) 45–74.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
20 / Date: 7/5
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
undergo its biggest renaissance since those days of neutral waters and searchlights in a
less wired world. As has been suggested, ‘Undeniably, neutrality as a general concept
has as much vitality today as in the pre-Charter era … [the] opportunity for claims of
neutrality … remains large.’124
124
Walker (n 110) 1197.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter18 /Pg. Position:
21 / Date: 25/3
JOBNAME: Tsagourias PAGE: 1 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
PART V
REGIONAL AND
INTERNATIONAL APPROACHES
TO CYBER SECURITY
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
1 / Date: 25/3
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
‘For cyberspace to remain open and free, the same norms, principles and values that the
EU upholds offline, should also apply online. Fundamental rights, democracy and
the rule of law need to be protected in cyberspace.’ This argument lies at the heart of
the 2013 Cybersecurity Strategy of the European Union, adopted jointly by the
European Commission and the High Representative of the European Union for Foreign
Affairs and Security Policy, to underline both the internal and external dimensions of
this new policy area.1 Indeed, cybersecurity initiatives are not only developed at the
global level and they prove to relate to many different areas of the EU’s activities.
Apart from the fundamental rights dimension, the EU refers to an obvious economic
element, which relates to the completion of the so-called ‘Digital Single Market’:
citizens need trust and confidence to engage in new connected technologies and to use
e-commerce facilities.2 At the same time, cybersecurity can be said to form part of the
Common Security and Defence Policy (CSDP) which forms the basis for the Union
external security action.3 In December 2013 the European Council (the Heads of State
or Government) decided to develop a EU Cyber Defence Policy Framework to further
implement the new developments in its security and defence policy.4 More generally,
the 2009 Lisbon Treaty endowed the EU with more legal and institutional competences
1
Commission (EC) and High Representative of the European Union for Foreign Affairs and
Security Policy, ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure
Cyberspace’ (joint communication) JOIN(2013) 1 final, 7 February 2013.
2
See also the Commission (EC) 2000/31/EC on certain legal aspects of information society
services, in particular electronic commerce, in the Internal Market [2000] OJ L 178 (Electronic
Commerce Directive), which introduced an Internal Market framework for electronic commerce,
providing legal certainty for business and consumers alike. It established harmonized rules on
issues such as the transparency and information requirements for online service providers,
commercial communications, electronic contracts and limitations of liability of intermediary
service providers.
3
As stated in art 3(5) of the Treaty on European Union (TEU), ‘In its relations with the
wider world, the Union shall uphold and promote its values and interests and contribute to the
protection of its citizens. It shall contribute to […] security […] as well as to the strict
observance and the development of international law, including respect for the principles of the
United Nations Charter.’
4
European Council, ‘European Council conclusions on Common Security and Defence
Policy’ 20 December 2013 <http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/
ec/140214.pdf> accessed 4 April 2015.
403
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
1 / Date: 25/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
to realise its ambitions as ‘a global actor’5 and to link internal and external security
policies.6
Indeed, EU cybersecurity forms a prime example of an area in which both internal
and external (global as well as bilateral) policies are connected, thus implying a need to
combine different legal competences of the Union. Over the past decade the EU started
to take its first careful steps in formulating and regulating this new policy area, starting
mainly from an ‘outside-in’ perspective in which global security threats triggered
internal policies.7 With the adoption of the 2013 Strategy it aims to bring together the
different earlier initiatives in a comprehensive fashion while pointing to plans for new
legislation,8 which also reflect a wish to act as a global player and a participant in the
formulation of new global rules. It has rightfully been argued that European cyber-
security policy is formulated and implemented in a multi-level and multi-stakeholder
structure,9 in which legislation is connected to both international developments and
domestic implementation in the EU Member States (‘multilevel regulation’10) and
where both public and private actors11 play a role.
While there seems consensus on the proliferation of incidents and risks related to
cybersecurity,12 one of the key problems underlying the EU initiatives is that ‘cyberse-
curity’ as such is not mentioned as a theme – let alone a competence – in the EU
5
Recent publications on this topic include Bart Van Vooren, Steven Blockmans & Jan
Wouters (eds.), The EU’s Role in Global Governance: The Legal Dimension (OUP 2012); Inge
Govaere et al. (eds.), The European Union in the World: Essays in Honour of Marc Maresceau
(Martinus Nijhoff Publishers 2013).
6
Florian Trauner, ‘The internal-external security nexus: more coherence under Lisbon?’ (10
March 2010) 89 EUISS Occasional Paper; as well as Florian Trauner and Helena Carrapico,
‘The external dimension of EU justice and home affairs after the Lisbon Treaty: Analysing the
dynamics of expansion and diversification’ (2012) 17 Eur. Foreign Aff. Rev. 1.
7
See for instance the Commission (EC), ‘The EU Internal Security Strategy in Action: Five
steps towards a more secure Europe’ (Communication) COM (2010) 673 final, 22 November
2010.
8
Initiatives include a Commission proposal for a Directive concerning measures to ensure a
high common level of network and information security (usually referred to as ‘NIS’) across the
Union (EU Document COM (2013)48 final) as well as an earlier proposal for a General Data
Protection Regulation (COM (2012) 11 final) and a Regulation on electronic identification and
trust services for electronic transactions in the EU internal market (COM (2012) 238 final).
9
Annegret Bendiek & Andrew L. Porter, ‘European cyber security policy within a global
multistakeholder structure’ (2013) 2 E.F.A. Rev. 155. This article also provides a good overview
of the wide scope of the actual problems caused by a lack of cybersecurity.
10
See for instance Nupur Chowdhury & Ramses A. Wessel, ‘Conceptualizing multilevel
regulation in the EU: A legal translation of multilevel governance?’ (2012) 18(3) Eur. L. J. 335;
Andreas Føllesdal, Ramses A. Wessel & Jan Wouters (eds.), Multilevel Regulation and the EU:
The Interplay between Global, European and National Normative Processes (Martinus Nijhoff
Publishers 2008).
11
See for instance the European Cyber Security Group (http://www.cybersecuritygroup.eu)
or the European Network for Cyber Security (https://www.encs.eu).
12
See for instance the report by Neil Robinson et al., ‘Data and security breaches and
cyber-security strategies in the EU and its international counterparts’ (European Parliament,
Directorate-General for Internal Policies, Policy Department A: Economic and Scientific Policy,
September 2013); Javier Argomaniz, ‘The European Union policies on the protection of
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 5 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Treaties. Yet, as noted by the European Commission, cybercrime is ‘by its very nature
cross-border’ and hence ‘proper cross-border arrangements’ are required13 which brings
about the jurisdictional question that also emerges in international law.14 In the EU,
however, the ‘principle of conferral’15 may further complicate things and leaves the
Union with two options: it either connects cybersecurity to existing competences in
other fields, or it uses soft law instruments to stimulate Member States and other
relevant actors to implement parts of the Strategy. As we will see in the present chapter,
the Union aims to do both. Yet, with a view to its limited competences and given the
diverging procedural requirements in the different policy areas (ranging from the
internal market or the Area of Freedom, Security and Justice (AFSJ) to the Union’s
Common Foreign, Security and Defence Policy), it is questionable whether the
demands for consistency and effectiveness (arts 13 and 21 TEU) can be met. At the
same time cybersecurity forms an excellent example of an area in which the different
policy fields of the Union need to be combined (a requirement for horizontal
consistency), and where measures need to be taken at the level of both the EU and the
Member States (calling for vertical consistency).16
This chapter will both assess the existing and emerging internal rules related to
cybersecurity as well as the Union’s contribution to the development of a global
regulatory framework. While other policy areas revealed strong links between internal
and external policies (notably the Union’s Common Commercial Policy,17 or the
development of the AFSJ18) the absence of explicit competences in the area of
infrastructure from terrorist attacks: A critical assessment’ (2013) 1 Intelligence and Security; P.
Cornish, ‘Cyber security and politically, socially and religiously motivated cyber attacks’
(European Parliament/Policy Department External Policies, 2009).
13
Commission (EC), ‘Communication on Critical Information Infrastructure – results and
next steps: the path to global security network’ (Communication) COM (2011) 163 final, 3
December 2011.
14
Cf. J. Joachim Zekoll, ‘Jurisdiction in cyberspace’ in Gunther Handl, Joachim Zekoll &
Peer Zumbansen, Beyond Territoriality – Transnational Legal Authority in an Age of Global-
ization (Martinus Nijhoff Publishers 2012).
15
Art 5(2) TEU: ‘Under the principle of conferral, the Union shall act only within the limits
of the competences conferred upon it by the Member States in the Treaties to attain the
objectives set out therein. Competences not conferred upon the Union in the Treaties remain
with the Member States.’
16
On consistency and coherence see for instance Marise Cremona, ‘Coherence in European
Union foreign relations law’ in Panos Koutrakos (ed.), European Foreign Policy: Legal and
Political Perspectives (Edward Elgar 2011); Christophe Hillion, ‘Tous pour un, un pour tous!
Coherence in the External Relations of the European Union’ in Marise Cremona (ed.),
Developments in EU External Relations Law (OUP 2008).
17
Joris Larik, ‘Much more than trade: The common commercial policy in a global context’
in Malcom Evans and Panos Koutrakos (eds.), Beyond the Established Legal Orders: Policy
Interconnections Between the EU and the Rest of the World (Hart Publishing 2011) 13–45;
Marise Cremona, ‘The external dimension of the Single Market: Building (on) the foundations’
in Catherine Barnard & Joanne Scott (eds.), The Law of the Single European Market: Unpacking
the Premises (Hart Publishing 2002).
18
Jorg Monar, ‘The external dimension of the EU’s area of freedom, security and justice:
Progress, potential and limitations after the Treaty of Lisbon’ (Stockholm: SIEPS Report
2012/1); Ramses A. Wessel, Luisa Marin & Claudio Matera, ‘The external dimension of the
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
3 / Date: 25/3
JOBNAME: Tsagourias PAGE: 6 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
cybersecurity may form a reason for the Union to take a route other than the traditional
one based on the ‘in foro interno, in foro externo’ principle.19 Particular attention will
be paid to the question of whether the current fragmentation can be overcome on the
basis of the current treaty regime and some new case-law of the Court of Justice of the
European Union. The focus on cybersecurity is not meant to render other cyberspace
policies of the EU less relevant. While over the years the EU has been engaged in the
regulation of the Internet in a broader sense20 – with co-regulation as an important
dimension21 – the scope of this contribution does not aim to present a comprehensive
overview.
Section 2 will first of all define the relevant concepts and set the institutional stage.
The key adopted policies, including the Cybersecurity Strategy will be introduced in
Section 3. Section 4 will assess the existing legal instruments as well as the question of
their legal basis. This will be done mainly from the perspective of the existing
fragmentation in this area. In turn, this fragmentation will form the basis for an answer
to the question as to whether – under the current treaty regime – it is possible for a
consistent body of EU cybersecurity law to develop (Section 5).
EU’s area of freedom, security and justice’ in Christina Eckes, Theodore Konstadinides (eds.),
Crime within the Area of Freedom, Security and Justice: A European Public Order (CUP 2008)
272; Claudio Matera, ‘The European Union area of freedom, security and justice and the fight
against new security threats. New trends and old constitutional challenges’ in Maurizio Arcaric
& Louis Balmond (eds.), Global Governance and the Challenges of Collective Security
(Editoriale Scientifica 2012) 69–87.
19
This principle refers to the system in which the existence (or sometimes the use) of
internal competences implies the existence of external competences. Hence, once the EU would
be allowed to regulate an issue internally, it would also have the competence to include the same
issue in international agreements concluded with third states. The principle played a prominent
role in the landmark case AETR on the existence of external competences of the European
Community in transport. See John Temple Lang, ‘The ERTA Judgment and the Court’s case-law
on competence and conflict’ (1986) 6(1) Ybk. Eur. L. 183–218; Case 22/70, Commission v
Council (European Road Transport Agreement) (ECLI:EU:C:1971:32).
20
Franz C. Mayer, ‘Europe and the Internet: The Old World and the New Medium’ (2000)
11(1) E.J.I.L. 149. According to the European Commission, the EU’s regulatory role has evolved
over the years, to keep pace with the evolving ICT landscape: introducing rules covering all
electronic communications networks and services ensuring fair access to basic services (phone,
fax, internet, free emergency calls) at affordable prices, for all customers – including people with
disabilities stimulating competition by reducing the dominant position that former national
telecom monopolies used to maintained for certain services, like high-speed internet access. The
rules are applied independently by the authorities in each EU country, with national regulators
coordinating their policies at EU level through forums like the Body of European Regulators for
Electronic Communications (BEREC). See for a summary: ‘Information Technology’ (Euro-
pa.eu) <http://europa.eu/pol/infso/index_en.htm> accessed 4 April 2015. See on the role of the
EU in Internet governance also Commission (EC) ‘Internet governance: the next steps’
(Communication) COM(2009) 277 final, 18 June 2009; as well as the overview of activities by
the Commission on ‘Internet, Online activities and ICT standards’ <http://eur-lex.europa.
eu/summary/chapter/information_society.html?root_default=SUM_1_CODED=31> accessed 4
April 2015.
21
Christopher T. Marsden, Internet Co-Regulation: European Law, Regulatory Governance
and Legitimacy in Cyberspace (CUP 2011).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
4 / Date: 8/5
JOBNAME: Tsagourias PAGE: 7 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
The title of the present chapter refers to ‘cybersecurity’. Yet, cyberspace policies
usually also include ‘cybercrime’. Indeed, both the broader notion of ‘cybersecurity’
and the criminal activities falling under ‘cybercrime’ form part of the EU’s policies. In
the 2013 EU Strategy they are described as follows:22
Cybersecurity commonly refers to the safeguards and actions that can be used to
protect the cyber domain, both in the civilian and military fields, from those
threats that are associated with or that may harm its interdependent networks and
information infrastructure. Cybersecurity strives to preserve the availability and
integrity of the networks and infrastructure and the confidentiality of the
information contained therein.
Cybercrime commonly refers to a broad range of different criminal activities
where computers and information systems are involved either as a primary tool or
as a primary target. Cybercrime comprises traditional offences (e.g. fraud,
forgery, and identity theft), content-related offences (e.g. on-line distribution of
child pornography or incitement to racial hatred) and offences unique to comput-
ers and information systems (e.g. attacks against information systems, denial of
service and malware).
Hence, while cybersecurity refers to the range of safeguards and actions that can be
used to protect the cyber domain, cybercrime reflects to the actual criminal activities,
thus following the descriptions laid down in the Council of Europe Convention on
cybercrime.23 According to the European Commission, one million people become
victims of Internet crime daily.24 Yet, as we will see, it is difficult, both institutionally
and substantively, to separate the two concepts and, indeed, the two are combined in
the already existing cooperation between the EU and the United States, which can be
said to form a basis for the new and more comprehensive approach foreseen by the EU.
Despite the description of both policy areas by the EU and other actors, the current
definitions have met with some criticism. In 2001 the EU established the position of
European Data Protection Supervisor (EDPS), to make sure that all EU institutions and
bodies respect peoples’ right to privacy when processing their personal data. In its 2013
advisory report on the issue,25 the EDPS notices (with some regret) that some concepts,
22
For other (non-EU) definitions see Ducheine (Ch 10 of this book); Kastner & Mégret (Ch
9 of this book).
23
Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force: 1 July 2004).
24
Commission (EC), ‘EU Centre to combat cyber crime and consumer protection in
electronic commerce’ (press release) IP/12/317, 28 March 2012 <http://europa.eu/rapid/
pressReleasesAction.do?reference=IP/12/317> accessed 4 April 2015.
25
The European Data Protection Supervisor, ‘Opinion of the European Data Protection
Supervisor on the Joint Communication of the Commission and of the High Representative of
the European Union for Foreign Affairs and Security Policy on a “Cyber Security Strategy of the
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
5 / Date: 7/5
JOBNAME: Tsagourias PAGE: 8 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
such as cyber resilience (adding the element of the ability of a system to recover from
the effects of a security incident to full operational capacity) and cyber defence (related
to increasing the resilience of the communication and information systems supporting
Member States’ defence and national security interests) are not defined in the EU
Strategy or the proposed Directive on NIS. More in general, it noted that:
Although the Communication is a non-binding policy document, it would have been helpful
to define these notions more precisely so that there is a clear common understanding of what
is being referred to and a clear common understanding of the scope of the actions planned in
the Joint Communication. […] From a data protection perspective, the issue of taxonomy is
particularly important since these terms are being used as a justification for certain special
measures which could cause interference with fundamental rights, including the rights to
privacy and data protection.26
European Union: an Open, Safe and Secure Cyberspace” and on the Commission proposal for a
Directive concerning measures to ensure a high common level of network and information
security across the Union’ (The European Data Protection Supervisor report) 14 June 2013
<https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Consultation/Opinions/2013/
13-06-14_Cyber_security_EN.pdf> accessed 4 April 2015.
26
The European Data Protection Supervisor report (n 25) points 22–23.
27
Cf. Bendiek & Porter (n 9) 158.
28
Commission (EC), ‘EU-U.S. Summit 20 November 2010, Lisbon – Joint Statement’
MEMO/10/597, 20 November 2010. See also Maria Grazia Porcedda, ‘Transatlantic Approaches
to cyber-security and cybercrime’ in Patryk Pawlak (ed.), ‘The EU-US Security and Justice
Agenda in Action’ (EUISS Chaillot Paper, No. 127, 30 December 2011).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
6 / Date: 7/5
JOBNAME: Tsagourias PAGE: 9 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
EC3 thus aims to become the focal point in the EU’s fight against cybercrime, through
building operational and analytical capacity for investigations and cooperation with
international partners in the pursuit of an EU free from cybercrime. Yet, for the
development of actual legislation, it is necessary for the European Commission and the
European External Action Service to be involved. For that reason EC3 liaison offices
have been placed at those institutions and to other relevant agencies, including the
European Network and Information Security Agency (ENISA).32 This latter agency
also works to improve cooperation between Member States to implement emergency
response plans, conduct regular emergency drills, and develop a European Information
Sharing and Alert System (EISAS) to guard against attacks on critical infrastructure.33
Overall, however, it is questionable whether this somewhat loose institutional frame-
work will allow the Union to actually regulate the field of cybersecurity.
29
Bendiek & Porter (n 9) 169.
30
On this role of the Court of Justice see Alec Stone Sweet, ‘The European Court of Justice’
in Paul Craig & Gráinne de Búrca (eds.), The Evolution of EU Law (2nd edn., OUP 2011) Ch 6.
31
Council conclusions on the establishment of a European Cybercrime Centre, 3172nd
Justice and Home Affairs Council meeting Luxembourg, 7 and 8 June 2012.
32
Commission Regulation (EC) No 460/2004 establishing the European Network and
Information Security Agency [2004] OJ L 77.
33
‘EISAS’ (ENISA) <http://www.enisa.europa.eu/activities/cert/other-work/eisas_folder>
accessed 4 April 2015.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
7 / Date: 7/5
JOBNAME: Tsagourias PAGE: 10 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Given the fact that the large majority of network and information systems are
privately owned and operated, the involvement of private actors is essential and
occasionally also institutionalized, as exemplified by the European Public-Private
Partnership for Resilience (EP3R).34
The relatively slow acknowledgement of the need to regulate cyberspace is not only
related to the absence of competences on the side of the EU, but also to the early notion
that by its very nature ‘cyberspace’ could and should not be regulated. It could not be
regulated because of the fact that the phenomenon sits uneasily with traditional notions
of territorial jurisdiction and it should not be regulated because ‘regulatory efforts […]
would unduly restrict the great potential of the Internet’.35 Yet, ‘this ‘first generation
thinking’ […] proved to be a fallacy’36 and both the EU and its Member States realized
that ‘if information flows freely, it is because we allow it to do so’.37 Indeed, in the EU,
cybersecurity became an element of existing or new policies in related areas.38 To
mention a few influential documents, in 2001 the Commission issued in the Communi-
cation ‘Network and Information Security: proposal for a European Policy approach,39
updated in 2006 by its Strategy for a Secure Information Society,40 in which the
necessary additional steps are assessed to improve network and information security
(NIS). Key policy documents further include the 2010 Stockholm Programme (and the
subsequent Action Plan by the Commission41), the comprehensive multi-annual (2010-
2014) programme in relation on issues of the Union’s AFSJ’, in which the European
Council called for the promotion of ‘legislation that ensures a very high level of
network security and allows faster reactions in the event of cyber attacks’ (s 4.2.3). In a
34
Launched in 2009. See Commission (EC), ‘Protecting Europe from large scale cyber-
attacks and disruptions: enhancing preparedness, security and resilience’ (Communication)
COM(2009) 149 final, 30 March 2009.
35
Zekoll (n 14) 342–3.
36
Ibid. 343.
37
Horatia M. Watt, ‘Yahoo! cyberspace-collision of cultures: Who regulates’ (2003) 24
Mich. J. Int’l. L. 673, 683. Also quoted in Zekoll ibid. 344.
38
See for the early emergence of a EU policy on cybercrime from the perspective of
comparative federalism (the US, Switzerland): Fernando Mendez, ‘The European Union and
cybercrime: Insights from comparative federalism’ (2005) 12(3) J. of Eur. Pub. Pol’y 509–27.
39
Commission (EC), ‘Network and Information Security: Proposal for A European Policy
Approach’ (Communication) COM(2001) 298 final, 6 June 2001.
40
Commission (EC), ‘A strategy for a Secure Information Society – Dialogue, partnership
and empowerment’ (Communication) COM(2006) 251.
41
Commission (EC), ‘The EU Internal Security Strategy in Action: Five steps towards a
more secure Europe’ (Communication) COM(2010) 673 final, 22 November 2010.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
8 / Date: 25/3
JOBNAME: Tsagourias PAGE: 11 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
special section on cybercrime (s 4.4.4.), it also called upon the Commission and
the Member States to take the initiative for new concrete actions to guarantee
cybersecurity.
In the same year, the European Commission published the Digital Agenda for Europe
(DAE), ‘to deliver sustainable economic and social benefits from a digital single market
based on fast and ultra fast internet and interoperable applications’.42 In section 2.3 a
number of concrete actions were mentioned, including measures aiming at a reinforced
and high level NIS policy, including legislative initiatives such as a modernised ENISA,
and measures allowing faster reactions in the event of cyber attacks, including a
Computer Emergency Response Team (CERT) for the EU institutions; and measures,
including legislative initiatives, to combat cyber attacks against information systems by
2010, and related rules on jurisdiction in cyberspace at European and international
levels by 2013.
Early initiatives also related to consumer protection and jurisdictional issues. Thus,
the 2001 ‘Brussels Regulation’, inter alia, enables consumers to sue at their domicile
(and requires plaintiffs to sue the consumer there) if the defendant (or plaintiff) ‘directs
[its professional or commercial online activities] to that Member State’.43
In relation to international security, the 2003 European Security Strategy did not
refer to cybersecurity, but the 2008 Report on the Implementation of the European
Security Strategy briefly did as it referred to attacks at IT systems ‘as a potential new
economic, political and military weapon’.44
The 2013 Cybersecurity Strategy can be seen as a continuation of the internal and
external policies that have been developed by the EU in the area of Network and
Information Security (NIS), inter alia, resulting in the 2001 Commission Communi-
cation on ‘Network and Information Security: Proposal for a European Policy
Approach’ and the 2006 ‘Strategy for a Secure Information Society’45 – and in the
framework of the EU-US WGCC. Part of the Cybersecurity Strategy is related to
linking core EU values that exist in the ‘physical world’ to the ‘digital world’:
promoting fundamental rights, freedom of expression, personal data and privacy; access
for all; democratic and efficient multi-stakeholder governance; and a shared respons-
ibility to ensure security. Other elements relate to other policy areas of the EU,
including the internal market or defence policy. As the new Strategy forms the key
42
Commission (EC), ‘A Digital Agenda for Europe’ (Communication) COM(2010) 245
final/2, 26 August 2010. See also: ‘Digital Agenda for Europe’ (European Commission)
<http://ec.europa.eu/digital-agenda/> accessed 4 April 2015.
43
Council Regulation (EC) 44/2001 on ‘Jurisdiction and the Recognition and Enforcement
of Judgments in Civil and Commercial Matters’ [2000] OJ L 012. Also referred to in Zekoll
(n 14) 345.
44
Council of the European Union, ‘Report on the Implementation of the European Security
Strategy – Providing Security in a Changing World’ (S407/08, 11 December 2008).
45
See ‘Network and Information Security: Proposal for A European Policy Approach’ (n 39)
and ‘A strategy for a Secure Information Society – Dialogue, partnership and empowerment’
(n 40) respectively.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
9 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
framework for the planned actions and new legislation in the coming years, we will
briefly assess its main points.
As an express legal basis cannot be found in the EU Treaties, the Strategy rightfully
acknowledges that ‘it is predominantly the task of the Member States to deal with
security challenges in cyberspace’. Yet, five strategic priorities are mentioned to
enhance the EU’s overall performance in this area:
46
A new Regulation to strengthen ENISA and modernize its mandate is being negotiated by
the Council and the European Parliament. See Commission (EC), ‘Proposal for a Regulation of
the European Parliament and of the Council Concerning the European Network and Information
Security Agency (ENISA)’ COM (2010) 521, 30 September 2010.
47
European Parliament and Council Directive 2011/93/EU on combating the sexual abuse
and sexual exploitation of children and child pornography, and replacing Council Framework
Decision 2004/68/JHA [2011] OJ L 335/1.
48
European Parliament and Council Directive 2013/40/EU on attacks against information
systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L 218/8.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
10 / Date: 25/3
JOBNAME: Tsagourias PAGE: 13 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Given the fact that competences are mainly in the hands of Member States, at EU
level the fight against cybercrime will have to take the form of coordination only. In
that respect the Strategy foresees a role for the EU to facilitate bringing together law
enforcement and judicial authorities and public and private stakeholders from the EU
and beyond, for instance by supporting initiatives of the European Cybercrime Centre
(EC3), Europol, Eurojust, and the European Police College (CEPOL).
49
See for instance Ramses A. Wessel, ‘The state of affairs in European Security and Defence
Policy: The breakthrough in the Treaty of Nice’ (2003) 8(2) J. Conflict & Sec. L. 265–88;
Ramses A. Wessel, ‘Common Foreign, Security and Defence Policy’ in Dennis M. Patterson
(ed.), Wiley-Blackwell Companion for European Union Law and International Law (Wiley-
Blackwell 2015) (forthcoming); and Panos Koutrakos, The EU Common Security and Defence
Policy (OUP 2013).
50
Peter Van Elsuwege, ‘EU External action after the collapse of the pillar structure: In
search of a new balance between delimitation and consistency’ (2010) 47(4) C.M.L. Rev. 987.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
market demand for highly secured products, but also for the development of security
standards. Security should be part of the whole supply chain and also be integrated in
Research and Development. The EU funding programs will give specific attention to
this.
4. EU CYBERSECURITY LAW
The fact that cybersecurity as such is not mentioned as a theme in the EU Treaties has
not prevented the EU from being quite active in slowly regulating this policy field. The
last few years in particular have shown some new initiatives. The aim of this section is
not to substantively assess or criticize the proposed and existing legislation,51 but rather
to point to the piecemeal approach taken by the Union as it has to rely on different
legal bases.
51
Criticism is often related to the focus on tackling security threat without a clear attention
for the protection of individual liberties. See for instance studies by NGO’s and others pointing
to weaknesses or dangers in the (upcoming) legislation: Cedric Burton & Anna Pateraki, ‘Status
of the proposed EU Data Protection Regulation: Where do we stand?’ (JD Supra Business
Advisor, 9 February 2013) <http://www.jdsupra.com/legalnews/status-of-the-proposed-eu-data-
protectio-29569/> accessed 4 April 2015. With regard to the role of the European Parliament see
also Aidan Wills & Mathias Vermeulen, ‘Parliamentary Oversight of Security and Intelligence
Agencies in the European Union’ (PE 315.238, Study commissioned by the European Parlia-
ment, 2011): ‘It may seem incredible, but in key strategic documents that have been adopted by
the European Council, the Council and the Commission, the European Parliament apparently is
simply ignored. While such an omission would appear strange before the Treaty of Lisbon, it is
now … all the more inexplicable.’
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
12 / Date: 7/5
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The European Parliament and the Council may, by means of directives adopted in accordance
with the ordinary legislative procedure, establish minimum rules concerning the definition of
criminal offences and sanctions in the areas of particularly serious crime with a cross-border
dimension resulting from the nature or impact of such offences or from a special need to
combat them on a common basis.
These areas of crime are the following: terrorism, trafficking in human beings and sexual
exploitation of women and children, illicit drug trafficking, illicit arms trafficking, money
laundering, corruption, counterfeiting of means of payment, computer crime and organised
crime.
Judicial cooperation in criminal matters is not the only possible legal basis for
legislative measures in the area of cybersecurity. In February 2013 the Commission
also issued a proposal for a Directive concerning measures to ensure a high common
level of network and information security across the Union.54 According to the
explanatory memorandum:
The aim of this Directive is to ensure a high common level of network and information
security (NIS). This means improving the security of the Internet and the private networks
and information systems underpinning the functioning of our societies and economies. This
will be achieved by requiring the Member States to increase their preparedness and improve
their cooperation with each other, and by requiring operators of critical infrastructures, such
as energy, transport, and key providers of information society services (e-commerce plat-
forms, social networks, etc), as well as public administrations to adopt appropriate steps to
manage security risks and report serious incidents to the national competent authorities.
This time, however, the Commission uses economic rather than security arguments and
opts for the functioning of the internal market as the legal basis, arguing that under
52
Council (EC) Framework Decision 2005/222/JHA on attacks against information systems
[2005] OJ L 69.
53
Ibid.
54
Commission (EC), ‘Proposal for a Directive of the European Parliament and of the
Council concerning measures to ensure a high common level of network and information
security across the Union’ COM(2013) 48 final (7 February 2013).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
13 / Date: 25/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Article 114 TFEU, the EU can adopt ‘measures for the approximation of the provisions
laid down by law, regulation or administrative action in Member States which have as
their object the establishment and functioning of the internal market’.
Network and information systems play an essential role in facilitating the cross-border
movement of goods, services and people. They are often interconnected, and the internet is
global in nature. Given this intrinsic transnational dimension, a disruption in one Member
State can also affect other Member States and the EU as a whole. The resilience and stability
of network and information systems is therefore essential to the smooth functioning of the
Internal Market. […] The disparities resulting from uneven NIS national capabilities, policies
and level of protection across the Member States lead to barriers to the Internal Market and
justify EU action.55
Concerning the question of whether ultimately the internal market forms the ‘centre of
gravity’ in the set of objectives behind the network and information security (see the
legal basis discussion below), substantively, the Directive indeed aims at establishing a
cooperative network mechanism for information exchange and at creating binding
obligations for key providers of information society services, as well as public
administrations to adopt appropriate steps to manage security risks and report serious
incidents to the national competent authorities.
Enhancing trust in the internal market is also pursued by the proposal for a
Regulation on electronic identification and trust services for electronic transactions in
the EU internal market.56 This proposal is also based on Article 114 TFEU, which
concerns the adoption of rules to remove existing barriers to the functioning of the
internal market.
That cybersecurity is not just related to the AFSJ or to the internal market is
underlined by the proposal for a General Data Protection Regulation.57 Again a
completely different legal basis is used as the proposal is based on Article 16 TFEU,
which is the new legal basis for the adoption of data protection rules introduced by the
Lisbon Treaty. This provision allows for the adoption of rules relating to the protection
of individuals with regard to the processing of personal data by Member States when
carrying out activities which fall within the scope of Union law. It also allows the
adoption of rules relating to the free movement of personal data, including personal
data processed by Member States or private parties. Currently, personal data protection
is regulated mainly by the 1995 Directive 95/46/EC3, with two objectives in mind: to
protect the fundamental right to data protection and to guarantee the free flow of
personal data between Member States. It was complemented by Framework Decision
2008/977/JHA as a general instrument at Union level for the protection of personal data
in the areas of police cooperation and judicial cooperation in criminal matters.
55
Ibid. Explanatory memorandum.
56
Commission (EC), ‘Proposal for a Regulation of the European Parliament and of the
Council on electronic identification and trust services for electronic transactions in the EU
internal market’ COM (2012) 238 final, 4 June 2012.
57
Commission (EC), ‘Proposal for a Directive of the European Parliament and of the
Council on the protection of individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final, 25
January 2012.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Rapid technological developments have brought new challenges for the protection of personal
data. The scale of data sharing and collecting has increased dramatically. Technology allows
both private companies and public authorities to make use of personal data on an
unprecedented scale in order to pursue their activities. Individuals increasingly make personal
information available publicly and globally. Technology has transformed both the economy
and social life.
The aim of the new Regulation therefore is to prevent ‘fragmentation in the way
personal data protection is implemented across the Union, legal uncertainty and a
widespread public perception that there are significant risks associated notably with
online activity.’ This also explains the choice for a Regulation (that would be directly
applicable in all EU Member States) over a Directive (on the basis of which it would be
more difficult to coherent data protection framework that can also be enforced).
Decision-making on the proposal is being followed closely by multinational companies,
nongovernmental organisations, academics, and foreign governments as the new
Regulation will have global implications. It is believed to serve as a model for other
regions of the world and have extraterritorial effects on data controllers located outside
the EU.58
The Cybersecurity Strategy also mentions one particular field of cooperation related
to the so-called ‘solidarity clause’ laid down in Article 222 TFEU.59 On the basis of
that provision
The Union and its Member States shall act jointly in a spirit of solidarity if a Member State
is the object of a terrorist attack or the victim of a natural or man-made disaster. The Union
shall mobilise all the instruments at its disposal, including the military resources made
available by the Member States, to:
(a) + prevent the terrorist threat in the territory of the Member States;
+ protect democratic institutions and the civilian population from any terrorist attack;
+ assist a Member State in its territory, at the request of its political authorities, in the
event of a terrorist attack;
(b) assist a Member State in its territory, at the request of its political authorities, in the
event of a natural or man-made disaster.
Indeed, cybersecurity is not mentioned explicitly. Yet, it easily fits under some of the
headings. In a 2012 Resolution, the European Parliament even explicitly mentioned
cybersecurity as falling within the scope of the solidarity clause: it called for ‘an
adequate balance between flexibility and consistency as regards the types of attacks and
disasters for which the clause may be triggered, so as to ensure that no significant
threats, such as attacks in cyberspace, pandemics, or energy shortages, are overlooked
[…]’.60 In fact, the European Parliament even went a step further and also mentioned
58
Burton & Pateraki (n 51).
59
See for instance Malcolm Ross & Yuri Borgmann-Prebil (eds.), Promoting Solidarity in
the European Union (OUP 2010).
60
European Parliament resolution 2012/2223(INI) on the EU’s mutual defence and solidar-
ity clauses: political and operational dimensions [2012] para. 20.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
15 / Date: 25/3
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
cyberattacks as a reason to invoke the so-called ‘mutual defence clause’ laid down in
Article 42(7) TEU, containing a provision comparable to Article 5 of the NATO Treaty:
If a Member State is the victim of armed aggression on its territory, the other Member States
shall have towards it an obligation of aid and assistance by all the means in their power, in
accordance with Article 51 of the United Nations Charter. This shall not prejudice the specific
character of the security and defence policy of certain Member States.
that even non-armed attacks, for instance cyberattacks against critical infrastructure, that are
launched with the aim of causing severe damage and disruption to a Member State and are
identified as coming from an external entity could qualify for being covered by the clause, if
the Member State’s security is significantly threatened by its consequences, while fully
respecting the principle of proportionality […].61
While in the case of the solidarity clause it may be argued that there needs to be a link
with ‘terrorism’, the mutual defence clause refers to ‘armed aggression’, which in
international law terms may rule out certain cyber attacks.62 Hence, in both cases the
application of the clauses to situations of cybersecurity is not always obvious. In
practice, however, invoking a solidarity or a mutual defence clause will most probably
be driven more by political incentives than by legal doctrinal analysis.
While large parts of the debates still pertain to internal EU competences and to the
Union’s struggle to regulate the Internet in the territory of its Member States,63 the
discussion on cyberattacks underlines the need for global approaches as well. When
‘the next war will begin in cyberspace’,64 calls for a multilateral cyber warfare treaty
are understandable.65 In the EU’s external relations, the main guiding legal document is
the already mentioned Council of Europe Convention on Cybercrime (Budapest
Convention).66 Currently, this the only binding international instrument on this issue. It
serves as a guideline for any country developing comprehensive national legislation
against cybercrime and as a framework for international cooperation between the,
currently, 41 parties to this treaty. The Convention is also open to states that are not a
member of the Council of Europe and the list of signatories includes Australia,
Dominican Republic, Japan and the US. While the EU Member States are a party to the
Convention, the EU as such is not. Yet, it participates in the Cybercrime Convention
61
European Parliament resolution 2012/2223(INI) (n 60) para. 13. This view is not normally
held by international lawyers.
62
See for examples of cyber attacks Alexander Klimburg & Heli Tirmaa-Klaar, ‘Cyber
Security and Cyber Power: Concepts, Conditions and Capabilities for Cooperation for Action
within the EU’ (PE 433 828, study commissioned by the European Parliament, April 2011).
63
Mayer (n 20).
64
Gen. Keith B. Alexander, upon accepting the post to lead the first United States
Cyber-Command (USCYBERCOM). Quoted by Rex Hughes, ‘A Treaty for Cyberspace’ (2010)
86(2) Int’l. Affairs 523.
65
Ibid.
66
Convention on Cybercrime (n 23). Cf. also Mike Keyser, ‘The Council of Europe
Convention on Cybercrime’ (2003) 12(2) J. Transnat’l L. & Pol’y 287.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
16 / Date: 25/3
JOBNAME: Tsagourias PAGE: 19 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Committee (T-CY). Despite the fact that the Convention in its current version refers to
participating ‘states’ only, a further development of the EU’s activities in relation to
cybercrime may call for an intensified involvement of the EU in this area. Yet, at this
stage it would be difficult to find a legal basis for full participation as the EU Treaties
do not deal with cybercrime as such and the Union’s activities so far are mainly of a
coordinating nature.
Most importantly, perhaps, is the notion mentioned in the Cybersecurity Strategy to
mainstream cyberspace issues into EU external relations. When successful, this will
allow the EU to link its internal policy initiatives and legislation to its external action,
also in the area of foreign and security policy. Yet, as we have seen, the different
legislative initiatives are based on legal provisions located in different parts of the
treaties, with different rules being applicable. While linking security issues to the
internal market may offer possibilities for the EU to legislate cybersecurity domestic-
ally, it has always proved to be difficult to do the same externally. Connecting security
and international trade has seldom led to a coherent external policy.67 In his Opinion in
the so-called Mauritius case, AG Bot underlined the need for a link between internal
policies and foreign policy objectives to allow for a correct use of the Union’s CFSP to
serve as a legal basis. At the same time, as he pointed out, ‘Agreements under the CFSP
may include purely incidental aspects of other Union policies where these are so
limited in scope that they do not justify an additional legal basis.’68 Yet – as further
elaborated below – more intensive combinations of policy areas remain difficult due the
varying procedural rules for different policy areas and the division of competences
between the Union and its Member States. The question is to what extent the resulting
piecemeal approach will result in a consistent body of EU cybersecurity law. Apart
from the question of the correct legal basis (see below), it is also difficult in practice to
separate internal and external dimensions. As observed by Bendiek and Porter:
The distinct separation between domestic and foreign policy in European security policy
compromises the EU’s ability to respond to cyber attacks. Not only may Internet-based
attacks on critical infrastructure originate in Ghana, Russia or elsewhere, but also often it is
difficult (if not impossible) to identify the source of the attack. […] An appropriate response
to such an attack requires cross-border cooperation between authorities. It is here that the
current division of responsibilities between civil defence, military defence, and law enforce-
ment falters.69
(b) The Choice of Legal Basis and the Role of the Court of Justice
67
See Fabienne Bossuyt, Lotte Drieghe & Jan Orbie, ‘Living apart together: EU compre-
hensive security from a trade perspective’ (2013) 18(4) E.F.A. Rev. 63.
68
Case C-658/11 European Parliament v Council of the European Union (ECLI:EU:C:
2014:41), para. 25.
69
Bendiek & Porter (n 9) 156–7.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
17 / Date: 7/5
JOBNAME: Tsagourias PAGE: 20 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
70
Cf. Panos Koutrakos, ‘Legal Basis and Delimitation of Competence in EU External
Relations’ in Marise Cremona & Bruno de Witte (eds.), EU Foreign Relations Law: Constitu-
tional Fundamentals (Hart Publishing 2008) 171-198.
71
See Christophe Hillion, ‘A powerless Court? The European Court of Justice and the
common foreign and security policy’ in Marise Cremona & Anne Thies (eds.), The ECJ and
External Relations: Constitutional Challenges (Hart Publishing 2014); cf. also on the role of
principles in relation to the Court’s jurisdiction: Thomas Horsley, ‘Reflections on the role of the
Court of Justice as the motor of European integration: Legal limits to judicial lawmaking’ (2013)
50(4) C.M.L. Rev. 931.
72
See Stone Sweet (n 30).
73
See role of the Court in CFSP for instance: Stefan Griller, ‘The Court of Justice and the
Common Foreign and Security Policy’ in A. Rosas, E. Levits & Y. Bot (eds.), Court of Justice of
the European Union – Cour de Justice de l’Union Européene, The Court of Justice and the
Construction of Europe: Analyses and Perspectives on Sixty Years of Case-law – La Cour de
Justice et la Construction de l’Europe: Analyses et Perspectives de Soixante Ans de Jurispru-
dence (T.M.C. Asser Press 2013) 675–92; and Maja Brkan, ‘The Role of the European Court of
Justice in the Field of Common Foreign and Security Policy after the Treaty of Lisbon: New
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
18 / Date: 7/5
JOBNAME: Tsagourias PAGE: 21 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Treaty seems to have changed this and it can be argued that it even reversed the
situation: ‘the Court has jurisdiction except where the latter is explicitly excluded.
Hence, any lack of jurisdiction is now framed as an exception to that rule which, like
any exception in EU law, is arguably to be interpreted restrictively’.74 This, allegedly,
would allow for a more extensive role of the Court in some situations involving CFSP
and would (again allegedly) allow for a more comprehensive approach towards
cross-cutting policy areas such as cybersecurity (see further below).
The legal basis is not just relevant for internal legislation, but also for the Union’s
external action. Yet, this also reveals a problem in relation to creating a comprehensive
and consistent body of EU cybersecurity law. While the choice for an Internal Market
or an AFSJ legal basis may largely lead to similar legal instruments and a similar
involvement of the Institutions, the choice for a legal basis in the Union’s CFSP or
CSDP implies a choice for completely different legal instruments and largely different
roles of the Institutions.75 Most importantly, a CFSP/CSDP legal basis excludes the
adoption of Directives and Regulations, the key instruments that so far have also been
used in regulating cybersecurity. Indeed, ‘legislative acts’ are excluded (art 24(1) TEU),
and only ‘Decisions’ can be adopted as formal CFSP instruments, either by the
European Council (art 26(1) TEU) or the Council (art 26(2) TEU). Furthermore,
because of some procedural differences, it remains difficult to combine CFSP/CSDP
with other policy areas when negotiating international agreements (art 37 TEU), despite
the overall unification of the procedures in Article 218 TFEU.
One may argue that in those cases a choice will have to be made between either a
CFSP/CSDP or another instrument. While this is correct in principle, it stands in
contrast to the comprehensive approach that is heralded by the Cybersecurity Strategy
as well as by the EU Treaties themselves, which – since the Treaty of Lisbon – have
brought EU external action under one heading and in one combined objective (see in
particular art 21 TEU). The Treaties offer a rule to decide on the correct legal basis in
the sense that CFSP/CSDP decisions should not affect other policy areas, and vice
versa (art 40 TEU; sometimes referred to as the ‘non-contamination clause’).76 The
Court’s jurisdiction with respect to CFSP/CSDP is limited, and includes for instance
the monitoring of the compliance with the dividing line between CFSP and non-CFSP
Challenges for the Future’ in Paul J. Cardwell (ed.), EU External Relations Law and Policy in
the Post-Lisbon Era (TMC Asser Press 2012) 97–115.
74
Hillion (n 71). In this article Hillion convincingly argues that a wider competence of the
Court in relation to certain CFSP acts is foreseen in the current treaty regime.
75
See in general on the different nature of CFSP: Bart Van Vooren & Ramses A. Wessel, EU
External Relations Law: Text, Cases and Materials (CUP 2014).
76
Art 40 TEU:
The implementation of the common foreign and security policy shall not affect the
application of the procedures and the extent of the powers of the institutions laid down by the
Treaties for the exercise of the Union competences referred to in Articles 3 to 6 of the Treaty
on the Functioning of the European Union.
Similarly, the implementation of the policies listed in those Articles shall not affect the
application of the procedures and the extent of the powers of the institutions laid down by the
Treaties for the exercise of the Union competences under this Chapter.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
19 / Date: 25/3
JOBNAME: Tsagourias PAGE: 22 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
matters laid down in Article 40 as well as the review of the legality of the external
restrictive measures laid down in Article 275(2) TFEU (art 24(1) TEU).77
Will Article 40 help in deciding on the correct legal basis for a cybersecurity
measure? And, perhaps more importantly, does the establishment of the correct legal
basis help in creating a consistent body of cybersecurity law? The landmark case on the
choice between a CFSP/CSDP and another legal basis is ECOWAS (or Small Arms and
Light Weapons).78 In the event, the Court found that by using a CFSP Decision on the
EU support to Economic Community of West African States (ECOWAS) in the fight
against the proliferation of small arms and light weapons (SALW), the Council had
encroached upon the EC competence in the field of development cooperation, thus
violating the provisions of Article 47 TEU (now art 40 TEU). While Article 47 revealed
a clear priority for a non-CFSP legal basis in case of a conflict, current Article 40 does
not make that choice and simply leads to the rule that in adopting CFSP/CSDP
decisions the Council should be aware of the other external policies, and vice versa.
Despite its ‘balanced’ approach, Article 40 implies that foreign policy measures are
excluded once they would interfere with exclusive powers of the Union, for instance in
the area of Common Commercial Policy. This may seriously limit the freedom of the
Member States in the area of restrictive measures (see below) or the export of ‘dual
goods’ (commodities which can also have a military application).79
The text of Article 40 TEU thus forces the Court to take a different view on the
relationship between CFSP/CSDP and other areas of external action. No longer should
an automatic preference be given to a non-CFSP legal basis whenever this is possible.80
Whereas it has been argued that CFSP may be envisaged as lex generalis while other
external policies, allegedly including other security policies set out in the TFEU, would
amount to lex specialis,81 this would not answer all delimitation problems. Indeed,
cybersecurity offers a prime example of an area where measures may lie at the
77
See more extensively: Hillion (n 71).
78
Case C-91/05 Commission v Council (Small Arms/ECOWAS) [2008] ECR I-3651. See
more extensively Christoph Hillion and Ramses A. Wessel, ‘Competence distribution in EU
external relations after ECOWAS: Clarification or continued fuzziness?’ (2009) 46 C.M.L. Rev.
551–86; as well as Joni Heliskoski, ‘Small arms and light weapons within the Union’s pillar
structure: An analysis of Article 47 of the EU Treaty’ (2008) 33 Eur. L. J. 898; Bart Van Vooren,
‘EU–EC external competences after the Small Arms Judgment’ (2009) 14 E.F.A. Rev. 7; Bart Van
Vooren, ‘The Small Arms Judgment in an age of constitutional turmoil’ (2009) 14(2) E.F.A. Rev.
231.
79
Council Regulation 1334/2000/EC setting up a Community regime for the control of
exports of dual-use items and technology [2000] OJ L159/1; in the meantime replaced by
Council Regulation 428/2009/EC setting up a Community regime for the control of exports,
transfer, brokering and transit of dual-use items [2009] OJ L134/1. Exception was only made for
certain services considered not to come under the CCP competence. For these services (again) a
CFSP measure was adopted: Council Joint Action 2000/401/CFSP concerning the control of
technical assistance related to certain military end-uses [2000] OJ L159/216.
80
See more extensively Hillion (n 71).
81
Cf. Alan Dashwood, ‘Article 47 TEU and the relationship between first and second pillar
competence’ (70–103) and Marise Cremona, ‘Defining competence in EU external relations’ in
Alan Dashwood & Marc Maresceau (eds.), Law and Practice of EU External Relations – Salient
features of a Changing Landscape (CUP 2008) 34-69.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
20 / Date: 25/3
JOBNAME: Tsagourias PAGE: 23 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
crossroads of CFSP and non-CFSP. Yet, parts of the foreseen new cybersecurity rules
relate to cyberdefence, which would need a legal basis in CSDP, a sub-chapter of CFSP.
As argued by Hillion, CSDP is much more specific than CFSP and could perhaps also
be seen as a lex specialis, including its own purposes, particularly in Articles 42 and 43
TEU: ‘Disagreement on the CSDP v TFEU legal basis could thus be solved on the
basis of the traditional ‘centre of gravity’ approach’.82 In relation to the topic of the
present chapter this would imply that decisions which would mainly be dealing with
cyberdefence would find their basis in CSDP. Obviously, this would exclude legislative
measures and the diverging decision-making procedures would preclude combining
cyberdefence with, for instance cybercrime or trade measures in one single decision.
An answer to the question of how to square a comprehensive approach to security
with the diverging procedures for CFSP and non-CFSP issues was given by the Court
of Justice in a case initiated by the European Parliament.83 The case concerns the
signing and conclusion of the Agreement between the EU and the Republic of
Mauritius on the conditions of transfer of suspected pirates and associated seized
property from the EU-led naval force to Mauritius and on the conditions of suspected
pirates after transfer. The European Parliament argued that the chosen legal bases for
the Council Decisions (arts 37 TEU and 218(5) and (6) TFEU), are not correct as the
agreement does not relate exclusively to the CSFP, but also pertains to judicial
cooperation in criminal matters, police cooperation, and development cooperation.
Opting for a CFSP Decision has deprived the European Parliament of the right of
consent it has in relation to the non-CFSP issues in the agreement. The Court held that
– despite the fact that the EP should be kept informed – a CFSP legal basis was
sufficient given the foreign policy context of the operation. Again external and internal
security policies remained separate.84
Overall and from an external perspective, however, the EU’s obsession with the
correct legal basis is not particularly helpful in combining different policy areas. It is,
in particular, the fact that a choice has to be made that may prevent consistent policies
from emerging in cross-cutting areas. As Blockmans and Spernbauer rightfully argue:
the legal dichotomy between the spheres of CFSP and non-CSFP policies, Member State
preferences for a legal basis that provides them with veto ower in decision-making
procedures, the two-way ‘non-contamination clause’ of Article 40 TEU, and the absence of
judicial review from the realm of the CFSP effectively stand in the way of ‘mixing’ EU
measures in cross-over fields of external security action […].85
82
Hillion (n 71).
83
Case C-658/11, European Parliament v Council (ECLI:EU:C:2014:2025).
84
See more extensively: C. Matera and R.A. Wessel, Context or Content? A CFSP or AFSJ
Legal Basis for EU International Agreements – Case C-658/11, European Parliament v Council
(Mauritius Agreement), Revista de Derecho Comunitario Europeo, 2014, pp. 1047–1064. See
also Steven Blockmans and Martina Spernbauer, ‘Legal obstacles to comprehensive EU external
security action’ (2013) 18(4) E.F.A. Rev. 7–24.
85
Blockmans & Spernbauer (n 84) 11.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
21 / Date: 15/5
JOBNAME: Tsagourias PAGE: 24 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
This means that the Court will have quite a task in deciding on the correct legal basis
for security measures, including ones on cybersecurity combining different internal and
external policies.
In a 2012 judgment the Court was given the opportunity to address a similar issue. In
Case C-130/10 European Parliament v Council of the European Union, the European
Parliament challenged a Council Regulation imposing certain specific restrictive
measures directed against certain persons and entities associated with Usama bin
Laden.86 One question is particularly relevant for the present contribution: would it be
possible to combine CSDP decisions (for instance on cyberdefence) with for instance
AFSJ decisions (on cybercrime) or should future decisions (and international agree-
ments) be based on separate parts of the EU Treaties, accepting fragmentation and
possible inconsistencies? The Court held that EU restrictive measures (sanctions)
related to CFSP should be based on Article 215 TFEU and not on Article 75 TFEU
(relating to AFSJ) as argued by the European Parliament. A key argument seemed to be
that these anti-terrrorism measures are so much part of the Union’s external action that
not placing them in the framework of CFSP would in fact render the latter policy area
redundant in relation to anti-terrorism. And, following the AG’s Opinion in the
Mauritius case mentioned above, an additional argument could be that these are not
stand-alone measures, but that they form part of a global scheme in which also other
international organisations – notably the UN Security Council – play a role.
While this case was about anti-terrorism measures, a similar case could occur in
relation to cybersecurity as another area in which both AFSJ and CFSP/CSDP measures
are (planned to be) adopted. While the new treaty rules may provide some indication of
the correct legal basis, the wide variation in cybersecurity measures will continue to
form an obstacle on the route to a comprehensive and consistent policy in that area.
86
Case C-130/10 Parliament v Council (ECLI:EU:C:2012:472).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
22 / Date: 7/5
JOBNAME: Tsagourias PAGE: 25 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
87
Blockmans & Spernbauer (n 84) 23.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter19 /Pg. Position:
23 / Date: 25/3
JOBNAME: Tsagourias PAGE: 1 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
The end of the Cold War coincided with several strategic decisions of the United States
(US) Government and with technical developments which laid the foundations for the
transformation of the academic research networks, which were mainly geographically
based in the US, into the Internet as it is known today.1 Two decades later, the Internet
is deemed a truly global network, indispensable to political, economic, social and
cultural life in post-industrial States. At the same time, a revival of Cold War metaphors
in the context of cyberspace is perceivable in the media and in political and legal
science.2 Indeed, the perception of cyber security, formerly viewed as an exclusively
technical and organisational challenge, has undergone a strategic shift. Cyber security
* This contribution is based on open source materials only and reflects the personal opinions
of the author.
The present chapter was finalised in December 2013 and does not reflect NATO’s Enhanced
Cyber Defence Policy endorsed in June 2014. For information on the new policy see NATO,
‘Cyber Defence’ <http://www.nato.int/cps/en/natohq/topics_78170.htm> accessed 12 October
2014 and NATO, ‘Wales Summit Declaration’ (issued by the Heads of State and Government
participating in the meeting of the North Atlantic Council in Wales, 5 September 2014) paras 72
and 73 <http://www.nato.int/cps/en/natohq/official_texts_112964.htm> accessed 12 October
2014.
1
The US decommissioned the Advanced Research Projects Agency Network (ARPANET),
initially developed by the US Department of Defence for collaboration in the context of
scientific defence research projects (28 February 1990), and disconnected the US Computer
Science Network (CSNET) (October 1991). The US agency National Science Foundation (NSF)
opened the succeeding main network (NSFNET), which subsequently built the backbone of the
Internet, for uses other than academia or education (March 1991). The introduction of the first
World Wide Web service of hyperlinked documents, i.e. websites, by a CERN scientist shaped
the current feature of the net (6 August 1991). See Johann-Christoph Woltag, ‘Internet’ in
Rüdiger Wolfrum (ed.), The Max Planck Encyclopedia of Public International Law [hereafter
MPEPIL] (Oxford University Press 2008, online edition) MN 2 <http://opil.ouplaw.com/home/
epil> accessed 2 December 2013; National Science Foundation, ‘A Brief History of NSF and the
Internet’ (Factsheet, 13 August 2003) <http://www.nsf.gov/news/news_summ.jsp?cntn_id=
103050> accessed 2 December 2013; Vincent Cerf, ‘How the Internet came to be’ (1993)
<http://www.virtualschool.edu/mon/Internet/CerfHowInternetCame2B.html> accessed 2 Decem-
ber 2013; CERN, ‘The birth of the web’ <http://home.web.cern.ch/about/birth-web> accessed 2
December 2013.
2
E.g. Noah Schachtman & Peter W. Singer, ‘The wrong war: The insistence on applying
Cold War metaphors to cybersecurity is misplaced and counterproductive’ (Brookings Institution
Paper, 15 August 2011) <http://www.brookings.edu/articles/2011/0815_cybersecurity_singer_
shachtman.aspx> accessed 2 December 2013; David Singer, ‘In cyberspace, New Cold War’,
426
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
1 / Date: 7/5
JOBNAME: Tsagourias PAGE: 2 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
has become an inherent part of national security, as is evident from the multitude of
national cyber security strategies issued since 2008,3 and thus also a matter of
international peace and security. Consequently, cyber security is currently on the
agendas of many of international and security organizations including the North
Atlantic Treaty Organization (NATO). With the NATO Policy on Cyber Defence of
2008 (revised in 2011), the organization was the first to deal with the challenges of
cyber threats as pertinent to national and international security.
NATO is a collective self-defence alliance with the nature of a politico{military
international organization.4 Emerging in the post{World War II era as a collective
security mechanism, since the end of the Cold War it has evolved into an organization
with a comprehensive definition of security and an almost global outreach through its
partnership programmes. Non-conventional and non-military threats such as cyber
threats were recognized as relevant to the Alliance’s security and play a prominent role
as one of the four5 ‘emerging security challenges’ which the organization is address-
ing.6
These developments are consistent with the broad mandate of NATO as endorsed in
Article 2 of the North Atlantic Treaty of 1949. The provision obliges Member States to
‘contribute toward the further development of peaceful and friendly international
relations’ by, inter alia, ‘promoting conditions of stability’. A broad interpretation of
the organization’s mandate reflects the major changes in the Alliance’s self-perception
since the end of the Cold War;7 it is vindicated in the preamble of the treaty, paragraph
X of which stipulates that NATO Member States:
[…] are determined to safeguard the freedom, common heritage and civilisation of their
peoples, founded on the principles of democracy, individual liberty and the rule of law. They
seek to promote stability and well-being in the North Atlantic area. They are resolved to unite
their efforts for collective defence and for the preservation of peace and security.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
2 / Date: 25/3
JOBNAME: Tsagourias PAGE: 3 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Before elaborating on NATO’s cyber defence endeavours, two important aspects need
to be stated. They refer to the expressions ‘NATO decision’ and ‘NATO operation’,
often used in media and in scholarly writings, which lead to a misperception of the
organisation’s nature and function.
Every decision made within NATO structures is made by consensus among its 28
Member States; NATO never makes decisions. A ‘NATO decision’, as often referred to
in media and academia, reflects the collective will (and compromise) of all 28
sovereign States.8 As a politico-military international organization, the Alliance does
not have legislative or regulatory powers comparable to the supra-national organization
which is the European Union (EU). Thus, the subsequent implementation of the
decisions is also in the hands of the 28 sovereign members.
Secondly, NATO does not generally dispose of troops or military equipment.9 In a
NATO-led military operation Member States, possibly alongside others,10 contribute
military contingents and equipment as necessary for the operation and agreed on within
the organisation. Thus, a ‘NATO operation’ is a military operation conducted by NATO
Member States, possibly with others, in which the political or military decisions are
made within the organization’s structures, and for which the NATO military head-
quarters structure, education and training centres and standardized processes are used.
Against this background it is neither within NATO’s responsibility nor in accordance
with its nature and purpose to build up military ‘offensive cyber capabilities’, as is
sometimes claimed in media and scholarly writings.11
Bearing this in mind, the evolution of cyber defence in NATO, the key aspects of
NATO’s current cyber defence endeavours and the remaining challenges for the
organization will be presented.
8
NATO (n 4).
9
There is one notable exception. NATO owns 17 Boeing E-3A ‘Sentry’ Airborne Warning
and Control System (AWACS) aircraft which provide the Alliance with an immediately available
airborne command and control, air and maritime surveillance and battlespace management
capability. The aircraft are operated at NATO Air Base Geilenkirchen, Germany. See NATO,
‘AWACS: NATO’s “Eye in the Sky”’ (29 July 2014) <www.nato.int/cps/en/natolive/topics_
48904.htm> accessed 28 September 2014.
10
For example, the NATO-led operation ISAF in Afghanistan was supported with troops by
14 non-NATO States, see NATO, ‘ISAF Troop Contributing Nations’ <http://www.nato.int/ISAF/
structure/nations/index.html> accessed 2 December 2013.
11
Jason Healey & Leendert van Bochoven, ‘NATO’s cyber capabilities: Yesterday, today,
and tomorrow’ (Atlantic Council Issue Brief, February 2012) 6f.
12
Alexander Klimburg & Heli Tiirmaa-Klaar, ‘Cybersecurity and cyberpower: Concepts,
conditions and capabilities for cooperation for action within the EU’ (European Union, European
Parliament, Directorate-General for External Policies of the Union, Directorate B, Policy
Department, Study EXPO/B/SEDE/FWC/2009-01/LOT6/09; PE 433.828; April 2011) 24.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
3 / Date: 25/3
JOBNAME: Tsagourias PAGE: 4 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The first malicious cyber activities directed against NATO networks occurred during
Operation Allied Force in Kosovo in 1999. Pro-Serbian hacktivist groups conducted
distributed denial of service attacks which blocked email accounts and disrupted NATO
websites for some days. These experiences led to the implementation of the NATO
Cyber Defence Programme in 2002, sometimes referred to as the ‘Prague Capabilities
Commitment’, as the decisions were made during NATO’s Summit in Prague.
Thereafter the NATO Computer Incident Response Capability (NCIRC) was estab-
lished, which addressed the technical protection of NATO networks.
The malicious cyber activities conducted in 2007 against information and communi-
cations technology (ICT) in Estonia led to a broader understanding of the necessity for
cyber defence, as Estonia requested emergency assistance to protect its digital
infrastructure targeted by hacktivists.13 The need for a policy and doctrine became
apparent and cyber defence entered the political arena of the Alliance.
In 2008, shortly after the events in Estonia, the first NATO Policy on Cyber Defence
was adopted. That policy aimed at bolstering the cyber defence capabilities of NATO’s
own networks and established initial mechanisms for consultations with Member States
on cyber defence issues.14
Malicious cyber activities conducted in 2008 mainly against government and media
websites in Georgia, and which were seemingly coordinated with troop movements of
the Russian Federation in East Ossetia, demonstrated that ‘cyber attacks’ have the
potential to become a major component of conventional warfare.15 The potential threat
to national and Euro-Atlantic security and stability from the use of cyber tools
represented a strategic shift and led to the understanding that the Alliance needed to
strengthen not only the cyber defences of the organization, but those across the Alliance
as a whole.16
Accordingly, NATO Member States recognized in the Strategic Concept for the
Defence and Security of the Members of the North Atlantic Treaty Organisation of
November 2010 that malicious cyber activities ‘can reach a threshold that threatens
national and Euro-Atlantic prosperity, security and stability’.17 In order to assure the
13
Vincent Joubert, ‘Five years after Estonia’s cyber attacks: lessons learned for NATO?’
(NATO Defence College, Research Paper No 76, May 2012) 2; Liina Areng, ‘International cyber
crisis management and conflict resolution mechanisms’ in Katharina Ziolkowski (ed.), Peacetime
Regime for State Activities in Cyberspace. International Law, International Relations and
Diplomacy (NATO CCD COE 2013) 565, 577.
14
Joubert, ibid.
15
NATO, ‘NATO and cyber defence’ <http://www.nato.int/cps/da/natolive/topics_78170.
htm> accessed 2 December 2013.
16
Ibid.
17
NATO, Active Engagement, Modern Defence. Strategic Concept for the Defence and
Security of the Members of the North Atlantic Treaty Organisation (adopted by Heads of State
and Government at NATO, 19–20 November 2010, Lisbon) para. 12 <http://www.nato.int/
strategic-concept/pdf/Strat_Concept_web_en.pdf> accessed 2 December 2013 NATO Strategic
Concept.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
4 / Date: 25/3
JOBNAME: Tsagourias PAGE: 5 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
We will ensure that NATO has the full range of capabilities necessary to deter and defend
against any threat to the safety and security of our populations. Therefore, we will: […]
develop further our ability to prevent, detect, defend against and recover from cyber attacks,
including by using the NATO planning process to enhance and coordinate national cyber-
defence capabilities, bringing all NATO bodies under centralized cyber protection, and better
integrating NATO cyber awareness, warning and response with member nations […].19
The NATO Lisbon Summit declaration, also issued in November 2010, stated the intent
to revise the Alliance’s cyber defence policy by June 2011.20 In March 2011, a NATO
Concept on Cyber Defence was drafted for Defence Ministers, which formed the
conceptual basis of the revised NATO Policy on Cyber Defence.21 On 8 June 2011 a
revised policy, the key aspects of which will be presented in detail below, was approved
and accompanied by a detailed Action Plan for its implementation. The Action Plan is
a living document that is continuously updated to ensure that NATO is at the forefront
of developments in cyberspace and maintains the necessary flexibility to meet the
challenges which they pose.
At the Chicago Summit in May 2012, NATO Member States’ Heads of Government
reaffirmed their commitment to improve the Alliance’s cyber defences by bringing all
of NATO’s networks under centralized protection and implementing a series of
technical and organizational upgrades.22
18
ibid para. 4.a); see also NATO, ‘Defending the networks. The NATO Policy on Cyber
Defence’ (Factsheet, 2011) <http://www.nato.int/nato_static/assets/pdf/pdf_2011_09/20111004_
110914-policy-cyberdefence.pdf> accessed 2 December 2013 (NATO Cyber Defence Policy
Factsheet).
19
NATO Strategic Concept (n 17) para. 19.
20
NATO, Lisbon Summit Declaration (20 November 2010) para. 40 <http://www.nato.int/
cps/en/natolive/official_texts_68828.htm> accessed 2 December 2013.
21
NATO Policy on Cyber Defence Factsheet (n 18).
22
Ibid.
23
NATO Cyber Defence (n 15).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
5 / Date: 7/5
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Council will be appraised of major cyber incidents and ‘attacks’ and will exercise
principal decision-making authority in cyber defence related crisis management.24 The
Defence Policy and Planning Committee, a senior advisory body to the NAC and a key
committee bringing together defence counsellors from all national delegations, provides
Allies’ oversight and advice on the Alliance’s cyber defence efforts at the expert level.25
At the working level, the NATO Cyber Defence Management Board (CDMB)
coordinates cyber defence throughout NATO’s civilian and military bodies. It com-
prises the leaders of the political, military/operational and technical staffs in diverse
NATO headquarters, agencies and other entities with responsibilities for cyber
defence.26 This body operates under the auspices of the Emerging Security Challenges
Division (ESCD) in NATO Headquarters. ESCD was created in 2010 within the
International Staff, thus at the political level, following an initiative by NATO Secretary
General, Anders Fogh Rasmussen. It focuses on cyber defence and three other areas
identified as ‘emerging security challenges’: terrorism, the proliferation of weapons of
mass destruction and energy security.27 The Division brings together various strands of
expertise already present in different parts of NATO Headquarters, providing greater
focus on and visibility of these topics at the political level, and providing NATO with a
strategic analysis capability to monitor and anticipate international developments that
could affect Allied security.28
The NATO Consultation, Control and Command (NC3) Board is the main body for
consultation on the technical and implementation aspects of cyber defence.29 The
NATO Military Authorities (NMA) and the NATO Communications and Information
(NCI) Agency bear specific responsibilities for identifying the statement of the
operational requirements, acquisition, implementation and operation of NATO’s cyber
defence capabilities.30
Through its NCIRC Technical Centre, the NCI Agency is responsible for the
provision of technical and operational cyber security services throughout NATO.31
NCIRC is a two-tier functional capability where the NCIRC Technical Centre consti-
tutes NATO’s principal technical and operational capability and has a key role in
responding to any cyber aggression against the Alliance.32 It processes millions of
security events each day, including serious cases that require immediate follow-up by
cyber defence experts.33 The NCIRC Technical Centre is currently undergoing a €58
24
Ibid.
25
NATO, ‘Defence Policy and Planning Committee’ <http://www.nato.int/cps/en/natolive/
topics_69128.htm> accessed 2 December 2013.
26
NATO Cyber Defence (n 15).
27
NATO, ‘New NATO division to deal with Emerging Security Challenges’ (News, 4 August
2010) <http://www.nato.int/cps/en/natolive/news_65107.htm> accessed 2 December 2013.
28
Ibid.
29
NATO Cyber Defence (n 15).
30
Ibid.
31
Ibid.
32
Ibid.
33
NATO, ‘NATO Cyber Defence’ (Media Backgrounder, October 2013) <http://www.nato.
int/nato_static/assets/pdf/pdf_2013_10/20131022_131022-MediaBackgrounder_Cyber_Defence_
en.pdf> accessed 2 December 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
6 / Date: 25/3
JOBNAME: Tsagourias PAGE: 7 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
The goals and aims of NATO’s cyber defence are preconditioned by the nature and core
tasks of the organization, which are to provide structures, mechanisms and leadership
for collective self-defence and crisis management as decided upon by its Member
34
Ibid.
35
NATO Cyber Defence (n 15). On the EU’s approach to cybersecurity see Wessel (Ch 19 of
this book). On the UN’s approach to cyber security see Henderson (Ch 22 of this book).
36
Ibid.
37
Ibid.
38
NATO Policy on Cyber Defence Factsheet (n 18).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
7 / Date: 25/3
JOBNAME: Tsagourias PAGE: 8 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
States.39 In order to fulfil those core tasks, NATO needs to ensure its functionality,
which in the cyber context means maintaining a secure ICT infrastructure on which it
can operate. Consequently, the organization must ensure the availability, integrity and
confidentiality of its communication lines within the organization itself, with its
agencies, its multitude of operational headquarters and temporary missions and with the
capitals of its Member States and partners. This includes encrypted communication
lines for transmission of classified data. ‘NATO’s principal focus is therefore on the
protection of its own communication and information systems.’40 Within the NATO
structure there are currently about 70,000 computers in 58 different locations in 31
States. These computer networks are probed hundreds of times each day.41 Incident
response and mitigation of malicious cyber activities conducted against NATO’s
information infrastructure is the (now centralized) responsibility of NCIRC.
To a degree, NATO and national governmental networks are interconnected. Thus,
security for these national computer systems, which support NATO networks or process
NATO data, also needs to be provided. National networks are, however, within the
sovereignty of the respective Member States. NATO is currently working in
cooperation with Member States to identify critical ICT interdependencies and to
develop minimum standards of cyber defence for the respective national computer
networks.42 The implementation of any cyber defence measures will need to be
undertaken by each sovereign Ally.
The defence of national IT-systems and computer networks remains, as with any
other national defence endeavour, the responsibility of each NATO member. This is
understandable when bearing in mind the nature of NATO. The organization is an
Alliance of 28 sovereign States. Those States bear the primary responsibility for the
defence of their territory and population, and may or may not use NATO and its
structures in cases of self-defence or other crises. The cyber threats faced daily by
Allies are for the most part of non-military nature, and can mostly be classified as
cyber crime including politically motivated cyber crime, or ‘hacktivism’, and cyber
espionage. The countermeasures necessary to deter those threats are civilian in nature
and NATO would certainly not be the appropriate entity to ensure the national cyber
security of its Member States against such threats.
However, malicious cyber activities conducted against the national ICT of Member
States can reach a level threatening the national security of the victim and thus become
relevant to the Alliance’s security. This is especially the case with regard to ICT
supporting national critical infrastructures such as the energy supply system or the
banking system. When requested, NATO will therefore assist its members in achieving
a minimum level of cyber defence to reduce vulnerabilities to national critical
infrastructure.43 This commitment is of major significance when considering the
different levels of sophistication among NATO Member States with regard to the use of
39
Ibid.
40
Ibid [emphasis in the original].
41
NATO, Public Diplomacy Division, ‘Tackling New Security Challenges’ (NATO Briefing
2012) 11.
42
NATO Policy on Cyber Defence Factsheet (n 18); NATO Cyber Defence (n 15).
43
NATO Policy on Cyber Defence Factsheet, ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
8 / Date: 25/3
JOBNAME: Tsagourias PAGE: 9 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
ICT, and the existence and advance of national cyber security frameworks. The Alliance
consists of States ranging alphabetically from Albania to the United States of America,
and displaying major differences in the complexity, use and resilience of national ICT.
As an Alliance is only as strong as its weakest member, the organization is concerned
about the cyber defence level of its members, but less advanced Member States can
only be encouraged to build up a minimum of national cyber security frameworks
within their sovereign areas; NATO can only provide assistance.
Apart from preventive cyber defence measures aimed at strengthening the resilience
of NATO networks and, partly, national networks, NATO also offers its members and
its partners (on a case-to-case basis) a system of cyber crisis management.
NATO offers its members different mechanisms of crisis management, ranging from
diplomatic measures to collective self-defence. Those crisis management mechanisms
also apply to cyber crises. As stated in the Strategic Concept of 2010, the Alliance is
committed to defending the territory and populations of its Member States against all
threats, including emerging security challenges such as cyber threats.44 However,
NATO will maintain strategic ambiguity and flexibility on how to respond to different
types of crises that include a cyber component.45 Some different modalities of cyber
crisis management which NATO offers to its members will be presented below.
The Parties agree that an armed attack against one or more of them in Europe or North
America shall be considered an attack against them all and consequently they agree that, if
such an armed attack occurs, each of them, in exercise of the right of individual or collective
self-defence recognised by Article 51 of the Charter of the United Nations, will assist the
Party or Parties so attacked by taking forthwith, individually and in concert with the other
Parties, such action as it deems necessary, including the use of armed force, to restore and
maintain the security of the North Atlantic area.
In the past, it was debated whether or not this provision applied to malicious cyber
activities. Neither a legal definition nor a universally accepted definition of the term
‘armed attack’ exists, and the term is open to interpretation. NATO Member States
consider that malicious cyber activities can potentially constitute an ‘armed attack’ and
trigger the right to collective self-defence. In the NATO Strategic Concept of 2010 they
declared that ‘[c]yber attacks […] can reach a threshold that threatens national and
Euro{Atlantic prosperity, security and stability’ and committed itself to continuing to
44
Ibid.
45
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
9 / Date: 7/5
JOBNAME: Tsagourias PAGE: 10 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
fulfil its essential core tasks, inter alia, to ‘deter and to defend against […] emerging
security challenges’, including cyber threats.46
Some authors47 assert that the Alliance needs to specify which malicious cyber
activities will likely be deemed to constitute an ‘armed attack’ and judge the lack of
such a declaration as a deficiency of the organization. However, the absence of such a
specification can be considered as a politically wise and therefore favourable option.
Drawing ‘red lines’ with regard to interpretations of key international security terms
such as ‘armed attack’ is not always sensible. Retaining strategic ambiguity may
maintain or support a deterrent effect. Accordingly, there is no ‘check-list’ specifying
the level of tolerance of the 28 Member States with regard to traditional (e.g. kinetic)
military activities directed against an Ally, and thus claiming the necessity of such a
‘check-list’ with regard to malicious cyber activities is unconvincing. Furthermore, the
decision as to whether an armed attack is present will always be highly political and
will never occur outside of a certain political context. Therefore, the determination
whether a certain situation is or is not covered by Article 5 can only be undertaken on
a case-by-case basis after comprehensive consultation between and by consensus of the
organization’s 28 Member States, taking into consideration the political and security
environment as well as all facts and circumstances of the case.
The decision about whether an ‘armed attack’ in the meaning of Article 5 is present
and how the Alliance wants to respond would be determined by Member States on a
submission made by an Ally. The decision will be taken within the organization’s
highest decision-making body, the NAC, and would require consensus between all 28
Allies.48 The attacked Ally would have to request NATO’s assistance, as opposed to a
request directed at an individual Ally outside the organization’s structures. However,
each individual Member State decides which ‘action […] it deems necessary […] to
restore and maintain […] security’ and thus the nature and scope of ‘assistance’ it
desires to grant. Thus, the assistance of an Ally can, in theory, range from a political
statement of condemnation of the attack to deployment of armed forces, according to
the circumstances of the case and the capabilities at the disposal of the assisting Ally.
As, in general terms, (collective) self-defence measures do not need to mirror the
means used by the aggressor, an ‘armed attack’ conducted by cyber means could be
responded to with kinetic military action. However, the assistance granted to an Ally
cannot exceed what the victim State formally requested, but it is likely that the request
and the assistance would be informally agreed on between Allies beforehand.
In the six decades of the Alliance’s history Article 5 has been invoked only once, in
response to the terrorist attacks on 11 September 2001, reflecting the determination of
the Member States, as expressed in the NATO Strategic Concept of 1999, that terrorism
is one of the threats affecting the Alliance’s security. The case was an significant
precedent with regard to the procedural steps which can be of utmost importance in
cases of ‘armed attacks’ conducted by cyber means. Almost immediately after the
terrorist attacks occurred, NATO Member States invoked ‘the principle of Article 5’.
46
NATO Strategic Concept (n 17) para. 12 and 4.a); NATO Policy on Cyber Defence
Factsheet, ibid.
47
Joubert (n 13) 2.
48
NATO Policy on Cyber Defence Factsheet (n 18).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
On 2 October 2001, after a determination that the perpetrators and responsible entities
were ‘extraterritorial’, the decision was confirmed and Article 5 invoked. As malicious
cyber activities will only seldom be immediately attributable to a State, the procedure
used will be invaluable in cases of ‘cyber armed attacks’.
The cyber defence debate should not centre on questions of ‘armed attack’ and
‘self-defence’. Admittedly, some States emphasize the risk of cyberspace transforming
into a new global battlefield,49 and several countries consider cyberspace the fifth
domain of warfare, in addition to land, sea, air and space.50 It is undeniable that several
States have, or are thought to have, offensive cyber capabilities at their disposal or
under development. However, only a very few51 have issued publicly available cyber
security or defence strategies for the military sector, and only one52 directly addresses
offensive cyber activities. In general, States rather emphasize the dependency of the
armed forces on the availability, integrity and confidentiality of ICT and thus cyber
security. The discussion of cyber warfare as perceived in media and scholarly writings
is, to a certain extent, driven by an overestimation of the scope and consequences of
malicious cyber activities, and by an underestimation of the technical expertise,
operational sophistication and development time required to launch a ‘cyber attack’.
Questions of the complexity and accessibility of potential target computer systems are
widely disregarded.53 As the vast majority of the current malicious cyber activities are
49
E.g. the Chinese statement at the United Nations General Assembly, noting that the
‘international community […] must work to prevent the information space from becoming a
“new battlefield”’, UN Doc A/DIS/3467 (1 November 2012); Sergey Fedosov, ‘Statement by the
Russian participant at the UNIDIR Cyber Security Conference (Conference “What does a stable
cyber environment look like?”’, UNIDIR, Geneva, 8–9 November 2012) <http://www.unidir.ch/
files/conferences/pdfs/pdf-conf1922.pdf> accessed 30 November 2013; Noah Schachtman,
‘Darpa looks to make cyberwar routine with secret “Plan X”’ (Wired, 21 August 2012)
<http://www.wired.com/dangerroom/2012/08/plan-x/> accessed 30 November 2013.
50
E.g. United States of America, ‘Department of Defense Strategy for Operating in
Cyberspace’ (July 2011) 5; The Netherlands, Ministry of Defence, ‘The Cyber Defence Strategy’
(June 2012) 4; Japan, Ministry of Defence, ‘Toward Stable and Effective Use of Cyberspace’
(September 2012) 3.
51
These are Russia, the US, the Netherlands and Japan. See Russian Federation, Ministry of
Defence, ‘Conceptual Views Regarding the Activities of the Armed Forces of the Russian
Federation in the Information Space’ (2011, unofficial translation) 4ff <http://www.ccdcoe.org/
strategies/Russian_Federation_unofficial_translation.pdf> accessed 2 December 2013 (see, for
example, the definitions of military conflict in information space, information war and
information weapons); United States of America (n 50) 5 (‘Given its need to ensure the ability to
operate effectively in cyberspace and efficiently organize its resources, DoD established U.S.
Cyber Command (USCYBERCOM) […]’); The Netherlands (n 50) 11 (‘Focal Point 3:
Offensive’); Japan (n 50) 4 (‘The MOD and SDF [Self Defence Forces] must aim to acquire
cutting-edge capabilities in cyberspace just as they do for other domains in order to fulfil its
missions such as national defense.’).
52
The Netherlands ibid.
53
John B. Sheldon, ‘Achieving mutual comprehension: why cyberpower matters to both
developed and developing countries’ in Kerstin Vignard (ed.), Confronting Cyberconflict
(UNIDIR Disarmament Forum Series 2011/4) 41; Tom Gjelten, ‘Is all the talk about cyberwar-
fare just hype?’ GBP News (15 March 2013) <http://www.gpb.org/news/2013/03/15/is-all-the-
talk-about-cyberwarfare-just-hype> accessed 2 December 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
(ii) Consultation
Another mechanism of crisis management which NATO offers to its members is
consultation according to Article 4 of the North Atlantic Treaty which states: ‘The
Parties will consult together whenever, in the opinion of any of them, the territorial
integrity, political independence or security of any of the Parties is threatened.’ Informal
or formal consultations occur constantly on different topics and at all levels of the
organization’s structure; they are an indispensable preparatory step for all decision-
making within the organization, which is by consensus. Article 4 refers to consultations
between NATO Member States within the NAC, i.e. the highest political level, with
regard to national security issues of utmost importance. This formal consultation
process reinforces the Alliance’s political dimension and gives NATO an active role in
preventive diplomacy by providing the means to help avoid military conflict.55
In the history of the Alliance, Article 4 has been invoked only three times, each time
by Turkey: in February 2003 in response to a threat to its population or territory
resulting from the armed conflict in neighbouring Iraq, and twice in 2012 after one of
Turkey’s fighter jets was shot down by Syrian air defence forces and five Turkish
civilians were killed by Syrian shells.56 In both situations NATO agreed to deploy
troops and equipment.57
The malicious cyber activities directed against some networks located in Estonia in
2007 led to the adoption of the first NATO Policy on Cyber Defence and raised
awareness within the Alliance with regard to cyber threats, but did not trigger Article 4
consultations; although the malicious cyber activities were discussed in the NAC,
Article 4 was not invoked. At such a high political level, procedural steps are not
omitted by accident. It is likely that the possibility of invoking Article 4 was discussed
informally within diplomatic circles after enquiries by Estonia, and the decision not to
use Article 4 was a cognizant political choice. The incidents were taken seriously and
were discussed at the highest political decision-making level, but not invoking Article 4
54
E.g. Ryan Singel, ‘White House Cyber Czar: “There is no cyberwar”’, Wired Magazine (4
March 2010) <http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/> accessed 2
December 2013; Myriam D. Cavelty, ‘The militarisation of cyber-space: Why less may be better’
in Christian Czosseck, Rain Ottis and Katharina Ziolkowski (eds.), Proceedings of the 4th
International Conference on Cyber Conflict (NATO CCD COE 2012) 141; Mary E. O’Connell,
‘Cyber security without cyber war’ (2012) 17(2) J. Conflict & Sec. L. 187, 195–8; Thomas Rid,
‘Cyber war will not take place’ (2012) 35(1) J. of Strategic Studies 5.
55
NATO, ‘The consultation process and Article 4’ <http://www.nato.int/cps/en/natolive/
topics_49187.htm> accessed 2 December 2013.
56
Ibid.
57
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
12 / Date: 25/3
JOBNAME: Tsagourias PAGE: 13 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
showed that neither Estonia nor the Alliance considered the incidents to threaten
Estonia’s national security.
The events, although gaining much media and subsequent scholarly attention, in a
way creating a ‘cyber war hype’, did not have damaging effects on a scale and intensity
which would threaten Estonia’s national security. The denial of service attacks targeted
some computer networks supporting critical infrastructure in the highly ‘wired’ State,
however, in a ‘surgical’ and temporally limited way; for example, the online services of
two banks were interrupted during the campaign on three occasions for between one
and a half and two hours.58 Some disruptions of other services such as online news
services and defacement of a political party’s website also occurred.59 Impairment of
the communications of emergency services was not reported. All in all, the situation,
possibly also due to effective cyber defence measures undertaken by the State and the
‘international cyber security community’, could be deemed a nuisance rather than a
threat to national security.
58
Eneken Tikk, Kadri Kaska & Liis Vihul, International Cyber Incidents: Legal Consider-
ations (NATO CCD COE 2010) 22.
59
Ibid. 20–23.
60
NATO, ‘Euro-Atlantic Disaster Response Coordination Centre (EADRCC)’ <http://www.
nato.int/cps/en/natolive/topics_52057.htm> accessed 2 December 2013.
61
Ibid.
62
Areng (n 13) 575.
63
Ibid. 575.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
13 / Date: 25/3
JOBNAME: Tsagourias PAGE: 14 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
64
Ibid. 576.
65
Ibid.
66
Ibid.
67
NATO Policy on Cyber Defence Factsheet (n 18).
68
NATO Cyber Defence (n 15).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
14 / Date: 25/3
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
the NATO Parliamentary Assembly, said in 2011: ‘The less advanced NATO nations
must realize that in the cyber domain there cannot be a free ride.’69
By the end of 2013, as far as is publicly known, two RRTs were being set-up but had
yet to be deployed.70 In practical terms, it seems rather illusory that an RRT would be
granted access to critical IT infrastructure of a nation and provide technical ‘hands-on’
assistance. First, only the IT personnel of the targeted computer network will know the
architecture, applications and other peculiarities of the network and be able to
undertake technical changes in order to defend it. Second, it seems likely that a
sovereign State will not be willing to share information about the architecture and
details of such networks with outsiders. Thus, the support of the RRT would probably
consist of general consultations and recommendations.
Apart from assistance in cases of malicious cyber activities, NATO is committed to
providing assistance to individual Allies to improve the cyber defence of its national
critical infrastructure systems.71 The nature of the assistance will depend on the
individual request of and the cyber security situation in the particular country. Thus, it
is not clear how far the assistance will reach in each individual case. Any decisions in
this respect will be made within the organization’s highest political levels, and it can be
assumed that the assistance would probably consist mainly of consultations, and the use
of common funds to, for example, build up the technical level of cyber defence would
be vetoed.
Much of the time NATO provides ‘soft’ assistance to its Member States and Partners
through projects aimed at supporting nations in strengthening the national cyber
security and resilience. It offers opportunities for technical cyber defence exercises, and
supports research, training and education to develop the necessary expertise to
complement the related technology.72
Since 2008 NATO has organized an annual three-day cyber exercise named ‘Cyber
Coalition’. It is a technical exercise on the level of Computer Emergency Response
Teams (CERTs) focusing on defending own networks against intrusion. The exercise
aims to train technical personnel and their leadership, and to test the ability of Allies
and partners to coordinate their actions and cooperate in warding off multiple simulated
‘cyber attacks’.73 In 2013 more than 30 Nations were involved, with about 380 cyber
defence experts participating from their home countries. The participants were drawn
from national armed forces, law enforcement and relevant ministries, as well as from
civilian and military staff at NATO headquarters. In line with the commitment to
cooperation with NATO partner countries and other international organizations, five
69
NATO Parliamentary Assembly, Lord Jopling (United Kingdom), General Rapporteur,
‘Information And National Security’ (Draft Report, 21 April 2011) para. 56.
70
NATO Cyber Defence – Media Backgrounder (n 33).
71
NATO Policy on Cyber Defence Factsheet (n 18).
72
See for more information NATO Cyber Defence (n 15).
73
NATO, ‘NATO holds annual cyber defence exercise’ (NATO News, 26 November 2013)
<http://www.nato.int/cps/en/natolive/news_105205.htm> accessed 2 December 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
15 / Date: 25/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
74
NATO, ‘NATO conducts annual crisis management exercise (CMX) and cyber coalition
exercise’ (Press release [2012] 131 of 31 October 2012) <http://www.nato.int/cps/en/natolive/
news_91115.htm?mode=pressrelease> accessed 2 December 2013.
75
NATO CCD COE, ‘Exercises, Locked Shields’ <https://www.ccdcoe.org/401.html>
accessed 2 December 2013.
76
NATO CCD COE, ‘Cyber defence exercise Locked Shields 2013’ (After Action Report,
2013) 41f <http://www.ccdcoe.org/publications/LockedShields13_AAR.pdf> accessed 2 Decem-
ber 2013.
77
NATO Cyber Defence (n 15).
78
NATO CCD COE, ‘Training’ <http://www.ccdcoe.org/236.html> accessed 3 November
2013.
79
NATO CCD COE, ‘International Law of Cyber Operations Seminar’ <http://www.
ccdcoe.org/352.html> accessed 3 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
16 / Date: 25/3
JOBNAME: Tsagourias PAGE: 17 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
NATO ACT. Within its headquarters, specific working groups focus on the topic of
cyber defence, producing research papers intended to enhance the cyber defence
endeavours of the organization and Member States.
NATO’s Science for Peace and Security Programme, ‘a policy tool for enhancing
cooperation and dialogue with all partners, based on civil science and innovation, to
contribute to the Alliance’s core goals and to address the priority areas for dialogue and
cooperation identified in the new partnership policy’80 focuses on ‘emerging security
challenges’, including cyber threats. With the support of this programme, in 2012
NATO CCD COE published a National Cyber Security Framework Manual 81 to
support NATO Member States and partner nations in building up a framework of
political documents, laws and regulations, organizational an administrative measures,
communication and crisis management procedures, and technical protection measures
in order to improve the ability to appropriately address cyber threats.
NATO CCD COE also supports education and training endeavours by organizing an
annual International Conference on Cyber Conflict (CyCon), by supporting NATO
ACT, and by publishing research papers and publications such as the recent ‘Peacetime
Regime for State Activities in Cyberspace. International Law, International Relations
and Diplomacy’.82 This volume offers, inter alia, an interpretation of public inter-
national law with regard to the rights and obligations of States in the cyber realm
during peacetime. The topics covered range from the notion of territorial sovereignty in
cyberspace through international aviation, space and economic law restrictions to
matters of State responsibility.
As cyber threats transcend State borders and organizational boundaries, the NATO
Policy on Cyber Defence also stresses the need for cooperation of the Alliance with
NATO partner countries.83 NATO Member States reinforced the importance of inter-
national cooperation by stating in the Chicago Summit Declaration of 2012 that ‘[t]o
address the cyber security threats and to improve our common security, we are
committed to engage with relevant partner countries on a case{by{case basis […] in
order to increase concrete cooperation’.84
Since the 1990s NATO has established several cooperation programmes with NATO
non-Member States. Those are the Partnership for Peace programme (22 States,
including Russia), the Mediterranean Dialogue (seven States), the Istanbul Cooperation
80
See NATO, ‘Science for Peace and Security Programme’ <http://www.nato.int/cps/en/SID-
51871B1B-CD538A0D/natolive/topics_85373.htm?> accessed 8 August 2013.
81
Alexander Klimburg (ed.), National Cyber Security Framework Manual (NATO CCD
COE 2012).
82
Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace. Inter-
national Law, International Relations and Diplomacy (NATO CCD COE 2013).
83
NATO Cyber Defence (n 15).
84
NATO, Chicago Summit Declaration (issued by the Heads of State and Government
participating in the meeting of the North Atlantic Council in Chicago on 20 May 2012) para.
49 <http://www.nato.int/cps/en/SIDD03EFAB6-46AC90F8/natolive/official_texts_87593.htm?
selectedLocale=en> accessed 2 December 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
17 / Date: 25/3
JOBNAME: Tsagourias PAGE: 18 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Initiative (four States), Membership Action Plan (three States) and the Individual
Partnership Cooperation Programme (six States). Cooperation is based on documents
which detail the political guidance agreed by NATO Member States as to the goals and
possibilities of cooperation in the cyber realm. Such cooperation will be based on
shared values and common approaches and could encompass awareness-raising
activities and sharing of best practices. The details of the cooperation are decided on in
each case at the highest political level of the organization. Although NATO views its
partner-outreach in global terms, the cooperation with regard to cyber defence is
currently, by nature, limited to those partner countries which can contribute and thus
offer mutual benefit. Importantly, NATO endeavours within its cooperation with
partners to promote complementarity and not to duplicate efforts already undertaken
within other international organisations.
The cooperation in the context of cyber defence and security is also envisioned with
other international organizations, with academia and with industry.85 Cooperation with
the EU seems especially important, as the organizations have a significant overlap in
membership. Because of the different foci of the organizations, many opportunities for
complementarity can be identified and duplication of effort avoided. However, the
cooperation seems to be challenged by political aspects. High-Level Staff Talks have
been conducted in the past and were renewed mid 2013 following the publication of the
EU cyber security strategy. The EU was invited to the ‘Cyber Coalition’ exercise of
NATO as an observer, and an invitation from side of EU to their cyber exercises is to be
expected. Those are first promising steps.
Developing genuine partnerships with industry, which owns approximately 80 per
cent of the Internet infrastructure worldwide, is widely recognized as vital in ensuring
effective cyber defence both across the Alliance and also for the organization.86 In 2012
the NATO Industrial Advisory Group (NIAG), a high-level consultative body of senior
industrialists from NATO Member States, examined how the private sector could best
assist NATO in carrying out its responsibilities for cyber defence, particularly with
regard to the organization’s role in assisting Member States which are victims of
malicious cyber activities.87 In 2013 and 2014, the NIAG conducts an in-depth study of
actions NATO should take in collaboration with industry to facilitate NATO cyber
defence during crises.88
85
NATO Cyber Defence (n 15).
86
Ibid.
87
Ibid.
88
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
18 / Date: 8/5
JOBNAME: Tsagourias PAGE: 19 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
can decide to keep rare IT and cyber defence talent within their own national structures.
Second, in times of economic crisis, NATO is not immune to financial austerity. It is
unclear how the concept of ‘smart defence’ – cooperation between Allies in developing,
acquiring and maintaining military capabilities known as pooling and sharing – will
apply in the cyber defence arena. The Malware Information Sharing Platform (MISP),
which will be developed by Belgium, seems a rather peculiar project. The Belgian
national platform is already shared with some nations and with the NCIRC. A legal
framework for mutual sharing of information about malware is still to be developed,
and sharing information about malware discovered in a nation’s own national networks
will certainly be voluntary. Allies will also seek to receive information from their
industry; an illusory idea but the only one that could lead to the creation of a joint
cyber threat picture for the Alliance.
NATO is also facing challenges specific to the organization. The 28 NATO Member
States show an enormous variation in the sophistication and use of the cyber realm. The
differences are set out in the national cyber security frameworks which are in place or
missing, usually addressing strategic and political decisions on cyber security; laws and
regulations; organizational and administrative measures, including communication and
crisis management procedures; and technical protection measures. That diversity is
mirrored in the different levels of national cyber defence capabilities and in the interest
of the Member States toward cyber defence. Consequently, taking any decision on the
topic within the organization is a challenge and implementation can be hampered by a
lack of interest or capability. NATO does conduct some ‘soft’ programmes aiming at
building up the cyber defence capabilities of the less ‘cybered’ Member States, as the
Alliance can be only as strong as its weakest member. However, it seems this support
will not result in providing a ‘free ride’ for the less developed members in terms of, for
instance, building up national IT structure and cyber security framework by using
common funding, or with regard to providing cyber defence through the organization
instead of the member. National cyber defence is determined within the NATO policy
as the individual responsibility of each Ally. The differences in cyber defence
sophistication equally present a challenge for cooperation with partner nations.
Cooperation cannot be one-sided, but must be of mutual benefit to all parties involved.
As only some partner nations show both a level of sophistication and common values,
only a minority of NATO partners will be eligible for cooperation in cyber security or
cyber defence.
Meaningful cooperation with industry would require information sharing between the
organization and the companies, which should also be mutually beneficial. This would
require all NATO Member States to agree on information sharing possibilities, which
would consider national security interests and the security interests of the Alliance as
well as national regulations with regard to sharing of governmental information.
Considering the different interests and legal frameworks of the 28 members, this will
be a considerable challenge.
NATO’s comprehensive and multi-stakeholder approach to cyber defence govern-
ance, and the necessary implementation of cyber defence across all the levels and
entities of the Alliance, could impair the ability of governing bodies to take quick
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
19 / Date: 25/3
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
decisions in cyber crisis situations.89 Any further insight and lessons learned with
regard to this aspect must be left to future developments.
Despite all the challenges NATO faces with regard to the complex topic of cyber
defence, the organization can be deemed relatively advanced when compared to other
international organizations dealing with international security issues. NATO was the
first international organization to deal with cyber threats and the mechanisms which the
organization offers can, despite appearances, prove very effective. The organization has
a good and solid crisis management system which can be used in situations of cyber
crisis. The future practice of NATO and its Member States will show in which aspects
the Alliance needs to adapt its mechanisms in order to provide effective cyber defence.
The organization has proved, since its establishment in 1949, that it is able to swiftly
adapt to new security environments, and it has good prospects to build up and improve
the existing crisis management mechanisms and the ‘hands-on’ as well as ‘soft’
assistance it is prepared to provide its members and partner countries.
However, the cyber security environment of the Alliance as a whole depends on the
national cyber security situation and cyber defence capabilities of its members. In this
regard, much remains to be done.
89
See Areng (n 13) 578.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter20 /Pg. Position:
20 / Date: 25/3
JOBNAME: Tsagourias PAGE: 1 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
Cyber threats have been characterised as the Asia-Pacific’s chief security problem.1 As
Information and Communications Technology (ICT) dependence has continued to
permeate Asia-Pacific societies, the significance of securing cyberspace has increas-
ingly been recognised by regional authorities. Though efforts remain at ‘varying levels
of maturity’,2 the development and implementation of domestic cyber security strat-
egies has become a top priority for many Asia-Pacific nations. A number of countries in
the region have already adopted new cyber security policies, including Australia,3
Japan,4 Malaysia,5 Singapore,6 and the New Zealand.7 The rapidly increasing sophis-
tication, diversity and ingenuity of cyber threats in the region has meant that such
policies must remain dynamic and responsive; hence, for example, experts called for an
update to the Australian Government’s 2009 Cyber Security Strategy as a matter of
urgency,8 and the government itself acknowledged the importance of responsive
approaches to malicious cyber actors who are adaptive and agile.9
1
See, e.g., Robert K. Ackerman, ‘Diverse Pacific Nations share concerns’ (2011) 65(5)
Signal 59, 62.
2
James A. Lewis, ‘Asia: The Cybersecurity Battleground’ (Statement before the Sub-
committee on Asia and the Pacific, House Foreign Affairs Committee, US Congress, Washing-
ton, 23 July 2013) 6.
3
Commonwealth of Australia, ‘Cyber security strategy’ (2009) <http://www.ag.gov.au/
RightsAndProtections/CyberSecurity/Documents/AG%20Cyber%20Security%20Strategy%20-%
20for%20website.pdf> accessed 20 November 2013.
4
Japanese Government Ministry of Defence, ‘Defence of Japan 2013’ (2013) 80 <http://
www.mod.go.jp/e/publ/w_paper/2013.html> accessed 28 November 2013; Japanese Government
Information Security Policy Council, ‘Cyber security strategy’ (2013) <http://www.nisc.go.jp/
active/kihon/pdf/cybersecuritystrategy-en.pdf> accessed 28 November 2013.
5
Malaysian Government Ministry of Science, Technology and Innovation, ‘National
cyber-security policy’ (2006) <http://nitc.mosti.gov.my/nitc_beta/index.php/national-ict-policies/
national-cyber-security-policy-ncsp> accessed 22 November 2013.
6
Infocomm Development Authority of Singapore, ‘Singapore continues to enhance cyber
security with a five-year national cyber security masterplan 2018’ (Press Release, 24 July 2013).
7
New Zealand Government Department of Communications and Information Technology,
‘New Zealand’s cyber security strategy’ (June 2011) <http://www.dpmc.govt.nz/dpmc/
publications/nzcss> accessed 22 November 2013.
8
See Peter Jennings & Tobias Feakin, ‘Special Report: The emerging agenda for
cybersecurity’ (Australian Strategic Policy Institute, 29 July 2013).
9
Australian Government Department of the Prime Minister and Cabinet, ‘Strong and
secure: A strategy for Australia’s national security’ (2013) 40–41 <http://www.dpmc.gov.au/
national_security/docs/national_security_strategy.pdf> accessed 28 November 2013.
446
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
1 / Date: 7/5
JOBNAME: Tsagourias PAGE: 2 SESS: 7 OUTPUT: Mon May 18 10:36:31 2015
With the majority of the world’s Internet users residing in the Asia-Pacific,10 cyber
security in this region is an issue that demands close scrutiny. According to analysis by
the Organisation for Economic Co-operation and Development (OECD), most domestic
cyber security policies focus on achieving two interconnected objectives: ‘strengthening
cyber security for the Internet economy to further drive economic and social prosperity;
and protecting cyber-space reliant societies against cyber-threats’.11 Therefore, it is in
the best interests of States to promote regional cooperation, as the growing regional
dependence on ICT infrastructure and various opportunities heralded by the digital age
mean that countries ‘now have a large stake in a … stable and secure internet’.12 This
chapter reviews cyber security policy initiatives by regional institutions in the Asia-
Pacific with a view to considering how regional cyber security efforts are hampered by
interaction with traditional security challenges that confront many States in the region.
10
922.2 million of the 2.1 billion Internet users around the world are located in Asia:
European Commission (EC), ‘Commission Staff Working Document: Impact Assessment
accompanying the document – Proposal for a Directive of the European Parliament and of the
Council concerning measures to ensure high level of network and information security across the
Union’ (SWD(2013) 32 final, 7 February 2013) 147 <http://eeas.europa.eu/policies/eu-cyber-
security/cybsec_impact_ass_en.pdf> accessed 28 November 2013.
11
OECD, ‘Cybersecurity policy making at a turning point: Analysing a new generation of
national cybersecurity strategies for the Internet economy’ in OECD Digital Economy Papers
(No. 211, OECD Publishing 2012) 6.
12
Australian Government, ‘Australia in the Asia Century’ (White Paper, October 2012) 238
<http://www.asiaeducation.edu.au/verve/_resources/australia-in-the-asian-century-white-paper.
pdf> accessed 28 November 2013.
13
See generally, Robert K. Ackerman, ‘Cyber security dominates Asia-Pacific agenda’
(2011) 65(5) Signal 59; Nicholas Rees, ‘EU and ASEAN: Issues of regional security’ (2010) 47
Int’l. Politics 402.
14
See OECD (n 11) 7.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
2 / Date: 15/5
JOBNAME: Tsagourias PAGE: 3 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
cyber security as threats to their ‘national security’.15 For example, Australia’s 2009
and 2013 Defence White Papers recognise that malicious cyber activity could compro-
mise national security if directed towards ‘defence, government or commercial infor-
mation networks’.16 In light of this, the 2013 Defence White Paper emphasises the need
to develop capabilities that will allow the Australian Defence Force ‘to gain an
advantage in cyberspace, guard the integrity of our information, and ensure the
successful conduct of operations’.17 Similarly, New Zealand’s Cyber Security Strategy,
adopted in 2011, notes that a targeted cyber attack could disrupt critical services,
negatively impact the national economy, and ultimately endanger the security of the
State.18 Japan’s 2013 Cyber Security Strategy envisages the strengthening of its
Self-Defence Force’s ability to counter cyber attacks, as part of its goal to create a
‘resilient’ cyberspace,19 and South Korea views cyberspace as ‘another operational
domain like the nation’s territories on land, air and sea that need a State-level defense
system’.20 Indonesia is reportedly developing a ‘cyber army’ to tackle its own cyber
insecurities.21
These national security approaches to cyber security are tethered to the pre-existing
geopolitical conditions that shape each State’s national defence strategies, and even
have the potential to unnecessarily increase regional security tensions. The unique
characteristics of offensive cyber tools – for example, unlimited geographical coverage
of attacks and the difficulty of identifying the attacker – make them an attractive option
to achieve strategic objectives in disguise.22 As Ackerman notes, ‘[t]raditional area
geopolitical rivalries are enhanced by the potential for cyber operations, and nations
once secure behind rugged borders or vast bodies of water now face potential threats to
their national infrastructure through a realm that knows no borders’.23 Indeed, regional
States, particularly the US, have expressed growing concerns about increased ‘cyber
intrusions … tied to the Chinese government and military’ in the region.24 Regional
15
See generally, Michael Portnoy & Seymour Goodman (eds.), Global Initiatives to Secure
Cyberspace: An Emerging Landscape (Springer 2009).
16
Australian Government Department of Defence, ‘Defence White Paper 2013’ (2013)
para. 2.82 (Australian Defence White Paper 2013) <http://www.defence.gov.au/whitepaper2013/
docs/WP_2013_web.pdf> accessed 28 November 2013.
17
Ibid.
18
New Zealand’s ‘Cyber security strategy’ (n 7).
19
Japanese ‘Cyber security strategy’ (n 4). See also ‘Defence of Japan’ (n 4) 80.
20
Lee Youkyung, ‘S. Korea charts out national cyber security strategy’ Yonhap News
Agency (Online, 8 August 2011) <http://english.yonhapnews.co.kr/techscience/2011/08/08/45/
0601000000AEN20110808006500320F.HTML> accessed 20 November 2013.
21
See Abu Hanifah, ‘Indonesia to create its own “cyber army”’ Xinhua News Agency
(Online, 29 May 2013) <http://news.xinhuanet.com/english/world/2013-05/29/c_132416837.
htm> accessed 20 November 2013.
22
This raises an issue of attribution under international law. See, e.g., Nicholas Tsagourias,
‘Cyber attacks, self-defence and the problem of attribution’ (2012) 17 J. Conflict & Sec. L. 229.
23
Ackerman (n 13) 59.
24
International Institute for Strategic Studies, ‘The Shangri-La Dialogue Report 2013’ (8
August 2013) 20, quoting United States Secretary of Defense Chuck Hagel <http://www.iiss.org/
en/publications/conference%20proceedings/sections/shangri-la-aa36/the-shangri-la-dialogue-2013-
395b> accessed 28 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
3 / Date: 7/5
JOBNAME: Tsagourias PAGE: 4 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
25
James A. Lewis & Katrina Timlin, ‘Cybersecurity and cyberwarfare: Preliminary
assessment of national doctrine and organization’ (Centre for Strategic and International Studies,
2011) 6, 8–9, 13, 16, 18.
26
Ubaidillah Masli, ‘Cooperation needed on cybersecurity’, The Brunei Times (Brunei-
Muara, 24 May 2013) A01, quoting Colonel (Rtd) Pg Dato Paduka Hj Azmansham Pg Hj
Mohamad, speaking at the opening of the 10th ASEAN Regional Forum Security Policy
Conference. See also, Council of Security Cooperation in the Asia Pacific (CSCAP), ‘Ensuring
a safer cyber security environment’ (Memorandum No 20, 2012).
27
Nicholas Thomas, ‘Cyber security in East Asia: Governing anarchy’ (2009) 5 Asian
Security 3, 4.
28
See, e.g., Caitríona H. Heinl, ‘Regional cyber security: Moving towards a resilient
ASEAN cyber security regime’ (Working Paper No 263, S Rajaratnam School of International
Studies, 9 September 2013) 7.
29
See, e.g., Kwon Haeryong, ‘The ARF perspectives on TCBMs: Future work’ (Presented
at United Nations Institute for Disarmament Research Cyber Security Conference, Geneva, 8–9
November 2012).
30
Chinese Assistant Foreign Minister, Zheng Zeguang, quoted in Tobias Feakin, ‘ARF, and
how to change the tune of the cyber debate’, The Strategist (14 October 2013) <http://
aspistrategist.org.au/arf-and-how-to-change-the-tune-of-the-cyber-debate/> accessed 20 Novem-
ber 2013.
31
‘Australia in the Asian Century’ (n 12) 238.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
4 / Date: 7/5
JOBNAME: Tsagourias PAGE: 5 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Third, cyber security threats might emanate not just from nation States and
State-sponsored actors, but also from non-State actors, such as terrorist groups and
individuals.32 Contemporary cyber threats emerge in a multitude of forms and reflect a
range of motivations, from moneymaking to cyber espionage, sabotage, destabilisation,
and other strategic and tactical military advantages. Indeed, concerns have more
recently been raised over the growing threat of cyber intrusion by organisations, as
opposed to individual hackers.33 In addition, the increasing volume, complexity,
seriousness, and professionalism of such attacks further complicate any efforts to
secure and stabilise cyberspace.
The transnational nature of cyber security threats means that mere unilateral
responses and countermeasures are ineffective. This is particularly problematic in a
region like the Asia-Pacific where, as Nicholas Rees explains, ‘there are a number of
weak states with limited political and institutional capacity to address [cross-border]
threats’.34 Thus, transnational cyber security concerns have increasingly become focal
points of key regional bodies, particularly Association of Southeast Asian Nations
(ASEAN), its ASEAN+ progenies, the ASEAN Regional Forum (ARF), and the
Asia-Pacific Economic Cooperation (APEC).35
Ultimately, the ‘digital divide’ and the lack of homogeneity amongst Asia-Pacific
nations, not just economically but also politically and socio-culturally, poses a
challenge to the ability of regional forums and institutions to galvanise members into
collective action against cyber security threats.36 However, this disparity can also be
considered an advantage within the regional framework, as it means that developing
countries can work within and seek assistance and guidance from regional institutions
in overcoming inadequacies in ICT capacity and meeting challenges posed by cyber
security threats from the outset.37 As the Council for Security Cooperation in the
Asia-Pacific stresses, holistic domestic cyber security policies and regional collective
measures of cooperation comprise the two essential measures required to ‘maximise
protection against cyber threats and also maximise the regional benefits of the digital
32
See Thomas (n 27) 5.
33
See, e.g., Voltaire Gazmin, ‘New trends in Asia-Pacific security’ (Speech delivered at the
Asia Security Summit, Shangri-La Hotel, Singapore, 2 June 2013) <http://www.iiss.org/en/
events/shangri%20la%20dialogue/archive/shangri-la-dialogue-2013-c890/fourth-plenary-session-
0f17/gazmin-1599> accessed 20 November 2013.
34
Rees (n 13) 408.
35
Regional leaders consider these institutions to be key players in regional cyber security
policy development, as expressed at the 7th East Asia Summit (EAS), in which they specifically
noted ‘the efforts of ASEAN, the ARF and APEC in addressing cyber security matters’:
‘Chairman’s Statement of the 7th East Asia Summit’ (7th EAS, Phnom Penh, Cambodia, 20
November 2012) <http://www.asean.org/images/documents/Final_Chairman%20Statement%20
of%20the%207th%20EAS%20(Final).pdf> accessed 28 November 2013. Other regional cyber
security initiatives such as the Asia-Pacific Telecommunity (APT) and the United Nations
Economic and Social Commission for Asia and the Pacific have a more technical focus on ICT
regulation in general. See generally, Portnoy and Goodman (n 15) Ch 4.
36
See Rees (n 13) 408.
37
See Heinl (n 28) 7 and 11 (citing Chris Finan, former Director for Cybersecurity
Legislation and Policy, US National Security Staff at the White House, ‘Effective and Credible
Cyber Deterrence’ (CENS Cybersecurity Workshop, 27 May 2013)); Thomas (n 27) 11.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
5 / Date: 7/5
JOBNAME: Tsagourias PAGE: 6 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
economy’.38 The critical question relevant to this chapter is to what extent existing
regional institutions in the Asia-Pacific have contributed to attaining these competing
goals within their institutional framework.
ASEAN was founded by Indonesia, Malaysia, the Philippines, Singapore and Thailand
with the aim ‘to ensure their stability and security from external interference in any
form or manifestation’.40 From its inception, ASEAN has served its role as a political
platform with dual regional security functions – committing themselves to collective
efforts to remove external interference, on the one hand, and entering into reciprocal
arrangements to ensure the internal stability and security of the government in each
member State, on the other – forming the basis for the development of ASEAN as a
‘security community’.41 Both are based on the 1976 Treaty of Amity and Cooperation
in Southeast Asia:42 the former is embedded in the regional principle of non-
interference in Article 2(c), whereas the member States’ commitment to ‘endeavour to
strengthen their respective resilience in … security fields’ (emphasis added) in Article
11 supports the latter role. The ASEAN Charter, adopted in 2007, reaffirms these
38
CSCAP (n 26) 1.
39
See generally, e.g., Mely Caballero-Anthony, Ralf Emmers & Amitav Acharya (eds.),
Non-Traditional Security in Asia: Dilemmas in Securitization (Ashgate 2006).
40
The Bangkok Declaration (Bangkok, 8 August 1967) <http://www.asean.org/news/item/
the-asean-declaration-bangkok-declaration> accessed 22 November 2013. ASEAN has expanded
its membership since then, adding Brunei Darussalam, Cambodia, Laos, Myanmar and Vietnam.
At the time of writing, a bid for membership by Timor-Leste is being considered.
41
For details, see especially, Amitav Acharya, Regionalism and Multilateralism: Essays on
the Cooperative Security in the Asia-Pacific (Eastern Universities Press 2003) 227–30.
42
Treaty of Amity and Cooperation in Southeast Asia (24 February 1976, entered into force
15 July 1976) 1025 UNTS 319.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
6 / Date: 7/5
JOBNAME: Tsagourias PAGE: 7 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
43
Charter of the Association of Southeast Asian Nations (20 November 2007, entered into
force 15 December 2008) arts 1 and 2(2)(b).
44
Thomas (n 27) 11.
45
See generally ASEAN Secretariat, ‘ASEAN Economic Community Blueprint’ (2008)
<http://www.asean.org/archive/5187-10.pdf> accessed 22 November 2013.
46
See e-ASEAN Framework Agreement (2001) art 2 <http://www.asean.org/news/item/e-
asean-framework-agreement> accessed 22 November 2013.
47
Hanoi Plan of Action (adopted by the 6th ASEAN Summit, Hanoi, Vietnam, 15
December 1998) para. 3.1.1 <http://www.asean.org/news/item/hanoi-plan-of-action> accessed 28
November 2013.
48
See ASEAN TELMIN, ‘Singapore Declaration’ (3rd TELMIN, September 2003);
ASEAN TELMIN, ‘Joint Media Statement of the Third ASEAN Telecommunications and IT
Ministers’ (3rd TELMIN, Singapore, 19 September 2003) para. 4 <http://www.asean.org/
communities/asean-economic-community/category/press-releases-13> accessed 28 November
2013; Heinl (n 28) 34–5.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
7 / Date: 7/5
JOBNAME: Tsagourias PAGE: 8 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
AIM2015 calls for the development of a common framework for network security, the
establishment of common minimum standards for network security to ensure a high level of
preparedness and integrity of networks across ASEAN, a network security ‘health screening’
program for ASEAN to be implemented at regular intervals, the development of best practice
models for business continuity and disaster recovery for all sectors, and the establishment of
a multi-stakeholder ASEAN Network Security Action Council (ANSAC) to promote Com-
puter Emergency Response Team cooperation and sharing of expertise.55
ANSAC has met annually since 2012, and its tasks so far have included reviewing the
ASEAN Telecommunication Regulators’ Council (ATRC) Framework for Cooperation
on Network Security, through which ASEAN TELMIN’s work is largely completed.
Thus, in pursuing enhanced regional cyber capacity, interconnectivity and ICT
infrastructure within the region, ASEAN leaders started seeing comprehensive cyber
security efforts as increasingly vital. Cyber security featured in TELMIN’s 2012
49
ASEAN TELMIN, ‘Joint Media Statement of the Third ASEAN Telecommunications and
IT Ministers’ ibid.
50
See ‘ASEAN Economic Community Blueprint’ (n 45) para. 51.
51
Heinl (n 28) 6.
52
Dato’ Seri Dr Ahmad Zahid Hamidi, ‘New forms of warfare – Cyber, UAVs and
emerging threats’ (Speech delivered at the Asia Security Summit, Shangri-La Hotel, Singapore, 3
June 2012) <http://www.iiss.org/en/events/shangri%20la%20dialogue/archive/sld12-43d9/fourth-
plenary-session-1353/dato-seri-dr-ahmad-zahid-hamidi-b13b> accessed 28 November 2013.
53
Heinl (n 28) 12.
54
ASEAN Secretariat, ‘ASEAN ICT Masterplan 2015’ (2011) 26 <http://www.asean.org/
resources/publications/asean-publications/item/asean-ict-masterplan-2015> accessed 22 Novem-
ber 2013.
55
Heinl (n 28) 29.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
8 / Date: 7/5
JOBNAME: Tsagourias PAGE: 9 SESS: 6 OUTPUT: Mon May 18 10:36:31 2015
+ cooperate and participate in the building and promotion of a safe, secure and
trusted online environment;
+ harmonise ICT rules and regulations;
+ facilitate the presence of a robust and resilient information infrastructure; and
+ enhance policy framework development, cooperation, and sharing of best prac-
tices on the protection of data and information infrastructures.57
The Declaration also seeks to boost cyber security through strengthening the regional
CERT programs – for example, ASEAN CERT Incident Drills, aimed at enhancing
‘incident investigation and coordination amongst [ASEAN and other regional]
CERTs’.58 However, these efforts for a regional comprehensive framework based on
national-level cyber security programs, at least so far, remain piecemeal and frag-
mented and show a lack of region-wide cohesiveness.59
ASEAN has also sought to address cyber insecurities along with other regional
security issues through its Political-Security Community, whose aim is to establish a
‘cohesive, peaceful, stable and resilient region with shared responsibility for compre-
hensive security’.60 Within this Community, cyber security has primarily been the
domain of the ARF, as will be further examined in the next section. However, through
ASEAN Defence Ministers Meetings (ADMMs), it has also been seeking to ‘enhance
ASEAN’s capacity and develop capabilities to contribute to operational effectiveness in
addressing non-traditional security challenges’.61 At the 7th ADMM in May 2013, for
example, the ASEAN Defence Ministers endorsed the establishment of a regional
‘Logistics Support Framework’.62 During the same meeting, Vietnamese Minister of
National Defence Phung Quang Thanh reportedly called on ASEAN to deepen ties with
the two major powers of the region, the PRC and the US.63
It has been suggested that an expanded regional arrangement with major powers
would be beneficial for the entire region, given that ASEAN’s perception as a ‘neutral
56
ASEAN TELMIN, ‘Mactan Cebu Declaration: Connected ASEAN – Enabling Aspira-
tions’ (12th TELMIN, the Philippines, 15–16 November 2012) <http://www.asean.org/news/
asean-statement-communiques/item/mactan-cebu-declaration-connected-asean-enabling-
aspirations> accessed 28 November 2013.
57
Ibid. paras 7–14.
58
Ibid. para. 16.
59
Heinl (n 28) 2.
60
ASEAN Secretariat, ‘ASEAN Political-Security Community Blueprint’ (2009) para. 10
<http://www.asean.org/archive/5187-18.pdf> accessed 22 November 2013.
61
ASEAN Secretariat, ‘ASEAN Defence Ministers Strengthen Cooperation Ties’, ASEAN
Secretariat News (8 May 2013) <http://www.asean.org/news/asean-secretariat-news/item/asean-
defence-ministers-strengthen-cooperation-ties> accessed 20 November 2013.
62
Ibid.
63
‘ASEAN chiefs work closely on security issues’, Việt Nam News (8 May 2013)
<http://vietnamnews.vn/politics-laws/239041/asean-chiefs-work-closely-on-security-issues.html>
accessed 20 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
9 / Date: 8/5
JOBNAME: Tsagourias PAGE: 10 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
broker’ positions it well to mitigate tensions between the two powers,64 particularly in
relation to cyber incidents. It is notable in this context that ASEAN developed the
ASEAN Cooperation Plan, which supports joint projects between the US and ASEAN
and relevantly includes the promotion and enhancement of cyber security in the
region.65 In August 2013, ASEAN Defence Ministers and eight ASEAN Dialogue
Partners discussed what role the defence sector has to play in addressing emerging
non-traditional security threats, including cyber security, at the Second ADMM+
meeting held in Brunei Darussalam.66 There is also a prospect that the issue of cyber
defence and cyber warfare will be put on the agenda for ADMMs in the future.67
The ARF was established by ASEAN in 1994 to help promote peace and prosperity
across the region,68 and currently has a membership base of 27 nations.69 Although it
originally emerged as a cooperative platform for confidence building and preventive
diplomacy,70 it has further institutionalised with a common security vision based on the
ideas of cooperative security and comprehensive security, as enshrined in the 2009
Vision Statement.71 It has been designated in Bali Concord II, adopted in 2003, as ‘the
primary forum in enhancing political and security cooperation in the Asia-Pacific
64
Heinl (n 28) 3.
65
See Office of the Spokesman, US Department of State, ‘US ASEAN Cooperation Plan’
(Fact Sheet, 29 July 2005).
66
ASEAN Secretariat, ‘ASEAN Defence Ministers and their Plus Counterparts Reaffirm
Commitment for Regional Peace and Security at the 2nd ADMM-Plus’ ASEAN Secretariat News
(3 September 2013) <http://www.asean.org/news/asean-secretariat-news/item/asean-defence-
ministers-and-their-plus-counterparts-reaffirm-commitment-for-regional-peace-and-security-at-the-
2nd-admm-plus> accessed 20 November 2013. The eight ASEAN dialogue partners were
Australia, India, Japan, New Zealand, the PRC, Russia, the Republic of Korea, and the US.
67
Remarks made by Purnomo Yusgiantoro, Minister of Defence, Indonesia, at Shangri-La
Dialogue 2013 Third Plenary Session: Military Modernisation and Strategic Transparency, 1
June 2013, available via <www.iiss.org> accessed 18 August 2013.
68
See, e.g., ‘The ASEAN Regional Forum: A Concept Paper’ (adopted by the ASEAN
Regional Forum Ministerial Meeting 1 August 1995) para. 5 (‘1995 Concept Paper’) <http://
aseanregionalforum.asean.org/files/library/Terms%20of%20References%20and%20Concept%20
Papers/Concept%20Paper%20of%20ARF.pdf> accessed 22 November 2013.
69
The 27 members are the ten ASEAN member nations (Brunei Darussalam, Cambodia,
Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam),
the ten ASEAN dialogue partners (Australia, Canada, the European Union, India, Japan, New
Zealand, the PRC, Republic of Korea, Russia and the US), one ASEAN observer (Papua New
Guinea), and the Democratic People’s Republic of Korea, Mongolia, Pakistan, Timor-Leste,
Bangladesh and Sri Lanka.
70
1995 Concept Paper (n 68) para. 6; ‘The First ASEAN Regional Forum Ministerial
Meeting’ (Chairman’s Statement, Bangkok, Thailand, 25 July 1994) para. 4 <http://www.
asean.org/archive/arf/ARF-Doc-Series-2004/Chapter-1.pdf> accessed 28 November 2013.
71
‘ASEAN Regional Forum Vision Statement’ (16th ARF, Phuket, Thailand, 23 July 2009)
<http://aseanregionalforum.asean.org/files/library/ARF%20Chairman’s%20Statements%20and%
20Reports/The%20Sixteenth%20ASEAN%20Regional%20Forum,%202008-2009/ARF_Vision_
Statement.pdf> accessed 22 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
region’.72 As Joshua Kurlantzick notes, while the ARF ‘has no authority beyond
ASEAN’s, it provides an opportunity for increased dialogue and interaction’ between
major regional actors.73 One of the ARF’s key focuses is counterterrorism and
transnational crime, and inter-sessional meetings are held on this topic. It is within this
framework that cyber security is addressed, with Australia, Malaysia, and the Russian
Federation co-leading cyber security efforts.
Since 2004, the ARF has conducted regular seminars and workshops on cyberspace,
with particular focus on cyber terrorism, incident response, capacity building, and the
threat of proxy actors. In 2006, the ARF member States issued the Statement on
Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyberspace,74 which
encouraged enhanced national and regional cyber security regimes on the grounds that
‘an effective fight against cyber-attacks and terrorist misuse of cyber space requires
increased, rapid and well-functioning legal and other forms of cooperation’.75 This
policy was endorsed in the Hanoi Plan of Action to Implement the ARF Vision
Statement by the ARF senior officials’ meeting in May 2010.76
ARF cyber security efforts thus follow the 2006 Statement that envisaged cyber
security threats posed by non-State actors and transnational crimes as common security
challenges within the region. Along this line, the 2012 ‘Workshop on Cyber Security
Incident Response’ hosted by Australia and Singapore, for example, explored the ability
of participating States to cooperate in the event of a regional cyber security incident,
focusing specifically on ‘the benefits of consistent offences and information sharing
mechanisms with law enforcement agencies and computer emergency response
teams’.77 Also, at the 10th ARF Security Policy Conference held in Brunei in May
2013, senior defence policy officials considered a number of cyber security cooperation
opportunities, including ‘the sharing of best-practices, the conducting of professional
exchanges and education on cyber security, as well as streamlining efforts in enhancing
cyber security between different policy areas’.78
72
‘Declaration of ASEAN Concord II’ (9th ASEAN Summit, Bali, Indonesia, 7 October
2003) para. 6 (‘Bali Concord II’) <http://www.asean.org/news/item/declaration-of-asean-
concord-ii-bali-concord-ii> accessed 28 November 2013.
73
Joshua Kurlantzick, ‘ASEAN’s Future and Asian Integration’ (Council on Foreign
Relations, November 2012) 6.
74
‘ASEAN Regional Forum Statement on Cooperation in Fighting Cyber Attack and
Terrorist Misuse of Cyberspace’ (13th ARF, Kuala Lumpur, Malaysia, 28 July 2006) <http://
www.mofa.go.jp/region/asia-paci/asean/conference/arf/state0607-3.html> accessed 28 November
2013.
75
Ibid.
76
‘Hanoi Plan of Action to Implement the ASEAN Regional Forum Vision Statement’
(endorsed by ARF SOM on 20 May 2010) para. 2 <http://aseanregionalforum.asean.org/library/
arf-chairmans-statements-and-reports.html> accessed 28 November 2013.
77
‘ASEAN Regional Forum Work Plan for Counter-Terrorism and Transnational Crime
2011–2012’ in ASEAN Regional Forum at Twenty: Promoting Peace and Security in the
Asia-Pacific (World Affairs Press 2013) 214 <http://aseanregionalforum.asean.org/library/arf-
publication.html> accessed 29 November 2013.
78
‘10th ASEAN Regional Forum Security Policy Conference’ (ASEAN Summit 2013,
23 May 2013) <http://asean-summit-2013.tumblr.com/post/51724122815/10th-asean-regional-
forum-security-policy-conference> accessed 20 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
However, there is evidence of a shift away from this policy in favour of a greater
national cyber security focus. In the ARF Statement on Cooperation in Ensuring Cyber
Security, adopted at the 19th ARF on 12 July 2012, an emphasis was placed on the
need to pursue measures that will ‘further intensify regional cooperation on security in
the use of ICTs’ through, inter alia: dialogue on strategies to address cyber threats in a
way ‘consistent with international law’; enhanced regional cooperation in realising a
‘culture of cyber security’; and the promotion of cyber ‘confidence-building, stability,
and risk reduction measures’.79 Despite its common security foundations set by the
2006 Statement, this document implicitly recognises the growing correlation between
cyberspace and national security concerns, hence emphasising ‘confidence-building and
other transparency measures’ necessary to ‘reduce the risk of misperception, escalation
and conflict’.80 In keeping with this growing national security concern in cyberspace,
discussion currently continues on a proposed ‘ARF Seminar of Experts on the
Development of Cyber CBMs’.81
As South Korean Ambassador to the UN Conference on Disarmament, Kwon
Haeryong observes, Asia-Pacific States are in general ‘rather unengaged’ on issues
relating to the international governance of cyberspace.82 In the ARF context, where
many nations’ own cyber security strategies are still in their nascent form, this is
unsurprising. The present and future uncertainties about the cyber security landscape
and its implications for geopolitical rivalry between ARF member States are reflected
in the fundamental differences between their cyber security approaches. These uncer-
tainties and divergent policy approaches undermine the ARF’s ability to galvanise
members into collective action on cyber security.83
Indeed, the line of division became evident at the ARF ‘Workshop on Measures to
Enhance Cyber Security – Legal and Cultural Aspects’ held in Beijing on 11–12
September 2013. Throughout the workshop, Chinese and Russian delegations refer-
enced their jointly drafted International Code of Conduct, which maintained that
‘policy authority for Internet-related public issues is the sovereign right of States’.
Many Western States have criticised the Code as inconsistent with international
practices and instruments, including the Universal Declaration of Human Rights.84
According to Tobias Feakin, this reflects a familiar tension in the quest to secure the
cyber realm, whereby ‘China and a selection of partners, including Russia, advocate a
State-led legal approach, while most Western States advocate the “multi-stakeholder”
79
‘Chairman’s Statement of the 19th ASEAN Regional Forum’ (19th ARF, Phnom Penh,
Cambodia, 12 July 2012) Annex 4: ‘ARF Statement on Cooperation in Ensuring Cyber
Security’.
80
Ibid.
81
See ‘Chairman’s Statement of the 20th ASEAN Regional Forum’ (20th ARF, Bandar Seri
Begawan, Brunei Darussalam, 2 July 2013) para. 33 <http://aseanregionalforum.asean.org/
library/arf-chairmans-statements-and-reports.html> accessed 29 November 2013.
82
Haeryong (n 29).
83
See Rees (n 13) 408.
84
See ‘Co-Chair’s Summary Report on ARF Workshop on Measures to Enhance Cyber
Security – Legal and Cultural Aspects’ (Beijing, the PRC, 11–12 September 2013) paras 33–37
<http://asean regionalforum.asean.org/library/arf-chairmans-statements-and-reports.html> acces-
sed 29 November 2013.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
12 / Date: 7/5
JOBNAME: Tsagourias PAGE: 13 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
approach which shies away from legally binding agreements and advocates the
promotion of norms of behaviour in cyberspace’.85 Indeed, during the 12th Asia
Security Summit (Shangri-La Dialogue) held in Singapore on 31 May to 2 June 2013,
concerns were raised about ‘ideological and political differences’ inhibiting the
development of a cohesive international legal framework for addressing cyber issues
and increasingly militarising the cyber domain.86
85
Feakin (n 30).
86
International Institute for Strategic Studies (n 24) 46.
87
‘1989 APEC Ministerial Meeting’ (Joint Statement, Canberra, Australia, 6–7 November
1989) <http://www.apec.org/Meeting-Papers/Ministerial-Statements/Annual/1989/1989_amm.
aspx> accessed 22 November 2013.
88
APEC TEL, ‘Telecommunications and Information’ (APEC, 2013) <http://www.
apec.org/Groups/SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-
Groups/Telecommunications-and-Information.aspx> accessed 19 November 2013.
89
Thomas (n 27) 13 [footnotes omitted].
90
APEC Leaders, ‘Bandar Seri Begawan Declaration – Delivering to the Community’
(Bandar Seri Begawan, Brunei Darussalam, 16 November 2000) paras 15–17 <http://www.apec.
org/Meeting-Papers/Leaders-Declarations/2000/2000_aelm.aspx> accessed 29 November 2013.
91
Ibid. Annex 1: ‘Action Agenda for New Economy’.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
13 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
society’,92 and in 2001 the e-APEC Task Force expanded on it in the e-APEC
Strategy.93 The e-APEC Strategy details three cyber-focus areas, namely: creating an
‘environment for strengthening market structures and institutions’; facilitating an
‘environment for infrastructure investment and technology development’; and enhan-
cing ‘human capacity building and promot[ing] entrepreneurship’.94
The events of 9/11 precipitated a shift in APEC’s dialogue on cyber issues. A little
over a month after the attacks, APEC leaders issued a statement condemning inter-
national terror, noting that it posed a ‘direct challenge to APEC’s vision of free, open
and prosperous economies, and to the fundamental values that APEC members hold’.95
Furthermore, APEC leaders acknowledged the ‘imperative to strengthen international
cooperation at all levels in combating terrorism in a comprehensive manner’,96
including enhanced critical sector protection in the area of telecommunications
infrastructure.97 A year later, this time in the wake of the ‘Bali bombings’, the APEC
Leaders Statement on Fighting Terrorism and Promoting Growth recognised the need
for enhanced cyber security, noting that ‘the global communications network is only as
secure as its weakest link’.98
APEC’s Counter Terrorism Action Plans (CTAPs), whose development stemmed
from these counterterrorism statements, devote a section to ‘promoting cyber security’
and reaffirm commitments to ‘counter … terrorism by implementing and enhancing
critical information infrastructure protection and cyber security to ensure a trusted,
secure and sustainable online environment’.99 The CTAPs provide a space where
member economies can record their APEC commitments to the promotion of cyber
security, as well as the past and future measures they have taken or intend to take to
meet these commitments.100 With a view to strengthening regional ICT infrastructure,
the Plans also ask members to detail cyber capacity building needs, and areas of cyber
security expertise that might assist other APEC members.
92
APEC Electronic Commerce Steering Group (ECSG), ‘e-APEC Strategy’ (Report,
October 2001) 1 <http://publications.apec.org/publication-detail.php?pub_id=584> accessed 29
November 2013.
93
Ibid.
94
Ibid. 1–2. See also APEC Leaders, ‘Bandar Seri Begawan Declaration – Delivering to the
Community’ (n 90).
95
‘APEC Leaders Statement on Counter-Terrorism’ (Shanghai, China, 21 October 2001)
para. 2 <http://www.apec.org/Meeting-Papers/Leaders-Declarations/2001/2001_aelm/~/media/
Files/LeadersDeclarations/2001/01_ldrs_counterterror.pdf> accessed 29 November 2013.
96
Ibid. para. 4.
97
Ibid. para. 6.
98
‘APEC Leaders Statement on fighting terrorism and promoting growth’ (Los Cabos,
Mexico, 26 October 2002) <http://www.apec.org/Meeting-Papers/Leaders-Declarations/2002/
2002_aelm/statement_on_fighting.aspx> accessed 29 November 2013.
99
See APEC, ‘Counter terrorism action plans’ (APEC, 2013) <http://www.apec.org/Groups/
SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Task-Groups/~/link.aspx?_
id=6B7B2BAA018C48A98F733314CF7CA193&_z=z> accessed 20 November 2013. The plans
also include the 2010 commitment, to ‘enhance mutual cooperation on countering malicious
online activities and engage in efforts to increase cybersecurity awareness’.
100
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
14 / Date: 7/5
JOBNAME: Tsagourias PAGE: 15 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
In August 2002, the US delegation to APEC TEL submitted the APEC Cybersecurity
Strategy at its 26th meeting, which reportedly laid the foundation for the Shanghai
Declaration,101 in which APEC TELMIN emphasised the importance of network
security and the development of IT security standards and best practice guides.102 It
also directed APEC TEL to ‘give special priority to and facilitate within APEC work on
the protection of information and communications infrastructures’.103 To this end, the
SPSG has been working towards promoting and realising security in the cyber realm.104
In October 2002, APEC Leaders also made commitments to enact domestic laws
governing cyber security and cybercrime,105 and agreed that cyber-laws and policy
should be consistent with international legal instruments, including the Council of
Europe’s Convention on Cybercrime,106 and United Nations General Assembly Resolu-
tion 55/63.107 They supported the development of national CERTs, in order to enable
the ‘exchange [of] threat and vulnerability assessment’.108
In 2005, the APEC Senior Officials recognised in the APEC Strategy to Ensure
Trusted, Secure and Sustainable Online Environment (‘2005 Cybersecurity Strategy’)
that the ability of members and their citizens to harness ICT’s full potential, as
envisaged in the 2000 Brunei Goals and 2001 e-APEC Strategy, had become increas-
ingly dependent on the ‘integrity and security’ of cyberspace.109 They considered that
cyber security sat firmly within APEC’s core mandate, given that ‘most traditional
economic and social activities in many APEC Member Economies have become
dependent on the online environment’.110 In light of this, the 2005 Cybersecurity
Strategy sought to:
101
APEC TELMIN5, ‘Shanghai Declaration’ (Shanghai, the PRC, 29–30 May 2002)
<http://www.apec.org/Meeting-Papers/Ministerial-Statements/Telecommunications-and-
Information/2002_tel.aspx> accessed 22 November 2013.
102
Ibid. Annex A: ‘Program of Action’, and Annex B: ‘Statement on the Security of
Information and Communications Infrastructures’.
103
Ibid. Annex B.
104
See APEC TEL, ‘Security and Prosperity Steering Group’ (APEC, 2013) <http://www.
apec.org/ Groups / SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-
Groups / Telecommunications-and-Information/Security-and-Prosperity-Steering-Group.aspx>
accessed 19 November 2013.
105
See ‘APEC Leaders Statement on fighting terrorism and promoting growth’ (n 98).
106
Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force: 1 July 2004). On cybercrime see Kastner and Mégret (Ch 9 of this book).
107
UNGA Res 55/63 (4 December 2000) UN Doc A/RES/55/63. On the UN’s approach to
cybersecurity see Henderson (Ch 22 of this book).
108
‘APEC Leaders Statement on fighting terrorism and promoting growth’ (n 98).
109
APEC TEL, ‘APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environ-
ment’ (endorsed by the APEC Senior Officials, November 2005) <http://www.apec.org/Groups/
SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-Groups/~/media/
Files/Groups/TEL/05_TEL_APECStrategy.pdf> accessed 29 November 2013.
110
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
15 / Date: 7/5
JOBNAME: Tsagourias PAGE: 16 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
The goals and commitments of these core cyber security documents have formed the
basis of subsequent TELMIN statements and APEC cyber strategies. In its Strategic
Action Plan: 2010–2015, adopted by TELMIN8 in 2010, the Telecommunications and
Information Working Group re-affirms its commitment to cyber security capacity
development, ‘including through distribution of best practice approaches, information
sharing, technical cooperation, training and education’.112 This Strategic Action Plan,
along with the TELMIN8 Okinawa Declaration, reflect two emerging focal points for
APEC’s cyber security policy: cyber threats posed to vulnerable groups, particularly
children; and consumer protection measures, particularly in relation to ‘personal
information protection’.113 However, APEC’s engagement with cyber security is by no
means confined to private security in cyberspace. Indeed, at the opening session of the
44th meeting of APEC TEL in 2011, Malaysia raised concerns about ‘negative acts’ in
the cyber realm that ‘threaten the stability of Government’.114 Also, in its 2012 CTAP,
Mexico listed ‘technical support regarding Advanced Persistent Threats against govern-
ment’ as a building need for them.
One of the striking aspects of APEC’s cyber security approach is its proactive
engagement with the private sector through its various workshops and training
programs.115 The steering groups operating under the Telecommunications and Infor-
mation Working Group run various projects and workshops aimed at promoting and
enhancing cyber security amongst member economies.116 Most notably, the SPSG has
111
‘APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environment’ (n 109).
112
APEC TEL, ‘TEL Strategic Action Plan: 2010–2015’ (2010/TELMIN/024, endorsed by
TELMIN8, Okinawa, Japan, 30–31 October 2010) 4 <http://aimp.apec.org/Documents/2010/
MM/TELMIN/10_telmin8_024.pdf> accessed 29 November 2013.
113
APEC TELMIN8, ‘Okinawa Declaration: ICT as an engine for new socio-economic
growth’ (Okinawa, Japan, 30-31 October 2010) para. 19. See also APEC TEL, ‘TEL Strategic
Action Plan: 2010–2015’, ibid. 4; APEC TELMIN10, ‘Saint Petersburg Declaration: Building
confidence and security in the use of ICT to promote economic growth and prosperity’ (St.
Petersburg, Russia, 7–8 August 2012) para. 26 <http://www.apec.org/Meeting-Papers/
Ministerial-Statements/Telecommunications-and-Information/2012_tel.aspx> accessed 29 Nov-
ember 2013.
114
Ministry of Information, Communications and Culture Malaysia, ‘Malaysia Urges APEC
TEL to Intensify Cybersecurity Cooperation’ (Press Release, 26 September 2011).
115
See Thomas (n 27) 14.
116
Ongoing TEL cyber security projects include the APEC Training Program for Preventa-
tive Education on ICT Misuse; Computer Security Incident Response Team (CSIRT) Capacity
Building and Cooperation; Security of Mobile Devices; Cyber Security Awareness Raising
Project; and the International PKI and e-Authentication Training Program. Examples of
workshops include: Comparing Approaches to Combating Botnets (2013); Cyber Security Policy
Development in the APEC Region (2011); the ISP Voluntary Cyber Security Code of Practice
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
16 / Date: 7/5
JOBNAME: Tsagourias PAGE: 17 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
been working to develop cyber security related guidelines for member countries such as
the Guiding Principles for PKI-based Approaches to Electronic Authentication and
Implementation Guidelines for Action Against Spam, both of which were adopted in the
2005 Lima Declaration by TELMIN6.117 APEC has also been working closely with
other institutions such as the OECD, the International Telecommunications Union, and
ASEAN, in many cyber security areas including ‘security of information systems and
networks, awareness raising, malware, the protection of children online and botnets’.118
Through such engagement, as well as facilitating cyber cooperation between countries
at the CERT level, APEC ensures that its critical activities in the field of cyber security
have ‘the widest possible input and support’, extending its reach even to Taiwan and
Hong Kong – ‘two of the most networked economies in the region’ – filling the gap of
ASEAN-based approaches in regional security architecture.119
(2010). See APEC TEL, ‘Telecommunications and Information’ (APEC, 2013) <http://www.
apec.org/Groups/SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-
Groups/Telecommunications-and-Information.aspx> accessed 19 November 2013; APEC TEL,
‘Security and Prosperity Steering Group’ (APEC, 2013) <http://www.apec.org/Groups/SOM-
Steering-Committee-on-Economic-and-Technical-Cooperation / Working-Groups/Telecommunications-
and-Information/Security-and-Prosperity-Steering-Group.aspx> accessed 19 November 2013.
117
See APEC TELMIN6, ‘Lima Declaration’ (Lima, Peru, June 2005) paras 39–40, also
Annexes D and E <http://www.apec.org/Meeting-Papers/Ministerial-Statements/Telecommunications-
and-Information/2005_tel.aspx> accessed 29 November 2013.
118
OECD (n 11) annex 1, 36.
119
Thomas (n 27) 14.
120
International Institute for Strategic Studies (n 24) 47.
121
See OECD (n 11) 4.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
17 / Date: 7/5
JOBNAME: Tsagourias PAGE: 18 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
the PRC’s official cyber policy, which envisages the imposition of law and order
including the ban on the use of the Internet ‘to incite ethnic hatred and separatism, to
promote cult and to distribute salacious, pornographic, violent or terrorist infor-
mation’.122 As the Chinese Assistant Foreign Minister, Zheng Zeguang, reportedly
noted in his opening address to the ARF ‘Workshop on Measures to Enhance Cyber
Security’, the Chinese Government’s position is based on the firm legal understanding
that ‘[i]nternational cyber governance should follow the principles of state sovereignty
and non-interference in other’s internal affairs’.123
Second, as the cyber infrastructure develops at an alarmingly rapid pace and the
government and the whole of society becomes reliant on it, some regional States are
increasingly concerned by the potential vulnerability of governments in cyberspace.124
Such recognition of government vulnerability in cyberspace has a logical fit with the
ethos of ASEAN, which was indeed established to cooperatively ensure the legitimacy
of government in each member State. ASEAN-related cyber security initiatives such as
the 2006 ARF Statement, as well as the 2002 Shanghai Declaration and the 2005
Cybersecurity Strategy adopted by APEC, are in this respect a reflection of the
traditional cooperative security policy in the Asia-Pacific.
Third, the increased recognition of cyberspace as the fifth domain of warfare poses
challenges to the development of regional cyber security architecture. As discussed in
Section 2 above, hostile or malicious use of cyberspace has the potential to amplify the
existing tensions between regional States and could even trigger a spiral of conflict. In
the ARF, while the need to ‘reduce the risk of misperception, escalation and conflict’ is
clearly recognised among member States,125 each State’s strategic considerations, as
well as different approaches to the legal regulation of cyber security, pose challenges to
regional efforts to develop a code of conduct for cyberspace.126 Realistically, States do
not find any strong political motive towards strict rules on cyber security while
uncertainty remains as to their implications for the geopolitical landscape and the full
potential of cyberspace for strategic and tactical use is being explored to advance own
national interests. In the interim, attention will have to be given to an international or
regional dialogue on ‘rules of engagement’ in cyberspace and confidence building
measures to reduce the risk of misperception, escalation and conflict as a matter of
priority. The political agreement reached in June 2013 by the 15 nations Group of
Governmental Experts on Information Security that States would not use proxies to
engage in malicious cyber activities,127 can be considered a significant first step
towards establishing such ‘rules of engagement’.
122
‘ASEAN Regional Forum Annual Security Outlook’ (vol 14, 2013) 46 <http://
aseanregionalforum.asean.org/library/arf-publication.html> accessed 29 November 2013.
123
Quoted in Feakin (n 30).
124
See above Ministry of Information, Communications and Culture Malaysia (n 114) and
accompanying text.
125
‘Chairman’s Statement of the 19th ASEAN Regional Forum’ (n 79).
126
See ‘Co-Chair’s Summary Report on ARF Workshop on Measures to Enhance Cyber
Security – Legal and Cultural Aspects’.
127
See UNODA Secretary General, ‘Group of Governmental Experts on Developments in
the Field of Information and Telecommunications in the Context of International Security’ (24
June 2013) UN Doc A/68/98 para. 23. See also Lewis (n 2) 6.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
18 / Date: 7/5
JOBNAME: Tsagourias PAGE: 19 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
5. CONCLUSION
Attempts to secure and stabilise cyberspace at domestic and regional policy levels in
the Asia-Pacific region have resulted in successful regional cooperation. First, regional
institutions, particularly ASEAN and APEC, have made concerted efforts to galvanise
regional States into collective action in improving regional ICT infrastructure and cyber
capacity, particularly in developing States. In doing so, they have sought to maximise
the regional and national socio-economic benefits of the digital age, while at the same
time reducing the risk of cyber intrusion and destabilisation via potential ‘weak links’
in an increasingly interconnected regional cyber infrastructure. Second, States have
united against the serious threat posed by malicious cyber activities conducted by
non-State actors, often across national borders. In particular, ASEAN, the ARF and
APEC have sought to prevent, regulate, and mitigate the effects of malicious use of the
Internet for criminal and terrorist purposes, largely through enhancing information
sharing between national CERTs as well as domestic law enforcement agencies, and by
setting regional standards for national cyber-related laws and policy.
However, these measures only go some way to addressing regional cyber security
concerns, and their effectiveness is threatened by new challenges, in particular the
emerging pre-eminence of sovereignty considerations in cyber policy-making. The
strategic and tactical advantages that States can gain from the exploitation of cyber-
space, as well as the difficulty of attributing cyber attacks and intrusions, amplify
existing geopolitical tensions in the Asia-Pacific. The potential for State-sponsored
cyber intrusions has seen cyber security increasingly characterised as a matter of
national security, and as such dialogue on it has become increasingly militarised.
Despite the efforts of regional forums, the transposition of cyber security into a national
security concern threatens to inhibit the realisation of strong and secure regional cyber
architecture. Therefore, it is imperative for regional leaders to intensify their efforts to
formulate and adopt ‘rules of engagement’ in cyberspace in order to reduce the risk of
misperception, escalation and conflict as a matter of priority.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter21 /Pg. Position:
19 / Date: 7/5
JOBNAME: Tsagourias PAGE: 1 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
1. INTRODUCTION
The importance of cyberspace in today’s interconnected and highly complex world
cannot be overstated. It has become central to the smooth running of the world
economy, the carrying out of daily business transactions, political communications, as
well as for social networking. The late 1990s saw an exponential growth in the use of
the Internet with over 2.5 billion users across the world today.1
While in general the development of cyberspace has undoubtedly proved to be in an
immensely positive development, its rise has also been accompanied by a more sinister
side, in that the development of information and communication technologies (ICTs)
has given rise to various risks to individuals, societies and States more broadly.
Although ‘governments have attempted to address these issues by creating national-
level mechanisms, the very transnational nature of cyberspace has forced the inter-
national community to debate and form norms or rules that should promote good
behavior in cyberspace’.2 Activity in this respect has been occurring in various
institutional and regional forums for some time. For example, the Council of Europe’s
Budapest Convention on Cybercrime entered into force in 2004 and is seen as a
positive precedent in the regulation of this element of cyber-security.3
Activity within the UN to address cyber-security issues begun when the Russian
Federation introduced a draft resolution into the UN General Assembly (UNGA) in
1998 on ‘[d]evelopments in the field of information and telecommunications in the
context of international security’.4 Subsequent initial activity within the UN proved
somewhat ‘dull without much movement … towards dealing with issues in cyber-
space’.5 Yet, ‘mounting reports of disruptions and the increasing potential of cyber
attacks disturbing the peace in the real world led countries to examine these challenges
* The author wishes to thank April Longstaffe for her research assistance in preparing this
chapter.
1
World Internet Usage and Population Statistics, Internet World Stats, 30 June 2012
<http://www.internetworldstats.com/stats.htm> accessed 28 September 2014.
2
Rahul Prakash and Darshana M. Baruah, ‘The UN and Cyberspace Governance’ (ORF
Issue Brief 86, February 2014) 1. <http://orfonline.org/cms/export/orfonline/modules/issuebrief/
attachments/issuebrief68_1394871027354.pdf> accessed 28 September 2014.
3
Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force: 1 July 2004).
4
UNGA Res 53/70 (4 December 1998) UN Doc A/RES/53/70.
5
Prakesh and Baruah (n 2) 1.
465
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
1 / Date: 7/5
JOBNAME: Tsagourias PAGE: 2 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
more seriously within the UN’.6 Indeed, the Distributed Denial of Service Attacks
(DDoS) on Estonia (2007) and Georgia (2008), the Stuxnet worm attack upon Iran
(2010) and the Edward Snowden revelations (2013) regarding the use of ICTs by States
to spy upon one another brought to light in dramatic fashion the realities of cyberspace
being used in unscrupulous ways and raised the profile of cyber-security on the UN’s
agenda. In light of these events, it is fair to say that ‘[t]he issue of cyber security is
quickly making its way up the agenda of global public policy issues demanding
attention’.7
While one might, nonetheless, take the view that ‘[t]here has been only limited U.N.
action on the issue of cyber-security’,8 this is arguably down to the fact that there have
been fundamental differences on fundamental issues between Eastern and Western
States. The main sticking points appear to be whether there should be a free flow of
information or whether there should be governmental restrictions upon it; whether the
focus should be on economic espionage and criminal activity or upon the use of
cyberspace to carry out attacks; and whether existing international law applies to
cyber-security issues or whether new rules and norms need to be developed, perhaps in
the form of a new treaty. In this respect, the UN ‘has been working for over a decade
to eliminate these differences and create a mechanism to ensure the security and
stability of cyberspace’.9 As this chapter will attempt to highlight, the UN, through its
work on both issues of cyber-warfare and cyber-crime,10 is now moving with some
momentum.
The UN’s activities in this area are highly fragmented with a very complex system of
bodies and with expertise scattered throughout the system meaning that a full analysis
is beyond the limited scope of this chapter. The purpose of this chapter is thus twofold.
Its primary aim is to provide an overview of UN activities and initiatives concerning
the regulation of cyberspace and cyber-security. The chapter also attempts to discern
whether any regulatory norms have emerged in this field of activity. While it will touch
upon issues such as the use of force in cyberspace and cyber-crime, these have been
dealt with in-depth in other chapters of this Handbook.11
6
Ibid. 1–2.
7
Paul Meyer, ‘Cyber security takes the floor at the UN’, opencanada.org (12 November
2013) <http://opencanada.org/features/the-think-tank/comments/cyber-security-takes-the-floor-at-
the-un/> accessed 28 September 2014.
8
Oona A Hathaway and others, ‘The law of cyber-attack’ (2012) 100 Cal. L. Rev. 817,
865.
9
Prakesh and Baruah (n 2) 1.
10
While there is an obvious overlap between the two, cyber-warfare is mainly concerned
with how ‘[information] technologies and means can potentially be used for purposes that are
inconsistent with the objectives of maintaining international stability and security and may
adversely affect the security of States’ (see A/RES/53/70) while cyber-crime, on the other hand,
is concerned in general with ‘the criminal misuse of information technologies’ (See UNGA Res
55/63 (22 January 2001) UN Doc A/RES/55/63).
11
See Roscini (Ch 11 of this book); Kastner and Mégret (Ch 9 of this book).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
2 / Date: 7/5
JOBNAME: Tsagourias PAGE: 3 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
The First Committee of the UNGA – the Disarmament and International Security
Committee – is concerned with disarmament and related international security ques-
tions and was the first committee to engage with issues of cyber-security. Indeed, the
issue of information security has been on the agenda of the UN since 1998 when the
Russian Federation introduced its draft resolution in the First Committee on ‘[d]evel-
opments in the field of information and telecommunications in the context of
international security’, which was subsequently adopted without a vote.14 This resolu-
tion built upon previous work on the ‘[r]ole of science and technology in the context of
security, disarmament and other related fields’15 and has been subsequently introduced
every year since. Its key elements are that it:
+ mentions the dual use of developments in the area and the military potential of
ICTs for the first time;16
+ expresses concern about the use of such technology ‘inconsistent with the
objectives of maintaining international stability and security’;17
+ notes the need for broad international cooperation;18
+ calls upon Member States to promote at multilateral levels the consideration of
existing and potential threats in the field of information security;19
12
UN Charter (1945) arts 10–17.
13
The six main committees of the UNGA are: First Committee (Disarmament and
International Security Committee); Second Committee (Economic and Financial Committee);
Third Committee (Social, Humanitarian and Cultural Committee); Fourth Committee (Special
Political and Decolonization Committee); Fifth Committee (Administrative and Budgetary
Committee); and Sixth Committee (Legal Committee).
14
UNGA Res 53/70 (4 December 1998) UN Doc A/RES/53/70.
15
UNGA ‘Role of science and technology in the context of security, disarmament and other
related fields’ (18 November 1998) UN Doc A/53/576.
16
UNGA Res 53/70 (n 14) preamble.
17
Ibid.
18
Ibid.
19
Ibid. para. 1.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
3 / Date: 7/5
JOBNAME: Tsagourias PAGE: 4 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
20
Ibid. preamble.
21
Ibid. para. 2.
22
Christopher A Ford, ‘The trouble with cyber arms control’ (2010) 29 The New Atlantis: A
J. of Technology and Society 52, 65.
23
Ibid. 67.
24
China was initially relatively quiet on this issue but subsequently appeared to align itself
with the position of Russia.
25
See UNGA, Developments in the field of information and telecommunications in the
context of international security: Report of the First Committee (16 November 2005) UN Doc
A/60/452.
26
Ibid.
27
See UNGA, Developments in the field of information and telecommunications in the
context of international security – Armenia, Belarus, China, Kazakhstan, Kyrgyzstan, Myanmar,
Russian Federation, Tajikistan and Uzbekistan: draft resolution (11 October 2006) UN Doc
A/C.1/61/L.35.
28
UNGA, Developments in the field of information and telecommunications in the context
of international security: Report of the First Committee (9 November 2006) UN Doc A/61/389.
29
Tim Maurer, ‘Cyber norm emergence at the United Nations: An analysis of the activities
of the UN regarding cyber-security’ (Belfer Center for Science and International Affairs,
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
4 / Date: 7/5
JOBNAME: Tsagourias PAGE: 5 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
+ omission of the reference to, and attempts to come up with, definitions that were
perceived as a first step towards a cyber arms control treaty; and
+ substitution of the reference to ‘international principles’ with references to what
was perceived as more benign language in the form of ‘international concepts’
and ‘possible measures’.
The Second Committee – the Economic and Financial Committee – is concerned with
economic questions, so might not immediately be seen to be relevant in discussions
regarding cyber-security. However, while it is fair to say that the First Committee has
tended to focus upon issues of cyber-warfare and the Third Committee upon issues of
cyber-crime,34 the Second Committee has addressed both through its ‘Global Culture of
Cyber-security’ initiative. The three resolutions of the UNGA’s Second Committee on
this initiative are concerned with both cyber-warfare and cyber-crime and all reference
the resolutions of both the First and Third Committees.35
In light of the decision of the Third Committee to no longer focus on cyber-crime,
the US introduced a new draft resolution in the Second Committee in 2002 entitled
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
5 / Date: 7/5
JOBNAME: Tsagourias PAGE: 6 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
36
UNGA, Macroeconomic policy questions: science and technology for development:
Report of the Second Committee (21 December 2002) UN Doc A/57/529/Add.3. China did not
co-sponsor the resolution.
37
UNGA Res 57/239 (n 35).
38
See section 2(d) of this chapter.
39
UNGA Res 57/239 (n 35) para 5.
40
Ibid. para. 3.
41
Ibid. appendix.
42
Maurer (n 29) 44.
43
UNGA Res 58/199 (n 35). See appendix for the expanded elements.
44
Ibid. annex, element 1.
45
Ibid. annex, element 3.
46
Ibid. annex, element 4.
47
Ibid. annex, element 9.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
6 / Date: 26/3
JOBNAME: Tsagourias PAGE: 7 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
secure critical information infrastructures.48 The resolution, and the included elements,
was co-sponsored by 69 countries, this time including China but not Russia.49
Nonetheless, the broadening of the elements could be perceived as a progressive step
towards the formation of a regulatory cyber-security regime.50
The final resolution was adopted in 2010 after the US policy shift.51 It was sponsored
by the US on behalf of 39 States, although not Russia or China. This resolution was
entitled the ‘[c]reation of a global culture of cybersecurity and taking stock of national
efforts to protect critical information infrastructures’ and included an annex outlining a
‘[v]oluntary self-assessment tool for national efforts to protect critical information
infrastructures’. This is explained as ‘a voluntary tool that may be used by Member
States, in part or in its entirety, if and when they deem appropriate, in order to assist in
their efforts to protect their critical information infrastructures and strengthen their
cybersecurity’.52 These include ‘[t]aking stock of cybersecurity needs and strategies’,
‘[s]takeholder roles and responsibilites’, ‘[p]olicy processes and participation’,
‘[p]ublic-private cooperation’, ‘[i]ncident management and recovery’, ‘[l]egal frame-
works’, and ‘[d]eveloping a global culture of cybersecurity’.53 Notably, these highlight
the importance of cooperation among States, including through ‘international
information-sharing and collaboration’.54
The Third Committee – the Social, Humanitarian and Cultural Committee – is, as its
title suggests, concerned mainly with social and humanitarian issues, but in the context
of cyber-security and cyber-crime. Two years after the Russian Federation introduced
its resolution in the First Committee in 1998 the Third Committee discussed a draft
resolution introduced by the US and 38 other States entitled ‘[c]ombating the criminal
misuse of information technologies’.55 It was co-sponsored by the Russian Federation,
but not China, with a further 19 Member States subsequently co-sponsoring it and was
adopted without a vote on 22 January 2001.56
The key objective of this resolution was to establish a ‘legal basis for combating the
criminal use of information technologies’.57 In attempting to realize this objective, the
resolution had several key elements. First, it ‘recogniz[ed] that the free flow of
information can promote economic and social development, education and democratic
governance’.58 Second, it ‘[e]xpress[ed] concern that technological advancements ha[d]
48
Ibid. annex, element 10.
49
UNGA, Macroeconomic policy questions: science and technology for development:
Report of the Second Committee (15 December 2003) UN Doc A/58/481/Add.2.
50
Maurer (n 29) 44.
51
UNGA Res 64/211 (n 35).
52
Ibid. n.2.
53
Ibid. annex.
54
Ibid. preamble.
55
UNGA A/55/593, 16 November 2000.
56
UNGA 55/63 (4 December 2000) UN Doc A/RES/55/63.
57
UNGA A/57/529/Add.3 (n 36).
58
UNGA A/RES/55/63 (n 56) preamble.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
7 / Date: 7/5
JOBNAME: Tsagourias PAGE: 8 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
created new possibilities for criminal activity, in particular the criminal misuse of
information technologies’.59 Third, it ‘recogniz[ed] the need for cooperation between
States and private industry in combating the criminal misuses of information tech-
nologies’.60 Lastly, it noted the value of ten measures to combat the criminal misuse of
information technologies including, inter alia, eliminating safe havens for those who
criminally misuse information technologies;61 law enforcement cooperation amongst
concerned States;62 information sharing;63 the appropriate training of law enforcement
personnel;64 protecting the confidentiality, integrity and availability of data and
computer systems and ensuring criminal misuse is penalized;65 the preservation of and
quick access to electronic data pertaining to particular criminal investigations;66 the
timely investigation and exchange of evidence of the criminal misuse of information
technologies;67 increasing public awareness of the need to prevent and combat
criminality in this area;68 the designing of information technologies to help detect and
prevent criminal misuse, trace criminals and collect evidence;69 the development of
solutions taking into account both the protection of individual freedoms and privacy;
and the preservation of the capacity of governments to fight such criminal misuse.70
In 2001, a follow-up resolution – again, entitled ‘[c]ombating the criminal misuse of
information technologies’ – was introduced by the US and 73 other Member States,
again including the Russian Federation but not China, with eight Member States
joining later, and was adopted without a vote on 23 January 2002.71 This took note of
the measure set forth above, and again invited Member States to take them into account
in their efforts to combat the criminal misuse of information technologies.72
Several resolutions, sponsored by Italy, entitled ‘[s]trengthening the United Nations
Crime Prevention and Criminal Justice Programme, in particular its technical
cooperation capacity’ drew attention to the issue of ‘cyber crime’ and ‘the use of new
information technologies to abuse and exploit children’, and ‘invit[ed] the United
Nations Office on Drugs and Crime to explore, within its mandate, ways and means of
addressing these issues.’73
59
Ibid.
60
Ibid.
61
Ibid. para. 1(a).
62
Ibid. para. 1(b).
63
Ibid. para. 1(c).
64
UNGA A/RES/55/63 (n 56) para 1(d).
65
Ibid. para. 1(e).
66
Ibid. para. 1(f).
67
Ibid. para. 1(g).
68
Ibid. para. 1(h).
69
Ibid. para. 1(i).
70
Ibid. para. 1(j).
71
UNGA Res 56/121 (19 December 2001) UN Doc A/RES/56/121.
72
Ibid. para. 2.
73
UNGA Res 63/195 (18 December 2008) UN Doc A/RES/63/195; UNGA Res 64/179 (10
December 2009) UN Doc A/RES/64/179; UNGA Res 65/232 (21 December 2010) UN Doc
A/RES/65/232; UNGA Res 66/181 (25 July 2011) UN Doc A/RES/66/181, UNGA Res 67/189
(20 December 2012) UN Doc A/RES/67/189; UNGA Res 68/193 (18 December 2013) UN Doc
A/RES/68/193.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
8 / Date: 7/5
JOBNAME: Tsagourias PAGE: 9 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Lastly, the Third Committee adopted a resolution in 2013 entitled ‘[t]he right to
privacy in the digital age’.74 The Edward Snowden revelations earlier in the year were
a key reason for the adoption of this resolution. It was in this sense no surprise that its
two key sponsors were Brazil and Germany, the leaders of which were the main victims
of NSA surveillance operations. While it was first thought that the response of these
two States would be ‘an initiative on the international security front at the UN, in the
end, Brazil and Germany decided it was best to present the matter in the context of
respect for international human rights law and the right to privacy in particular’.75 In
this regard, the resolution emphasizes that ‘illegal surveillance of communications,
their interception and the illegal collection of personal data constitute a highly intrusive
act that violates the right to privacy and freedom of expression and may threaten the
foundations of a democratic society’.76 The resolution recalls the obligation of States to
‘ensure that measures taken to counter terrorism comply with international law’ and
recalls the privacy provisions of the International Covenant on Civil and Political
Rights as well as the Universal Declaration of Human Rights.77 The resolution calls
upon States ‘to take measures to put an end to violations of those rights’78 and, in doing
so, ‘establish independent national oversight mechanisms capable of ensuring trans-
parency and accountability of state surveillance of communications, their interception
and collection of personal data’.79 The resolution also requests that the UN High
Commissioner for Human Rights reports ‘on the protection of the right to privacy in the
context of domestic and extraterritorial surveillance of communications, their inter-
ception and collection of personal data’ and for a final report to be submitted by the
High Commissioner to the 2015 Session of the General Assembly.80
While this was undoubtedly an important development in the context of cyber-
security, it is also arguably true that ‘[t]he difficult political and legal questions
underlying references to “unlawful interference with privacy” and constraints on
“extraterritorial surveillance” will keep lawyers and diplomats busy for months if not
years to come’.81
Overall, and as demonstrated by the above sections, the UNGA has been active in
regards to discussing principles, elements, good practice, etc regarding the behaviour of
Member States in the context of cyber-security. However, what the above also arguably
shows is that ‘[a]t the multilateral level, the UN will have to begin to address the cyber
security issue in a more coherent fashion. The General Assembly can ill afford to have
two deliberative streams (i.e. the First and Third Committee) acting in ignorance of one
another’.82 Indeed, ‘[t]he airing of declaratory policy at the annual General Assembly
74
UNGA Res 68/167 (18 December 2013) UN Doc A/RES/68/167.
75
Meyer (n 7).
76
UNGA A/RES/68/167 (n 74) preamble.
77
Ibid.
78
Ibid. para. 4(b).
79
Ibid. para. 4(d).
80
Ibid. para. 5.
81
Meyer (n 7).
82
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
9 / Date: 7/5
JOBNAME: Tsagourias PAGE: 10 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
sessions should not substitute for purposeful action by states in more operational
forums to tackle the pressing problems raised by destabilizing state conducted cyber
operations’.83 In this respect, the establishment of several Groups of Governmental
Experts has been a significant development. Four GGEs have been established since
2004 that have examined the existing and potential threats from the cyber-sphere and
possible cooperative measures to address them. The purpose of this section is to give an
overview of the work of these groups.
Request[ed] the Secretary-General to consider existing and potential threats in the sphere of
information security and possible cooperative measures to address them, and to conduct a
study on [relevant international concepts aimed at strengthening the security of global
information and telecommunications systems], with the assistance of a group of governmental
experts, to be established in 2004, appointed by him on the basis of equitable geographical
distribution and with the help of Member States in a position to render such assistance, and
to submit a report on the outcome of the study to the General Assembly at its sixtieth
session.85
Yet, over the course of three meetings the GGE failed to even find the smallest
common denominator of agreement. It is perhaps quite unusual for such an outcome to
occur at the UN where an activity is usually only initiated when it is clear before it
starts that there is at least some smallest denominator that everyone can agree on.86 Yet,
the UN Secretary-General concluded in 2005 that it was due to ‘the complexity of the
issues involved’ that ‘no consensus was reached on the preparation of a final report’.87
A member of the Russian delegation at the GGE meetings claimed that ‘[t]he main
stumbling block was the question of whether international humanitarian law and
international law sufficiently regulate the security aspects of international relations in
cases of “hostile” use of ICTs for politicomilitary purposes’.88 The issue of whether
existing law sufficiently regulated cyber-threats is, as noted above, something that has
been an issue between Russia and the US. While Moscow urged the development of
83
Ibid.
84
Russia noted in its report to the UN Secretary-General that ‘the group will give the
international community a unique opportunity to examine the entire range of issues involved’.
UNGA ‘Developments in the field of information and telecommunications in the context of
information security: Report to the Secretary General’ (17 September 2003) UN Doc A/58/373.
85
UNGA Res 58/32 (8 December 2003) UN Doc A/RES/58/32 para. 4. The eventual GGE
consisted of governmental experts from 15 States: Belarus, Brazil, China, France, Germany,
India, Jordan, Malaysia, Mali, Mexico, the Republic of Korea, Russia, South Africa, UK, and
US. They unanimously elected Andrey V. Krutskikh of Russia as its Chairman.
86
Maurer (n 29) 22.
87
UNGA, Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security: Report of the Secretary-
General (5 August 2005) UN Doc A/60/202, 2.
88
Maurer (n 29) 22.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
10 / Date: 7/5
JOBNAME: Tsagourias PAGE: 11 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
new norms and rules Washington was of the opinion that ‘the law of armed conflict and
its principles of necessity, proportionality and limitation of collateral damage already
govern the use of such technologies’.89
Furthermore, the group was not able to agree on whether the discussions should
focus on ‘information content or information infrastructures’.90 The US and EU were,
as noted above, suspicious of the motives of Russia, more specifically that it was
attempting to limit the freedom of information under the guise of increasing infor-
mation and telecommunications security. Washington had clear concerns regarding any
‘extension to governments of the right to approve or ban information transmitted into
national territory from outside its borders should it be deemed disruptive politically,
socially or culturally’.91 Indeed, ‘US apprehensions stemmed from concerns that
authoritarian regimes would attempt to control the free flow of information using such
a mechanism and restrict freedom of speech and expression.’92
However, despite the lack of agreement, ‘the work of the GGE was not in vain as it
successfully raised the profile of the relevant issues on the international agenda’.93 In
addition, despite its notable failure the first GGE had initiated a certain momentum
within the UN to consider cyber security. As such, during the 60h session of the
UNGA, when the first GGE had been due to report, Member States adopted a
resolution in which they
The momentum that had developed as a result of the GGE initiative could only be
increased by the fact that between the adoption of the resolution in 2005 requesting the
establishment of a second GGE and its actual establishment in 2009 cyber-warfare had
begun to make the headlines, with the DDoS attack against Estonia in 2007 and then, in
2008, with cyber-conflict issues during the Georgian-Russian war.95 Yet, these events
89
UNGA, Developments in the field of information and telecommunications in the context
of information security: Report to the Secretary General (28 December 2004) UN Doc
A/59/116/Add.1.
90
‘Fact Sheet – Developments in the Field of Information and Telecommunications in the
Context of International Security, United Nations Office for Disarmament Affairs’ <http://unoda-
web.s3.amazonaws.com /wp-content / uploads/2013/06/Information_Security_Fact_Sheet.pdf>
accessed 28 September 2014.
91
UNGA A/59/116/Add.1 (n 89).
92
Prakesh and Baruah (n 2) 2.
93
Maurer (n 29) 22.
94
UNGA Res 60/45 (8 December 2005) UN Doc A/RES/60/45 para 4 [emphasis added].
95
It is perhaps worth noting that the classification of these two incidents as examples of
‘cyber-warfare’ is not absolutely certain and is still dependent to an extent on the emerging
consensus as to how to classify such incidents. See, in general, Michael Schmitt (ed.), Tallinn
Manual on the International Law Applicable to Cyber Warfare (CUP 2013).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
11 / Date: 7/5
JOBNAME: Tsagourias PAGE: 12 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
did not mean that agreement amongst the second group of experts was assured. On the
contrary, given the intensity of the situations and the parties involved things might
equally have gone the other way. As it happened, however, a consensus began to
emerge within the group with the inclusion in its report of some progressive steps.
96
The eventual GGE consisted of governmental experts from 15 States: Belarus, Brazil,
China, Estonia, France, Germany, India, Israel, Italy, Qatar, the Republic of Korea, Russia, South
Africa, UK, and US. Mr. Andrey V. Krutskikh (Russia) was unanimously elected to Chair the
Group.
97
UNGA, Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security: Note by the Secretary-General
(30 July 2010) UN Doc A/65/201.
98
Hathaway and others (n 8) 49.
99
UNGA A/65/201 (n 97) 2.
100
Ibid.
101
Ibid. 7. For more on this concept see section 2(b) above on the work of the Second
Committee.
102
Ibid. 6.
103
UNGA A/65/201 (n 97).
104
Ibid.
105
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
12 / Date: 7/5
JOBNAME: Tsagourias PAGE: 13 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
although ‘[g]iven the unique attributes of ICTs, additional norms could be developed
over time’.106
Arguably the most significant developments in the report of the second GGE,
however, were the five recommendations it made ‘for the development of confidence-
building and other measures to reduce the risk of misperception resulting from ICT
disruptions’107:
+ dialogue among States to discuss norms pertaining to State use of ICTs, to reduce
collective risk and protect critical national and international infrastructures;
+ confidence-building, stability, and risk reduction measures to address the impli-
cations of State use of ICTs, including exchanges of national views on the use of
ICTs in conflict;
+ information exchanges on national legislation, national ICT security strategies
and technologies, policies and best practices;
+ identification of measures to support capacity-building in less developed coun-
tries; and
+ the elaboration of common terms and definitions in connection with information
security.
With these recommendations, the GGE had begun to cement four progressive themes of
an emerging regulatory framework for cyber-security within the UNGA: common
understandings of acceptable State behaviour, practical cooperation, confidence-
building measures, and capacity-building measures. Though perhaps vague and, as the
UN Secretary-General noted, the international community had ‘only begun to develop
the norms, laws and modes of cooperation needed’,108 ‘these recommendations
represent real progress in overcoming a long impasse between the US and Russia over
how to address cyber-security issues. The cooperation may even suggest possibilities
for a future multilateral treaty under the auspices of the UN which Russia has been
advocating for some time’.109
However, in 2010, the year in which the report had been issued and during which
time the major WikiLeaks releases occurred and the Stuxnet attack against Iran had
begun to unfold, a further important turning point arose in enabling the work of the UN
to progress further and, in particular, establish further cooperation and normative
understandings. Indeed, as noted above, it was at this point that the US decided to
engage with other States to address the concerns it had over cyberspace and, in
particular, for the first time to co-sponsor the Russian draft resolution in the First
Committee.110 Overall, the US’s ‘support of the UN Resolution of 2009 (co-sponsored
with Russia) as well as the successful completion of the second GGE were signs
106
Ibid. 8.
107
Ibid. 8.
108
UNGA A/65/201 (n 97) 4.
109
Hathaway and others (n 8) 50.
110
UNGA Res 65/41 (8 December 2010) UN Doc A/RES/65/41. The resolution was
sponsored by three dozen counties including China.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
13 / Date: 7/5
JOBNAME: Tsagourias PAGE: 14 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
indicting this change’.111 Furthermore, and in an attempt to build upon the substantial
progress made in the report of the second GGE, the 2010 version of the resolution also
included a new request to the Secretary-General to establish a further GGE in 2012
which was to submit a report at the 68th session of the UNGA in 2013.112
111
Prakesh and Baruah (n 2) 4.
112
UNGA A/RES/65/41 (n 110), para. 4. Similar to previous resolutions noted above, this
paragraph stated that the UN Member States:
Request[ed] the Secretary-General, with the assistance of a group of governmental experts, to
be established in 2012 on the basis of equitable geographical distribution, taking into account
the assessments and recommendations contained in the above-mentioned report, to continue
to study existing and potential threats in the sphere of information security and possible
cooperative measures to address them, as well as [relevant international concepts aimed at
strengthening the security of global information and telecommunications systems], and to
submit a report on the results of this study to the Assembly at its sixty-eighth session.
Again, in 2011 the UNGA unanimously approved a resolution calling for a follow up to the last
GGE (See UNGA Res 66/24 (2 December 2011) UN Doc A/RES/66/24).
113
The following Member States participated in the GGE: Argentina, Australia, Belarus,
Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, Russia, UK and USA.
Ms. Deborah Stokes (Australia) was unanimously elected to Chair the Group.
114
UNGA, Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security: Note by the Secretary-General
(24 June 2013) UN Doc A/68/98.
115
UNGA, Letter dated 12 September 2011 from the Permanent Representatives of China,
the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the
Secretary-General (14 September 2011) UN Doc A/66/359, see appendix.
116
‘China, Russia and Other Countries Submit the Document of International Code of
Conduct for Information Security to the United Nations’, Foreign Ministry of People’s Republic
of China (13 September 2011) <http://nz.chineseembassy.org/eng/zgyw/t858978.htm> accessed
29 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
14 / Date: 7/5
JOBNAME: Tsagourias PAGE: 15 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
heart, it calls for multilateral governance of the Internet that would replace the
multistakeholder approach, where all users have a voice, with top-down control and
regulation by states’.117
The Code reflected the concerns of its sponsor States, in particular it restricted its
signatories from using ‘ICTs including networks to carry out hostile activities or acts of
aggression and pose threats to international peace and security. Not to proliferate
information weapons and related technologies’.118 However, the US was of the opinion
that
the draft Code appears to propose replacing existing international law that governs the use of
force and relations among states in armed conflict with new, unclear, and ill-defined rules and
concepts. Indeed, one of the primary sponsors of the draft Code has stated repeatedly that
long-standing provisions of international law, including elements of jus ad bellum and jus in
bello that would provide a legal framework for the way that states could use force in
cyberspace, have no applicability. This position is not justified in international law and risks
creating instability by wrongly suggesting the Internet is an ungoverned space to which
existing law does not apply.119
Furthermore, the Code suggested ‘that policy authority for Internet-related public issues
is the sovereign right of States, which have rights and responsibilities for international
Internet-related public policy issues’. The Code contained clauses curbing ‘dissemina-
tion of information which incites terrorism, secessionism, extremism or undermines
other countries’ political, economic and social stability, as well as their spiritual and
cultural environment’.120 However, the US was clear that:
Ultimately, there was little support for the draft Code of Conduct which had little
impact upon the report of the third GGE. However, the third GGE ‘made significant
progress on agreeing on some of the defining aspects’ of cyber-security.122 As with the
report of the second GGE and resolutions of the three committees of the UNGA, the
report again noted the immense benefits brought by ICTs but also recognized their
dual-use capabilities in that they could be used ‘for purposes that are inconsistent with
international peace and security’.123 Similarly, it again noted the problem whereby the
117
Statement by Delegation of the United States of America, ‘Other Disarmament Issues and
International Security Segment of Thematic Debate in the First Committee of the Sixty-seventh
Session of the United Nations General Assembly’ (2 November 2013) <http://www.state.gov/t/
avc/rls/200050.htm> accessed 28 September 2014.
118
International Code of Conduct for Information Security (n 16).
119
Statement by Delegation of the United States of America (n 117).
120
International Code of Conduct for Information Security (n 16).
121
Statement by Delegation of the United States of America (n 117).
122
Prakesh and Baruah (n 2) 5.
123
UNGA A/68/98 (n 114) 6.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
15 / Date: 26/3
JOBNAME: Tsagourias PAGE: 16 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
actors involved ‘often act with impunity’ and their malicious use of ICTs ‘is easily
concealed and attribution to a specific perpetrator can be difficult’.124
The report then focused on building upon the four progressive themes of the
emerging regulatory framework for cyber-security within the UNGA: practical
cooperation, common understandings of acceptable State behaviour, confidence-
building measures, and capacity-building measures, and offered recommendations in
respect to each including the important role of the private sector and civil society in any
efforts. Where perhaps the report made most progress, however, was in its recom-
mendations on ‘norms, rules and principles of responsible behavior by States’. It was
first noted that ‘[t]he application of norms derived from existing international law
relevant to the use of ICTs by States is an essential measure to reduce risks to
international peace, security and stability’.125 This was important, given the debate
noted above between the US and the Russian Federation on this issue. If the report had
left it at that, question marks would have remained over what the GGE had meant when
it referred to ‘existing international law’. However, it went on to note that ‘international
law and in particular the United Nations Charter, is applicable and is essential to
maintaining peace and stability and promoting an open, secure, peaceful and accessible
ICT environment’.126 This affirmation of the UN Charter, and perhaps in particular its
rules on the non-use of force and self-defence, was significant. As the report noted
further, ‘State sovereignty and the international norms and principles that flow from
sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction
over ICT infrastructure within their territory.’127
On this subject, the report was also clear that ‘State efforts to address the security of
ICTs must go hand-in-hand with respect for human rights and fundamental freedoms
set forth in the Universal Declaration of Human Rights and other international
instruments.’128 This was a significant step that allayed some of the fears of Western
States with regard to attempts by certain States to curb free use of the Internet. Lastly
on the subject of the applicability of existing international law the report noted that
‘States must meet their international obligations regarding internationally wrongful acts
attributable to them.’129
However, the report was clear that further work was needed in this context. Indeed, it
stressed, again, that ‘[c]ommon understandings on how such norms shall apply to State
behavior and the use of ICTs by States requires further study’.130 What was also
notable was its recognition that ‘[g]iven the unique attributes of ICTs, additional norms
could be developed over time’, something which was arguably attributable to the efforts
of some States to do just that.131
124
Ibid.
125
Ibid. 8 [emphasis added].
126
Ibid.
127
Ibid.
128
Ibid.
129
Ibid.
130
Ibid.
131
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
16 / Date: 26/3
JOBNAME: Tsagourias PAGE: 17 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
In his Foreword to the new report, the UN Secretary-General noted the ‘broad
recognition that misuse [of ICTs] poses risks to international peace and security’.
However, he also specifically
appreciate[d] the report’s focus on the centrality of the Charter of the United Nations and
international law as well as the importance of States exercising responsibility. The recom-
mendations point the way forward for anchoring ICT security in the existing framework of
international law and understandings that govern State relations and provide the foundation
for international peace and security.132
132
Ibid. 4. The centrality of the UN Charter in this context has also been noted by several
commentators: ‘At the heart of the system is the UN Charter. It provides the legal framework
which is the most accurate way to conceptualize the relationships between its various entities.’
See Maurer (n 28) 12.
133
UNGA Res 68/243 (27 December 2013) UN Doc A/RES/68/243.
134
Meyer (n 7).
135
Ibid.
136
UN Charter (1945) art 25.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
17 / Date: 7/5
JOBNAME: Tsagourias PAGE: 18 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
+ identify and bring together stakeholders and partners on the abuse of the Internet
for terrorist purposes, including using the web for radicalization, recruitment,
training, operational planning, fundraising and other means;
+ explore ways in which terrorists use the Internet;
+ quantify the threat that this poses and examine options for addressing it at
national, regional and global levels; and
+ examine what role the UN might play.
The work of the Working Group began with a ‘mapping exercise of relevant laws,
conventions, resources and initiatives’.141 This was based on information provided by
various Member States, interviews conducted with various stakeholders, and publicly
available information. A stakeholders’ meeting was held in November 2008 which
‘focused on creating common understanding among sectors which may have divergent
ideas on countering use of the Internet for terrorist purposes, with the ultimate aim of
determining what if any international action might be appropriate’.142
As a result, the Working Group published its first report in February 2009 which
analyzed information provided by Member States and reflected the conclusions of the
137
UNSC Res 1373 (28 September 2001) UN Doc S/RES/1373 para 6.
138
This was endorsed by the UNGA Res 60/288 (20 September 2006) UN Doc A/RES/60/
288 para 5.
139
Ibid. sec II, para 12.
140
See Counter-terrorism Implementation Task Force, ‘Working Group on Countering the
Use of the Internet for Terrorist Purposes’ <http://www.un.org/en/terrorism/ctitf/wg_
counteringinternet.shtml> accessed 28 September 2014.
141
Ibid.
142
Ibid.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
18 / Date: 26/3
JOBNAME: Tsagourias PAGE: 19 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
+ States that apply existing cyber-crime legislation to terrorist use of the Internet;
+ States that apply existing counter-terrorism legislation to Internet-related acts; and
+ States that have enacted specific legislation on terrorist use of the Internet.
143
UN Counter-terrorism Implementation Task Force, Report of the Working Group on
Countering the Use of the Internet for Terrorist Purposes (February 2009) <http://www.un.org/
en/terrorism/ctitf/pdfs/wg6-internet_rev1.pdf> accessed 28 September 2014.
144
UN Counter-terrorism Implementation Task Force, Countering the Use of the Internet for
Terrorist Purposes: Legal and Technical Aspects (May 2011) <http://www.un.org/en/terrorism/
ctitf/pdfs/WG_Compendium-Legal_and_Technical_Aspects_2011.pdf> accessed 28 September
2014.
145
For the conference summary and follow-up/recommendations see UN Counter-terrorism
Implementation Task Force, ‘CTITF Working Group on Use of the Internet for Terrorist
Purposes Riyadh Conference on “Use of the Internet to Counter the Appeal of Extremist
Violence’ (January 2011) <http://www.un.org/en/terrorism/ctitf/pdfs/ctitf_riyadh_conference_
summary_recommendations.pdf> accessed 28 September 2014.
146
Ibid. 1.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
19 / Date: 7/5
JOBNAME: Tsagourias PAGE: 20 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
identifying the target audience, crafting effective messages, identifying credible mes-
sengers, and using appropriate media to reach vulnerable communities’.147 The
Conference ‘agreed that Governments might not always be best placed to lead this
work and needed the cooperation of civil society, the private sector, academia, the
media and victims of terrorism’.148 Importantly, it was also agreed that ‘[g]iven the
global nature of terrorist narratives and the need to counter them in the same space,
there was a special role for the United Nations in facilitating discussion and action’.149
The Commission on Crime Prevention and Criminal Justice (CCPCJ) was established
by ECOSOC in 1992 and acts as the principal policymaking body of the UN in the
field of crime prevention and criminal justice.151 The first session of the Commission
took place in 1992 with its work focusing on, as its name might suggest, crime and
justice. In this respect, in 1998 the Commission requested the UNGA to include in the
agenda of the Tenth Crime Congress a workshop on ‘crimes related to the computer
network’.152 The following year, in 1999, the Commission also proposed a draft
resolution for ECOSOC on the ‘Work of the United Nations Crime Prevention and
Criminal Justice Programme’ requesting the Secretary-General to conduct a study on
effective measures that could be taken at national and international levels to prevent
147
UN Counter-terrorism Implementation Task Force (n 145).
148
Ibid.
149
Ibid.
150
See ECOSOC, ‘2010 ECOSOC General segment briefing on “Cyber security: emerging
threats and challenges” – Background note’ <http://www.un.org/en/ecosoc/julyhls/pdf10/gs_
briefing_background_note.pdf> accessed 28 September 2014. and ECOSOC, ‘Special Event on
Cybersecurity and Development – Informal summary’ (9 December 2011) <http://www.un.org/
en/ecosoc/cybersecurity/summary.pdf> accessed 28 September 2014 respectively.
151
ECOSOC Res 1992/1 (6 February 1992). This was upon a request of the UNGA Res
46/152 (18 December 1991) UN Doc A/RES/46/152.
152
ECOSOC E/1998/30-E/CN.15/1998/11.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
20 / Date: 26/3
JOBNAME: Tsagourias PAGE: 21 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
and control computer-related crimes in light of the workshop at the Tenth Crime
Congress and to report on his results at CCPCJ’s tenth session.153
The ultimate result of the consideration given to such crimes at the Tenth Crime
Congress in 2000 was the adoption by the UNGA of the Vienna Declaration on Crime
and Justice, in which Member States
At the CCPCJ’s tenth session in 2001 a plan of action for implementing the Vienna
Declaration was adopted including ‘[a]ction against high-technology and computer
related crime’ which recommended a series of national and international measures.155
What was noticeable is that up until this point the focus had been on computer crime as
opposed to ‘cyber’ crime and security.156 Indeed, it was only in the CCPCJ’s 2002
report that the term ‘cyber’ was mentioned for the first time,157 with a call for a UN
convention on ‘cybercrime’ appearing in its 2004 report.158 However, despite this
activity it was only in 2010 that cyber-crime became a prominent theme in its annual
reports, with some speakers again bringing up the possibility of global convention
against cyber-crime.159 It was also notable the extent to which cyber-issues were
prominent in the various issues discussed, including in the use of information
technologies to exploit children, economic fraud and identity-related crime, and
activities relating to combating cyber-crime including technical assistance and capacity-
building. Subsequent reports have included discussion on, for example, cyber-crime in
connection with the trafficking of cultural property,160 and organized crime.161
Furthermore, ECOSOC and the UNGA requested the CCPCJ to establish, in line
with paragraph 42 of the Salvador Declaration on Comprehensive Strategies for Global
Challenges: Crime Prevention and Criminal Justice Systems and Their Development in
a Changing World, an open-ended intergovernmental expert group on cyber-crime.162
This group was to conduct a comprehensive study of the problem of cyber-crime and
responses to it by Member States, the international community and the private sector,
153
ECOSOC Res 1999/23 (28 July 1999). For the report of the UN Secretary General see
ECOSOC E/CN.15/2001/4.
154
‘Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-first
Century, UNGA Res 55/59 (4 December 2000) para. 18.
155
ECOSOC E/2001/30/Rev.1-E/CN.15/2001/13/Rev.1
156
Maurer (n 28) 37.
157
ECOSOC E/2002/30-E/CN.15/2002/14.
158
ECOSOC E/2004/30–E/CN.15/2004/16. This was by the representative of Thailand.
159
ECOSOC E/2011/30-E/CN.15/2011/21.
160
ECOSOC E/2014/30 E/CN.15/2014/20.
161
Ibid.
162
ECOSOC Res 2010/18 (22 July 2010); UNGA Res 65/230 (21 December 2010) UN Doc
A/RES/65/230.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
21 / Date: 7/5
JOBNAME: Tsagourias PAGE: 22 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
The Commission on Narcotic Drugs has focused on the use and abuse of the Internet
only from a drug trafficking perspective in line with its functional mandate and did so
as early as 1996.166 In 2000 the Commission eventually adopted a resolution solely
focused upon and titled ‘Internet’ which was brought to the attention of ECOSOC.167
After the adoption of this resolution there was no further specific resolution on the
Internet or cyber-issues, although repeated references were made to it as part of
the Commission’s discussions. However, in 2004, in reference to the 2000 resolution,
the Commission prepared a draft resolution for ECOSOC on the ‘Sale of inter-
nationally controlled licit drugs to individuals via the Internet’.168 In 2005, the
Commission prepared a further resolution for ECOSOC entitled ‘Strengthening inter-
national cooperation in order to prevent the use of the Internet to commit drug-related
crimes’169 while in 2007 prepared a similar resolution on ‘International cooperation in
preventing the illegal distribution of internationally controlled licit substances via the
Internet.’170
163
The report on that meeting is contained in document UNODC, ‘Report on the meeting of
the open-ended intergovernmental expert group to conduct a comprehensive study of the
problem of cybercrime held in Vienna from 17 to 21 January 2011’ (31 March 2011) UN Doc
UNODC/CCPCJ/EG.4/2011/3.
164
UNGA A/RES/67/189 (n 73).
165
The report on that meeting is contained in document UNODC ‘Open-ended inter-
governmental expert group on cybercrime: Draft report’ (28 February 2013) UN Doc UNODC/
CCPCJ/EG.4/2013/L.1.
166
ECOSOC ‘Commission on Narcotic Drugs: Report on the forty-second session’ (1999)
UN Doc E/1999/28/Rev.1.
167
ECOSOC CND Res 43/8 (15 March 2000).
168
ECOSOC Res 2004/42 (21 July 2004).
169
ECOSOC CND Res 48/5 (2005).
170
ECOSOC CND Res 50/11 (2007).
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
22 / Date: 7/5
JOBNAME: Tsagourias PAGE: 23 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
+ legal measures;
+ technical and procedural measures;
+ organizational measures;
+ capacity-building; and
+ international cooperation.
+ developing model legislation for Member States to adopt. The ITU has also
developed a tool kit for cyber-crime legislation with sample language including
171
Maurer (n 28) 30.
172
See ITU, ‘Global Cybersecurity Agenda (GCA)’ <http://www.itu.int/osg/csd/cyber
security/gca/global_strategic_report/global_strategic_report.pdf> accessed 28 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
23 / Date: 7/5
JOBNAME: Tsagourias PAGE: 24 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
The ITU Secretary-General has taken on a particularly visible role in the cyber-security
agenda of the ITU. For example, at the 2010 World Telecom Development Conference
in Hyderabad he proposed a ‘no first attack vow’ for cyberspace and that States ‘should
undertake not to harbour cyberterrorists and attackers in their country unpunished’173 as
well as drafting five principles of cyber-peace.174 More recently in 2014, the ITU, along
with the United Nations Children’s Fund, and partners of the Child Online Protection
Initiative, released updated Guidelines to strengthen online protection for children.175
The ITU’s initiatives in the context of Child Online Protection have ‘been identified as
an effort whose merit all states agree on and where trust can be built so that
socialization effects could potentially produce positive spill over effects for the broader
cyber-security agenda’.176
173
Henning Wegener, ‘Cyber peace’ in International Telecommunication Union and World
Federation of Scientists, The Quest for Cyber Peace (ITU 2011) 81 <http://www.itu.int/dms_
pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf> accessed 28 September 2014.
174
Ibid. 78.
175
See ITU, ‘COP Guidelines’ <http://www.itu.int/en/cop/Pages/guidelines.aspx> accessed
28 September 2014.
176
Maurer (n 28) 30.
177
See United Nations Institute for Disarmament Research, ‘Cyber’ <http://www.unidir.org/
est-cyber> accessed 28 September 2014.
178
Maurer (n 28) 28.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
24 / Date: 7/5
JOBNAME: Tsagourias PAGE: 25 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
Although cyber-security is not formally within the domain of the UN Office on Drugs
and Crime (UNODC), the Third Committee of the UNGA first requested for UNODC
to become involved in technical assistance specifically relating to ‘cyber crime’ in
2008.180 Member States officially requested UNODC to work on the use of the Internet
for terrorist purposes for the first time at the 20th session of the Commission on Crime
Prevention and Criminal Justice in April 2011 after it was first mentioned at the 19th
session the year before. UNODC’s Terrorism Prevention Unit contributed to a CTITF
publication in 2012 for law enforcement investigators and criminal justice officers in
connection with cases involving ‘[t]he use of the internet for terrorist purposes’.181 It
also took the lead in the 2013 Global Programme on Cybercrime which, as described
above,182 had been initiated by the CCPCJ and which aimed to assist Member States in
strengthening existing national and international legal responses to cybercrime.
6. CONCLUSION
As with many areas of international life, events within the UN in the context of
cyber-security have arguably been overtaken by events on the ground, and the UN is
struggling to catch up. The functioning of the UN in this or, indeed, any area of
activity, is down to the will and ability of its Member States. While there remains a
clear divide within the international community regarding the focus of any emerging
regulatory framework and the underlying approach to govern cyberspace there has been
a discernable shift in the will among States to take action to regulate activity within
cyberspace in some form. Indeed, we have witnessed a distinct shift in activity, and
perhaps momentum towards something substantial and meaningful being achieved
within and by the UN.
Finnemore and Sikkink perceptively observed that ‘[n]orms do not appear out of thin
air; they are actively built by agents having strong notions about appropriate or
desirable behaviour in their community’.183 While this chapter has only been able to
offer a somewhat limited account of the activities of the UN and its Member States in
this area, achievements can be seen in the number of UNGA resolutions adopted in
various committees, the increasing number of sponsors of these resolutions, the
179
Ibid.
180
UNGA A/RES/63/195 (n 37).
181
UNODC, ‘The use of the internet for terrorist purposes’ (UN, 2012) <http://
www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf> accessed 28
September 2014.
182
See section 4(a) above on the CCPCJ.
183
Martha Finnemore and Kathryn Sikkink, ‘International norm dynamics and political
change’ (1998) 52(4) Int’l. Organization 887, 894–6.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
25 / Date: 7/5
JOBNAME: Tsagourias PAGE: 26 SESS: 5 OUTPUT: Mon May 18 10:36:31 2015
progressive work of the GGEs, and the work on the issue of cyber-security taking place
across a range of organs, agencies and bodies. Furthermore, while certain concerns
have been continuously repeated in the UNGA since 1998, in particular the need for
advancing ICTs but with caution over their dual-use nature, there has also been
continuous, if sometimes sluggish, progress in finding common ground and elaborating
upon it. Indeed, the need for practical cooperation between not just States but also
between States and other stakeholders, the need to develop common understandings of
acceptable State behaviour, and the need for confidence-building, transparency and
capacity-building measures have become themes cemented most visibly within the
discourse of the GGEs but also discernable in the work of the other UN organs.
Dialogue and communication between the various UN organs, bodies and groups now
needs to be improved to enable further integrated concerted action and norm develop-
ment.
Yet, it would be shortsighted to think that a regulatory framework can emerge solely
within the forum of the UN. Indeed, the UN itself has continuously noted the valuable
efforts that have been made by international organizations and regional entities in this
area, such as the African Union, ASEAN, the Council of Europe, ECOWAS, the EU,
and the Shanghai Cooperation Organization, to name a few. However, States have also
begun to act bilaterally in seeking to cooperate, come to common understandings, and
build confidence and transparency between them in their operations in cyberspace. A
good example of this is the working group on cyber-security recently established
between the US and China.184 With US concerns regarding a new international
regulatory framework in the form of a treaty still visible, the application of existing
international rules and norms along with the existence of softer, albeit complex,
regulation in this area looks set to continue for some time yet.
184
BBC News, ‘US and China to set up cyber security working group’ (13 April 2013)
<http://www.bbc.co.uk/news/world-asia-china-22137950> accessed 28 September 2014.
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter22 /Pg. Position:
26 / Date: 7/5
JOBNAME: Tsagourias PAGE: 1 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index
491
Nicholas Tsagourias and Russell Buchan - 9781782547389
Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 1 / Date: 8/5
JOBNAME: Tsagourias PAGE: 2 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 2 / Date: 8/5
JOBNAME: Tsagourias PAGE: 3 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 493
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 3 / Date: 8/5
JOBNAME: Tsagourias PAGE: 4 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 4 / Date: 8/5
JOBNAME: Tsagourias PAGE: 5 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 495
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 5 / Date: 8/5
JOBNAME: Tsagourias PAGE: 6 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 6 / Date: 8/5
JOBNAME: Tsagourias PAGE: 7 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 497
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 7 / Date: 8/5
JOBNAME: Tsagourias PAGE: 8 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 8 / Date: 8/5
JOBNAME: Tsagourias PAGE: 9 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 499
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 9 / Date: 8/5
JOBNAME: Tsagourias PAGE: 10 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 10 / Date:
8/5
JOBNAME: Tsagourias PAGE: 11 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 501
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 11 / Date:
8/5
JOBNAME: Tsagourias PAGE: 12 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
information sharing and mutual assistance European Court of Human Rights (ECtHR)
412 Balan v Moldova 72
institutional framework 408–10 Infopaq 82, 86
international cyberspace policy, intellectual property rights 77
establishment of coherent 414 national differences on freedom of
Internet regulation 406 expression 100, 101
Lisbon Treaty 403–4, 413, 416, 420–21 originality for computer programs and
policies on cybercrime and cybersecurity databases 86
410–14 Yildirim v Turkey 53, 101
principle of conferral 405, 419–20 see also EU cybersecurity law
private actor involvement 410, 412 European Court of Justice (CJEU)
States’ operational capability, strengthening
Donner (Free Movement of Goods) 45
412
ECOWAS (Small Arms and Light Weapons)
Stockholm Programme 410
technological resources, development of 422
413–14 European Parliament v Council of the
TEU mutual defence clause 418 European Union 424
TEU ‘non-contamination clause’ 421–3 Gambelli 41–2
TEU, ‘Union’s External Action’ 413 Google Spain v Agencia Española de
TFEU data protection rules 416–17 Protección de Datos 44–5
TFEU on establishment and functioning of L’Oréal v eBay International 45
the internal market 416 Mauritius 419, 423
TFEU on judicial cooperation in criminal Pammer and Hotel Alpenhof 45–6
matters 415 Pinckney v KDG Mediatech 46
TFEU solidarity clause 417–18 role of see EU cybersecurity law, legal basis
see also European Court of Human Rights choice and role of Court of Justice
(ECtHR); European Court of Justice Wintersteiger v Products 4U 48
(CJEU) see also EU cybersecurity law
EU cyber security law, legal basis choice and European Network and Information Security
role of Court of Justice 419–24 Agency (ENISA) 258
‘centre of gravity’ approach’ 423 European Parliament and solidarity clause
comprehensive approach, need for 421–4 417–18
cyber defence issues 423, 424 European Patent Convention (EPC) 78, 81,
principle of consistency 420 83–4, 91
EU cyber security law, legal instruments, extradition 199–200
fragmentation in 414–19 see also Snowden (Edward) revelations
Directive proposal for measures to ensure a
high common level of network and Fanelli, R 232
information security 415–16 Fassbender, B 175
EU Framework Decision on attacks against Fawcett, J 72, 73, 82, 83
information systems 415 Feakin, T 446, 449, 457, 458, 463
European Parliament and solidarity clause Fedosov, S 436
417–18 Feinstein, L 277
General Data Protection Regulation Fenrick, W 132
proposal 416–17 Ficsor, M 74
judicial cooperation 415 Fidler, D 94–117, 172, 174, 178, 179, 188,
mainstream cyberspace issues into EU 189, 203, 223, 226
external relations proposal 419 Fildes, J 261
Regulation proposal on electronic Finnemore, M 489
identification and trust services for Fitzmaurice, G 32
electronic transactions 416 Fleck, D 226, 382, 384, 386
European Convention on Human Rights Fleming, P 148, 150
(ECHR) 100, 199, 204 Flory, P 293
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 12 / Date:
8/5
JOBNAME: Tsagourias PAGE: 13 SESS: 3 OUTPUT: Mon May 18 10:36:31 2015
Index 503
Focarelli, C 75, 148, 188, 226, 228, 241, Gill, T 134, 149, 161, 183, 214, 224, 226,
255–83, 300, 312 228, 307, 308, 311, 314, 316, 361,
Føllesdal, A 404 366–79
Foltz, A 330 Gillet, M 138
force Gioia, A 390
armed force and conflict see armed force Gjelten, T 97, 307, 309, 436
and conflict Glennon, M 278, 346
cyber operations as use of see cyber global commons see cyberspace, legal status,
operations as use of force cyberspace as global commons
Forcese, C 185 Global Network Initiative (GNI) 115
Ford, C 468 Goel, S 307
Forowicz, M 134 Goetz, M 212
Forseberg, T 18 Goldsmith, J 13, 16, 21, 119, 125, 126, 131,
France 38, 78, 110 139, 187, 241
Franck, T 277 Gombeer, K 281
Franzese, P 182 Goodman, S 448
Freedman, L 215 Google cyber attack 168, 184
Friedman, A 213 Gorman, S 324, 332
Gosnell Handler, S 236
Gable, K 165 Govaere, I 404
Garcia-Mora, M 185 Graber, C 21
Gardam, J 301 Graham, M 256
Garside, J 52 Gray, C 271, 274
Gasser, H-P 161 Green, L 385
Gattegno, I 164 Greenberg, L 358, 361
Gazmin, V 450 Greenwald, G 284, 297
Geers, K 342 Greenwood, C 120, 277, 329, 368
Geiss, R 125, 132, 133, 134, 135, 137, 341 Griller, S 420
Gellman, B 115 Grimm, D 23
Geneva Conventions Gross, D 256
armed conflict and attack 122, 123–4, 142, Gross, M 308
241–2, 282, 327, 328, 329, 352, 367–8, Grotius, H 25, 76
371–2, 376, 398 Guelff, R 385
civilians taking ‘direct part in hostilities’ 128 Guitton, C 330
collateral damage to civilian objects 373,
374 Haaster, J van 23, 211, 227, 230, 231
and international humanitarian law 120, hackers 56, 157, 158, 213, 334–5, 348–9, 398
129, 130, 131, 134, 135, 136, 137, 172, see also botnets and remote control;
343, 371–2 malware; virus attacks
non-international armed conflict 126, 161, Hagopian, A 310
336, 339–40, 362 Hague Convention 134, 327, 385–7, 391, 393,
principle of distinction 130, 133, 344, 345, 394, 396–7, 398, 399
362 Hanifah, A 448
principle of precaution 136, 137 Hankel, G 134
principle of proportionality 134, 135 Hanspach, M 212
Georgia, cyber attacks 56, 243, 260–62, 277, Hardin, G 28
319, 349–50, 391–2, 439, 466, 475–6 Hardin, R 339
Germany 38, 39–40, 41, 43 Hardt, S 228
and US NSA cyber espionage 62–3, 113, Haslam, E 123, 124
178, 179–80, 184, 473 Hathaway, O 118, 122, 125, 126, 127, 131,
Gervais, M 138–9 135, 139, 347, 466, 476, 478
Gharibi, H 234 Healey, J 219, 223, 428
Gibson, W 22 Heath, K 75, 147–67, 191
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 13 / Date:
15/5
JOBNAME: Tsagourias PAGE: 14 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 14 / Date:
8/5
JOBNAME: Tsagourias PAGE: 15 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 505
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 15 / Date:
8/5
JOBNAME: Tsagourias PAGE: 16 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
International Criminal Court see Prosecutor v Tadić 60, 121, 125, 126, 127,
International Criminal Court (ICC) 278, 327, 328, 334, 335, 336–7, 345,
international criminal responsibility concept 348, 368, 384
120 international humanitarian law
jurisdiction for cyber attacks 120 and classification of cyber warfare 326–7,
Tallinn Manual see Tallin Manual 331–2, 335, 336, 339–40
see also cybercrime international criminal responsibility, cyber
international criminal responsibility, cyber attacks as war crimes 129–37
attacks and crime of aggression 120, principal of distinction see principle of
137–41 distinction
‘act of aggression’ 137, 138–41 see also human rights
leadership clause 137–8 international humanitarian law applied to
use of any weapons 139 cyber warfare 366–79
use of armed force 138–9 attacks of a perfidious nature, banning of
international criminal responsibility, cyber 374
attacks as war crimes 121–37 collateral effects and feasible precautions
armed conflict, existence of 121–6 373
civilians lose immunity from attack if they conducting of attacks, law of armed
take ‘direct part in hostilities’ 128 conduct relating to 371–4
cyber attacks causing excessive collateral cyber attacks as adjunct to traditional means
damage and principle of 370–71
proportionality 134–6 cyber surveillance and espionage 369
data as a protected object 131 cyber terrorism 369–70
delimitation problems and principle of Geneva Convention see Geneva Convention
distinction 130–31 geographical scope of armed conflict 368–9
determining whether armed force has been International Humanitarian Law or Law of
applied 122–3 Armed Conflict (IHL/LOAC) 366–71
dual-use of cyber infrastructure and non-international armed conflicts 368
principle of distinction 131–3 principle of distinction 372
duration of participation 124–5, 129 principle of proportionality in attacks
and Geneva Convention see Geneva against civilians or civilian objects
Convention 372–3
geographical scope of armed conflict 126–7 prohibition of means of attack not directed
intensity of attack 124–5 at specific military objectives 373–4
interconnectivity between military and rules relating to the targeting of persons and
civilian computer systems 131–3 objects 372
international humanitarian law (IHL) self-defence in response to armed attack
principles 129–37 369
minor disruptions 124 stand-alone cyber attacks 369–70
principle of distinction 130–33, 135 targeting of objects directly converted into a
principle of precaution 136–7 military function 374
principle of proportionality 134–6 weapons or methods of combat which
prohibition of indiscriminate attacks and would cause superfluous injury to
principle of distinction 133 enemy combatants, restrictions on 374
quality of attacks 124–5 international humanitarian law applied to
responsible agent 127–9 cyber warfare, principle of
violent effects of CNA producing lasting proportionality in attacks employing
harmful result 123–4 cyber weapons 374–8, 379
International Criminal Tribunal for the Former any attack not reasonably likely to cause
Yugoslavia (ICTY) physical effects upon civilians or
armed conflict definition 121–2 civilian objects 376–7
Prosecutor v Galic 135, 161, 373 data destruction 375–6
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 16 / Date:
8/5
JOBNAME: Tsagourias PAGE: 17 SESS: 4 OUTPUT: Mon May 18 10:36:31 2015
Index 507
dual use function and collateral effects see also computer systems; cyber attacks
377–8 Iran 169, 182, 390
military ‘information operations’ not Iran–US Claims Tribunal, Yeager v Islamic
considered as attack 375 Republic of Iran 60–61
operations considered as mere Stuxnet attack 56, 133, 153, 212, 243, 261,
inconvenience 375 288, 308, 310, 315, 316, 318, 322, 324,
International Law Commission (ILC) 57–9, 330, 361, 370, 376–7, 466
66, 125–6 Iraq 141, 350, 390–91
international law and cyber espionage see Israel 276–7, 285, 341
cyber espionage and international law
International Multilateral Partnership Against Jacobs, D 61
Cyber Threats (IMPACT) 257 James, A 16
international obligation breach, and State Jamnejad, M 183, 250, 252
responsibility see State responsibility, Janczewski, L 229
international obligation breach Japan 448
international peace and security threat, cyber Jaycox, M 223
espionage see cyber espionage and Jennings, P 446
international law, as threat to Jennings, R 182, 186
international peace and security Jensen, E 268, 291, 327, 361, 397
international relations, and cyberspace see Jewkes, Y 157
human rights, international relations and Johnson, D 2, 13, 16, 37–8
cyberspace Johnson, R 245
international substantive law, and cybercrime Jordan, D 227
192–8 Joubert, V 429, 435
International Telecommunication Regulations Joyner, C 236, 265
(ITRs) 111–12 jurisdiction see cyberspace jurisdiction
International Telecommunication Union (ITU)
165, 257 Kaesling, K 81
International Tribunal of the Law of the Sea Kahn, J 296
(ITLOS), due diligence concept 66 Kamal, A 29
Internet Kammerhofer, J 277
access as new human right 109–10 Kanuck, S 19
blocking network services 20, 319, 323 Kaplan, D 308
censorship 100–102 Kastenberg, J 392
and cyberspace, differences in meaning Kastner, P 148, 149, 190–207, 223, 265, 407,
55–6 460, 466
and data transmission, law of neutrality Katz, J 283
398, 399 Kaurin, P 317
domain names 21–2, 74, 76, 79, 92, 116 Kegel, G 78
freedom and Internet sovereignty contrasts Keller, H 134
111 Kelsey, J 343, 346, 353, 360, 361, 396
general use by terrorist groups 150 Kemp, G 139
‘Internet sovereignty’ perspective 98 Ker, P 159
neutrality 476 Kerr, O 201
online gambling 40–42, 47 Kessler, O 119, 123, 125, 139
regulation 111–12, 220–21, 406 Keyser, M 418
service providers, liability and Kimmel, P 324
responsibility 203, 205 kinetic effects equivalency (KEE) test see
social networks as targets 361 principle of distinction, relevance of,
technology, and human rights see human kinetic effects equivalency (KEE) test
rights, Internet technology and Kingbury, K 324
international politics Kirkpatrick, D 219
territorial fragmentation 52–3 Kirsch, S 156
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 17 / Date:
15/5
JOBNAME: Tsagourias PAGE: 18 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 18 / Date:
8/5
JOBNAME: Tsagourias PAGE: 19 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 509
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 19 / Date:
8/5
JOBNAME: Tsagourias PAGE: 20 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 20 / Date:
8/5
JOBNAME: Tsagourias PAGE: 21 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 511
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 21 / Date:
8/5
JOBNAME: Tsagourias PAGE: 22 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 22 / Date:
8/5
JOBNAME: Tsagourias PAGE: 23 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 513
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 23 / Date:
8/5
JOBNAME: Tsagourias PAGE: 24 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 24 / Date:
8/5
JOBNAME: Tsagourias PAGE: 25 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 515
regulation of cyber security see UN and the Groups of Governmental Experts (GGEs),
regulation of cyber security, General Second Group, ICT disruptions and
Assembly (UNGA) risk 477, 480–81
Resolution on misuse of information Groups of Governmental Experts (GGEs),
technologies 280 Third Group 478–81
UN Global Counter-Terrorism Strategy 151 Second Committee (Economic and
UN Hostages Convention 154 Financial Committee) and Global
UN Internationally Protected Persons Culture of Cyber-security initiative
Convention 154 469–71
UN Office of Drugs and Crime (UNODC), Second Committee, global culture of cyber
cyber terrorism definition 147, 150 security 470–71
Second Committee, voluntary
UN and the regulation of cyber security
self-assessment tool for national efforts
465–90
471
differences on fundamental issues between Third Committee (Social, Humanitarian and
Eastern and Western States 466 Cultural Committee) 471–3, 489
Economic and Social Council (ECOSOC) Third Committee (Social, Humanitarian and
484–6 Cultural Committee), resolution
emerging regulatory framework for cyber combating the criminal misuse of
security 477 information technologies 471–2
information security 467–9, 474–81 Third Committee (Social, Humanitarian and
International Code of Conduct for Cultural Committee) resolution on
Information Security 478–81 right to privacy in the digital age 473
International Telecommunications Unit, Third Committee (Social, Humanitarian and
Global Cyber-Security Agenda 487–8 Cultural Committee) and UN Crime
International Telecommunications Unit, Prevention and Criminal Justice
online protection for children 488 Programme 472
Internet neutrality 476 Vienna Declaration on Crime and Justice
norms, rules and principles of responsible 485–6
behaviour by States, recommendations UN Reports of International Arbitral Awards
for 480 (RIAA)
UN Charter affirmation and rules on the Island of Palmas Case (US v Netherlands)
non-use of force and self-defence 480 17, 279
Trail Smelter 279
UN Global Counter-Terrorism Strategy 482
UN ‘Right to Privacy in the Digital Age’ draft
UN Institute for Disarmament Research
resolution 113
(UNIDR) 488–9 UN Security Council Resolutions
UN Office on Drugs and Crime (UNODC) inherent right to self-defence 277–8
489 regulation of cyber security 481–4
UN Security Council (UNSC) 481–4 and terrorism 150–51, 156, 158
UN and the regulation of cyber security, UN Special Tribunal for Lebanon 155–6, 158
General Assembly (UNGA) 467–81 UN Terrorist Bombings Convention 154–5
First Committee (Disarmament and US
International Security) 467–9, 474–6, botnets 319
477–8, 488 Cable News Network LP v cnnews.com 47,
Groups of Governmental Experts (GGEs) 52
469, 470, 473–81 Caroline 271, 273
Groups of Governmental Experts (GGEs), Comprehensive National Cybersecurity
First Group 474–6 Initiative (CNCI) 258–9
Groups of Governmental Experts (GGEs), CompuServe v Patterson 19, 20
Fourth Group 481 Computer Associates v Altai 89
Groups of Governmental Experts (GGEs), Computer Software Act 84
Second Group 476–8 copyright authorship and lex originis 79
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 25 / Date:
8/5
JOBNAME: Tsagourias PAGE: 26 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 26 / Date:
8/5
JOBNAME: Tsagourias PAGE: 27 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Index 517
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 27 / Date:
8/5
JOBNAME: Tsagourias PAGE: 28 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 28 / Date:
8/5