Tsagourias 2015

JOBNAME: Tsagourias PAGE: 1 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015
RESEARCH HANDBOOK ON INTERNATIONAL LAW

AND CYBERSPACE
Nicholas Tsagourias and Russell Buchan - 9781782547389

Downloaded from Elgar Online at 03/27/2017 08:53:03PM
via University of Melbourne
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Prelims /Pg. Position: 1 / Date:
26/3
RESEARCH HANDBOOKS IN INTERNATIONAL LAW

This highly original series offers a unique appraisal of the state-of-the-art of research and thinking
in international law. Taking a thematic approach, each volume, edited by a prominent expert,
covers a specific aspect of international law or examines the international legal dimension of a
particular strand of the law. A wide range of sub-disciplines in the spheres of both public and
private law are considered; from international environmental law to international criminal law,
from international economic law to the law of international organisations, and from international
commercial law to international human rights law. The Research Handbooks comprise carefully
commissioned chapters from leading academics as well as those with an emerging reputation.
Taking a genuinely international approach to the law, and addressing current and sometimes
controversial legal issues, as well as affording a clear substantive analysis of the law, these
Handbooks are designed to inform as well as to contribute to current debates.
Equally useful as reference tools or introductions to specific topics, issues and debates, the
Handbooks will be used by academic researchers, post-graduate students, practicing lawyers and
lawyers in policy circles.
Titles in this series include:
Research Handbook on International Sports Law

Edited by James A.R. Nafziger and Stephen F. Ross
Research Handbook on International Conflict and Security Law
Jus Ad Bellum, Jus in Bello and Jus Post Bellum
Edited by Nigel D. White and Christian Henderson
Research Handbook on International Law and Migration
Edited by Vincent Chetail and Céline Bauloz
Research Handbook on International Energy Law
Edited by Kim Talus
Research Handbook on International Law and Terrorism
Edited by Ben Saul
Research Handbook on the Law Treaties
Edited by Christian J. Tams, Antonios Tzanakopoulos and Andreas Zimmermann
Handbook of Space Law
Edited by Frans G. von der Dunk
Research Handbook on International Law and Cyberspace
Edited by Nicholas Tsagourias and Russell Buchan

26/3
Research Handbook on International

Law and Cyberspace
Edited by
Nicholas Tsagourias
Professor of International Law, University of Sheffield, UK
Russell Buchan
Senior Lecturer in International Law, University of Sheffield, UK
RESEARCH HANDBOOKS IN INTERNATIONAL LAW
Cheltenham, UK + Northampton, MA, USA

26/3
© The Editors and Contributors Severally 2015
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical or photocopying, recording,
or otherwise without the prior permission of the publisher.
Published by
Edward Elgar Publishing Limited
The Lypiatts
15 Lansdown Road
Cheltenham
Glos GL50 2JA
UK
Edward Elgar Publishing, Inc.

William Pratt House
9 Dewey Court
Northampton
Massachusetts 01060
USA
A catalogue record for this book

is available from the British Library
Library of Congress Control Number: 2015930151
This book is available electronically in the

Law subject collection
DOI 10.4337/9781782547396
ISBN 978 1 78254 738 9 (cased)

ISBN 978 1 78254 739 6 (eBook)
Typeset by Columns Design XML Ltd, Reading

Printed and bound in Great Britain by T.J. International Ltd, Padstow

01
26/3
Contents
List of contributors vii

Preface xiii
Table of cases xiv
Table of legislation xx
Introduction 1
Michael Schmitt
PART I CYBERSPACE AND GENERAL PRINCIPLES OF

INTERNATIONAL LAW
1 The legal status of cyberspace 13

Nicholas Tsagourias
2 Jurisdiction in cyberspace 30
Uta Kohl
3 State responsibility in cyberspace 55
Constantine Antonopoulos
4 Cyberspace and intellectual property rights 72
Andreas Rahmatian
5 Cyberspace and human rights 94
David P. Fidler
6 International criminal responsibility in cyberspace 118
Kai Ambos
PART II CYBER THREATS AND INTERNATIONAL LAW
7 Cyber terrorism 147

Ben Saul and Kathleen Heath
8 Cyber espionage and international law 168
Russell Buchan
9 International legal dimensions of cybercrime 190
Philipp Kastner and Frédéric Mégret
PART III CYBER ATTACKS AND THE JUS AD BELLUM
10 The notion of cyber operations 211

Paul Ducheine
11 Cyber operations as a use of force 233
Marco Roscini
v
8/5
vi Research handbook on international law and cyberspace
12 Self-defence in cyberspace 255

Carlo Focarelli
13 Some thoughts on cyber deterrence and public international law 284
Eric Myjer
PART IV CYBERWAR AND THE JUS IN BELLO
14 Distinctive ethical challenges of cyberweapons 307

Neil C. Rowe
15 Classifying cyber warfare 326
Louise Arimatsu
16 Is the principle of distinction still relevant in cyberwarfare? 343
Karine Bannelier-Christakis
17 International humanitarian law applied to cyber-warfare: Precautions,
proportionality and the notion of ‘attack’ under the humanitarian law
of armed conflict 366
Terry D. Gill
18 Cyber war and the law of neutrality 380
David Turns
PART V REGIONAL AND INTERNATIONAL APPROACHES TO

CYBER SECURITY
19 Towards EU cybersecurity law: Regulating a new policy field 403

Ramses A. Wessel
20 NATO and cyber defence 426
Katharina Ziolkowski
21 Cyber security in the Asia-Pacific 446
Hitoshi Nasu and Helen Trezise
22 The United Nations and the regulation of cyber-security 465
Christian Henderson
Index 491

26/3
Contributors
Kai Ambos, Professor of Criminal Law, Criminal Procedure, International Criminal

Law and Comparative Law at Georg-August-Universität Göttingen, Germany; Judge
District Court Göttingen; Director Centro de Estudios para Derecho Penal y Proceso
Penal Latinoamericano (CEDPAL).
Constantine Antonopoulos, LL.B (Thrace), LL.M (Cantab), Ph.D (Nottingham):

Associate Professor of Public International Law, Faculty of Law, Democritus Univer-
sity of Thrace, member of the ILA Committee on the Use of Force and author of
Counterclaims before the International Court of Justice (Asser Press-Springer 2011).
Louise Arimatsu has been an Associate Fellow with the International Law Programme
at Chatham House since 2009. Dr Arimatsu’s areas of expertise include International
Humanitarian Law, international Criminal Law, Refugee Law and International Human
Rights Law. Between 2006 and 2011, she taught International Law at University
College London and the London School of Economics. She was the Managing Editor
of the Yearbook on International Humanitarian Law from 2009 until 2012.
Karine Bannelier-Christakis is Associate Professor of International Law at the

Faculty of Law of the University of Grenoble-Alpes (France) and Director of the
Master’s Degree on International Security and Defence Studies. She holds a PhD in
International Law from the University of Paris Panthéon- Sorbonne. Her main areas of
interest include International Law of Armed Conflicts, Use of Force, International
Criminal Law, Cybersecurity and International Environmental Law. She has published
or co-edited six books [Le Recours à la Force Autorisé par le Conseil de Sécurité:
Droit et Responsabilité, Pedone, Paris, 2014; The ICJ and the Development of
International Law – The Lasting Impact of the Corfu Channel Case, Routledge 2011;
La nécessité en droit international, Paris, Pedone, 2007; L’intervention en Irak et le
droit international, Paris, Pedone, 2004; Le droit international face au terrorisme,
Paris, Pedone, 2002; La protection de l’environnement en temps de conflit armé, Paris,
Pedone, 2001] and more than 30 articles and books chapters on international law. She
is currently co-editing a book on the 70 years of the UN System [70 ans des Nations
Unies: quel rôle dans le monde actuel?, Pedone, Paris, 2014 (forthcoming)].
Russell Buchan is a Senior Lecturer in International Law at the University of

Sheffield. Dr Buchan has published in leading academic journals in the field of Public
International Law, with a focus on Collective Security, International Humanitarian Law
and Cyber Security. Russell sits on the editorial board of the Journal of the Use of
Force in International Law and the International Community Law Review. His
monograph was published by Hart Publishing in 2013 and is entitled International Law
and the Construction of the Liberal Peace, and was the recipient of the American
vii
6/5
viii Research handbook on international law and cyberspace
Society of International Law’s Francis Lieber Prize for an outstanding monograph in

the field of the law of armed conflict for 2014. Russell is co-Rapporteur for the
International Law Association’s Study Group on Cybersecurity, Terrorism and Inter-
national Law.
Paul Ducheine (Colonel) LL.M., MSc (Army Legal Service) is Professor of Cyber
Operations at the Netherlands Defence Academy (Faculty of Military Sciences) and
Professor of the Law of Military Cyberoperations at the University of Amsterdam, and
researcher at the Amsterdam Centre of International Law.
David P. Fidler is the James Louis Calamaras Professor of Law at the Indiana
University Maurer School of Law, a Senior Fellow at the Indiana University Center for
Applied Cybersecurity Research, and Chair of the International Law Association’s
Study Group on Cybersecurity, Terrorism, and International Law.
Carlo Focarelli is Professor of International Law, University of Perugia and LUISS

Guido Carli University of Rome; and a member of the National Committee for the
Grant of National Scientific Qualification in International Law. Among his latest works
are: International Law as Social Construct: The Struggle for Global Justice (Oxford:
Oxford University Press, 2012); La persona umana nel diritto internazionale (Bologna:
Il Mulino, 2013).
Terry D. Gill (1952): BA 1982, LLM 1985, PhD (cum laude) 1989, is Professor of
Military Law at the University of Amsterdam and the Netherlands Defence Academy
and was first Assistant and later Associate Professor of Public International Law at
Utrecht University from July 1985 until February 2013. He is Director of the Research
Program on the Law of Armed Conflict and Peace Operations at the Amsterdam Centre
for International Law and of the Netherlands Research Forum on the Law of Armed
Conflict and Peace Operations (LACPO). Professor Gill is editor in chief of the
Yearbook of International Humanitarian Law and a member of the editorial boards of
the The Military Law Review (Militair Rechtelijk Tijdschrift), the Journal of Conflict &
Security Law and the Journal of International Peacekeeping and Chairman of the Study
Group of the International Law Association (ILA) on the Conduct of Hostilities in the
21st Century. He was a member of the expert group on ‘Direct Participation in
Hostilities’ convened by the ICRC and TMC Asser Institute between 2003–2008, and
the Manual on International Law Applicable to Cyber Warfare (also known as The
Tallinn Manual), drafted with support of NATO’s Cooperative Cyber Defence Centre of
Excellence (CCDCOE) between 2010–2013, and has contributed to several military
manuals in use by the Netherlands armed forces. He co-edited and co-authored the
Handbook of the International Law of Military Operations, published by Oxford
University Press in 2010.
Kathleen Heath is a researcher at the Sydney Centre for International Law. She has a
Bachelor of Laws with First Class Honours and the University Medal (2013) from the
University of Sydney.

6/5
Contributors ix
Christian Henderson is currently Senior Lecturer in Public International Law at the

University of Liverpool where he teaches mainly within the field of International Law
and his specific areas of research interest, including Public International Law, Inter-
national Peace and Security and International Humanitarian Law. He is the Director of
the Human Rights and International Law Unit and Deputy Director of Learning and
Teaching within the Liverpool Law School. In addition to authoring articles and
contributions to edited collections he published The Persistent Advocate and the Use of
Force: The Impact of the United States upon the Jus ad Bellum in the Post-Cold War
Era in 2010 and co-edited (with Professor Nigel White) the Research Handbook on
International Conflict and Security Law: Jus ad Bellum, Jus in Bello, and Jus post
Bellum in 2013. He is co-editor-in-chief of the Journal on the Use of Force and
International Law, general editor of the Journal of International Humanitarian Legal
Studies and book review editor of the Journal of Conflict and Security Law. He has
held visiting positions at the Universities of Reading and Virginia and is a member of
the International Law Association’s Committee on the Use of Force.
Philipp Kastner is an Assistant Professor at the Faculty of Law of the University of

Western Australia and holds graduate degrees in law from McGill University (LL.M.
and D.C.L.) and the University of Innsbruck, Austria (Dr. iur.). His research focuses on
the Resolution of Armed Conflicts, International Criminal Law, International Human
Rights and Humanitarian Law, Public International Law, and Legal Pluralism. Recent
publications include: International Criminal Justice in bello? The ICC between Law
and Politics in Darfur and Northern Uganda (Martinus Nijhoff, 2012).
Uta Kohl received her University Law/Arts education in the UK and Australia and has,
since then, been teaching and researching at Aberystwyth University, Wales. She is a
Senior Lecturer at the Department of Law and Criminology with interests in Internet
Governance and Corporate Governance as well as Internet Corporate Governance. She
has presented papers and written a number of articles on these themes and is the author
of Jurisdiction and the Internet: Regulatory Competence over Online Activity (2007) as
well as co-author of Human Rights in the Market Place (2008) and Information
Technology Law (2011). Uta Kohl organised a multi-disciplinary symposium on
internet jurisdiction, sponsored by Google Inc, in September 2014.
Frédéric Mégret is an Associate Professor at the Faculty of Law, McGill University,

and the Canada Research Chair on the Law of Human Rights and Legal Pluralism. His
interests are in International Criminal Justice, International and Transnational Legal
theory, and the Laws of War and Human Rights.
Eric Myjer is a Professor of Conflict and Security Law, School of Law, Utrecht
University, the Netherlands and the Director of the Centre for Conflict and Security
Law. He has published widely on issues in the area of conflict and security law with
special emphasis on arms control law, most recently serving as one of the editors of
The Chemical Weapons Convention, A Commentary published by Oxford University
Press in 2014. He is also co-editor in chief of the Journal of Conflict & Security Law.

15/5
x Research handbook on international law and cyberspace
Hitoshi Nasu is a Senior Lecturer in law and LLM International Security Law stream
Convenor at the Australian National University. He holds BA and MA in Political
Science (Aoyama Gakuin) and a Master of International Law and a PhD in law
(Sydney). He is the author of International Law on Peacekeeping: A Study of Article 40
of the UN Charter (Martinus Nijhoff, 2009) and a co-editor of Human Rights in the
Asia-Pacific Region: Towards Institution Building (Routledge, 2011), Asia-Pacific
Disaster Management (Springer, 2013) and New Technologies and the Law of Armed
Conflict (TMC Asser, 2014). He is currently the lead investigator of an Australian
Research Council Discovery Grant Project, A Legal Analysis of Australia’s Future
Engagement with Asia-Pacific Security Institutions, under which the research for this
volume’s chapter is supported.
Dr Andreas Rahmatian is a Senior Lecturer at the University of Glasgow where he

teaches Intellectual Property Law and Commercial Law. His research interests comprise
Intellectual Property Law, Property Law and Property Theory, Commercial Law,
Comparative (Private) Law and Intellectual history and the Law. His most recent book:
Copyright and Creativity: The Making of Property Rights in Creative Works (Edward
Elgar, 2011) was shortlisted for the Peter Birks Prize for outstanding Legal Scholarship
in 2012 by the Society of Legal Scholars.
Marco Roscini has a PhD from the University of Rome ‘La Sapienza’ and is Reader in
International Law at the Westminster Law School. Dr Roscini has published widely in
the field of International Conflict and Security Law. In particular, he is the author of
Cyber Operations and the Use of Force in International Law (Oxford University Press,
2014) and of several articles on the international law aspects of cyber operations.
Neil C. Rowe, Ph.D., is Professor of Computer Science at the U.S. Naval Postgraduate
School where he has been since 1983. His main research interests are the modeling of
deception, information security, surveillance systems, image processing, and data
mining. Recent work has focused on Cyberwarfare, Digital Forensics, and the problems
of large-scale data analysis. He is the author of a book on artificial intelligence and 160
technical papers.
Ben Saul is Professor of International Law and an Australian Research Council Future
Fellow at The University of Sydney, and a barrister. He is the author of Defining
Terrorism in International Law (2006), co-author of The International Covenant on
Economic, Social and Cultural Rights: Commentary, Cases and Materials (2014), and
editor of Research Handbook on International Law and Terrorism (2014).
Michael Schmitt is the Charles H. Stockton Professor and Director of the Stockton
Center for the Study of International Law at the United States Naval War College in
Newport, Rhode Island. He is also Professor of Public International Law at Exeter Law
School and a member of Exeter University’s Strategy and Security Institute, a Fellow at
Harvard Law School’s Program on International Law and Armed Conflict, Senior
Fellow at the NATO Cyber Defence Centre of Excellence, and Editor-in-Chief

6/5
Contributors xi
of International Law Studies. Professor Schmitt was previously Professor of Inter-

national Law at Durham University, Dean of the George C. Marshall European Center
for Security Studies in Germany, and General Editor of the Yearbook of International
Humanitarian Law. Before joining the Marshall Center, Professor Schmitt served 20
years in the United States Air Force as a judge advocate specializing in operational and
international law.
Helen Trezise is a fourth year Arts/Law student at the Australian National University.
She is currently a research assistant to Dr Hitoshi Nasu on his Australian Research
Council Discovery Grant Project, A Legal Analysis of Australia’s Future Engagement
with Asia-Pacific Security Institutions, under which the research for this volume’s
chapter is supported.
Nicholas Tsagourias is Professor of International Law at the University of Sheffield.

He is also Director of the Sheffield Centre for International and European Law and
Co-Director of the Centre for the Freedom of the Media. Nicholas sits on the editorial
board of the Journal of Conflict and Security Law (Oxford University Press) and is a
member of the Cyberterrorism Study Group of the International Law Association. His
teaching and research interests are in the fields of International Law and the Use of
Force, International Humanitarian Law, and International Criminal law. Among his
publications are the books Jurisprudence of International Law: The Humanitarian
Dimension (Manchester University Press, 2000); Collective Security: Law Theory and
Practice (Cambridge University Press, 2013) co-authored with Professor White; and
the edited books Use of Force in International Law (Ashgate, 2012) and Transnational
Constitutionalism: International and European Models (Cambridge University Press,
2007).
David Turns is Senior Lecturer in International Laws of Armed Conflict at the Defence
Academy of the United Kingdom (Cranfield University). He was previously a Lecturer
in Law at the University of Liverpool (1994–2007) and taught at the London School of
Economics & Political Science (1990–94). He has been on the Visiting Faculty of the
International Institute of Humanitarian Law (San Remo, Italy) since 1997 and has also
taught on legal courses at the NATO School (Oberammergau, Germany) and the Centro
Alti Studi per la Difesa (Rome, Italy). In 2002 he was a Visiting Professor at the Institut
für Völkerrecht und Internationale Beziehungen (University of Vienna, Austria). In
2004 he was one of the founders of the Vienna Course on International Law for
Military Legal Advisers, in collaboration with the Austrian Federal Ministry of Defence
and Sport and the International Committee of the Red Cross. Since 2008 he has been
the Chairman of the UK National Group of the International Society for Military Law
and the Law of War and is a Member of the Society’s Board of Directors.
Ramses A. Wessel is Professor of International and European Institutional Law and

Co-Director of the Centre for European Studies at the University of Twente, The
Netherlands. Additional functions include: Member of the standing Governmental
Advisory Committee on Issues of Public International Law (CAVV); Member of the
Governing Board of the Centre for the Law of EU External Relations (CLEER) in The

6/5
xii Research handbook on international law and cyberspace
Hague; editor-in-chief and founder of the International Organizations Law Review and
of the Netherlands Yearbook of International Law; editor of Nijhoff Studies in
European Union Law and member of a number of other editorial boards. Ramses
Wessel graduated in 1989 at the University of Groningen in International Law and
International Relations and subsequently worked at the same university (1989–91) and
at the Department of International and European Institutional Law at Utrecht University
(1991–2000). He wrote and co-edited several books, including: The European Union’s
Foreign and Security Policy: A Legal Institutional Perspective (Kluwer Law Inter-
national, 1999), Multilevel Regulation and the EU (Martinus Nijhoff Publishers, 2008),
International Law as Law of the European Union (Martinus Nijhoff Publishers, 2011),
Informal International Lawmaking (Oxford University Press, 2012), Between Autonomy
and Dependence: The EU under the Influence of International Organizations (TMC
Asser Press/Springer, 2013), EU External Relations Law (Cambridge University Press,
2014) and other publications in the field of international and European law. His general
research interests lie in the field of International and European Institutional Law, with
a focus on the law of International Organisations, Issues of Global Governance, the
Relationship between International and EU law, European Foreign, Security and
Defence Policy and EU External Relations in general.
Katharina Ziolkowski (Dr) is Legal Adviser to the German Armed Forces, currently
serving at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn,
Estonia.

6/5
Preface
The idea for a research handbook on international law and cyberspace emerged from
our own research and discussions in different fora about the applicability of inter-
national rules to cyberspace and to various cyber activities and the realisation that the
range of issues and problems involved pose various challenges to international law. For
this reason, we endeavoured to bring together an array of experts to offer original and
insightful analysis of a host of legal issues pertaining to cyberspace and to various
cyber activities.
The handbook starts with an examination of the legal status of cyberspace and of the
way certain international law principles apply to cyberspace. These include sovereignty,
jurisdiction, state responsibility, intellectual property rights, human rights, and indi-
vidual criminal responsibility. Part II proceeds by setting out and analysing the legal
rules that apply to cyber terrorism, cyber espionage, and cyber crime. Part III examines
the rules that apply to cyber attacks whereas Part IV considers the application of
international humanitarian law principles to cyberwar. Part V examines international
and regional cyber security policies such as those of the EU, NATO, Asia-Pacific
nations and of the United Nations.
This research handbook thus serves as a guide to academics, practitioners, research-
ers and students on the international law principles and rules that apply to cyberspace
and to certain cyber activities. The handbook also serves as a basis for further research
in this area by identifying a number of important issues that require more detailed and
specialised treatment.
We are grateful to various people who have contributed in different ways to this
research handbook. First, we are indebted to all the authors for their excellent
contributions. We are also grateful to Professor Michael Schmitt for writing the
introduction. Professor Schmitt has almost single-handedly placed cyber on the
academic and policy agenda. Finally, we want to thank Andraz Kastelic, our research
assistant, Robin Morris for his help with editing and proof-reading as well as Ben
Booth, Jennifer Stanley and the Edward Elgar team for facilitating the production of
this research handbook.
Nicholas Tsagourias and Russell Buchan
October 2014
xiii
8/5
Table of cases
INTERNATIONAL
Accordance with International Law of the Unilateral Declaration of Independence in respect of
Kosovo, Advisory Opinion of 22 July 2010, (Declaration of Judge Simma), [2010] Rep.
403 ICJ ................................................................................................................................. 65
Air Service Agreement of 27 March 1946 between the United States and France (Award),
[1978] 18 Reports of International Arbitral Awards 417 .................................................. 274
Argentina v. Uruguay (Pulp Mills on the River Uruguay), [2010] ICJ Rep. 14 ................ 69, 279
Bosnia and Herzegovina v. Serbia and Montenegro (Application of the Convention on the
Prevention and Punishment of the Crime of Genocide), [2007] ICJ Rep. 43 ...... 57, 59, 60,
68, 70, 278, 334, 335
Costa Rica v. Nicaragua (Dispute Regarding Navigational and Related Rights) (Judgment),
[2009] ICJ Rep 213 ........................................................................................................... 246
Democratic Republic of Congo v. Belgium (Arrest Warrant Case) (Joint Separate Opinion of
Judges Higgins, Kooijmans and Buergenthal), [2002] ICJ Rep 3 ...................................... 19
Democratic Republic of Congo v. Belgium (Arrest Warrant Case), [2002] ICJ Rep 3 ............. 20
Democratic Republic of the Congo v. Uganda (Armed Activities on the Territory of the
Congo), [2005] ICJ Rep. 168 .............................................................................. 68, 270, 276
Federal Republic of Germany v. Denmark; Federal Republic of Germany v. Netherlands
(North Sea Continental Shelf Cases) [1969] ICJ Rep. 3 .......................................... 151, 268
France v. Turkey (The ‘S.S. Lotus’), [1927] PCIJ Rep Series A No 10 18 ..... 18, 19, 20, 21, 36,
37, 48, 51, 65, 181, 344
Germany v. Poland (Claim for Indemnity) (The Factory at Chorzów), [1928] PCIJ Ser A
No. 17 .................................................................................................................................. 57
Hungary v. Slovakia (Gabčíkovo-Nagymaros Project) (Judgment), [1997] ICJ Rep 7… 279, 355
Interlocutory Decision on the Applicable Law: Terrorism, Conspiracy, Homicide, Perpetration,
Cumulative Charging, (UN Special Tribunal for Lebanon, Appeals Chamber),
STL-11-01/I (16 February 2011) ...................................................................................... 155
Islamic Republic of Iran v. United States (Oil Platforms) (Judgment of 6 November 2003),
[2003] ICJ Rep. 161 ......................................................................... 265, 266, 267, 273, 275
Jurisdictional Immunities of the State, ([2012] ICJ Rep. 99 .................................................... 266
Legal Consequences for States of the Continued Presence of South Africa in Namibia
(South West Africa) notwithstanding Security Council Resolution 276 (1970)
(Advisory Opinion), [1971] ICJ Rep 16 ........................................................................... 246
Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory
(Advisory Opinion), [2004] ICJ Rep. 2005 .............................................................. 233, 276
Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 226
(Nuclear weapons) ...... 235, 238, 265, 267, 272, 279, 293–6, 299, 301, 343, 344, 356, 367
Lichtenstein v. Guatemala (Nottenbohm Case), [1955] ICJ Rep 4 23 ....................................... 19
Nicaragua v. United States (Military and Paramilitary Activities in and Against Nicaragua)
(Merits) (Nicaragua Case), [1986] ICJ Rep. 14 ... 60, 64, 65, 126, 175, 180, 181, 186, 233,
237, 238, 243, 250, 252, 253, 254, 255, 266, 267, 270, 273, 274,
275, 278, 301, 334, 355, 356
Prof. Allain Pellet (Independent Objector) v. Afilias Ltd, Case No EXP/409/ICANN/26
(November 2013) ............................................................................................................... 116
xiv
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofCases_rev_2 /Pg. Position:
1 / Date: 15/5
Table of cases xv
Prosecutor v. Aleksovski (Judgment), ICTY-95-14/1-T (25 June 1999) .................................. 127

Prosecutor v. Bemba (Confirmation of Charges), ICC-01/05-01/08 (15 June 2009) ............... 126
Prosecutor v. Blaskić (Judgment), ICTY-95-14-T (3 March 2000) .......................................... 126
Prosecutor v. Fatmir Limaj, Haradin Bala, Isak Musliu (Judgment), [2005] Case
No IT-03-66-T .................................................................................................... 337, 339, 340
Prosecutor v. Galic (Appeals Chamber Judgment), IT-98-29-A (30 November 2006) ............ 161
Prosecutor v. Galic (Judgment), ICTY-98-29-T (5 December 2003) ....................... 135, 161, 373
Prosecutor v. Hadžihasanović and Kubura (Judgment), ICTY-01-47-T (15 March 2006) ...... 126
Prosecutor v. Katanga and Ngudjolo Chi (Confirmation of Charges), ICC-01/04-01/07-717
(30 September 2008) ......................................................................................................... 127
Prosecutor v. Kunarac, Kovac and Vokovic (Appeals Judgment), ICTY-96-23 &
ICTY-96-23/1-A (12 June 2002) ....................................................................................... 127
Prosecutor v. Limaj et al.(Judgment), ICTY-03-66-T (30 November 2005) ............................ 126
Prosecutor v. Ljube Boškoski Johan Tarčulovski (Judgment), [2008] Case
No IT-04-82-T ........................................................................................................... 339, 340
Prosecutor v. Lubanga (Confirmation of Charges), ICC-01/04-01//06 (27th January 2007) ... 121
Prosecutor v. Milutinović et al. (Judgment), ICTY-05-87-T (26 February 2009) .................... 126
Prosecutor v. Musovic et al (Judgment), ICTY -96-21-T (16 November 1998) ...................... 127
Prosecutor v. Perišić (Judgment), ICTY-04-81-T (6 September 2011) .................................... 126
Prosecutor v. Ramush Haradinaj, Idriz Balaj, Lahi Brahimaj (Judgment), [2008] Case
No. IT-04-84-T ................................................................................................... 337, 338, 368
Prosecutor v. Slobodan Milošević (Trial Chamber Decision on Motion for Judgment of
Acquittal), [2004] Case No. IT-02-54-T .................................................................... 340, 341
Prosecutor v. Tadić, [1999] ICTY Appeals Chamber Judgment, IT–94–1–A .......... 60, 121, 126,
127, 268, 327, 328, 334, 335, 336, 337, 345, 348, 384
Spain v. Canada (Fisheries Jurisdiction) (Judgment) [1998] ICJ Rep 432
(4 December 1998) ............................................................................................................ 244
United Kingdom v. Albania (Corfu Chanel Case) (Separate Opinion of Judge Alvarez),
[1949] ICJ Rep 43 ........................................... 17, 63, 64, 67, 182, 250, 254, 279, 333, 395
United Kingdom v. Germany (The ‘S.S. Wimbledon’), [1923] PCIJ Rep Series A No 1 25 .... 28
United States v. Canada (Trail Smelter Case) (Award), [1941] UN Reports of International
Arbitral Awards (2006) 1905.............................................................................................. 279
United States v. Iran (United States Diplomatic and Consular Staff in Tehran), [1980]
ICJ Rep 3 ................................................................................................ 57, 61, 67, 333, 335
United States v. Netherlands (Island of Palmas Case), [1928] Reports of International
Arbitral Awards 839 .................................................................................................... 17, 279
Velasquez–Rodriguez v. Honduras (Judgment of 29 July 1988), [1988] Inter–Am Ct HR
(Ser C), No. 4 ...................................................................................................................... 67
WTO
United States – Import Prohibition of Certain Shrimp And Shrimp Products – Report of the
WTO Appellate Body, 12 October 1998, WT/DS58/AB/R ............................................... 355
United States – Measures Affecting the Cross-Border Supply of Gambling and Betting
Services, WTO Panel, 10 November 2004, WT/DS285/R ........................................... 42, 52
Services, WTO Appellate Body, 7 April 2005, WT/DS285/AB/R................................ 42, 52
Services, WTO Panel, 30 March 2007, WT/DS285/RW .............................................. 42, 52

2 / Date: 15/5
xvi Research handbook on international law and cyberspace
EUROPEAN
European Court of Human Rights
Anheuser–Busch Inc. v. Portugal, App No 73049/01, [2007] EHCR 40, (2007) 45 EHHR, 36,
[2007] ETMR 24 ................................................................................................................. 77
Balan v. Moldova, App No 19247/03, [2008] ECHR 81; [2009] ECDR 6 .......................... 72, 77
Perrin v. United Kingdom, App No 5446/03, 18 October 2005 ................................................. 39
Smith Kline and French Laboratories Ltd. v. Netherlands, App No 12633/87, (1990)
66 ECDR 70 ........................................................................................................................ 77
Yildirim v. Turkey, App No 3111/10, [2012] ECHR 3003 ................................................. 53, 101
European Court of Justice/Court of Justice of the European Union
Bezpečnostní softwarová asociace – Svaz softwarové ochrany v. Ministerstvo kultury,

C-393/09 [2010] ECR I-13971; [2011] FSR 18 ................................................................. 86
Commission v. United Kingdom, C-222/94 [1996] ECR I-4025 ............................................... 50
Criminal Proceedings against Massimiliano Placanica and Others, C-338/04, C-359/04 and
C-360/04 [2007] ECJ ECR I-0000 ...................................................................................... 41
Criminal Proceedings against Piergiorgio Gambelli, C-243/01 [2003] ECR I-13031 ......... 41, 43
Deutscher Apothekerverband eV v. 0800 Doc Morris NV, C-322/01 [2003] ECR I-14887 ...... 40
Donner, C 5/11 (21 June 2012) [2012] ECLI:EU:C:2012:472 ................................................... 45
eDate Advertising and Martinez, Joined Cases C-509/09 and C-161/10 [2011]
ECR I-10269 ........................................................................................................................ 46
European Commission v. Council of the European Union (European Road Transport
Agreement), Case 22/70 [1971] ECR 263 ......................................................................... 406
European Commission v. Council of the European Union (Small Arms/ECOWAS),
C-91/05 [2008] ECR I-3651............................................................................................... 422
European Parliament v. Council of the European Union, C-130/10 [2012] (Judgment of the
Court) (19 July 2012) ......................................................................................................... 424
European Parliament v. Council of the European Union, C-658/11 [2011] OJ L 254/1 .......... 423
Football Dataco Ltd and others v. Yahoo! UK Ltd and others, C-604/10 [2012] ECDR 10 ..... 86
Google Spain SL, Google Inc v. Agencia Española de Protección de Datos (AEP), C-131/12
CJEU (Grand Chamber) (13 May 2014) ......................................................................... 44–5
Hotel Alpenhof GmbH v. Heller, C-144/09 [2010] ECR 1-12527 ............................................. 45
Infopaq International v. Danske Dagblades Forening, C–5/08 [2009] ECR I-06569;
[2009] ECDR 16 ........................................................................................................... 82, 86
L’Oréal SA and Others v. eBay International AG and Others, C-324/09 [2011]
ECR I-06011 ........................................................................................................................ 45
Painer v. Standard Verlags GmbH and others, C-145/10 [2011] ECR I-0000; [2012]
ECDR 6 ................................................................................................................................ 86
Pammer v. Reederei Karl Schluter GmbH & Co KG, C-585/08 [2010] ECR I-12527 ............. 45
Pinckney v. KDG Mediatech AG, C-170/12 [2013] ECR I-0000................................................ 46
SAS Institute v. World Programming Ltd, C-406/10 [2012] ECDR 22 ..................................... 90
Wintersteiger v. Products 4U Sondermaschinenbau GmbH, C-523/10 [2012] ECR I-0000 ..... 46

3 / Date: 15/5
Table of cases xvii
NATIONAL
Australia
Brownlie v. State Pollution Control Commission, (1992) 27 NSWLR 78 ................................. 48

Dow Jones & Co Inc v. Gutnick, [2001] VSC 305; [2002] HCA 56 ................................... 43, 49
R v. Boden, [2002] QCA 164 ................................................................................................ 158–9
R v. Toubya, [1993] 1 VR 226 .................................................................................................... 48
Bulgaria
Bulgarian Supreme Administrative Court, decision no. 13627,

11 December 2008....................................................................................................... 167
Canada
R v. Sharpe, 2001 SCC 2 ........................................................................................................... 191
Cyprus
Supreme Court of Cyprus Appeal Case Nos. 65/2009, 78/2009, 82/2009 and
15/2010-22/2010, 1 February 2011 .................................................................................... 167
Czechoslovakia
Czech Constitutional Court on Act No. 127/2005 and Decree No 485/2005,

22 March 2011.................................................................................................................... 167
France
LICRA & UEJF v. Yahoo! Inc & Yahoo France, Tribunal de Grande Instance de Paris,
22 May 2000, affirmed Tribunal de Grande Instance de Paris, 20 November 2000 ... 38, 98
Fondation Carl Zeiss Stiftung v. Fondation Carl Zeiss Heidenheim, Cour de Cassation,
15 March 1965...................................................................................................................... 78
Germany
Arzneimittelwerbung im Internet BGH (30 March 2006) I ZR 24/03 ....................................... 39

CompuServe (1995) 8340 Ds 465 Js 173158/95 ........................................................................ 38
Federal Constitutional Court of Germany, 1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08,
2 March 2010...................................................................................................................... 167
Persönlichkeitsverletzungen durch ausländische Internetveröffentlichungen BGH
(2 March 2010) Az. VI ZR 23/09 ....................................................................................... 43
R v. Somm (Amtsgericht München, 17 November 1999) .......................................................... 38
Unzulässiges Online-Glücksspielangebot (OLG Hamburg, 19 August 2004) 5 U 32/04,
(2004) 12 Computer und Recht 925 ................................................................................... 41
Schöner Wetten BGH (1 April 2004) I ZR 317/01 ...................................................................... 41

4 / Date: 15/5
xviii Research handbook on international law and cyberspace
The Netherlands
Holland Casino v. Paramount Holdings et. al, District Court, Utrecht (27 February 2003) ....... 41
National Sporttotaliser Foundation v. Ladbrokes Ltd, District Court, The Hague
(27 January 2003) ................................................................................................................ 41
United Kingdom
Baigent v. Random House Group Ltd, [2006] EMLR 16 (High Court), [2007]
FSR 24 (CA) ........................................................................................................................ 88
Berezovsky v. Michaels and Ors, [2000] UKHL 25 ................................................................... 32
BT (and others) v. One in A Million and others, [1999] 1 WLR 903 ........................................ 92
Cantor Fitzgerald International v. Tradition, (UK) Ltd. [2000] RPC 95 .................................... 89
DPP v. Stonehouse, [1978] AC 55 .............................................................................................. 48
Harrods Ltd v. Dow Jones Co Inc, [2003] EWHC 1162 (QB) ................................................... 43
Ibcos Computers v. Barclays Mercantile, [1994] FSR 275 ........................................................ 89
John Richardson Computers Ltd v. Flanders, [1992] FSR 497 .................................................. 89
Jones v. Ministry of Interior Al-Mamlaka Al-Arabiya AS Saudiya (Kingdom of Saudi
Arabia), [2006] UKHL 26 ................................................................................................. 265
Kuwait Airways Corp v. Iraqi Airways Co, [2002] 3 All ER 209 .............................................. 32
Lewis and Ors v. King, [2004] EWHC 168 (QB); [2004] EWCA Civ 1329 ............................. 43
McGrath and Anor v. Dawkins and Ors, [2012] EWHC B3 (QB) ............................................. 43
Navitaire Inc. v. EasyJet Airline Co, Bulletproof Technologies Inc, [2004] EWHC 1725
(Ch), [2006] RPC 111 ......................................................................................................... 89
Nova Productions Ltd. v. Mazooma Games Ltd, [2007] EWCA Civ 219 ................................. 89
Peer International Corporation v. Termidor Music Publishers Ltd, [2002] EWHC 2675
(Ch) ...................................................................................................................................... 79
R v. Mohammed Gul, [2012] EWCA Crim 280 ....................................................................... 156
R v. Markus, [1975] 1 All ER 958 .............................................................................................. 48
R v. Perrin, [2002] EWCA Crim 747 .................................................................................... 39, 50
R v. Sheppard and Anor, [2010] EWCA Crim 65 ...................................................................... 19
R v. Treacy, [1971] AC 557 ......................................................................................................... 48
Ravenscroft v. Herbert, [1980] RPC 193 .................................................................................... 88
SAS Institute v. World Programming Ltd, [2010] EWHC 1829 (Ch), [2012] RPC 31 ....... 89, 90
The ‘Vishva Ajay’, [1989] 2 Lloyd’s Rep 558 ............................................................................ 32
Twentieth Century Fox Film Corp and Ors v. British Telecommunications plc, [2011]
EWHC 1981 ........................................................................................................................ 52
University of London Press v. University Tutorial Press, [1916] 2 Ch 601 ............................... 86
Vidal -Hall and Ors v. Google Inc, [2014] EWHC 13 (QB) ...................................................... 44
United States
Cable News Network LP v. cnnews.com, 162 F Supp 2d 484 (ED Va.2001) and 177 F
Supp 2d 506 (ED Va 2001), affirmed in 56 Fed Appx 599 (4th Cir 2003) ................. 47, 52
CompuServe, Inc v. Patterson, 89 F 3d 1257 (6th Cir1996) ................................................ 19, 20
Computer Associates Inc. v. Altai Inc, 982 F 2d 693 (1992), 20 USPQ 2d 1641 (1992) ......... 89
Dow Jones & Co. v. Harrods Ltd, 237 F Supp 2d 394 (2002) ................................................... 43
Hartford Fire Insurance Co v. California, 509 US 764 (1993) ................................................... 49
International Shoe Co v. Washington, 326 US 310 (1945) .................................................. 20, 45
ITC Ltd. v. Punchgini, Inc, 482 F 3d 135 (2d Cir 2007) ............................................................ 80
Kiobel v. Royal Dutch Petroleum Co, 569 US (17 April 2013), affirmed 621 F3d 111
(2d Cir 2010) ....................................................................................................................... 32

5 / Date: 15/5
Table of cases xix
People v. World Interactive Gaming Corp, 714 NYS 2d 844 (1999) ......................................... 47
Reno v. American Civil Liberties Union, 521 US 844 ............................................................. 256
Smith v. Maryland, 442 US 735 (1979) .................................................................................... 103
T-Mobile West Corp. v. Crow, No. CV08-1337-PHX-NVW, (D Ariz Dec 16, 2009) ............... 19
The Exchange v. McFaddon, 11 US (7 Cranch 116) 116 (1812) ............................................... 17
U.S. v. Yousef, 327 F.3d 56, 112 (2d Circ 2003) ........................................................................ 20
US v. $734,578.82 in US Currency, 286 F 3d 641 (2002) ......................................................... 47
Wedding v. Meyler, 192 US 573 (84 1904) ................................................................................ 19
Yahoo! v. La Ligue contre le racisme et l’antisémitisme, 433 F 3d 1199 (9th Cir 2006) ....... 193
Young v. New Haven Advocate, 315 F 3d 256 (2002) ............................................................... 47
Zippo Mfg Co v. Zippo Dot Com Inc, 952 F Supp 1119 (WD Pa 1997) .................................. 20

6 / Date: 15/5
Table of legislation
INTERNATIONAL Arts 1, 2(2)(b) ........................................ 453

Charter of the United Nations 26 June 1945
LEGISLATION (entered into force 24 October 1945) .. 2,
13, 140, 141, 174, 175, 180,
Agreement on Trade-related Aspects of 251, 253, 255, 268, 285, 299,
Intellectual Property Rights (TRIPs 301, 368, 381, 389, 394
Agreement) 1994 ............... 5, 74, 77, 78, Art 2(1) ................................................... 175
80, 84, 93 Art 2(4) .... 6, 138, 139, 141, 148, 173, 186,
Arts 1– 7 .................................................. 74 187, 188, 233–50, 253, 254,
Art 9(1) .................................................... 74 255, 261, 265, 266, 267, 276,
Art 9(2) .................................................... 88 291, 295, 299, 300, 303
Art 10(1) .................................................. 84 Art 2(5) .................................................. 389
Art 16(2), (3) ........................................... 80 Art 22 ..................................................... 487
African Union Convention on Cybersecurity Art 25 ............................................ 389, 395
(Draft) 2012 ...................................... 192 Chapter VII ... 172, 281, 389, 393, 394, 395
Art III-14 ............................................... 200 Art 41 .................................... 238, 389, 395
Arts III-29–III-32 .................................. 197 Art 42 ............................................ 238, 395
Art III-40 ............................................... 196 Art 49 ..................................................... 389
Antarctic Treaty 1959 (entered into force 23 Art 51 ...... 6, 122, 138, 139, 148, 173, 238,
June 1963, as amended) 241, 255, 261, 265, 266, 267,
Art IV ...................................................... 26 270–73, 275, 279, 282, 291,
ASEAN Convention on Counter Terrorism 294, 300, 301, 302, 304, 394
2007 (entered into force Art 57 ..................................................... 487
27 May 2011) ................................... 162 Art 103 .......................................... 393, 395
Art II ...................................................... 162 Czechoslovakia and Hungary Bilateral
Art VI ..................................................... 162 Agreement 1977 ................................ 355
ASEAN Treaty of Amity and Cooperation in Commonwealth of Independent States
Southeast Asia, 24 February 1976 Agreement on Cooperation in Combating
(entered into force 15 July 1976) ..... 451 Offences related to Computer
Art 2(c) .................................................. 451 Information 2001 .............................. 192
Arab Convention on the Suppression of Council of Europe’s Convention on
Terrorism, 22 April 1998 (entered into Cybercrime 23 November 2001 (entered
force 7 May 1999) .............................163 into force 1 July 2004) .... 162, 192, 193,
Berne Convention for the Protection of 204, 205, 212
Literary and Artistic Works 1886 (Paris Art 2 ....................................................... 194
text 1971, amended 1979) ..... 73, 74, 78, Arts 3–6 ................................................. 195
79, 83 Art 6(1) .................................................. 196
Art 2 ......................................................... 73 Arts 7–9 ..................................................196
Art 2(1) .................................................... 84 Art 10 ..................................................... 197
Art 5 ......................................................... 74 Art 13 ..................................................... 194
Art 5(2) .................................................... 78 Art 14 ..................................................... 199
Art 6bis .................................................... 74 Art 15 ..................................................... 199
Art 10(1) ................................................ 197 Arts 16, 17, 19–21 ........................ 198, 199
Charter of the Association of Southeast Asian Art 22(1), (2), (5) .................................. 202
Nations 20 November 2007 (entered into Arts 23, 24 ............................................. 199
force 15 December 2008) Art 30(3) ................................................ 203
xx
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: TableofLegislation /Pg. Position: 1
/ Date: 8/5
Table of legislation xxi
Art 35 ..................................................... 199 Art 35(1)–(3) ................................. 134, 374

General Agreement on Trade in Services Art 36 ............................................ 120, 239
(GATS) (entered into force January Art 37 .................................... 129, 357, 374
1995) Arts 40–42 ............................................. 374
Art 16 .......................................................... 42 Art 43 ..................................................... 372
Geneva Convention for the Amelioration of Art 44 ..................................................... 357
the Condition of the Wounded and Sick Art 46 ..................................................... 172
in Armed Forces in the Field 12 August Art 47(2) ................................................ 128
1949 (entered into force 21 October Arts 48–58 ............................................. 371
1950) (GC I) ............. 121, 312, 327, 340 Art 48 ............ 122, 129, 130, 344, 353, 356
Art 2 ..................... 121, 328, 329, 367,, 368 Art 49 ............................................ 371, 374
Art 3 ..................... 126, 128, 327, 336, 337, Art 49(1) ............... 122, 123, 129, 142, 282
339, 340, 362 Art 51 ............................ 345, 353, 356, 372
Art 9 ....................................................... 131 Art 51(1) ........................................ 122, 129
Art 24 ..................................................... 374 Art 51(2) ........................................ 161, 376
Geneva Convention II for the Amelioration of Art 51(3) ................................................ 362
the Condition of Wounded, Sick and Art 51(4) ....................... 133, 134, 361, 374
Shipwrecked Members of Armed Forces Art 51(5) .............. 124, 134, 135, 361, 364,
at Sea. Geneva Field 12 August 1949 372, 373
(entered into force 21 October 1950) Art 52(1) ................................................ 130
(GC II) .............. 121, 312, 327, 329, 340 Art 52(2) ............... 124, 130, 131, 358, 372
Art 2 .............................. 121, 328, 367, 368 Art 53 ..................................................... 374
Art 3 ..................... 126, 128, 327, 336, 337, Art 54 ............................................ 131, 374
339, 340, 362 Art 55 .................................... 131, 134, 374
Geneva Convention Relative to the Treatment Art 56 .................................... 131, 136, 374
of Prisoners of War Field 12 August Art 57 .................................... 136, 353, 373
1949 (entered into force 21 October Art 57(1) ................................................ 129
1950) (GC III) ................. 121, 312, 327, Art 57(2) ....................... 124, 134, 135, 136
340, 398 Art 57(3) ................................................ 136
Art 2 ...................... 121, 328, 329, 367, 368 Art 57(4) ................................................ 136
Art 3 ..................... 126, 128, 327, 336, 337, Art 58 .................................... 136, 137, 357
339, 340, 362 Art 58(a) ................................................ 137
Art 4(4) .................................................. 128 Art 58(c) ........................................ 129, 137
Art 4A(2) ....................................... 127, 128 Art 60 ..................................................... 133
Art 4A(6) ............................... 128, 129, 398 Art 65 ..................................................... 372
Geneva Convention Relative to the Protection Geneva Conventions Protocol Additional to
of Civilian Persons in Time of War Field the Geneva Conventions of 12 August
12 August 1949 (entered into force 21 1949, and Relating to the Protection of
October 1950) (GC IV) ........... 121, 312, Victims of Non-international Armed
327, 340 Conflicts (AP II) ............... 336, 339, 340
Art 2 ...................... 121, 328, 329, 367, 368 Art 1 .............................................. 336, 339
Art 3 ..................... 126, 128, 327, 336, 337, Art 1(2) .................................................. 336
339, 340, 362 Art 3 ....................................................... 327
Art 18 ..................................................... 131 Art 13(3) ................................................ 128
Geneva Conventions Additional Protocol Geneva Convention on the High Seas (1958)
Relating to the Protection of Victims of Art 2 ......................................................... 26
International Armed Conflicts 8 June Hague Convention (IV) Respecting the Laws
1977 (AP I) ............. 327, 328, 344, 354, and Customs of War on Land and Its
356, 372, 373 Annex: Regulations Concerning the
Art 1 ....................................................... 126 Laws and Customs of War on Land 18
Art 1(2) .................................................. 344 October 1907 (entered into force 26
Art 12 ..................................................... 131 January 1910) .......... 121, 327, 394, 397,
Art 13(2) ................................................ 161 398, 399

/ Date: 8/5
xxii Research handbook on international law and cyberspace
Art 22 ............................................ 134, 344 Hay-Bunau-Varilla Treaty (Convention for the

Art 23(e) ........................................ 134, 374 Construction of a Ship Canal), 18
Hague Convention (V) Respecting the Rights November 1903 ................................. 383
and Duties of Neutral Powers and International Convention against the Taking of
Persons in Case of War on Land 18 Hostages, 17 December 1979 (entered
October 1907 (entered into force 26 into force 3 June 1983) ............ 152, 154
January 1910) .......... 121, 385, 386, 393, International Convention for the Suppression
394, 396, 397, 398, 399 of Acts of Nuclear Terrorism, 13 April
Art 1 .............................................. 387, 393 2005 by UN General Assembly
Art 2 ...................................... 388, 393, 397 Resolution 59/290 (2005) (entered into
Art 3 ...................................... 388, 393, 396 force 7 July 2007) .................... 152, 153
Art 2(1) .................................................. 153
Art 4 .............................................. 388, 398
International Convention for the Suppression
Art 5 .............................. 388, 391, 393, 396
of Terrorist Bombings, 15 December
Art 7 .............................................. 388, 389 1997 by UN General Assembly
Art 8 .............................................. 396, 399 Resolution 52/164 (1997) (entered into
Art 10 ............................................ 389, 394 force 23 May 2001) .............. 152, 154–5
Hague Convention (VIII) Relative to the Art 2(1) .................................................. 155
Laying of Automatic Submarine Contact International Covenant on Civil and Political
Mines 18 October 1907 (entered into Rights 1966 (ICCPR) ........ 76, 100, 101,
force 26 January 1910) .... 121, 386, 394, 103–4, 114, 116, 199
397, 398, 399 Art 1 ......................................................... 23
Arts 1, 2, 4, 5 ........................................ 386 Art 17 ..................................................... 103
Hague Convention (XI) Relative to Certain Art 19 ............................................ 100, 101
Restrictions with Regard to the Exercise International Covenant on Economic, Social
of the Right of Capture in Naval War 18 and Cultural Rights 1966
October 1907 (entered into force 26 (ICESCR) ....................... 77, 104–6, 116
January 1910) ... 386, 394, 397, 398, 399 Art 1 ......................................................... 23
Hague Convention (XIII) concerning the Art 2 ....................................................... 105
Rights and Duties of Neutral Powers in Art 4 ....................................................... 106
Naval War 18 October 1907 (entered into Arts 6–15 ............................................... 105
force 26 January 1910) .... 121, 385, 393, International Law Commission Articles on the
394, 396, 397, 398, 399 Responsibility of States for
Internationally Wrongful Acts (ARS)
Art 1 ....................................................... 387
(adopted 2001) ....... 57–8, 62, 70, 125–6
Art 2 .............................................. 387, 393
Art 1 ..........................................................58
Art 5 .............................................. 393, 396 Art 2 .................................................. 58, 59
Arts 8, 9 ................................................. 387 Arts 4–6 ................................................... 59
Art 26 ............................................ 389, 394 Arts 4–9 ................................................. 126
Hague Convention for the Protection of Arts 7, 8 ................................................... 60
Cultural Property in the Event of Armed Arts 9–15 ................................................. 61
Conflict 1954 Arts 16–18 ................................................62
Art 8(1) .................................................. 360 Arts 20–25 ............................................... 62
Hague Rules concerning the Control of Art 47(1) .................................................. 61
Wireless Telegraphy in Time of War and Arts 49–54 ............................................... 62
Air Warfare, Part I: Rules for the Control Art 50(1) ................................................ 250
of Radio in Time of War .......... 386, 396 Internet Corporation for Assigned Names and
Art 3 ....................................................... 396 Numbers (ICANN) .... 21, 22, 72, 74, 76,
Arts 4, 5, 8 ............................................. 397 79, 92, 116, 220
Hague Rules concerning the Control of Lateran Pacts 1929 .................................... 383
Wireless Telegraphy in Time of War and League of Arab States Convention on
Air Warfare, Part II: Rules of Aerial Combating Information Technology
Warfare ...................................... 385, 388 Offences 2010 ................................... 192

/ Date: 8/5
Table of legislation xxiii
Arts 10, 11 ............................................. 196 UN Agreement Governing the Activities of

Art 12 ..................................................... 197 States on the Moon and Other Celestial
Arts 15, 16 ............................................. 196 Bodies 18 December 1979 (entered into
Arts 30–43 ............................................. 200 force 11 July 1984)
North Atlantic Treaty Organization 1949 Art 11(7)(d) ............................................. 23
(NATO) ....................................... 427–45 United Nations Convention against
Art 2 ....................................................... 427 Transnational Organized Crime,
Art 5 ...................................... 260, 268, 418 15 November 2000 (entered into force
Organisation of the Islamic Conference 29 September 2003) (Palermo
Convention on Combating International Convention) ............................... 198, 199
Terrorism of 1999 1 July 1999 ......... 163 Arts 1, 2, 6, 8, 29 .................................. 198
Paris Convention for the Protection of UN Convention for the Suppression of
Industrial Property 1883 Unlawful Acts against the Safety of Civil
(Stockholm text 1967, amended Aviation 23 September 1971 (entered
1979) ....................................... 74, 78, 83 into force 26 January 1973) ............. 152
Art 2 ......................................................... 74 Art 1(a) .................................................. 153
Art 4 ......................................................... 73 Art 1(c) .................................................. 154
Art 4bis(1) ............................................... 78 Art 1(d) .................................................. 153
Art 6 ......................................................... 73 UN Convention for the Suppression of
Art 6(3) .................................................... 78 Unlawful Acts against the Safety
Art 6bis .................................................... 80 of Maritime Navigation 10 March
Arts 9, 10 ................................................. 73 1988 (entered into force 1 March
Art 19 ....................................................... 78 1992) ......................................... 152, 153
Paris Declaration Respecting Maritime Law of Art 1(a) .................................................. 153
16 April 1856 .................................... 385 Art 3(a) .................................................. 154
Rome Statute of the International Criminal Art 3(c) .................................................. 153
Court 1998 (ICC Statute) ................. 206 Art 3(d) .................................................. 154
Art 7 .............................................. 142, 143 Art 3 (e), (f) ........................................... 153
Art 7(1) .......................................... 140, 141 Art 3(g) .................................................. 154
Art 7(2) .......................................... 142, 143 UN Convention for the Suppression of
Art 8 ...................... 121, 125, 126, 130, 135 Unlawful Seizure of Aircraft 16
Art 8(2) .......................................... 362, 135 December 1970 (entered into force
Art 8bis(1) ............................... 140–41, 142 14 October 1971) .............................. 152
Art 8bis(2) ............................. 137–140, 142 Art 1(a) .................................................. 154
Arts 22–24 ............................................. 140 UN Convention on Acts of Nuclear Terrorism
Shanghai Cooperation Organisation, 2005 ................................................... 153
Agreement on Cooperation in the Field
UN Convention on the Law of the Sea 10
of International Information Security
December 1982 (entered into force 16
16 June 2009 .................... 113, 122, 192
November 1994)
Shanghai Cooperation Organisation, Charter
Arts 87, 89 ............................................... 26
June 2002
Art 157(1) ................................................ 23
Art 2(4) .................................................. 251
Shanghai Cooperation Organisation UN Convention on the Prevention and
Convention on Combating Terrorism, Punishment of Crimes against
Separatism and Extremism of 2001 Internationally Protected Persons,
15 June 2001 (entered into force including Diplomatic Agents 14
29 March 2003) ................................ 163 December 1973, (entered into force
Treaty Concerning the Permanent Neutrality 20 February 1977) .................... 152, 154
and Operation of the Panama Canal Art 2 ....................................................... 154
(7 September 1977) .......................... 383 UN Convention on the Rights of the Child
Treaty of Brest-Litovsk 1918 .................... 384 20 November 1989 (entered into force
Treaty of London (1839) ........................... 383 September 1990)

/ Date: 8/5
xxiv Research handbook on international law and cyberspace
Art 38 ..................................................... 362 EUROPEAN UNION

UN Convention Optional Protocol to the
Convention on the Rights of the Child Council Directive 89/552/EC of 3 October
on the involvement of children in armed 1989 on the coordination of certain
conflict 25 May 2000 (entered into force provisions laid down by law, regulation
February 2002) or administrative action in Member
Art 1 ....................................................... 362 States concerning the pursuit of
UN Convention on the Suppression of television broadcasting activities ........ 50
Unlawful Acts of Violence at Airports Council Directive 2008/114/EC of 8
1988 ................................................... 153 December 2008 on the identification and
Protocol, art II ........................................... 153 designation of European critical
UN Convention against Transnational infrastructures and the assessment
Organized Crime 2000 (entered into of the need to improve their
force 2013) ........................................ 149 protection .......................................... 269
UN Draft Comprehensive Anti-Terrorism Art 2(a) ...................................................269
Convention .......................... 155–62, 164 Council Regulation 1334/2000/EC of 22 June
UN Protocol for the Suppression of Unlawful 2000 setting up a Community regime for
Acts against the Safety of Fixed the control of exports of dual-use items
Platforms Located on the Continental and technology .................................. 422
Shelf 10 March 1988, (entered into Council Regulation (EC) No 44/2001 of 22
force 1 March 1992) ......................... 152 December 2000 on jurisdiction and the
Art 2(1) .......................................... 153, 154 enforcement of judgments in civil and
UN Treaty on Principles Governing the commercial matters (Brussels I
Activities of States in the Exploration Regulation) ........................................ 411
and Use of Outer Space, including the Art 2 ......................................................... 82
Moon and Other Celestial Bodies Art 5 ......................................................... 83
(19 December 1966) Art 6 ......................................................... 83
Arts 1, 2, 7, 8 .......................................... 26 Art 5(3) .................................................... 46
Uniform Domain Name Dispute Resolution Art 15(1)(c) .............................................. 45
Policy (URDP) ....................... 74, 79, 92 Art 22(4) .................................................. 82
Universal Declaration of Human Rights Council Regulation (EC) No 6/2002 of
10 December 1948 (UDHR) ............ 106 12 December 2001 on community
Art 17 ....................................................... 76 designs ................................................. 80
US-USSR Agreement on the Prevention of Council Regulation (EC) no. 207/2009 of
Dangerous Military Activities (1989) 26 February 2009 on the Community
Art I(9) ............................................... 251–2 Trade Mark (codified version) ............ 80
Art III(1) ................................................ 251 Directive 95/46/EC of the European
Vienna Convention on Diplomatic Relations Parliament and of the Council of
(1961) .................................................. 67 24 October 1995 on the protection of
Vienna Convention on the Law of Treaties individuals with regard to the
(1969) processing of personal data and on
Art 31(1) ................................................ 237 the free movement of such data
Art 31(3) ................................................ 246 (Data
WIPO Copyright Treaty 1996 ..................... 74 Protection Directive) ................. 103, 416
Art 4 ......................................................... 84 Art 4(1) .................................................... 44
Art 8 ......................................................... 74 Directive 96/9/EC of the European
WIPO Model Provisions on the Protection of Parliament and of the Council of 11
Computer Programs (1978) ................ 84 March 1996 on the legal protection
World Health Organization Framework of databases (Database Directive) ..... 84,
Convention on Tobacco Control 85, 86
(Geneva, 2003) Art 1(2) .............................................. 84, 85
Art 13(7) .................................................. 39 Art 3(1) .............................................. 85, 86

/ Date: 8/5
Table of legislation xxv
Art 7 ......................................................... 84 the Member States relating to trade

Directive 2001/29/EC of the European marks (codified version) (Trade Mark
Parliament and of the Council of 22 May Directive) ...................................... 77, 80
2001 on the harmonization of certain Art 2 ......................................................... 92
aspects of copyright and related rights in Directive 2009/24/EC of the European
the information society (InfoSoc Parliament and of the Council of 23
Directive) ............................................ 90 April 2009 on the legal protection of
Art 6 ......................................................... 90 computer programs (Software
Directive 2001/83/EC of the European Directive) ............. 84, 85, 86, 88, 89, 90
Parliament and of the Council of 6 Art 1(1) .................................................... 84
November 2001 on the Community code Art 1(2) .............................................. 88, 89
relating to medicinal products for Art 1(3) .................................................... 85
human use Art 4 ......................................................... 87
Art 87(1) .................................................. 39 Art 5 ......................................................... 90
Directive 2000/31/EC of the European Art 5(3) .................................................... 90
Parliament and of the Council of 8 June Art 6 ......................................................... 90
2000 on certain legal aspects of Directive 2013/40/EU of the European
information society services, in Parliament and of the Council of 12
particular electronic commerce, in August 2013 on attacks against
the internal market on electronic information systems and replacing
commerce (Electronic Commerce Council Framework Decision
Directive) ...................................... 39, 40 2005/222/JHA ................... 269, 281, 412
Recital 16 ................................................. 41 Directive 2014/26/EU of 26 February 2014 of
Recital 21 ................................................. 39 the European Parliament and of the
Art 1(5)(d) ............................................... 41 Council on collective management of
Art 2(c) .................................................... 50 copyright and related rights and
Art 2(h) .................................................... 50 multi-territorial licensing of rights in
Art 2(h)(ii) ............................................... 39 musical works for online use in the
Art 3(1) .................................................... 50 internal market
Art 3(2) .................................................... 50 Art 1 ......................................................... 81
Art 3(4) .................................................... 50 Art 43 ....................................................... 81
Art 3(4)(i) ................................................ 39 EC Treaty
Art 12(1) .................................................. 88 Arts 226, 227 ........................................... 50
Art 13(1) .................................................. 87 EU Council Framework Decision
Art 14(1) .................................................. 87 2002/475/JHA of 13 June 2002 on
Art 15 ....................................................... 88 combating terrorism .................. 163, 164
Directive 2006/116/EC of the European EU Council Framework Decision
Parliament and of the Council of 12 2005/222/JHA of 24 February 2005
December 2006 on the terms of on attacks against information
protection of copyright and certain systems ............. 149, 162, 193, 202, 415
related rights (Term Directive) EU Council Framework Decision
Art 1(1) .................................................... 87 2008/977/JHA of 27 November 2008 on
Directive 2006/24/EC of the European the protection of personal data processed
Parliament and of the Council of 15 in the framework of police and judicial
March 2006 on the retention of data cooperation in criminal matters ....... 416,
generated or processed in connection 417
with the provision of publicly available European Convention on Human Rights ... 77,
electronic communications services or of 199, 204
public communications networks and Art 10 ..................................................... 100
amending Directive 2002/58/EC ...... 167 Art 15(1) .................................................. 77
Directive 2008/95/EC of the European European Patent Convention (EPC) 1973
Parliament and of the Council of 22 (revised 2000) ............................... 78, 83
October 2008 to approximate the laws of Recital 8 ................................................... 81

/ Date: 8/5
xxvi Research handbook on international law and cyberspace
Art 5(3) .................................................... 81 NATIONAL

Art 7(1) .................................................... 81
Art 52(2) ............................................ 83, 91
Australia
Art 52(3) .................................................. 91
Regulation (EC) No 460/2004 of the
Criminal Code Act 1995 (Cth)
European Parliament and of the Council s. 101.1 .................................................. 165
on 10 March 2004 establishing the Interactive Gambling Act 2001 (Cth)
European Network and Information ss. 8, 9, 14, 15 ......................................... 41
Security Agency (ENISA) ........ 258, 409
Regulation (EC) No 864/2007 of the
China
European Parliament and of the Council
of 11 July 2007 on the law applicable to
Criminal Law of the PRC
non-contractual obligations (Rome II Art 287 ................................................... 164
Regulation)
Art 8(1) .................................................... 83
Regulation (EU) No 1257/2012 of the
France
European Parliament and of the Council
Code of Civil Procedure
of 17 December 2012 implementing
Arts 808, 809 ........................................... 38
enhanced cooperation in the area of
the creation of unitary patent
protection ...................................... 81, 84 India
Treaty on European Union (TEU)
Art 3(5) .................................................. 403 Information Technology Act 2000
Art 5(2) .................................................. 405 s. 66F(1) ................................................ 167
Art 13 ..................................................... 405
Art 21 ............................................ 405, 421 New Zealand
Art 24 ............................................ 421, 422
Art 26 ..................................................... 421 Gambling Act 2003
Art 37 ............................................ 421, 423 s. 19 ......................................................... 41
Art 40 ............................................ 421, 422
Art 42 ..................................................... 423 South Africa
Art 42(7) ................................................ 418
Art 43 ..................................................... 423 Protection of Constitutional Democracy
Art 47 ..................................................... 422 against Terrorism and Related Activities
Treaty on the Functioning of the European Act 2004 ............................................ 164
Union (TFEU)
Art 16 ..................................................... 416
Art 21(3) ................................................ 420 The Netherlands
Arts 49, 56 ............................................... 42
Art 75 ..................................................... 424 Act on the Use of Force by Guards of
Art 83(1) ................................................ 415 Military Objects 2003
Art 114 ................................................... 416 Art 1 ....................................................... 222
Art 215 ................................................... 424
Art 218 .......................................... 421, 423 United Kingdom
Art 222 ................................................... 417
Arts 263, 267 ......................................... 420 Copyright, Designs and Patents Act 1988
Art 275 ................................................... 422 (CDPA)
Art 276 ..................................................... 89 s. 1 ........................................................... 72

/ Date: 8/5
Table of legislation xxvii
s. 1(1) ....................................................... 85 United States

ss. 3–8 ...................................................... 85
s. 3(1)(b), (c) ........................................... 84 Act to Further Promote the Defense of the
s. 3(2) ................................................. 85, 87 United States 1942 ............................ 384
s. 5A(2) .................................................... 85 Anticybersquatting Consumer Protection Act
s. 5B(4) .................................................... 85 (1999) 15 USC
s. 6(6) ....................................................... 85 § 1125(d) ................................................. 47
s. 8(2) ....................................................... 85
Computer Software Act 1980 ..................... 84
s. 11(1) ..................................................... 87
Copyright Act 1976
s. 12(2) ..................................................... 87
s. 16 ......................................................... 87 § 102(b) ................................................... 88
s. 17 ......................................................... 87 § 512 ........................................................ 75
s. 29 ......................................................... 90 Digital Millenium Copyright Act 1998
s. 30 ......................................................... 90 (DCMA) .................................... 74–5, 90
s. 50A, 50B, 50BA, 50C ......................... 90 Espionage Act 1917 .............................. 171–2
s. 213 ....................................................... 72 Federal Anti-Tampering Law 1982 ........... 312
s. 296, 296ZA, ................................... 90, 91 FISA (Foreign Intelligence Surveillance
s. 296ZE .................................................. 91 Act) Amendment Act 2008 (FAA
Digital Economy Act 2010 ......................... 75 2008) ................................................. 224
s. 17 ......................................................... 75 Patent Act 1952
Gambling Act 2005 ..................................... 51 § 101 ........................................................ 83
Gambling (Licensing and Advertising) Act Protect America Act (PAA) 2007 ............. 224
2014 ..................................................... 51 Restatement (Third) of Foreign Relations
Obscene Publications Act 1959 .................. 39 Law (1986)
Patents Act 1977 (PA) § 403(1), (2) ............................................. 49
s. 1(2) ....................................................... 91 Trade Marks Act 1946 (Lanham Act)
s. 30(1) ..................................................... 72 15 USC ................................................ 80
Registered Designs Act 1949 (RDA) Uniting and Strengthening America by
ss. 1(2), 2 ................................................. 72 Providing Appropriate Tools Required to
Regulation of Investigatory Powers Act Intercept and Obstruct Terrorism Act
(RIPA) 2000 ...................................... 223 2001 (PATRIOT Act) ........ 165, 224, 269
Terrorism Act 2000
s. 1(2)(e) ................................................ 164 Uruguay
Trade Mark Act 1994 (TMA)
s. 1 ........................................................... 92 Statute of the River Uruguay of 1975
s. 2 ........................................................... 72 Art. 36 ...................................................... 69
s. 10 ......................................................... 91

/ Date: 15/5

/ Date: 8/5
Introduction
Michael Schmitt
Since the digital revolution, the exponential growth of information and communication
technology has created a complex web of networked systems. This is the new and
vibrant environment that we know as cyberspace. More specifically, cyberspace is the
‘global domain within the information environment consisting of the interdependent
network of information technology infrastructure, including the Internet, telecommuni-
cations networks, computer systems, and embedded processors and controllers’.1
Over the course of the last three decades, cyberspace has been ‘woven into the fabric
of daily life’2 and now permeates all aspects of modern society. Millions of people,
organisations, governmental and public institutions, corporations and businesses use
cyberspace every day to communicate, gather or exchange information, bank, shop, do
business, distribute energy, govern and exert influence. By December 2013, 39 per cent
of the world population used the internet (with usage in Europe being 68.6 per cent and
in North America 84.9 per cent), an increase of 676.3 per cent since 2000.3
Notwithstanding the enormous benefits and advantages it offers, cyberspace has also
become a repository for various threats, vulnerabilities and insecurities. They may
originate from governments, organised groups, individuals, or businesses, be intentional
or accidental and have financial, military, political or other aims. For instance,
conventional crime is metastasising to the cyber domain with criminals using networks
and cyber tools. Cyber theft, cyber fraud, the sale of illegal products, blackmail,
pornography and copyright and intellectual property theft are common occurrences that
can generate deleterious financial, personal, and even political consequences.4 State
security can be compromised by military-like and non-military-like cyber attacks
targeting critical national infrastructure and other essential assets and activities.
1
Joint Chiefs of Staff, Joint Publication 1-02, DOD Dictionary of Military and Associated
Terms (8 November 2010) (as amended through 15 June 2014) 64. The International Tele-
communications Union describes cyberspace as ‘systems and services connected either directly
or indirectly to the internet, telecommunications and computer networks’; ITU, ITU National
Strategy Guide (Geneva: ITU, 2011) 5, http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-
national-cybersecurity-guide.pdf accessed 13 October 2014.
2
69th Session of the UN General Assembly A/69/112 (30 June 2014) 4, foreword by the UN
Secretary-General, http://undocs.org/A/69/112 accessed 13 October 2014.
3
Internet World Stats: Usage and Population Statistics (26 September 2014), http://
www.internetworldstats.com/stats.htm accessed 13 October 2014.
4
In the UK, the cost of cybercrime to the UK has been estimated to be around £27bn per
annum of which £3.1 is the cost to citizens, £2.2 the cost to government and £21bn to business;
UK Cabinet Office and Detica, The Cost of Cyber Crime: A Detica Report in Partnership with
the Office of Cyber Security and Information Assurance in the Cabinet Office (Guildford, Surrey:
Detica Limited, 2011), 18–24.
1
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: 00d-Introduction_tracked /Pg.

Position: 1 / Date: 24/3
2 Research handbook on international law and cyberspace
Terrorists may begin to use cyberspace to perpetuate terrorist acts; they already use it
for recruitment, training, propaganda and funding purposes.5
The unique characteristics of cyberspace magnify both its potential benefits and
risks. At its core, cyberspace is a virtual environment; it is not subject to a time-space
continuum and is thus unconstrained by the limitations that these characteristics
impose. In this virtual environment, no physical action takes place. Instead, information
is transferred instantly through interconnected networks that transcend physical, legal
or political borders. In cyberspace actors can often maintain their anonymity. For
instance, efforts to trace cyber attacks encounter serious legal and technical obstacles
because they may operate through different networks.
Its unique characteristics make cyberspace a challenging environment for legal
regulation. Important questions arise about the role and efficacy of law, particularly
international law, in regulating cyber activities and cyberspace. In the immediate years
that followed the advent of cyber activities, some legal commentators claimed that
existing legal frameworks – whether it be national, regional or international law – are
inapplicable to cyberspace.6 The argument was that existing legal frameworks were
designed to regulate physical, geographically defined territories. In contrast, cyberspace
is a virtual domain that is global in scope but technically borderless. It was thus
proposed that cyberspace should be governed by a sui generis regulatory framework,
one devised and shaped by its users according to the specific features and needs of this
new domain. What they anticipated was the emergence of a subject-specific ‘law of
cyberspace’.
In recent years, states have made it clear that existing legal frameworks continue to
apply to cyberspace. For example, the UN Group of Governmental Experts established
by the UN Secretary-General to review existing and potential threats from cyberspace
stated in its 2013 report that ‘[i]nternational law, and in particular the Charter of the
United Nations, is applicable and is essential to maintaining peace and stability and
promoting an open, secure, peaceful and accessible ICT environment’ and that ‘State
sovereignty and international norms and principles that flow from sovereignty apply to
State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure
within their territory’.7 Similarly, in 2014 NATO’s heads of state agreed ‘[o]ur policy
also recognises that international law, including international humanitarian law and the
UN Charter, applies in cyberspace’.8
This is not to say however that the application of these legal frameworks is
uncontested or unproblematic. Indeed, this is particularly the case with international
5
See generally UN Office on Drugs and Crime: The Use of the Internet for Terrorist
Purposes (2012), http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_
Purposes.pdf accessed 13 October 2014.
6
D Johnson and D Post, ‘Law and borders – The rise of law in cyberspace’ (1996) 48
Stanford Law Review 1367.
7
Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security UN Doc, A/68/98 (24 June 2013)
paras 19–20, http://www.mofa.go.jp/files/000016407.pdf accessed 13 October 2014.
8
Wales Summit Declaration, Issued by the Heads of State and Government participating in
the meeting of the North Atlantic Council in Wales (5 September 2014), para 72, http://
www.nato.int/cps/en/natohq/official_texts_112964.htm accessed 13 October 2014.


Introduction 3
law because it very much adopts a state-based structure that is preoccupied with
notions of territory. With this in mind, the objective of this research handbook is to map
out the international rules and regulatory frameworks that apply to cyberspace in
general and to specific activities in cyberspace in particular. For this reason it brings
together leading international law scholars and practitioners to critically assess the
application of various international law principles and regimes to cyberspace.
Before I proceed to provide an overview of the contents of the book, allow me to
offer a few words about the originality and importance of this project. As a result of the
widespread media attention dedicated to the topic of cyber war, a great deal of
scholarly attention has been directed towards examining whether and how international
law applies to cyber attacks that is, military-like attacks on states by other states or
non-state actors. The Tallinn Manual on the International Law applicable to Cyber
Warfare, for example, has made a significant contribution to clarifying the application
of international laws relating to cyber uses of force and armed conflict involving cyber
operations.9 The present collection builds upon that research with chapters addressing
both the jus ad bellum and jus in bello.
However, much less attention has been focused upon the role of international law in
addressing other threats in and from cyberspace, such as cyber terrorism, cyber crime
and cyber espionage. The present research handbook responds to such a need. The
handbook also assesses the cyber security policies of a number of international
organisations, such those of the EU, NATO, and the UN, and assesses Asian approaches
to achieving and maintaining cyber security. This research handbook thus makes a very
important contribution in the field of cyber security by assessing the application of
international law to these different types of cyber threats.
The normative scope of the handbook is likewise broad. It examines the status as
well as the governance structures that apply to cyberspace. Accordingly, it contains
chapters on the legal character of cyberspace and the application of general principles
of international law to cyberspace, such as the law of state responsibility, international
human rights law, international criminal law and intellectual property law.
The result is a handbook that for the first time provides a comprehensive account of
the international legal rules that apply to cyberspace, engages in a systematic analysis
of how they do so, and provides an assessment of their suitability and effectiveness.
Moreover, where the regulatory functions performed by international law in cyberspace
are found lacking, this handbook offers suggestions for new regulatory regimes or
interpretations of existing rules that can deal more effectively with cyber activities. In
sum, the present research handbook contributes to the creation of a common base of
knowledge in this field.
As such, it is essential reading for policy makers, lawyers, political scientists, the
military and police, technologists, researchers or students who want or need to know,
understand or apply the international regulatory framework governing cyberspace and
cyber activities. I heartily congratulate the individual authors and both editors for their
efforts in bringing this important project to successful completion. It is a work that will
influence and shape this complex, but increasingly central, facet of international law.
9
M Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare
(CUP, 2013).


OVERVIEW OF THE CHAPTERS

The first part of the handbook comprises five chapters that focus upon the application
of general principles of international law to cyberspace. In the opening chapter,
Nicholas Tsagourias examines the legal status of cyberspace under international law.
He challenges the position that because state sovereignty has been historically
associated with control over physical territory, and that because cyberspace is a domain
that states cannot subject to territorial claims, states cannot therefore exercise sover-
eignty in cyberspace. Tsagourias disentangles sovereignty from territory. In doing so,
he argues that states are able to exercise sovereignty and thus jurisdiction over persons,
objects and actions in cyberspace. He then explores the question of whether cyberspace
can itself be sovereign and goes on to consider the legal implications of treating
cyberspace as a global commons. Tsagourias concludes by suggesting a global treaty to
regulate cyberspace, albeit explaining that one is not possible at this stage.
In Chapter 2 Uta Kohl assesses the conditions under which states can exercise
jurisdiction in cyberspace. Kohl argues that state practice indicates that states exercise
jurisdiction in cyberspace on the basis of the objective territoriality principle, meaning
that a state will assert jurisdiction over online activity if the effects of that activity are
felt on its territory. Although Kohl concedes that this is a common-sense approach, she
nevertheless concludes that the approach is likely to artificially fragment the internet,
an inherently global domain, into a web of national cyberspaces. The impact, Kohl
concludes, is that this may jeopardise the enjoyment of fundamental human rights such
as freedom of expression in cyberspace and may, more broadly, endanger the potential
for economic, political, social and cultural exchange.
In Chapter 3 Constantine Antonopoulos suggests that although the rules relating to
the responsibility of states for internationally wrongful acts apply to state conduct in
cyberspace, such applicability is fraught with difficulties because this legal framework
is premised upon the assumption that internationally wrongful acts are capable of
attribution to states. As Antonopoulos explains, this is problematic in the context of
cyberspace because of its unique characteristics, such as the anonymity that cyberspace
affords. In light of this, he argues that the best solution is to subject states to a duty of
due diligence to prevent computer systems that are subject to their jurisdiction from
being used to commit acts that are injurious to other states.
Chapter 4 assesses the extent to which international law protects intellectual property
rights in cyberspace. This is an important question since cyberspace can act as a venue
for intellectual property rights, while the protection of such rights may be technically
difficult. Andreas Rahmatian contrasts cyberspace with the territorial scope of intellec-
tual property rights. He then goes on to examine copyright law as applied to
cyberspace, patent protection of computer-implemented inventions, and trade mark/
domain name protection. He asserts that the standardisation of international property
rights by international conventions, and especially the TRIPS Agreement, has loosened
the territoriality principle. For him, any future international convention for the
regulation of cyberspace would have to address the problem of the territoriality of
intellectual property rights and perhaps consider the establishment of an international
organisation for the monitoring and policing of such a convention.


Introduction 5
In Chapter 5, David Fidler addresses the relationship between cyberspace and human
rights. For him, cyberspace challenges certain principles of international law central to
the protection of human rights, such as the principle of sovereignty and jurisdiction.
For instance, it raises questions as to whether internet access is a human right and how
the concept of, and debate over, the extraterritoriality of human rights law applies in the
cyber context. The cyberspace-human rights relationship also evokes questions as to
national and international policies on internet governance and cyber security, an
important issue given Edward Snowden’s revelations concerning the United States
National Security Agency’s massive cyber surveillance campaign. Fidler concludes that
cyberspace is subject to international politics that have historically affected human
rights protection. Examples include the resilience of sovereignty, national security
concerns and shifting balances of power. He concludes that this means the potential of
cyberspace to significantly enhance the enjoyment of fundamental human rights may
never be fully realised.
In Chapter 6 Kai Ambos considers the question of whether the commission of cyber
attacks can give rise to individual criminal responsibility, with particular reference to
the provisions of the Rome Statute. Ambos examines the conditions by which
individuals may be held criminally responsible for war crimes and crimes against
humanity and applies them in the cyber context. He also asks whether cyber aggression
can fall within the definition of the crime of aggression under the Rome Statute and
whether criminal jurisdiction can be exercised over cyber aggression.
Part II of the handbook assesses the extent to which international law adequately
deters and suppresses threats that emerge in and from cyberspace. In Chapter 7 Ben
Saul and Kathleen Heath evaluate whether international terrorism conventions apply to
cyber terrorism. Although they conclude that certain terrorism conventions can be
interpreted in such a manner, they assert that gaps remain in legal regulation, not the
least of which is that there is no definition of terrorism (and, for that matter, of cyber
terrorism). They query whether cyber terrorism would be better addressed through the
negotiation and conclusion of a direct and specific international treaty on cyber
terrorism.
In Chapter 8 Russell Buchan assesses the permissibility of cyber espionage under
international law. Buchan argues that accessing and collecting confidential information
resident in cyberspace that falls under the sovereignty of another state is an intrinsically
pernicious practice that breeds distrust and hostility between states. This reality is
exemplified by the international response to the Snowden revelations. Buchan asserts
that in such an environment states are unable to act in a collaborative and coordinated
manner to address issues that threaten international peace and security, such as
international terrorism, environmental degradation and human rights abuses. Buchan
thus concludes that cyber espionage represents a threat to international peace and
security. Moreover, he argues that because states exercise sovereignty in cyberspace,
when a state accesses and copies (without authorisation) confidential information
falling under the jurisdiction of another state such conduct constitutes an unlawful
intervention in that state’s sovereign authority and is therefore violative of international
law.
Chapter 9 focuses upon cyber crime and the role of national, regional and
international law in combating this activity. Philipp Kastner and Frédéric Mégret argue


that many crimes committed in cyberspace are regulated by domestic criminal legal
systems. They illustrate this by reference to specific crimes committed in cyberspace.
The application of domestic criminal law notwithstanding, Kastner and Mégret suggest
that in order to achieve adequate criminal law enforcement multilateral initiatives such
as the Council of Europe’s Convention on Cyber Crime are essential, for they lay the
foundations for greater cooperation between states. Indeed, they conclude that a
multilateral treaty achieving global cooperation, beyond state or regional boundaries,
and across the state/non-state divide, is needed to deal with many forms of cyber crime
In Part III, the relationship between hostile cyber operations and the jus ad bellum is
examined. To provide background, Paul Ducheine explores the notion of cyber
operations in Chapter 10. He argues that, at the state level, there are broadly five
distinct paradigms that can be used to describe cyber operations: governance, protec-
tion, law enforcement, intelligence and military operations. Ducheine asserts that it is
the last paradigm that constitutes the most far-reaching framework for governmental
action and therefore suggests that the proliferation of concepts such as cyber attacks,
cyber targeting and cyber war are indicative of the growing militarisation of cyber-
space.
Chapter 11 considers whether cyber attacks constitute an unlawful use of force under
Article 2(4) UN Charter. Marco Roscini argues that force within the meaning of Article
2(4) requires the use of a weapons accompanied by a coercive intention and effects.
Roscini concludes that in the context of cyber attacks this occurs when the attack
against computer systems results in physical damage to property or loss of life or injury
to people, as in the case of an attack against computer systems that subsequently causes
planes to crash. He also advocates a reading of Article 2(4) that extends to cyber
attacks that, whilst not manifesting real-world damage, nevertheless render ineffective
or unusable computer systems that sustain critical infrastructures and thus cause
significant disruption to the delivery of essential services.
Following on from this assessment of Article 2(4), in Chapter 12 Carlo Focarelli
examines the circumstances by which a cyber attack can amount to an armed attack
pursuant to Article 51 of the UN Charter and thus trigger a state’s right to use force in
self-defence. In particular, and with reference to state practice and recent literature,
Focarelli debates whether an armed attack can only be said to occur where the cyber
attack produces sufficiently serious physical damage or instead whether its application
extends to sufficiently serious non-physical damage. An attack that affects the function-
ality of computer systems sustaining critical national infrastructure illustrates the latter.
In addition, Focarelli considers how the principles of necessity and proportionality
apply to cyber uses of force that are committed in accordance with to Article 51 UN
Charter.
States may seek to protect their cyber infrastructure against military threats from
cyberspace by recourse to the language of cyber deterrence by asserting that it will
respond to cyber attacks with a devastating cyber attack of its own. In Chapter 13 Eric
Myjer compares deterrent strategies in the nuclear realm with deterrence in the cyber
arena. He argues that because of the unique features of cyberspace, cyber deterrence is
not comparable with nuclear deterrence and that therefore cyber deterrence is unlikely
to be effective. Perhaps more importantly, Myjer concludes that deterrence by the threat


Introduction 7
of cyber retaliation would be contrary to certain basic principles of international law,

such as necessity and proportionality.
Part IV focuses upon the use of cyber technology during times of armed conflict and
in particular the application of international humanitarian law to cyber weapons and to
hostilities conducted in cyberspace. In Chapter 14 Neil Rowe identifies various
important ethical concerns unique to the use of cyber weapons. These include
attribution, product tampering, unreliability, damage repair and collateral damage. He
concludes that many of these concerns are intractable. As a result, he encourages the
development of international treaties to restrict and regulate their use.
In Chapter 15 Louise Arimatsu addresses how cyber conflicts should be classified
under international humanitarian law and, most notably, whether cyber conflicts give
rise to an international or a non-international armed conflict. This inquiry involves
consideration of whether cyber attacks satisfy the requirement of ‘international’,
‘armed’ and ‘attack’ for the purpose of international armed conflict. In relation to
non-international armed conflict, the key questions are whether cyber groups can be
regarded as ‘organised’ and whether cyber conflict can be ever of sufficient intensity to
trigger international humanitarian law.
In Chapter 16 Karine Bannelier-Christakis assesses whether the principle of distinc-
tion is still relevant to hostilities conducted in cyberspace. Bannelier-Christakis explains
that the principle of distinction applies only to conduct that amounts to an attack under
international humanitarian law, which conventionally requires the use of violence that
produces physical damage. Bannelier-Christakis criticises this conclusion given that in
the contemporary era states place heavy reliance upon cyberspace and thus conduct that
affects the functionality of computer systems can be extremely damaging even if it does
not cause physical damage. As a result, she argues that the better approach is to subject
all military operations (including those in cyberspace) to the principle of distinction
regardless of the damage they cause. Customary international law, at least according to
Bannelier-Christakis, supports such an approach. She also stresses the difficulty of
distinguishing between military and civilian objects in cyberspace given its inherent
interconnectivity and also explores how the concept of direct participation in hostilities
applies to individuals involved in devising, maintaining and implementing cyber
operations during times of armed conflict.
Chapter 17 examines the application of the principle of proportionality and the duty
to take precautions in attack in relation to attacks carried out in the cyber domain. Terry
Gill argues that a cyber attack would only qualify as an ‘attack’ for the purpose of
international humanitarian law if it is committed in the context of a recognised armed
conflict and is intended to or reasonably likely to cause appreciable danger of physical
harm or damage. He concludes that while many cyber attacks would therefore not
qualify as attacks, some would and, for those, international humanitarian law would be
applicable by analogy in much the same way as it applies to attacks by kinetic
weapons. Thus, cyber attacks against purely military installations or combatants,
without any likely appreciable consequences to civilians or civilian objects, would fall
outside the applicability of proportionality. Cyber attacks directed against military
objectives or combatants that incidentally harm civilian objects or civilians are subject
to the proportionality test and would be unlawful if the expected damage to the civilian


objects or civilians is likely to be excessive in relation to the anticipated military

advantage.
In Chapter 18 David Turns assesses the application of the law of neutrality to
cyberspace. Turns explains that this is a complicated process because the law of
neutrality was devised more than a century ago and was therefore constructed with the
intention of protecting the territorial sovereignty of neutral states, namely tangible
constructs such as physical territory, territorial waters and territorial airspace. In
contrast, cyberspace is an intangible and interconnected environment. This considerably
enhances the potential for operations in cyberspace to implicate third parties. Turns
concludes that the law of neutrality is still relevant to cyberspace by analogy and
proceeds to examine how neutrality affects the conduct of cyber operations by neutrals
and belligerents.
Part V reviews the approaches of various international organisations to regulating
activities in cyberspace and in particular achieving and maintaining cyber security. In
chapter 19 Ramses Wessel explains that over the past decade the EU has started to take
its first steps in formulating and regulating cyberspace as a new policy area, especially
since the adoption of its 2013 Cyber Security Strategy. In an exploratory fashion,
Wessel’s chapter evaluates both the EU’s existing and emerging internal cyber security
rules, as well as the EU’s contribution to the development of a global regulatory
framework for cyberspace.
In Chapter 20 Katharina Ziolkowski examines NATO’s strategy for achieving cyber
security. She explains that cyber defence entered NATO’s agenda in 2002 after the
cyber attacks against the Alliance’s networks during the Kosovo crisis. Since 2002
NATO has begun to offer various cyber crisis management mechanisms and other
assistance to its member states and partner nations so as to strengthen their national
cyber defence capabilities. This being said, Ziolkowski argues that NATO has main-
tained a degree of strategic ambiguity in relation to the question of the circumstances
under which malicious cyber activities constitute a situation pursuant to Article 5 of the
North Atlantic Treaty and thereby engage its collective self-defence mechanism. This
has been settled recently with NATO adopting the policy that a significant cyber attack
on a member state implicates collective self-defence according to Article 5 of the North
Atlantic Treaty.
Hitoshi Nasu and Helen Trezise explore Asia’s approach to achieving cyber security
in Chapter 21. The authors note that cyber security has become a key priority for many
Asia-Pacific states, although they conclude that achieving cyber security in this region
is likely to be a complex and difficult task because of the political, economic and
socio-cultural diversity in the region. This chapter identifies cyber security policy
initiatives adopted by institutions in the Asia-Pacific region, such as ASEAN and
APEC. The authors assert that regional cyber security efforts have been somewhat
frustrated by the traditional security challenges that confront many states in the region.
In Chapter 22 Christian Henderson reviews the role and recent activities of the UN in
the cyber security context. He argues that although the UN has historically been
sluggish in take on cyber security issues, it has, in the wake of the dramatic increase in
cyber attacks since 2007, gradually begun to address this topic. In particular, activity
can be seen in various committees of the UN General Assembly, including the
achievement of consensus within several Groups of Governmental Experts on various


Introduction 9
cyber issues. Additionally, issues of cyber security have surfaced in the UN Security
Council, the Economic and Social Council and other subsidiary organs and specialised
agencies. Henderson concludes that although the decision of these UN agencies to
address cyber security is to be welcomed, the next challenge for these agencies is to
cooperate more closely in order to ensure an integrated and concerted response to the
maintenance of cyber security.
CONCLUSION
Although it is by now fairly well settled that international law applies to activities in
cyberspace, the jury is still out on how to apply such law. This book engages that
dialogue in a sophisticated and insightful manner. I admit to disagreeing with some of
the reasoning and conclusions reached by individual contributors. Nevertheless, even in
such cases, I find the analysis highly incisive and intellectually provocative. I again
congratulate my friends Nicholas Tsagourias and Russell Buchan on bringing together
such a talented group to so usefully examine one of the most complex topics being
grappled with by the international law community.




PART I
CYBERSPACE AND GENERAL

PRINCIPLES OF
INTERNATIONAL LAW

Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMedit-Chapter1 /Pg. Position: 1
/ Date: 24/3

/ Date: 24/3
1. The legal status of cyberspace

Nicholas Tsagourias
INTRODUCTION
Cyberspace is often presented as a purely non-legal domain. According to John
Barlow’s Declaration of the Independence of Cyberspace ‘legal concepts do not apply
to cyberspace’.1 This view of cyberspace as a non-legal domain is based on a number
of assumptions. The first assumption is that cyberspace is different from real spaces: its
a-territorial, borderless and ubiquitous character differentiates it from the physical and
bounded spaces that are subject to legal regulation.2
The second assumption is that cyberspace, true to its original conceptualisation and
design, should remain an open, decentralised and participatory space, not hampered by
legal regulations.3
Yet, the view that cyberspace is subject to law and indeed to international law is not
in dispute anymore.
For example, a report of the United Nations Group of Governmental Experts on
developments in the field of information and telecommunications in the context of
international security affirmed that international law, especially the United Nations
(UN) Charter, applies to cyberspace and that State sovereignty and international norms
and principles that flow from sovereignty apply to State conduct of ICT-related
activities4, and to jurisdiction over ICT infrastructure within a State’s territory.5 As the
UN Secretary-General also noted in the Foreword to the report, ‘[t]he recommendations
point the way forward for anchoring ICT security in the existing framework of
international law and understandings that govern State relations and provide the
foundation for international peace and security’.6
This view is often supplemented by a qualification: namely, that international law
should adapt its rules in order to grapple with the particularities of cyberspace. As the
US President opined in the 2011 International Strategy for Cyberspace:
1
John P Barlow, ‘A Declaration of Independence for Cyberspace’ (Davos, 1996) <https://
projects.eff.org/~barlow/Declaration-Final.html> accessed 22 July 2014.
2
David R Johnson and David G Post, ‘Law and borders: The rise of law in cyberspace’
(1996) 48 Stanford L Rev 1367. Contra Jack L Goldsmith, ‘Against cyberanarchy’ (1998) 65 U
Chi L Rev 1199.
3
Tim Wu and Jack Goldsmith, Who Controls the Internet? Illusions of a Borderless World
(OUP 2006) 23.
4
Information and Communication Technology.
5
UNGA ‘Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security’ (24 June 2013) UN Doc A/68/98
paras 19–20.
6
Ibid., 4.
13
/ Date: 6/5
The development of norms for state conduct in cyberspace does not require a reinvention of
customary international law, nor does it render existing international norms obsolete.
Long-standing international norms guiding state behavior – in times of peace and conflict –
also apply in cyberspace. Nonetheless, unique attributes of networked technology require
additional work to clarify how these norms apply and what additional understandings might
be necessary to supplement them.7
It is important to note at this juncture that the question as to whether cyberspace is

subject to law is a deeply political question. Cyberspace, as any technology in general,
is not an abstract entity that exists in isolation from politics but, instead, as the debates
mentioned above attest, is subject to political debates. Such debates may eventually
lead to common understandings about its ontology or use which are then normativised
in the form of legal rules. Law thus constructs the ontology and function of cyberspace
by embedding in the legal norms that apply to cyberspace authoritative choices about
the nature and use of cyberspace whilst at the same time it moulds such choices
through its own principles and standards. In other words, law serves a normative as
well as a performative function.
Yet, even if now is widely accepted that cyberspace is subject to law or indeed to
international law, scholars and practitioners usually focus on how international rules
apply to cyberspace and to cyber activities with relatively little consideration being
given to the legal status of cyberspace. This is therefore the main focus of this chapter.
Before exploring that question however, an enquiry into ‘what is cyberspace’ is
necessary.
WHAT IS CYBERSPACE
Questions as to what cyberspace is, and more specifically whether cyberspace is a
corporeal entity, an intangible entity or a bundle of functions have technical, philosoph-
ical, political, sociological and legal origins and ramifications. For example, Koepsell,
in his book on the ontology of cyberspace, set himself the task of answering the
following questions:
What is cyberspace? Is it dimensional? Are there things in cyberspace? Are things in

cyberspace properly called objects? Are such objects, or cyberspace itself, substance or
process? Is cyberspace or the objects in it real or ideal? What is the categorical scheme of
cyberspace? How should cyberspace fit into a broader categorical scheme?8
7
The White House, ‘International Strategy for Cyberspace’ (May 2011) 9 <http://www.
whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf> accessed at
23 July 2014; Harold H Koh, ‘International Law in Cyberspace’ (U.S. Department of State,
USCYBERCOM Inter-Agency Legal Conference, 18 September 2012) <http://www. state.gov/s/l/
releases/remarks/197924.htm> accessed 25 February 2014.
8
David Koepsell, The Ontology of Cyberspace: Law, Philosophy, and the Future of
Intellectual Property (Open Court Publishing 2003) 10. Julie Cohen spoke of the representations
of cyberspace as ‘utopia’ that is, as a separate space; as ‘isotopia’ that is, as a space that
continues existing space and as ‘heterotopia’ as a space where ordinary rules of behaviour or
conduct are suspended or transformed. Heterotopia preserves its relational aspect which, with

/ Date: 6/5
The legal status of cyberspace 15
I will not engage here with the various debates concerning the ontology of cyberspace
due to lack of expertise, but I will offer a basic description of cyberspace in order to
grasp the object of enquiry and because it is its features and attributes that shape the
way law understands and consequently treats cyberspace.
Cyberspace has been defined as ‘a global domain within the information environ-
ment consisting of the interdependent network of information technology infrastruc-
tures and resident data, including the Internet, telecommunications networks, computer
systems, and embedded processors and controllers’9. Although this is not the most
exact definition of cyberspace as it does not mention, at least explicitly, software
programmes, yet it is a starting point because it identifies certain common traits that
most academic or institutional definitions of cyberspace contain. A more comprehen-
sive definition is that offered by Kuehl according to which cyberspace is ‘a global
domain within the information environment whose distinctive and unique character is
framed by the use of electronics and the electromagnetic spectrum to create, store,
modify, exchange, and exploit information via interdependent and interconnected
networks using information-communication technologies’.10
It transpires from the above that cyberspace has three layers: a physical layer which
consists of computers, integrated circuits, cables, communications infrastructure and
the like; a second layer which consists of the software logic; and, finally, a third layer
which consists of data packets and electronics.11
What also transpires is that, whereas the core of cyberspace may form a virtual
space, it is nonetheless supported by physical objects such as computers, which connect
the irreducible part of cyberspace to the physical world;12 and interactions in cyber-
space are independent of time or space constraints and are conducted through logistics
rather than through physical acts.13
Having provided a basic decription of cyberspace and of its features, in the
remainder of the chapter I will focus on the legal representation of cyberspace and
more specifically on its status in international law.
For international lawyers, their conception of cyberspace is influenced by their
understanding of how spaces are represented in international law. For this reason, they
regard to cyberspace, refers to its connection to ‘real’ space. Julie E Cohen, ‘Cyberspace as/and
space’ (2007) 107 Columbia L Rev 210.
9
US Department of Defense, ‘Department of Defense Dictionary of Military and Associ-
ated Terms’, Joint Publication 1-02 (8 November 2010, as amended through 15 March 2014),
64; II.9. See also ‘The UK Cyber Security Strategy Protecting and promoting the UK in a digital
world’ (2011) 11 <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/
60961/uk-cyber-security-strategy-final.pdf> accessed 11 October 2014.
10
Daniel T Kuehl, ‘From cyberspace to cyberpower: Defining the problem’ in Franklin D
Kramer, Stuart H Starr, Larry K Wentz, Cyberpower and National Security (National Defense
University Press 2009) 28 [italics in the original].
11
Lior Tobanksy, ‘Basic concepts in cyber warfare’ (2011) 3(1) Military and Strategic
Affairs 75, 77–78.
12
Rebecca Bryant, ‘What kind of space is cyberspace?’ (2001) 5 Minerva – An Internet J of
Philosophy 138.
13
Lawrence Lessig, ‘The path of cyberlaw’ (1995) 104(7) Yale L J 1743, 1745–6; William S
Byassee, ‘Jurisdiction of cyberspace: Applying real world precedent to the virtual community’
(1995) 30 Wake Forest L Rev 197, 207–8.

/ Date: 6/5
not only look for analogies with physical spaces but also apply certain fundamental
international law principles such as that of sovereignty to cyberspace pondering at the
same time on how this principle applies in cyberspace and how it models its status.
Cyberspace and Sovereignty
I will now explore the question of whether the principle of sovereignty applies to
cyberspace and, if it does, what are the implications for the status of cyberspace. These
are important questions because sovereignty is a fundamental principle of international
law; it is in fact the basic organising principle of international law.14 In its traditional
definition, sovereignty denotes summa potestas.15 It denotes authority and control
which in legal terms is translated as the power to promulgate laws and the power to
enforce these laws.16
The two pertinent questions to ask then with regard to cyberspace are, first, whether
cyberspace can be subject to sovereignty and, secondly, whether cyberspace can itself
be sovereign.
Regarding the first question, there are those that maintain that cyberspace should be
free from sovereignty. According to Johnson and Post, for example, cyberspace cannot
be subject to sovereignty but instead, cyberspace should be subject to its own distinct
system of legal regulation based on self-regulation.17 For them, it is not only the
borderless and a-territorial nature of cyberspace that make it adverse to the standard
systems of territorially based international legal regulation but also the fact that
sovereignty’s principles of validity exhibited in territorially based entities in the form of
power, legitimacy, effects and notice are impossible or at best diluted in cyberspace.18
More specifically, the lack of borders in cyberspace deprives sovereigns of the ability to
exercise their power over defined peoples and territories and deprives sovereign power
from the legitimising effect of consent. It also deprives users from notice when entering
a different jurisdiction. It is because of these features and of the need to have an
effective regulatory system appropriate to cyberspace that cyberspace should develop
its own legal system based on self-regulation.19 All in all, the no-sovereignty thesis is
based on a concept of cyber-exceptionalism.
The descriptive and normative premises of the no-sovereignty thesis have been
challenged by Jack Goldsmith in his article ‘Against cyberanarchy’. For him, the
jurisdictional and enforcement inadequacies of sovereign power in cyberspace identi-
fied by Johnson and Post have been exaggerated. In fact, sovereigns can regulate the
local effects of extraterritorial activities.20 Moreover, traditional legal tools can resolve
14
Alan James, Sovereign Statehood (Allen & Unwin 1986) 267–9.
15
Samantha Besson, ‘Sovereignty’ in Rüdiger Wolfrum (ed.), Max Planck Encyclopedia of
Public International Law (OUP 2012).
16
‘In short, authority concerns rule-making and control, rule-enforcement.’ Janice E
Thomson, ‘State sovereignty in international relations: Bridging the gap between theory and
empirical research’ (1995) 39 Intl Studies Quarterly 213, 223.
17
Johnson and Post (n 2).
18
Ibid., 1370–76.
19
Lawrence Lessig, Code: Version 2.0 (Basic Books 2006) 3.
20
Goldsmith (n 2).

/ Date: 6/5
the multi-jurisdictional problems implicated in cyberspace and thus overcome issues of

legitimacy and validity.
Yet, whether cyberspace can be subject to sovereignty depends on how the concept
of sovereignty is understood and used in legal discourse.
As was said, sovereignty refers to supreme and full authority and in international law
it connotes authority and power over a certain territory and over its people to the
exclusion of any other authority. In the words of Judge Alvarez, by sovereignty ‘we
understand the whole body of rights and attributes which a State possesses in its
territory, to the exclusion of all other States, and also in its relations with other
States’.21 What transpires from the above is that in international law sovereignty has a
strong territorial dimension.22 The territorial dimension of sovereignty is explained by
the fact that its emergence as a political and legal concept coincided with the
emergence of the State as a political unit following the apportionment of territories and
the political and legal recognition of such territorial compartmentalisation by the Treaty
of Westphalia. As Judge Humber said in the Isle of Palmas case ‘territorial sovereignty
serves to divide between nations the space upon which human activities are
employed’.23
By elevating territory and the polity attached to that territory into components of
sovereignty,24 sovereignty became bounded. To explain, whereas sovereignty as summa
potestas is unbounded, territory localises sovereignty and acts as the ‘constraint that
unravels the assertion of unconstrained sovereignty’.25 In other words, territory has
become not only the object but also the container of sovereignty by drawing its legal
and political borders.
It follows from the above that whereas internal sovereignty, that is sovereignty over
a territory, is in principle full and exclusive, external sovereignty is relative.26 External
sovereignty denotes power over externalities but, because all sovereigns are equal and
21
Corfu Chanel Case (UK v Albania) (Separate Opinion of Judge Alvarez) [1949] ICJ Rep
43.
22
Jens Bartelson, A Geneology of Sovereignty (CUP 1993) 26. See also Montevideo
Convention on the Rights and Duties of States (signed 26 December 1933, entered into force 26
December 1934).
23
Island of Palmas Case (or Miangas) (United States v Netherlands) [1928] Reports of
International Arbitral Awards 839.
24
‘The state is the land, the people, the organization of coercion and a majestic idea, each
supporting and even defining the other, so that they [become] indivisible.’ Nicholas G Onuf,
‘Sovereignty: Outline of a conceptual history’ (1991) 16(4) Alternatives: Global, Local, Political
425, 437.
25
Joel P Trachtman, ‘Cyberspace, sovereignty, jurisdiction and modernism’ (1998) 5(2)
Indiana JGLS 560, 567. As was said in The Exchange v McFaddon, 11 U.S. (7 Cranch 116) 116
(1812):
The jurisdiction of a nation within its own territory, is exclusive and absolute. It is susceptible
of no limitation not imposed by itself. Any restriction deriving validity from an external
source would imply a diminution of its sovereignty to the extent of that restriction, and an
investment of that sovereignty to the same extent in that power which could impose such
restriction.
26
Stephen D Krasner, Sovereignty: Organized Hypocrisy (Princeton University Press 1999)
1–42.

/ Date: 24/3
have an equal claim to external sovereignty, the exercise of sovereign power outside the
allocated territory by one of them will encroach on the sovereignty of the others. Thus,
external manifestations of sovereignty are coordinated and managed through consent.
Consent is a sovereign act of voluntary acquiescence. As the Permanent Court of
International Justice opined in the Lotus case ‘international law governs the relations
between independent States. The rules of law binding upon States … emanate from
their own free will’.27
That having been said, it is important to disentangle sovereignty as a concept from
territory. Territory as an element of sovereignty is a lego-political construct: it is ‘about
organising space for political [or legal] purposes’.28 With that I mean that the carving
of territories upon which sovereignty is exercised is a political act; it is the end result of
a political process involving claims, counterclaims and successful assertions of power.
The Peace of Westphalia, for example, which is treated as the foundation of the modern
territorially-bound sovereignty was in fact about the redrawing of political bound-
aries.29 Thus, there is no inherent nexus between territory and sovereignty, although
territory offers a tangible space where sovereignty can manifest itself effectively in
political and legal terms. As was observed, ‘state territory can be regarded as a
container of power and not just as a place where powers are located’.30 Moreover, even
the territorially-based concept of sovereignty has an element of abstraction. As Ford
observed, territory ‘is abstractly and homogeneously conceived’ which means that ‘the
space of a jurisdiction is conceived of independently of any specific attribute of that
space’ and ‘[o]ne consequence of this abstract presentation of space is that it eliminates
the need for the specific enumeration and classification by kind’.31
If the essence of sovereignty is power and not territory, it can extend not only beyond
any allocated territory but also to non-territorial entities. Whether this will happen or
how this will happen, is a completely different question. Moreover, sovereignty as a
concept is not monolithic, but a ‘sponge concept’32 that can manifest itself in different
forms.
These observations can assist us in answering the question of whether sovereignty
can be asserted in cyberspace which, as was said, has a physical as well as a virtual
component and where activities may defy space or time constraints but nonetheless
have real effects on spaces, humans, or institutions. In this regard and since the focus of
this chapter is law and in particular international law, we should speak of jurisdiction.33
Jurisdiction is a concomitant of sovereignty and in fact it is the legal instantiation of
27
The Case of the S.S. “Lotus” (Judgement) [1927] PCIJ Rep Series A No 10 18.
28
Thomas Forseberg, ‘Beyond sovereignty, within territoriality: Mapping the space of
late-modern (geo) politics’ (1996) 31(4) Cooperation and Conflict 355, 362; John G Ruggie,
‘Territoriality and beyond: Problematising modernity in international relations’ (1993) 47 Intl
Organization, 139.
29
Daniel Bethlehem, ‘The end of geography: The changing nature of the international
system and the challenge to international law’ (2014) 25(1) EJIL 9, 13.
30
Peter J Taylor, ‘The state as container: Territoriality in the modern world-system’, (1994)
18 Progress in Human Geography 151.
31
Richard T Ford, ‘A history of jurisdiction’ (1999) 97 Michigan L Rev 843, 853–4.
32
Bartelson (n 22) 237.
33
For jurisdiction in cyberspace see Kohl (Ch 2 of this book).

/ Date: 6/5
sovereignty.34 Jurisdiction refers to legal authority and power and as an ingredient of

sovereignty translates sovereign power into prescription, enforcement and adjudica-
tion.35 Through jurisdiction sovereignty becomes operational and is substantiated.
Being attendant on sovereignty, jurisdiction has an internal as well as an external
aspect. Internally, ‘jurisdiction extends (and is limited) to everybody and everything
within the sovereign’s territory and to his nationals wherever they may be’ and
externally ‘[l]aws extend so far as, but no further than the sovereignty of the State
which puts them into force’.36
With regard to cyberspace, a State can exercise jurisdiction over cyber infrastructure
located on its territory and over its nationals37 when engaged in cyber activities. It can
also do so over non-nationals located in its territory.38 A State can exercise jurisdiction
over information circulated through cyberspace at the point of delivery as well as the
point of reception or when the information crosses through wires and lines falling
within its jurisdiction.39 A State can exercise jurisdiction over web addresses to the
extent they are registered in a specific country. In sum, the State can exercise its
prescriptive and enforcement jurisdiction over cyberspace and over cyber activities on
the basis of nationality and territoriality.
Yet, territoriality and nationality as bases of jurisdiction can be interpreted quite
extensively and expand even further the scope of a State’s jurisdiction and thus
sovereignty. More specifically, a State may exercise jurisdiction over its nationals
regardless of where their acts have been committed. This refers to the active nationality
principle and in cyberspace it means that if a national of a certain State commits a
wrongful cyber act in a foreign jurisdiction, for example a cybercrime, her/his State of
nationality may still exercise jurisdiction over her/him.
Moreover, a State can extend its jurisdiction extraterritorially if one of its nationals
has been the victim of a wrongful act. This refers to the passive nationality principle
which has been asserted by certain States in particular with regard to terrorism.40 For
example, if nationals of a particular State have been victims of cyber terrorism which
has been committed by non-nationals from a foreign jurisdiction, this can trigger the
jurisdiction of the victims’ State of nationality.
34
‘Jurisdiction is an aspect or an ingredient or a consequence of sovereignty,’ James
Crawford, Brownlie’s Principles of Public International Law (8th edn, OUP 2012) 456–7.
35
Michael Akehurst, ‘Jurisdiction in International law’ (1972) 46 (145) BYIL 9197 15. And
Wedding v Meyler, 192 U.S. 573 (84 1904).
36
Frederick A Mann, ‘The doctrine of international jurisdiction revisited after twenty years’
in Academie De Droit International De La Haye, Recueil Des Cours 1984 (Martinus Nijhoff
Publishers 1984) 9.
37
Nottenbohm Case (Lichtenstein v Guatemala) [1955] ICJ Rep 4 23.
38
T-Mobile West Corp. v Crow, No. CV08-1337-PHX-NVW, (D. Ariz. Dec. 16, 2009)
15–16); CompuServe, Inc v Patterson 89 F. 3d 1257 (6th Cir.1996); The Case of the S.S. “Lotus”
(Dissenting Opinion by Judge Moore) [1927] PCIJ Rep Series A No 10.
39
R v Sheppard & Amor [2010] EWCA Crim 65; Sean Kanuck, ‘Sovereign discourse on
cyber conflict under international law’ (2010) 88(7) Tex L Rev 1571, 1573–5.
40
Arrest Warrant Case (Democratic Republic of Congo v Belgium) (Joint Separate Opinion
of Judges Higgins, Kooijmans and Buergenthal) [2002] ICJ Rep 3 para 47; Restatement of the
Law Third, The Foreign Relations Law of the United States (1986) para 402.

/ Date: 24/3
A State may also exercise its jurisdiction when a certain cyber activity has effects
within that State’s territory.41 The effects doctrine was first enunciated by the
Permanent Court of International Justice in the Lotus case42 and has now been accepted
as a jurisdictional ground applicable in many different areas of law43 although there are
differing views about its scope. The controversy revolves around a number of issues,
for example whether the effects should have already been felt; whether they should be
substantial; whether they should be detrimental or whether foreseeable effects44 would
also suffice in order to trigger a State’s jurisdiction. A problem with applying the
effects doctrine to cyberspace is that effects may have been felt in a number of different
jurisdictions. If all affected States were to assert jurisdiction, the practical difficulties
become more than evident. Even if international law contains rules on conflicts of
jurisdiction, the assertion of jurisdiction in such situations may affect the principle of
fairness. In order to avoid jurisdictional overlaps and preserve jurisdictional fairness,
the threshold for the effects doctrine has been raised from ‘certain minimum contacts’45
to substantial contacts.46 Moreover, the principle of targeting has been developed,
according to which it is the State targeted by the impugned behaviour that can exercise
jurisdiction irrespective of any effects felt in other jurisdictions.47 As was said, targeting
is ‘something more than effects, but less than physical presence’.48
A State can also assert its jurisdiction over activities that endanger important national
interests regardless of where, or by whom, they have been committed.49 This refers to
the protective head of jurisdiction.50 A State for example can exercise jurisdiction over
cyber espionage if its security has been compromised.
In addition to the aforementioned bases for exercising jurisdiction, it is also
important to mention at this juncture the indirect exercise of jurisdiction over
cyberspace. States or private actors may partition cyberspace territorially by regulating
access to cyberspace on the basis of geolocation or by blocking websites. Secondly, a
41
For the effects doctrine see also Kohl (Ch 2 of this book).
42
The Case of the S.S. “Lotus” (n 27) 23.
43
Arrest Warrant of 11 April 2000 (n 40) para 47.
44
U.S. v Yousef , 327 F.3d 56, 112 (2d Circ, 2003).
45
International Shoe Co v Washington 326 US 310 [1945].
46
CompuServe v Patterson (n 38):
This court has repeatedly employed three criteria to make this determination: First, the
defendant must purposefully avail himself of the privilege of acting in the forum state or
causing a consequence in the forum state. Second, the cause of action must arise from the
defendant’s activities there. Finally, the acts of the defendant or consequences caused by the
defendant must have a substantial enough connection with the forum to make the exercise of
jurisdiction over the defendant reasonable.
See also Zippo Mfg Co v Zippo Dot Com Inc 952 F Supp 1119 (WD Pa 1997).
47
Thomas Schultz, ‘Carving up the Internet: Jurisdiction, legal orders, and the private/public
international law interface’ (2008) 19(4) EJIL 799, 816.
48
Ibid., 817.
49
The Case of the S.S. “Lotus” (n 27) (Dissenting opinion by Judge Loder) [1927] PCIJ Rep
Series A No 10 35–6: When the ‘offences […] are directed against the State itself or against its
security or credit [, t]he injured State may try the guilty persons according to its own law if they
happen to be in its territory or, if necessary, it may ask for their extradition.’
50
Cedric Ryngaert, Jurisdiction in International Law (OUP 2008) 96.

/ Date: 24/3
State can assert jurisdiction over cyberspace by regulating cyberspace technology. As

was said, ‘the actor who reigns over the architecture of technology also defines the
rights and constraints existing within this architecture’.51 A state can do this by
regulating the functions and activities of software or by imposing conditions such as
passwords. Thirdly, the assertion of jurisdiction by one State may have ‘spill over’
effects on other jurisdictions or on areas outside any jurisdiction, for example on the
virtual domain of cyberspace. For instance, if a State regulates access to terrorist
materials, it makes their circulation through cyberspace more difficult in the absence of
a common regulatory regime, although eventually not impossible.52
This leads to the question of whether a State can exert jurisdiction over objects or
activities in the virtual part of cyberspace. If sovereignty connotes authority and power
and is not inherently territorial, nothing prevents a State from exercising its jurisdiction
unilaterally or in cooperation with other States over objects or activities in the virtual
domain since they do not fall within any specific jurisdiction. This is based on the
permissive rule introduced by the Permanent Court of International Justice (PCIJ) in
the Lotus case according to which, in the absence of a prohibition, a State is free to
assert its jurisdiction ‘its title to exercise jurisdiction rests in its sovereignty’.53 That
said, whether a State will be able to actually exercise jurisdiction depends on its
technological capabilities.
What we observe then with regard to cyberspace is, on the one hand, the
territorialisation of cyberspace and of cyber activities and on the other, the
de-territorialisation of sovereignty.54 With territorialisation I do not mean the territorial
carving of cyberspace or its treatment as tangible territory but the extension to
cyberspace and to cyber activities of configurations of authority and power linked to
territorial spaces. This process links cyberspace to the traditional notion of sovereignty
and, in fact, reinforces State sovereignty. On the other hand, we observe the deter-
ritorialisation of sovereignty as far as cyberspace is concerned. Deterritorialisation has
been defined as ‘the detachment of regulatory authority from a specific territory’.55
This has two aspects. The first is about the diverse norm-setting authorities, sources of
normativity and plurality of norm addressees.56 In cyberspace rules and regulations are
laid down by States but also by a variety of public and private authorities whereas the
addressees of such rules and regulations are equally States and other legal or natural
persons. For example ICANN (Internet Corporation for Assigned Names and Numbers)
51
Christoph B Graber, ‘Internet Creativity, Communicative Freedom and a Constitutional
Rights Theory Response to “Code is Law”’ (i-call Working paper no. 03, University of Lucerne
2010) 5 <http://ssrn.com/abstract=1737630> accessed 28 June 2014.
52
Goldsmith (n 2), 1240–42.
53
The Case of the S.S. “Lotus” (n 27) 19.
54
These terms have been used albeit differently in Geoffrey L Herrera, ‘Cyberspace and
Sovereignty: Thoughts on Physical Space and Digital Space’ (1st International CISS/ETH
Conference on “The Information Revolution and the Changing Face of International Relations
and Security” Lucerne, Switzerland, May 23–25, 2005) 30.
55
Catherine Brölmann, ‘Deterritorializing international law: Moving away from the divide
between national and international law’ in Janne E Nijman and André Nollkaemper (eds), New
Perspectives on the Divide between National and International Law (OUP 2007) 84–109.
56
Ibid.

/ Date: 24/3
is a ‘not-for-profit public-benefit corporation’ incorporated in the USA being respons-

ible for assigning Internet namespaces and for keeping the Internet secure, stable and
interoperable. As it declares on its website ICANN, ‘bring[s] together individuals,
industry, non-commercial and government representatives to discuss, debate and
develop policies about the technical coordination of the Internet’s Domain Name
System’.57 The other aspect of de-territorialisation of sovereignty concerns the State
itself and finds expression in the extraterritorial exercise of jurisdiction. When the State
exercises its jurisdiction with regard to cyber activities extraterritorially, its locus of
jurisdiction is not the sovereign territory.
Having examined the question of whether cyberspace can be the locus of sover-
eignty, the next question is whether cyberspace itself can be a sovereign entity.58 The
a-territorial nature of cyberspace may provoke some reservations but, as was said
previously, territory is not necessarily integral to the concept of sovereignty. Moreover,
territory is not just a geographical notion with political and legal connotations but it is
also a social construct and a perception. Territory is about the relationships between
humans, actions and spaces as well as about attachments and allegiances to spaces. To
this it should be added that space is a cognitive construction. As Cohen argued ‘[t]o say
that humans reason spatially is not to say that we are place-bound, or property-bound,
but simply to say that we are embodied, situated beings, who comprehend even
disembodied communications through the filter of embodied, situated experience’.59
Following from this, one can say that cyberspace has, in addition to its physical
infrastructure and to its human users, a conceptual and a perceptual dimension as well.
Conceptually, cyberspace is ‘the sense of space generated within the mind as we
interact with computer technology’, and perceptually it is ‘the sense of space generated
by the computer-user interface, through one or a combination of our senses.’60
Interestingly, William Gibson coined the term ‘cyberspace’ by watching video game
kids and computer users who seemed ‘to develop a belief that there is some kind of
actual space behind the screen, some place you cannot see but you know is there’.61
One may thus describe cyberspace as a ‘figurative’ or ‘noumental’ space ‘inhabited’ and
‘experienced’ through machines by people who are located in real spaces.62
The question that can be asked then is whether these people or the cyberspace
community at large can declare the sovereignty of cyberspace. Put differently, can the
57
https://www.icann.org/.
58
Timothy S Wu, ‘Cyberspace sovereignty? The Internet and the international system’
(1997) 10(3) Harvard J of L & Technology 648.
59
Cohen (n 8) 213 .
60
Lance Strate, ‘The varieties of cyberspace: Problems in definition and delimitation’ (1999)
63(3) Western J of Communication 382, 412.
61
Sue Barnes, ‘Cyberspace: Creating paradoxes for the ecology of self’ in Lance Strate,
Ronald L Jacobson, Stephanie B Gibson (eds), Communication and Cyberspace (Hampton Press
1996) 195.
62
According to Julie Cohen cyberspace ‘is constituted via the interactions between and
among practice, conceptualisation, and representation. It is a nexus of social practice by
embodied human beings; a site for the enactment of visions of the ideal organisation of social
and economic activity; and a catalyst for impressionistic re-imaginings of socio-spatial practice’.
Cohen (n 8) 236.

/ Date: 6/5
cyberspace community in exercising its right to self-determination determine the

political and legal status of cyberspace as a sovereign entity? Indeed, that was the gist
of the famous Declaration of the Independence of Cyberspace.
It should be noted in this respect that at the basis of the principle of self-
determination is the notion that people have a say in the internal organisation and the
external representation of the space within which they live and that people entitled to
self-determination and States are distinct entities.63 It should also be recalled that
sovereignty in its political journey was separated from the person of the sovereign and
according to current democratic theories of sovereignty, the source and holder of
sovereignty are the people who can exercise their right to self-determination through
democratic process.
Such a constitutive act by the cyber community even if it were to happen would be
devoid of any legal as well as practical significance. First, there are questions as to
whether the cyberspace community constitutes a ‘people’ for self-determination pur-
poses. In international law there is no universally accepted definition of the term
‘people’64 but a UNESCO report mentioned a number of characteristics which are
‘inherent in a description (but not a definition) of a people’. They include: a common
historical tradition; racial or ethnic identity; cultural homogeneity; linguistic unity;
religious or ideological affinity; territorial connection; common economic life. The
Report also noted that ‘the group must be of a certain number’, that the ‘group as a
whole must have the will to be identified as a people or the consciousness of being a
people’ and that the group must have ‘institutions or other means of expressing its
common characteristics and will for identity’.65 If we apply these characteristics to the
cyber community, it does not satisfy any of the above criteria. Also, the cyber
community cannot be defined as a group of people because membership of the cyber
community is infinite. Furthermore, membership of cyberspace does not translate itself
into forging strong normative ties beyond certain agreement on rules of behaviour. Nor
is there a shared feeling among users of constituting a unit based on collective identity
and a sense of common destiny.66 Granted, users may have the consciousness of being
cyberspace users and they may share some common interests but their interaction does
not translate itself into any overriding political, social, legal, or ethical association.
Although cyberspace in principle offers an open and easily accessible public space
where questions about common destiny and association can be deliberated and reflected
upon, the sheer volume of users or languages and the lack of structures make the
possibility of such deliberation difficult. For most part, cyberspace users associate
themselves and place their allegiances with their own States and people.
63
See Article 1 of the ICCPR and ICESCR. See also principle 1 and 5 of the Declaration on
Principles of International Law concerning Friendly Relations and cooperation among States in
accordance with the Charter of the United Nations, UNGA Res 2625 (XXV) of 24 October
1970.
64
Rupert Emerson, Self-determination’ (1971) 65 AJIL 459, 462.
65
UNESCO ‘International Meeting of Experts on further study of the concept of the rights
of peoples’ (22 February 1990) SHS-89/CONF.602/7 para 22 <http://unesdoc.unesco.org/images/
0008/000851/085152eo.pdf> accessed 11 October 2014.
66
Dieter Grimm, ‘Does Europe need a constitution?’ (1995) 1 European L J 282.

/ Date: 24/3
Secondly, the inhabitants of cyberspace are embodied individuals who live in real
spaces. Cyberspace users even as inhabitants of that figurative space do not suddenly
lose physicality or become displaced figures. They live in real geographic and time
spaces and are under the jurisdiction of their respective States. Any decision to
proclaim the sovereignty of cyberspace and any laws or regulations they may
promulgate will be subject to the scrutiny of their own State.
Thirdly, even if they declare the sovereignty of cyberspace, the normative, institu-
tional, or legal structure needed to support sovereignty in cyberspace cannot be
independent of State structures. Cyberspace does not have any central authority to
promulgate or enforce laws. Instead it is the laws of real spaces that are projected in
cyberspace.
It transpires then that cyberspace does not have its own ‘people’ or its own
independent and self-generating mechanisms to declare and sustain a claim to internal
as well as external sovereignty.
That being the case, the next question is whether sovereignty can be attributed to
cyberspace by States. States as the original subjects of international law with plenary
sovereign powers can create other entities and attribute them with certain powers. They
can do so as far as cyberspace is concerned but it will not make it a sovereign entity
even if, in the process, it expands its powers. In international law, the only depositories
of sovereignty are the States. Their creations may be attributed with powers over issues
that hitherto belonged to States, however they do not have plenary sovereign powers
and any attributed powers can be recalled.
From the preceding discussion it can be concluded that cyberspace can never become
sovereign but can be subject to sovereignty. I have already explained how States can
assert their sovereignty in cyberspace but in what follows I will also discuss a different
legal representation of sovereignty in cyberspace.
CYBERSPACE AS GLOBAL COMMONS

Often cyberspace is identified as a global commons or a res communis.67 The founder
of the World Wide Web for example dedicated the protocol to the whole world,
preventing anyone from attaining property over it.68
Global commons are resource domains that lie outside the exclusive sovereignty of
States.69 Global commons share certain broad characteristics. First, their utility as a
67
Dan Hunter, ‘Cyberspace as place and the tragedy of the digital anticommons’ (2003) 91
California L Rev 439; Abraham M Denmark and James Mulvenon (eds), Contested Commons:
The Future of American Power in a Multipolar World (Centre for New American Century 2010);
Canada’s Cybersecurity Strategy: For a stronger and more prosperous Canada (Government of
Canada 2010) 4 <http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-scrt-strtgy/index-eng.aspx>
accessed 28 July 2014.
68
Tim Berners-Lee and Mark Fischetti, Weaving the Web: The Original Design and Ultimate
Destiny of the World Wide Web (Texere 2000) 124.
69
UNEP, ‘IEG of the Global Commons: Background’ (United Nations Environment Pro-
gramme Division of Environmental Law and Conventions) <http://www.unep.org/delc/
GlobalCommons/tabid/54404/Default.aspx> accessed 28 July 2014; John Vogler, ‘Global

/ Date: 24/3
whole is greater than if broken down into smaller parts; second, States and non-state
actors with the requisite technological capabilities are able to access and use them for
economic, political, scientific and cultural purposes; and third, in most cases they are
governed collectively.70
International law has recognised a number of global commons such as the High Seas,
Antarctica and the Outer Space,71 which have been characterised as the ‘cyberspaces’
of a previous generation.72
With regard to the high seas, the mare liberum principle was first promulgated by
Grotius as reaction to the prevalent at the time theory of enclosed sea (mare clausum).
Grotius compared the sea with the air in the following terms:
the air belongs to this class of things [res communis] for two reasons: First it is not
susceptible of occupation; and secondly its common use is designed for all mankind. For the
same reasons the sea is common to all, because it is so limitless that it cannot become a
possession of anyone, and because it is adopted for the use of all, whether considered from
the point of view of navigation or of fisheries.73
In another passage he said:
the sea … cannot become subject to private ownership. The extent of the ocean is in fact so
great that it suffices for any possible use on the part of all peoples … the same thing would
need to be said, too, about the air. There is, furthermore, a natural reason which forbids that
the sea, considered from the point of view mentioned, should become a private possession.
The reason is that occupation takes place in the case of a thing which has definite limits.74
In contrast, if water is enclosed, it can be possessed as in the case of lakes.75
Commons revisited’ (2012) 3(1) Global Policy, 61; Mika Aaltola, Joonas Sipilä and Valtteri
Vuorisalo, ‘Securing Global Commons: A small state perspective’ (FIIA Working Paper 71, June
2011).
70
Denmark and Mulvenon (eds) (n 67) 11.
71
United Nations Convention on the Law of the Sea (signed 10 December 1982, entered into
force 16 November 1994) art 157(1); The Agreement Governing the Activities of States on the
Moon and Other Celestial Bodies (signed 18 December 1979, entered into force 11 July 1984)
art 11(7)(d); Tara Murphy, ‘Security challenges in the 21st century global commons’ (2010) 5(2)
Yale J of Intl Affairs 28.
72
United Nations Environment Programme (n 57); Paul S Berman, ‘The globalisation of
jurisdiction’ (2002) 151(2) U of Pennsylvania L Rev 311, 494.
73
Hugo Grotius, The Freedom of the Seas, or, the Rights Which Belongs to the Dutch to Take
Part in the East Indian Trade (edited by James B Scott, OUP 1916) 28.
74
Hugo Grotius, The Classics of International Law: De Jure Belli Ac Pacis Libri Tres: Vol.
II Book II. (translated by Francis W. Kelsey et al, Clarendon/Carnegie Endowment for
International Peace 1925) Ch II para III
75
Ibid., Ch III, VIII.

/ Date: 8/5
It becomes thus apparent that Grotius’ designation of the high seas as global
commons was premised on the nature of the seas and on its public utility accompanied
by generous doses of natural law theory and by Grotius’ political support of free
trade.76
This principle has been confirmed in Article 2 of the Geneva High Seas Convention
(1958) as well as in Articles 87 and 89 of United Nations Convention on the Law of the
Sea. According to that Convention, ‘no State may validly purport to subject any part of
the high seas to its sovereignty’ and ‘no State shall claim or exercise sovereignty or
sovereign rights over any part’ of the seabed and ocean floor and subsoil thereof,
beyond the limits of national jurisdiction.’77
As far as the Outer Space is concerned, it ‘is not subject to national appropriation by
claim of sovereignty, by means of use or occupation, or by any other means’.78 The
Outer Space Treaty lays down a number of fundamental principles for the exploitation
and use of outer space by recognising outer space as a ‘province of all mankind’.79
More specifically, nations can only use the moon and other celestial bodies for peaceful
purposes, including scientific research, and should not launch any nuclear weapon or
other weapon of mass destruction into orbit.
The legal status of Antarctica is more complex. A number of States – Australia,
Argentina, Chile, France, New Zealand, Norway and the UK – have made conflicting
claims to parts of Antarctica.80 With the introduction of the Antarctica Treaty System,
States ‘agreed to disagree’ over territorial claims81 and compromised on the issue of
sovereignty over parts of Antarctica.82 According to the Antarctic Treaty ‘[n]o new
claim, or enlargement of an existing claim, to territorial sovereignty in Antarctica shall
be asserted while the treaty is in force’.83 Moreover, nations can only use the Antarctic
for peaceful purposes, including scientific research, and should not test nuclear
weapons or dispose nuclear waste in the Antarctica.84 The Antarctic Treaty also
76
Mireille Hildebrandt, ‘Extraterritorial jurisdiction to enforce in cyberspace?: Bodin,
Schmitt, Grotius in cyberspace’, (2013) 63 U of Toronto L J 196, 210–16; Nico Schrijver and
Vid Prislan, ‘From Mare Liberum to the Global Commons: Building on the Grotian Heritage’
(2009) 30(1) Grotiana 168, 173.
77
United Nations Convention on the Law of the Sea (n 71) art 89, 139.
78
Treaty on Principles Governing the Activities of States in the Exploration and Use of
Outer Space, including the Moon and Other Celestial Bodies (19 December 1966) art 2.
79
Treaty on Principles Governing the Activities of States in the Exploration and Use of
Outer Space, including the Moon and Other Celestial Bodies (n 78) arts 1, 2, 7, 8; Agreement
Governing the Activities of States on the Moon and Other Celestial Bodies (n 71) art 4(1). See
also UNGA Res 1962 (XVIII) (13 December 1963).
80
Elizabeth K Hook, ‘Criminal jurisdiction in Antarctica’ (1978) 33 U of Miami L Rev
(1978) 489.
81
The Antarctic Treaty (signed 1 December 1959, entered into force 23 June 1963) art IV;
Jill Grob, ‘Antarctica’s frozen territorial claims: A meltdown proposal’ (2007) 30 Boston College
Intl & Comparative L Rev 461, 468.
82
Rolph Trolle-Anderson, ‘The Antarctic scene: Legal and political facts’ in Gillian D Tiggs
(ed), The Antarctic Treaty Regime (CUP 2009) 57.
83
The Antarctic Treaty (n 81) art 4(2).
84
Ibid., art 5.

/ Date: 6/5
defines global commons as ‘south of 60 [degrees] South Latitude, including all ice
shelves’.85
One may say that Antarctica is not a global commons stricto sensu but an
international commons in that a number of States enjoy certain rights over Antarctica.86
In a world of sovereignty, the concept of global commons appears to be an anomaly.
The idea however persists in legal and political thinking. Why this is so, can be
explained by the fact that it does not contradict basic international legal and political
principles such as the principle of sovereignty. If sovereignty connotes authority and
power, the res communis concept concerns the type and scope of authority and power
that is exercised over certain objects.
This will become evident if we recall the categorisation of objects in Roman law
from which the res communis concept derives. Roman law is broadly divided into the
law that pertains to persons and the law that pertains to objects (res). In Roman law res
included both corporeal and incorporeal objects and the law pertaining to objects
concerned the type of power that can be exercised over them in view of their nature and
function.87 More specifically, res in patrimonio were subject to ownership whereas res
extra patrimonium were divided into those subject to divine law and those subject to
human law but cannot be privately owned.
Those subject to human law were further divided into res communes – belonging to
all mankind, res publicae – belonging to a state for use of its citizens, and res
universatis –belonging to a city for use of its citizens.88
Applying the Roman law analogies but also historical analogies to cyberspace it
transpires that cyberspace even as a virtual space can be subject to law and that it
exhibits some of the characteristics of those objects that have been designated res
communis in Roman law. A historical account of the development of the res communis
concept going back to Grotius also reveals that the designation of certain areas such as
the sea or the air as res communis was due to the accumulated resources of these areas;
the indivisibility of assets and the benefits that their exploitation would deliver to each
and every State; and the difficulties in apportioning them due to their size and to the
fact that their boundaries are not clearly demarcated.
The designation of an area as res communis does not mean that States cannot extend
their authority over the designated area or that these areas are not subject to law; what
it means is that States agree to refrain from claiming ownership over that area, accept
that they will exercise their authority concurrently with that of other States and devise
a common regulatory regime to fulfil its designation of global commons. As was seen,
most of the current areas designated as res communis are subject to treaty regimes, the
product of State consent, which define the rights and obligations of States over such
areas. This shows that the res communis or global commons concept is a lego-political
85
Ibid., art 6.
86
Silja Vöneky and Sange Addison-Agyei, ‘Antarctica’ in Rüdiger Wolfrum (ed.), Max
Planck Encyclopedia of Public International Law (Max Planck Institute for Comparative Public
Law and International Law 2011) para 19. Susan J Buck, ‘The global commons: An introduc-
tion’ (Island Press 1998) 6.
87
Max Radin, ‘Fundamental concepts of the Roman law’ (1925) 13 California L Rev 207.
88
George Mousourakis, Fundamentals of Roman Private Law (Springer 2012) 119–21.

/ Date: 6/5
construct89 which is not adverse to the principle of sovereignty. When States decide to
designate a certain area as res communis and consequently agree to abstain from
exercising their full sovereign power over such an areas is an act of sovereign authority.
Auto-limitation is an expression of sovereignty. As the PCIS said in the S.S. Wimbledon
case: ‘The Court declines to see, in the conclusion of any treaty by which a state
undertakes to perform or refrain from performing a particular act, an abandonment of
its sovereignty … the right of entering into international engagements is an attribute of
state sovereignty’.90
In order for cyberspace to be designated a global commons, States should consent
and agree on the rules and principles that will govern that area. At this point in time,
there is no political or legal impetus to designate cyberspace a legal commons and
whether such impetus develops depends on many variables crucial among which is
whether cyberspace warrants to be so designated if compared to existing ones.
That said, it should be noted that there are differences between cyberspace and other
global commons. First, whereas global commons refer to natural resources, cyberspace
is a technical man-made resource domain. Second, whereas global commons have some
physical and geographical boundaries, this is not the case in cyberspace where its
virtual part permeates all boundaries. Third, whereas global commons are created in
order to avoid depletion of natural resources, this is not the case in cyberspace where
resources cannot be depleted.91 Fourth, whereas global commons are non-excludable in
the sense that others cannot be excluded, to the extent that cyber infrastructure belongs
to States means that others can be excluded. Finally, the physical part of cyberspace
such a computers and the like is nationally owned which means that they should be
‘de-owned’ or that what will fall under the global commons domain will be the
‘un-owned’ part of cyberspace. Still, questions remain as to how this would affect the
owned part of cyberspace due to the interconnectedness of cyberspace.
It is for this reason that it has been claimed that cyberspace is an ‘imperfect
commons’.92
CONCLUDING THOUGHTS
It is apparent from the preceding discussion that cyberspace has not acquired any
special legal status in international law but instead existing legal categories and
principles have been applied to cyberspace. By doing so, a non liquet has been avoided;
a finding that is of a substantive or interpretative gap in international law.
Yet if cyberspace is a domain that offers possibilities but also contains risks and
dangers, a regulatory system based on common values, principles and rules of conduct
is needed to foster cooperation and good citizenship in cyberspace. This may require a
comprehensive and globally negotiated treaty to establish rules of behaviour and
89
Garrett Hardin, ‘The tragedy of the commons’ (1968) 3859 Science 1243.
90
S.S. ′Wimbledon′ (Jugement of 17 August 1923) [1923] PCIJ Rep Series A No 1 25.
91
This relates to Hardin’s ‘tragedy of the commons’. Hardin (n 89); Trachtman (n 25).
92
Joseph S Nye, The Future of Power (PublicAffairs 2011) 143.

/ Date: 6/5
conduct, outlaw certain behaviours and provide rules on jurisdiction.93 Yet agreement
on a comprehensive legal framework for cyberspace faces huge challenges.
To mention just a few, certain characteristics of cyberspace such as anonymisation;
place shifting; and rapid technological development make any legal regulation imme-
diately inadequate or even redundant. Secondly, the technological disparities that exist
between States as well as between States and non-state actors, such as big enterprises,
affect participants’ choices and preferences of legal regulation or as to whether legal
regulation is needed at all. For example, because cyberspace as a growing environment
offers capabilities and opportunities, States or private actors may not want to limit their
future opportunities. Thirdly, cyberspace is used by governments and individuals for
different purposes therefore consensus and compromise is difficult to achieve. Fourth,
because of the nature and use of cyberspace, any agreement needs to involve
governments but also public and private sector bodies, a combination of stakeholders
that international law is not always capable of managing.
So the outlook for such a comprehensive regime is not auspicious. Instead existing
international rules and principles will continue to apply to cyberspace followed by calls
for responsible behaviour by States or non-state actors. Undoubtedly, international law
shapes State behaviours and interests in cyberspace and perhaps rationalises them but it
rarely pre-empts legislation.
93
Ahmad Kamal, The Law of Cyber-Space: An invitation to the table of negotiations (United
Nations Institute of Training and Research 2005) 1–4 <http://www.un.int/kamal/thelawofcyber
space/The%20Law%20of%20Cyber-Space.pdf> accessed 29 July 2014.

/ Date: 24/3
2. Jurisdiction in cyberspace
Uta Kohl
1. INTRODUCTION
Media critic and sociologist Herbert Schiller observed in the 1980s of the emerging
conflict between global information flows and State sovereignty:
The problem here is that the activities of the transnational corporations depend precisely on
the overcoming of national boundaries, and the opening up of the ‘free flow’ of information,
across the world market. The concerns of national governments, to regulate communications
in their own countries, therefore present an obstacle to the transnational corporations, and
these transnational corporations are increasingly concerned (and increasingly able) to
override national government policies, to the extent perhaps, of posing a threat to the very
sovereignty of individual nations.1
In the twenty-first century, this conflict between national authority and global media
activity is epitomised in the jurisdictional battles between States and online actors, in
particularly transnational corporations, across a wide spectrum of regulatory concerns.
States have argued that these transnational ‘stateless’ corporations need to respect
national legal expectations, while they in turn have asserted that they should only have
to comply with the laws of their home State (often the US) and anything else
undermines ‘free speech’. How are these conflicts resolved and how should they be
resolved? This chapter examines whether and, if so, how customary international law
on jurisdiction contributes to these resolutions and how the latter, in turn, have shaped
international law. The importance of the topic for the future contours of cyberspace, on
the one hand, and for national political and cultural spaces, on the other hand, cannot
be overstated.
Before examining internet jurisdiction cases, two preliminary observations ought to
be made. First, a critical feature of the internet that explains why its transnationality is
legally so much more problematic than the transnationality of the telephone, is that it
allows anyone connected to it to become a transnational publisher, e.g. through a blog,
Facebook post or YouTube video, potentially attracting a mass audience. It is this
potential mass audience that increases an activity’s legal significance, shifting it from
the private to the public sphere. As transnational activity is no longer the prerogative of
big business, neither is the problem of international jurisdiction, i.e. who must comply
with which foreign law in what circumstances. Yet, many recent cases on the issue of
1
David Morley and Kevin Robins, Spaces of Identity – Global Media, Electronic
Landscapes and Cultural Boundaries (Routledge 1995) 223, referring to Herbert Schiller,
‘Electronic Information Flows: New Basis for Global Domination’ in Phillip Drummond and
Richard Paterson (eds.), Television in Transition (British Film Institute 1985).
30
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position: 1
/ Date: 24/3
Jurisdiction in cyberspace 31
jurisdiction have involved not small online participants, but rather large internet
corporations. The reason for this apparent anomaly is that the vast bulk of regulation is
most efficiently enforced by channelling it through intermediaries as gatekeepers, and
cyberspace is no exception in this respect. Despite the internet’s decentralised under-
lying infrastructure and despite initial claims of online disintermediation, new inter-
mediaries have emerged and these have become natural targets for national regulators,
which partly explains why they are so often the defendants in transnational online
disputes. Also, of course, the interests of these powerful transnational corporations are
diametrically opposed to those of national authorities in so far as their ‘product’ is a
global one that ‘depend[s] precisely on the overcoming of national boundaries and the
opening up of the “free flow” of information, across the world market’ (see Schiller
above). Thus they only reluctantly assume the role of national regulatory gatekeeper
and only under intense pressure which foreshadows the issue of enforcement juris-
diction (discussed below).
Second (following the observation on who is implicated in disputes on cyber-
jurisdiction), the question is what is their underlying substance. Again, the internet is
peculiar in this respect vis-à-vis much transnational activity that preceded it, in that all
internet jurisdiction disputes concern the transnational exchange of information: the
activity itself is always information-based even if the underlying transaction (e.g.
buying a physical product) is not necessarily so. This frequently heightens the political
significance of these conflicts as they are about the control of information and by
implication also often about ‘image making and public opinion formation [that is] …
the quintessence of power’.2 In medieval Europe the papacy’s control over the church,
the then main agency of mass communications, meant that it dominated institutions of
ideological production and could thereby promote a construction of reality that
legitimised its supremacy.3 Today global online actors, large and small, are contesting
the control over information and ideological production which, before the internet, was
more or less exclusively enjoyed by national political authorities.
2. COMPETENCE UNDER PUBLIC INTERNATIONAL LAW

(a) The Scope of International Law: Criminal and Civil Jurisdiction?
Before turning to the jurisdictional principles under customary international law, let us
briefly look at their ambit. Historically, there has been some debate whether public
international law governs the reach of civil law (i.e. imposes limits on private
international law) or whether the jurisdiction rules are solely concerned with criminal
jurisdiction. Akehurst in his seminal article on ‘Jurisdiction in International Law’ in the
early 1970s argued for the non-application of international law to civil disputes:
[a]re there any rules of public international law which limit the jurisdiction of a State’s courts
in civil trials? Some writers have answered this question in the affirmative. Brownlie even
2
Herbert Schiller, Mass Communications and American Empire (Beacon Press 1969) 1.
3
James Curran, Media and Power (Routledge 2002) 64f.

/ Date: 6/5
says that ‘there is in principle no great difference between the problems created by assertion
of civil and criminal jurisdiction over aliens’. This is rather an extreme view; as John Bassett
Moore argued à propos of the Cutting incident, ‘the rules governing the jurisdiction in civil
and in criminal cases are founded in many respect on radically different principles, and … an
assumption of jurisdiction over an alien in the one case is not to be made a precedent for like
assumption in the other’; and one might add conversely that limitation in criminal cases
cannot be cited as authority for the existence of likely limitations in civil cases. Of course,
rejection of analogies drawn from criminal trials does not necessarily mean that international
law imposes no limitation whatever on jurisdiction in civil cases – the limitations might
simply be of a different kind. But … when one examines the practice of States … one finds
that States claim jurisdiction over all sorts of cases and parties having no real connection with
them and that this practice has seldom if ever given rise to diplomatic protests.4
There are numerous recent cases that confirm the continued validity of Akehurst’s
analysis.5 Yet, there are also those academics who have asserted the contrary6 and those
civil cases, such as US anti-trust treble-damages-awards cases and recent Alien Tort
Statute litigation that triggered protests from other States against the alleged excessive-
ness of the extra-territorial civil claims.7 (Note: State protest is an indicator of
illegitimacy under customary international law.8) In this chapter, it will be assumed that
international law on jurisdiction extends across the entire spectrum of national laws and
thus prima facie also imposes limits on private international law. This assumption is
made partly because this general application would in fact be desirable in terms of
creating an orderly international allocation regime of regulatory competence, according
to which the same general principle (e.g. targeting principle) govern the same online
activity (e.g. online gambling) in respect of different national laws (e.g. gambling
licencing requirements and consumers contract law). This assumption will also be
made because the existing jurisdictional division between civil and criminal law seem
artificial in respect of those legal obligations (e.g. data protection or copyright) that are
‘civil’, i.e. govern the relationship between private parties and breaches may result in
4
Michael Akehurst, ‘Jurisdiction in International Law’ (1972–73) 46 B.Y.I.L. 145, 170
[emphasis in the original, internal citations omitted]. See also Gerald Fitzmaurice, ‘The general
principles of international law’ (1970) 92 Recueil des Cours 1, 218; Gerfried Mutz, ‘Private
international law’ in Rudolph Bernhardt (ed.), Encyclopaedia of Public International Law (1987)
Vol 10, 330, 334; Malcolm Shaw, International Law (6th edn., CUP 2008) 652.
5
In the UK, Kuwait Airways Corp v. Iraqi Airways Co [2002] 3 All ER 209, the House of
Lords decided that it had jurisdiction, and would exercise it, in respect of a claim between two
foreign parties concerning a conversion that took place entirely abroad: ‘it is an action in tort
which has nothing whatever to do with England save that England has made itself available as
the forum for litigation.’ (Lord Scott of Foscote para. 174); see also Berezovsky v. Michaels and
Others [2000] UKHL 25 or The Vishva Ajay [1989] 2 Lloyd’s Rep 558.
6
Frederick A. Mann, The Doctrine of Jurisdiction in International Law (vol 111, Recueil
des Cours 111 series, Martinus Nijhoff Publishers 1964) 73ff; Frederick A. Mann, The Doctrine
of International Jurisdiction Revisited after Twenty Years (vol 186, Recueil des Cours, Martinus
Nijhoff Publishers 1985) 20ff, 67ff; Ian Brownlie, Principles of Public International Law (5th
edn., OUP 2001) 302.
7
See in particular the Amicus Briefs submitted in the US Supreme Court judgement in
Kiobel v. Royal Dutch Petroleum Co 569 US (17 April 2013), affirmed 621 F3d 111 (2d Cir
2010).
8
Cedric Ryngaert, Jurisdiction in International Law (OUP 2008) 31ff.

/ Date: 6/5
compensation claims, but are also enforced by national regulatory authorities through
the imposition of criminal or administrative sanctions.9 It would seem perverse that
international law should govern the latter but not the former enforcement activity,
arising out of the same wrongdoing and requiring the same compliance actions by the
global online actor.
(b) Legitimising Links
The principles of jurisdiction under international law facilitate the allocation of

regulatory control amongst States.10 Starting with the territoriality principle which
gives each State exclusive regulatory control over a physical portion of the globe,
international law also lays down the rules for allocating control over transnational
events, looking at which State or legal system is sufficiently closely linked or connected
to a transnational event, person or dispute to entitle it to regulatory control.11 The
rationale of the jurisdictional principles lies in the efficient sharing of regulatory
control between States and the fair treatment of individuals, protecting them from
unreasonable compounding or conflicting obligations. Yet, as will be seen, these
principles are so heavily grounded in the notion of the sovereignty of each State, that
they are far more centred round each State’s interest in upholding their territorial
sovereignty than the overall cohesion of the allocation regimes. International law has
for a long time accepted the incident of concurrent jurisdictional claims e.g. by two or
more States that are territorially connected to an event. Concurrency is problematic as
it gives rise to onerous obligations for individuals. The level of the problem increases
the higher the number of States that claim regulatory competence in parallel – a
problem endemic in the online context. Brierly, in 1928, famously stated: ‘The
suggestion that every individual is or may be subject to the laws of every State at all
times and in all places is intolerable.’12 For this reason, it may be argued that the
strength of any link of a State with the to-be-regulated transnational event ought to be
measured against potentially competing links by other States. A link with an event that
is so weak that it could also be relied upon by innumerable other, or all, States – again
as is often the case in internet scenarios – is theoretically and practically dubious. It
would give rise to a high level of regulatory concurrency and thereby defeat the aim of
the allocation of competence i.e. that regulation is most efficient when shared between
different regulators and that individuals must be protected from overregulation.
The rules on regulatory competence vary depending on the type of competence a
State seeks to assert: adjudicative, legislative or enforcement – in line with the three
9
See, for example, the criminal copyright case of Donner (Free Movement of Goods)
[2012] EUECJ C-5/11 (21 June 2012); or Bogdan, ‘Google was fined by French and Spanish
Data Protection Authorities’ (15 January 2014) EDRi (European Digital Rights), <http://edri.org/
google-fined-french-spanish-data-protection-authorities/> accessed 11 August 2014.
10
On jurisdiction in cyberspace see Tsagourias (Ch 1 of this book).
11
Apart from the territoriality principle which, as shown below, is also heavily used in the
transnational context, the principal bases of jurisdiction are the nationality principle, the
protective principle, the universality principle and the passive personality principle. See Ryngaert
(n 8) Ch 4.
12
James L. Brierly, ‘The “Lotus” Case’ (1928) 44 L.Q.R. – 154, 161.

/ Date: 6/5
arms of government.13 The first type concerns the question whether a court has the
right to hear a dispute (in private international law the ‘jurisdictional’ enquiry); the
second whether a State has the right to ‘legislate’ in relation to a transnational event or
more generally whether it can apply its substantive law to the case, also known as
prescriptive jurisdiction (in private international law the ‘choice of law’ inquiry). In
criminal cases, unlike civil cases, adjudicative jurisdiction and legislative jurisdiction
coincide in so far as a court that decides to go ahead with a criminal prosecution would
always apply local and never foreign law to the case. So under public international law,
generally no distinction is made between adjudicative and legislative jurisdiction – even
if some have argued that a sole focus on limiting adjudicative jurisdiction pays
insufficient regard to the effect of too expansive legislation on, e.g. transnational
corporate actors which may take overly defensive steps to pre-empt adjudication.14 In
light of the discussion below, it is submitted that any debate on possible differences
between these two types of jurisdiction would, at best, be cosmetic gloss. Finally, the
third type of competence concerns the question whether a State has the right to enforce
the judgment or conviction against the defendant or accused. Enforcement jurisdiction
is strictly territorial: a State can never enforce its law on the territory of another State
by, for example, sending its police officers there (except with the consent of the other
State). As Lombois put it: ‘The law may very well decide to cast its shadow beyond its
borders; the judge may well have a voice so loud that, speaking in his house, his
condemnations are heard outside; the reach of the police officer is only as long as his
arm … he is a constable only at home.’15 As this strict territoriality is not applicable to
adjudicative/legislative jurisdiction [hereafter, for the sake of simplicity, legislative
jurisdiction], the mismatch between the latter types of jurisdiction and enforcement
jurisdiction creates a significant enforcement gap which is felt particularly in the online
context.
(c) Jurisdictional Principles versus Legal Harmonisation
The issue of jurisdiction, in the widest sense of regulatory competence, presupposes

diversity of substantive and procedural laws. Against the hypothetical scenario of
comprehensive legal harmonisation, it would not be relevant where a case is heard or
which law is to be applied because all laws and court processes would be the same,
leading to the same outcome. Jurisdictional rules would be unnecessary and the raison
d’être of States as legal/political bodies representing and being constituted of distinct
political and cultural communities would also disappear. Thus the topic of jurisdiction
is inextricably connected to diversity of laws (and cultures) and the notion of statehood.
Yet, as shown below, some harmonisation of substantive laws (falling short of
all-comprehensive harmonisation) would already mean that each State could rely on
13
See Akehurst (n 4); also Luc Reydam, Universal Jurisdiction – International and
Municipal Legal Perspectives (OUP 2003) 25f.
14
Ivan Shearer, ‘Jurisdiction’ in Sam Blay, Ryszard Piotrowicz and Martin Tsamenyi (eds.),
Public International Law – An Australian Perspective (2nd edn., OUP 2005) 154, 156.
15
Claude Lombois, Droit Penal International (2nd edn., Daloz 1979) 536, cited in Pierre
Trudel, ‘Jurisdiction over the Internet: A Canadian perspective’ (1998) 32 Int’l. L. 1027, 1047.

/ Date: 24/3
other States to uphold legal standards vis-à-vis perpetrators on their territory when the
perpetrator’s conduct had an effect on the territory of a State. In that sense,
harmonisation presents an enforcement strategy but, as discussed below, at a cost that
is, at this stage, too high for most States in respect of most legal subject-matters. Thus
it is important to remember that the jurisdictional wranglings reflect each State’s or
community’s desire to uphold their legal standards as to what is good, just and fair on
their territories and these standards vary across a wide spectrum of regulatory concerns.
In addition there are strong economic interests as drivers behind jurisdictional disputes.
3. ADJUDICATIVE / LEGISLATIVE JURISDICTION

(a) The Internet Jurisdiction Problem
All jurisdictional issues in the online context, no matter which legal field, may be
reduced to one core question: to which laws / courts are actors legitimately answerable
by virtue of their global online activity or publication? Put differently from the State’s
perspective: which State has the right to regulate which online activity? For example,16
do Antiguan online gambling providers have to comply with US internet gambling
prohibitions? Does a Chinese news site with the domain name of cnnews.com (i.e. .cn
being the Chinese country domain) have to respect US trademark law? Is Google
Search subject to European data protection standards? Should US-based Yahoo! Inc
have to comply with French or German laws on Nazi memorabilia? Can a Dutch
pharmacy offer drugs online to German customers if not licenced in Germany? Does
the provider of a US pornography site have to ensure compliance with British obscenity
laws? Should a foreign music and film piracy site have to observe the laws of the States
where its users are? In each of these cases, the activity complained about is tolerated,
i.e. not illegal, and at times perfectly legitimate in the place where it is hosted or
uploaded, that is where the provider is established, and yet it is illegal in the place or
places where it is accessed or downloaded. Occasionally high-profile cases make the
headlines, such as the blocking of ‘The Innocence of Muslims’ video by YouTube in
Egypt and Libya17 or the blocking of foreign political material in China and these
incidents are decried as intolerable censorship by repressive political regimes. Yet, these
Islamic or Communists States do little more than Western democratic States also
routinely do, which is to apply their legal standards to the internet, including foreign
16
The examples are all based on real cases discussed below.
17
CNN, ‘Death, destruction in Pakistan amid protest tied to anti-Islam film’ (21 September
2012) <http://edition.cnn.com/2012/09/21/world/anti-islam-film-protests> accessed 11 August
2014. Previously, the most notorious example of cultural clashes over online content was the
controversy caused by the cartoons featuring the Prophet Muhammad in a Danish newspaper in
2005 and its subsequent publication on YouTube. Viewed as legitimate political debate on
criticism of Islam and self-censorship in Denmark, the cartoon was violently decried in the
Muslim world, leading to attacks on Danish embassies and Muslim leaders offering rewards to
anyone who killed the cartoonist. Peter Hervik, ‘The Danish Muhammad cartoon conflict’
(2012) No 13 Current Themes in IMER Research <http://www.mah.se/upload/Forsknings
centrum/MIM/CT/CT%2013.pdf> accessed 11 August 2014.

/ Date: 24/3
online activity, and seek to enforce it by requiring intermediaries, such as Internet

Service Providers [ISPs], search engines or domain name registrars, to block the
relevant content. The crux of these headline cases is not that the States apply their laws
to transnational online activity or even their attempt to enforce them via blocking (i.e.
the jurisdictional issue), but rather the values that these laws reflect (i.e. the substantive
law issue). These two issues are distinct and must be disentangled in any debate on the
legitimacy of censorship, given that censorship occurs in all States, even the US, as
shown below.18 The topic of jurisdiction is concerned with the legitimacy of when a
State can apply its laws to transnational online activity, not with what law the State
seeks to apply.
(b) The Permissiveness of International Law
The starting point for the rules on legislative jurisdiction under customary international
law is the judgement of the Permanent Court of International Justice in Lotus (1927)19
where a French and a Turkish steamer collided on the high seas resulting in the death
of eight Turkish sailors and passengers. The issue was whether Turkey could institute
criminal proceedings against a French lieutenant for his acts on the French ship, based
on the effects of those acts on the Turkish steamer which, according to international
law, is an extension of Turkish territory. The case is important not just because of the
court’s interpretation of the territoriality principle, but also for commenting on the
jurisdictional discretion of States:
It does not, however, follow that international law prohibits a State from exercising
jurisdiction in its own territory, in respect of any case which relates to acts which have taken
place abroad, and in which it cannot rely on some permissive rule of international law. Such
a view would only be tenable if international law contained a general prohibition to States to
extend the application of their laws and the jurisdiction of their courts to persons, property
and acts outside their territory, and if, as an exception to this general prohibition, it allowed
States to do so in certain specific cases. But this is certainly not the case under international
law as it stands at present. Far from laying down a general prohibition to the effect that States
may not extend the application of their laws and the jurisdiction of their courts to persons,
property and acts outside their territory, it leaves them in this respect a wide measure of
discretion, which is only limited in certain cases by prohibitive rules; as regards other cases,
every State remains free to adopt the principles which it regards as best and most suitable.
This discretion left to States by international law explains the great variety of rules which
they have been able to adopt without objections or complaints on the part of other States …
In these circumstances all that can be required of a State is that it should not overstep the
limits which international law places upon its jurisdiction; within these limits, its title to
exercise jurisdiction rests in its sovereignty.20
18
See Adam Liptak, ‘A wave of the watch list, and speech disappears’ (4 March 2008) New
York Times <http://www.nytimes.com/2008/03/04/us/04bar.html?_r=0:> accessed 11 August
2014. Liptak notes the blacklisting of domain names occurs under the Trading with the Enemy
Act 1917, through a blacklist established by the Office of Foreign Assets Contract (OFAC) and
passed onto US domain name registrars.
19
The Case of the SS ‘Lotus’ (France v Turkey) [1927] PCIJ Reports, Series A, No. 10.
20
Ibid., para. 46f.

/ Date: 6/5
This approach that ‘everything that is not prohibited is permitted’ (as opposed to
‘everything that is not permitted is prohibited’) is pervasive in the domestic legal
sphere. Yet it met with strong opposition at the international level.21 But more recently
it has been affirmed by the International Court of Justice in its Advisory Opinion on the
Declaration of Independence of Kosovo (2010)22 where it concluded that it only needed
to establish whether ‘international law prohibited the declaration’.23 The problem with
this approach in the jurisdictional context is that the principles of legislative jurisdiction
(e.g. territoriality or nationality) are expressed as permissive grounds and the only clear
express prohibitive rule is the non-interference rule governing enforcement jurisdiction;
per Lotus:
[T]he first and foremost restriction imposed by international law upon a State is that … it
may not exercise its power in any form in the territory of another State. In this sense
jurisdiction is certainly territorial … It does not however, follow that international law
prohibits a State from exercising jurisdiction in its own territory, in respect of any case which
relates to acts which have taken place abroad … Such a view would only be tenable if
international law contained a general prohibition to States to extend the application of their
laws and the jurisdiction of their courts to persons, property and acts outside their territory …
But this is certainly not the case under international law as it stands at present.24
Thus the principles of legislative jurisdiction are hardly restrictive of regulatory

assertions made by States in respect of transnational or extra-territorial events.
Nonetheless, they indicate an a priori requirement of some link with the to-be-
regulated event, person or property, as in the absence of an overall general prohibition
on exercising jurisdiction without any links, the principles would be superfluous. At the
same time a requirement of some link imposes almost no limitation, in so far as States
rarely have an interest in regulating an activity entirely unconnected with them. This
permissiveness of international law on jurisdiction is borne out by the regulatory
assertions made by States over all sorts of foreign online activity without any
objections from other States.
(c) The Territoriality Principle within Non-territorial Cyberspace
In 1996 Johnson and Post in their seminal article ‘Law and borders – The rise of law in
cyberspace’25 argued that laws based on geographical location were not tenable on the
internet as all online activity is as much located in one State as in another and therefore
no one State had a greater entitlement than any other State to regulate any particular
21
Vaughan Lowe and Christopher Staker, ‘Jurisdiction’ in Malcolm D. Evans (ed.),
International Law (3rd edn., OUP 2010) 313, 318ff. See also Ryngaert (n 8) 36ff, for more
general commentary.
22
Accordance with International Law of the Unilateral Declaration of Independence in
Respect of Kosovo (ICJ Advisory Opinion) 22 July 2010 <http://www.icj-cij.org/docket/files/141/
15987.pdf> accessed 11 August 2014.
23
Ibid., para. 56.
24
The Case of the SS ‘Lotus’ (n 19) 18.
25
David R. Johnson and David G. Post, ‘Law and borders – The rise of law in cyberspace’
(1996) 48 Stan. L. Rev. 1367.

/ Date: 8/5
online activity. This, in turn, undermined each State’s claim to do so. Any attempt by a
State to apply their law to the internet, particularly online activity originating from
abroad, would raise problems of democratic legitimacy, fairness to the individual and
enforceability. In many respects Johnson and Post were entirely correct and yet, States
have consistently asserted their right to regulate online activity from within or from
without. The link they have relied upon has invariably been a territorial link between
the online activity and the State: the site in question can be, or has been, accessed from
the State’s territory, even if its author and its server are located abroad. So based on a
site’s accessibility from within its territory, States have asserted their entitlement to
regulate online activity.
(i) The destination approach – the blunt version: Accessibility

One of the earliest high-profile cases to do this was the French case of LICRA & UEJF
v Yahoo! Inc & Yahoo France.26 Two French Jewish organisations brought an action
against Yahoo! Inc, a US corporation, and its French subsidiary for allowing surfers
from France to buy Nazi artefacts from third parties on Yahoo! Inc’s auction site,
contrary to France’s prohibition on the sale and distribution of Nazi-memorabilia.27 The
Paris Court held in favour of the plaintiffs, even in respect of the yahoo.com site which
was far more clearly connected with the US than France: it was set up and maintained
by a US corporation on a server situated in the US and it was in English with the vast
majority of its users coming from the US. Yet, because ‘harm was suffered on the
territory of France’ by virtue of the site’s accessibility in France, France felt entitled to
apply its laws to the site, and just because Yahoo! Inc operated a separate .fr site –
dedicated to French surfers and complying with French law – did not relieve it of
accountability under French law in respect of its .com site. The latter site was also
accessible in France, it also had to comply with French law and it did not matter that
the material in question was legal in the US. This holding, although making headlines
at the time, has since been replicated innumerable times by courts across the globe –
each time legitimising the right of the ‘destination’ State to assert control over the
foreign site based on its local accessibility. The German High Court in R v Töben
(2000)28 held, almost identically, that a holocaust-denying site published in Australia
26
LICRA v. Yahoo! Inc & Yahoo France (Tribunal de Grande Instance de Paris, 22 May
2000), affirmed in LICRA & UEJF v. Yahoo! Inc & Yahoo France (Tribunal de Grande Instance
de Paris, 20 November 2000). An even earlier case was the German CompuServe (1995) 8340
Ds 465 Js 173158/95, where German police raided CompuServe’s German offices in an
investigation concerning online pornography and CompuServe responded by temporarily sus-
pending all of its 200 plus newsgroups (hosted in the US and accessible worldwide) for its 4
million users because it was technically incapable of blocking only Germans. Later its local
manager, Felix Somm, was convicted under German obscenity laws and received a two-year
suspended sentence; overturned on appeal as there was no blocking technology available to
CompuServe: R v. Somm (Amtsgericht München 17 November 1999).
27
Articles 808 and 809 of the French New Code of Civil Procedure.
28
R v. Töben BGH (12 December 2000) 1 StR 184/00, LG Mannheim; (2001) 8 Neue
Juristische Wochenschrift 624; discussed in Yulia A Timofeeva, ‘Worldwide prescriptive juris-
diction in internet content controversies: A comparative analysis’ (2005) 20 Conn. J. of Int’l. L.
199, 206f, and Irini E Vassilaki, ‘Anmerkung’ (2001) 4 Computer und Recht 262.

/ Date: 6/5
would expose its author to criminal sanctions under the German Criminal Code,
although the court made a point of noting that the content of the site was objectively
closely connected to Germany. Töben was arrested, charged and convicted whilst on
holiday in Germany. The same approach of focusing on the effect of foreign online
activity on the State’s territory was taken by an English court in the pornography
context. In R v Perrin (2002)29 a French director of a US company operating a US
hosted website was convicted of the offence of publishing an obscene article contrary
to UK Obscene Publications Act 1959 in relation to the freely accessible preview site
of his pornography subscription site on the basis of the site’s accessibility in England –
regardless of the fact that it had been uploaded on a server abroad and that, arguably,
the ‘major steps’ in relation to the publication were taken abroad.30 While the above
cases are examples of different national laws reflecting varying moral standards on hate
speech and pornography and the resultant online clash of these laws, the diversity of
laws extends to many other morally less charged activities even within the relatively
homogenous European Union. For example, in Arzneimittelwerbung im Internet
(2006)31 a Dutch site advertising and selling drugs to Germans was held to be subject
to German licensing requirements even though the drugs were legal in the Netherlands.
The court affirmed the approach that focuses on the effects of the site, rather than
conceding regulatory control solely to the State from where the site ‘originated’. As the
Electronic Commerce Directive32 imposes the ‘origin rule’ on EU Member States
(discussed below), the German court had to exclude its application in this case: it held
that the Directive was not applicable to national legal requirements concerning the
physical delivery of goods.33 Implicitly this shows the rather blurred boundary between
the online and the offline space. The court also held that the ‘origin rule’ under the
Directive was not applicable where the regulation by the destination State was designed
for the protection of public health,34 signalling the importance of the topic of health
and safety to national law spaces. Finally, according to the court, a disclaimer that
products would not be delivered to certain States would only be effective to avert
accountability under the laws of the excluded States, if the disclaimer was unequivocal
29
R v. Perrin [2002] EWCA Crim 747. Perrin’s application to the European Court of
Human Rights, arguing that the UK regulation breached his right to freedom of expression, was
rejected: Perrin v. UK (ECHR 18 October 2005, No 5446/03).
30
Note: although Perrin was a resident in the UK at the time of wrongdoing, that fact was
not focused upon by the court. It appears that – as a matter of establishing personal
responsibility of the site – Perrin admitted being a director and majority shareholder of one or
more US companies involved in operating the website from the US.
31
Arzneimittelwerbung im Internet BGH (30 March 2006) I ZR 24/03, paras 27–30.
32
Directive 00/31/EC of the European Parliament and of the Council on Electronic
Commerce (Electronic Commerce Directive).
33
Electronic Commerce Directive (n 32) Recital 21 and Art 2(h)(ii).
34
Ibid., art 3(4)(a)(i). See also art 87(1) of the Community Code for Medicinal Products for
Human Use, Directive 2001/83/EC (prohibition on the marketing of drugs for which there is no
authorisation in accordance with Community law). Note too, that art 13(7) of the WHO
Framework Convention on Tobacco Control (Geneva, 2003) allows States to ban cross-border
tobacco advertising (including advertising via the internet).

Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: RMEdit-Chapter2 /Pg. Position:
10 / Date: 24/3
and the provider did not act contrary to his stated intentions.35 In other words, online
providers that effectively territorially ring-fence their sites (i.e. erect territorial cyber-
borders) can avoid the reach of foreign laws: the price paid for legal immunity is
foregoing the transnationality of the internet.
Another activity which has challenged State control head on, due to the internet’s
transnationality, is gambling, which most States seeks to control because of its
potentially high financial stakes. For the purposes of this chapter, the example of online
gambling is significant, first, because it shows that even the US with its strong,
free-speech tradition and concomitant tolerance of much online speech/activity that is
illegal elsewhere has its limits of acceptance. As online gambling is illegal in most US
states, it has struggled with foreign gambling sites and employed aggressive unilateral
enforcement strategies comparable to other States in other contexts. Second, gambling
is also insightful as it shows that jurisdictional conflicts are not always about national
legal / cultural differences: regulating gambling is essentially about controlling a
lucrative industry. Gambling is economically beneficial for the State where the provider
is established through the creation of employment and as a source of revenue. These
benefits are lost if the gambling services are provided by a foreign operator who, in
addition, may also undermine the local gambling industry (and this may be unavoidable
due to free trade commitments). On the other hand, gambling creates significant social
and economic problems flowing from addiction, and these in turn might be exacerbated
by foreign providers that are less regulated than local ones. As foreign providers offer
none of the economic advantages associated with gambling activity and all of its
disadvantages, they have received significant regulatory hostility and aggressive juris-
dictional responses by most States. In respect of the US attitude, one commentator
succinctly noted:
The fairly harsh approach to online gambling is a reversal of both the federal government’s
… receptivity to tribal gaming, and its acceptance of the recent liberalization of gambling
laws in most U.S. states. The fierceness … in this area is puzzling until one realises the one
factor at stake in … traditional gambling, but not at stake in Internet gambling: Money. …
Internet gambling, hosted by foreign operators, not only generates zero governmental revenue
and zero jobs, it also threatens traditional gambling.36
35
In Deutscher Apothekerverband eV v. 0800 Doc Morris NV C-322/01 [2003] ECR
I-14887 an injunction against an online Dutch pharmacy in respect of its supply of certain drugs
in Germany – based on a German legal requirement of presence sales, i.e. that certain drugs can
only be sold in pharmacies – was challenged as being inconsistent with the internal market rule
of free movement of goods. The European Court of Justice held that such requirement was only
justified for prescription drugs where confusion over language or labelling could lead to harmful
consequences, but not to over-the-counter drugs, the online sale of which could not be restricted
by the destination State. Since that case the Electronic Commerce Directive came into force and
prima facie the regulation of drugs is not excluded from the scope of the origin rule required by
art 3.
36
Christine Hurt, ‘Regulating public morals and private markets: Online securities trading,
internet gambling and the speculation paradox’ (2005) 86 B.U. L. Rev. 371, 375f.

11 / Date: 6/5
Thus perhaps even in the absence of national differences to gambling activities, there
would be significant jurisdictional tensions simply because of the economic disadvan-
tages of competing foreign providers. These tensions have manifested themselves
widely. For example, a Dutch court in National Sporttotaliser Foundation v Ladbrokes
Ltd (2003)37 ordered the defendant, Ladbrokes, based in England and Gibraltar, to
make its gambling site inaccessible to Dutch residents as it did not comply with Dutch
licensing requirements. Australia prohibits anyone, whether local or foreign,38 from
offering online gambling services to people in Australia by virtue of the Interactive
Gambling Act 2001 (Cth), whilst local Australian providers are free to offer their
gambling services to punters abroad.39 Australia seeks to obtain the benefits derived by
gambling, without any of its losses. In New Zealand the Gambling Act 2003 prohibits
remote interactive gambling,40 but excludes ‘gambling by a person in New Zealand
conducted by a gambling operator located outside New Zealand’.41 However, the reach
of foreign providers is circumscribed by prohibiting local online and offline inter-
mediaries (e.g. ISPs, local sites and offline publishers) from advertising foreign
gambling services in New Zealand.42 Instead of seeking to control local gambling
through prohibitions on foreign gambling providers that are difficult to enforce, the
New Zealand legislation targets local intermediaries (that provide knowledge of, and
access to, the foreign services) over which full enforcement power is present.
That the wrangling about online gambling is far more centred on economic interests
than varying moral values is illustrated by two disputes that have brought online
gambling restrictions into conflicts with trade agreements, at EU and WTO level
respectively. In both cases, the attempt by one State to restrict foreign online gambling
services was challenged as being inconsistent with trade commitments.43 In Gambelli
(2003)44 the European Court of Justice [CJEU] was presented with a challenge to
37
District Court, The Hague (27 January 2003), see also Holland Casino v. Paramount
Holdings et. al., District Court, Utrecht (27 February 2003). For a comparable German
judgement, see Unzulässiges Online-Glücksspielangebot OLG Hamburg (19 August 2004) 5 U
32/04, (2004) 12 Computer und Recht 925; following Schöner Wetten BGH (1 April 2004) I ZR
317/01.
38
Interactive Gambling Act 2001 (Cth), s 14: ‘this Act extends to acts, omissions, matters
and things outside Australia’.
39
Ibid., ss. 8, 15 (unless the foreign country has been declared a ‘designated country’ see
ss 15A, 9A, 9B).
40
Ibid., s. 9(2)(b) and Gambling Act 2003, s. 19.
41
Gambling Act 2003, s. 4 on the definition of ‘remote interactive gambling’.
42
Ibid., s. 16.
43
In the EU gambling was specifically excluded from the Electronic Commerce Directive
and in particular the Directive’s origin rule (i.e. that online service providers should only be
regulated by their home State). See Electronic Commerce Directive (n 32) Recital 16 and art
1(5)(d).
44
Criminal Proceedings against Piergiorgio Gambelli C-243/01 [2003] ECR I-13031. In
Criminal Proceedings against Massimiliano Placanica and Others C-338/04, C-359/04 and
C-360/04 [2007] ECJ ECR I-0000 it was again held that Italy’s licencing regime which excluded
companies listed on a stock exchange from tendering for a betting licence violated the freedom
of establishment and the freedom to provide services as it went beyond what is necessary to
achieve the objective of preventing the exploitation of the industry for criminal purposes.

12 / Date: 24/3
Italy’s attempt to impose criminal sanctions on Italian agencies which, contrary to local
licensing requirements, acted as online intermediaries for the UK bookmaker Stanley
International Betting Ltd. Effectively, Italy wanted to protect its very lucrative national
monopoly in the sports betting and gaming sector. This protectionist policy was
challenged as contrary to the freedom of establishment and freedom to provide services
of foreign providers (now Articles 49 and 56 of the Treaty on the Functioning of the
EU). These freedoms demanded, the CJEU held that Member States take a regulatory
hands-off approach to gambling providers from other Member States and regulated by
those other States, unless justifiable ‘for reasons of overriding general interest’, e.g. to
reduce the gambling, but not out of a fear of losing revenue.
Similarly, the WTO Appellate Body was presented with the same type of conflict in
Services (2005).45 Antigua and Barbuda lodged a complaint against the US with the
WTO in 2003, alleging that the US prohibition on the cross-border supply of gambling
and betting services was inconsistent with ‘market access’ commitments made by the
US under Article 16 of the General Agreement on Trade in Services (GATS). Antigua
blamed the increasingly aggressive US strategy (enforced with the help of local US
intermediaries) towards the operation of cross-border gaming activities in Antigua for
the significant decline of gambling operators in Antigua: ‘from a high of up to 119
licensed operators, employing around 3,000 and accounting for around 10 per cent of
GDP in 1999, by 2003 the number of operators has declined to 28, employing fewer
than 500’.46 The WTO Appellate Body rejected the US claim that by excluding sporting
services from its GATS commitments, it had also excluded gambling and betting
services, and held that various US Acts were inconsistent with its GATS commitments.
As in Gambelli, the Appellate Body held that ‘public moral’ or ‘public order’ may
exceptionally justify market access barriers, provided there were no other reasonable
alternative measures. Given that the US had exempted domestic providers from the
very prohibitions it sought to apply to foreign operators, it could not rely on these
exceptions. Online gambling activity shows how regulatory assertions by States over
foreign online providers based on its effect on the local territory may serve to protect
local economic interests. By the same token, ‘free trade’ commitments, if present, may
45
Services first heard by the WTO Dispute Settlement Panel (WTO Panel, 10 November 2004,
WT/DS285/R) and then by the Appellate Body (WTO Appellate Body, 7 April 2005,
WT/DS285/AB/R). In 2007 the WTO Panel concluded ‘that the United has failed to comply
with the recommendations and rulings of the DSB in this dispute’ (WTO Panel, 30 March 2007,
WT/DS285/RW) which paved the way for a compensation claim and then trade sanction by
Antigua.
46
Services (WTO Panel, 10 November 2004, WT/DS285/R) para. 3.5. A similar complaint against
the US was lodged in 2007 by the Remote Gambling Association with the European
Commission, which came to very similar conclusions as the WTO Panel. See Report to the
Trade Barriers Regulation Committee: Examination Procedure concerning an Obstacle to Trade,
within the Meaning of Council Regulation (EC) No 3286/94, consisting of Measures Adopted by
the United States of America Affecting Trade in Remote Gambling Services (Brussels, 10 June
2009).

13 / Date: 6/5
provide a defence to such regulatory assertions. If such commitments are not available,
‘free speech’ arguments have filled the gap and at times successfully so (see below).
In the civil context, jurisdictional tensions have most prominently been played out
in the context of defamation and data protection, particularly in Europe, as well as in
trademark and copyright law. Disregarding the technicalities of the legal analysis in
these different contexts, the overall jurisdictional approach is comparable to that taken
in criminal law cases, albeit at times more moderate. For example, in defamation, one
of the first high-profile international defamation cases was the Australian case of Dow
Jones & Co Inc v Gutnick (2002)47 where the High Court of Australia upheld the
application of Australian defamation law to Barrons Online, a subscription site
uploaded in the US by US publisher for a mainly US audience. The court justified the
focus on the location of the destination of the site on the basis that the defamatory harm
was suffered in the Australia where the claimant enjoyed a reputation, because of the
Australian subscriptions and despite their small number. The same approach was
endorsed in the English case of Harrods Ltd v Dow Jones Co Inc (2003)48 concerning
Harrods Ltd’s defamation claim again against Dow Jones. The offending article, which
appeared only in the US edition of the journal, not the European one, had been sent to
ten subscribers of the US edition in the UK and there were a few hits on the online
edition, in contrast to its US circulation of 1.8 million copies. Yet, as the claim was
restricted to the damage arising from UK subscriptions, the court allowed the claim to
proceed in England. A year later the English Court of Appeal upheld this destination
approach in Lewis & Ors v King (2004)49 and explicitly rejected a more moderate
version according to which sites should be only accountable under the substantive and
procedural laws of the State that are targeted by it.50 Also, according to McGrath &
Anor v Dawkins & Ors (2012),51 a local company with a local site may be responsible
for the content of a foreign site by a foreign partner if the local and foreign sites are
closely associated and their distinctiveness is not obvious to the local user.52 Unlike
Gutnick and Harrods, a German court held in Persönlichkeitsverletzungen durch
ausländische Internetveröffentlichungen (2010)53 that the New York Times was answer-
able to German courts for its online version where a defamatory article had clear points
of reference with Germany e.g. German surfers had a significant interest in the online
publication, that otherwise targeted a world-wide audience. The court made some
attempt to weight the German regulatory claim vis-à-vis other possible claims, rather
than see it in isolation of the wider context of the site.
These defamation decisions have – in the 2010s – been followed by multiple data
protection investigations and claims that have pitched European data protection
47
[2002] HCA 56, which affirmed Gutnick v. Dow Jones & Co. Inc. [2001] VSC 305.
48
[2003] EWHC 1162 (QB). In Dow Jones & Co. v. Harrods Ltd. 237 F Supp. 2d 394, the
New York District Court refused to grant to Dow Jones a declaratory judgment and an injunction
requiring Harrods Ltd to abstain from pursuing a defamation claim in the UK.
49
[2004] EWCA Civ 1329, affirming King v. Lewis & Ors [2004] EWHC 168 (QB).
50
Lewis & Ors v King [2004] EWCA Civ. 1329, 24–39.
51
[2012] EWHC B3 (QB).
52
[2012] EWHC B3 (QB) para. 26.
53
BGH (2 March 2010) Az. VI ZR 23/09.

14 / Date: 6/5
stakeholders against global internet businesses from the US.54 Again the issue of
jurisdiction has figured highly in some of these disputes. For example, in Vidal-Hall &
Ors v Google Inc (2014)55 an English court allowed the privacy and data protection
claim against Google Inc. – for collecting personal browser generated information
without the user’s consent – to go ahead in England, rather than California where
Google Inc. is headquartered, on the basis that the damage was suffered in England.
Similarly, according to the CJEU in Google Spain SL, Google Inc. v Agencia Española
de Protección de Datos (2013)56 Google Inc. and its search activity fell within the
territorial ambit of the Data Protection Directive,57 or in that case the Spanish
implementing legislation, even though the processing of search queries occurred in the
US. The Advocate General reasoned that Google Inc. had an ‘establishment’ in Spain
through its subsidiary, Google Spain SL, which promoted and sold keyword advertising
space on the search engine in Spain ‘which [in turn] is the source of income and, as
such, the economic raison d’être for the provision of a free information location tool in
the form of a search engine’.58 The Grand Chamber of the CJEU went along with this
reasoning, stressing that the ‘establishment’ requirement cannot be interpreted restric-
tively in light of the objective of the Directive which is ensure the right of privacy, with
respect to the processing of personal data, and allowing search engines those obliga-
tions would compromise that goal.59
(ii) The destination approach – the moderate version: Targeting

The Advocate General in Google Spain SL, Google Inc. v Agencia Española de
Protección de Datos (2013) notably mentioned that the future European approach to
jurisdiction in data protection cases is likely be the same as in other EU law contexts:
The Article 29 Working Party has proposed that in future legislation relevant targeting of
individuals could be taken into account in relation to controllers not established in the EU. In
the Commission Proposal for a General Data Protection Regulation (2012) the offering of
goods or services to data subjects residing in the European Union would be a factor making
EU data protection law applicable to third country controllers. Such an approach, attaching
the territorial applicability of EU legislation to the targeted public, is consistent with the
54
For example, BBC News, ‘European data watchdogs target Google over privacy’ (2 April
2013) <http://www.bbc.co.uk/news/technology-22003551> accessed 11 August 2014. Note also
that the governments of Greece, Italy, Austria, Poland and the European Commission made
submissions in Google Spain SL, Google Inc v. Agencia Española de Protección de Datos (AEP)
C-131/12 CJEU (Grand Chamber) (13 May 2014).
55
Vidal -Hall & Ors v. Google Inc. [2014] EWHC 13 (QB).
56
Google Spain SL, Google Inc v. Agencia Española de Protección de Datos (AEPD)
C-131/12 CJEU Opinion of the Advocate General (25 June 2013); Google Spain SL, Google Inc
v. Agencia Española de Protección de Datos (AEPD) Case C-131/12 CJEU (Grand Chamber)
(13 May 2014).
57
Article 4(1) of the Directive 95/46/EC of the European Parliament and of the Council on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data (24 October 1995); see also art 29 Working Party, Opinion 8/2010 on
Applicable Law (WP 179).
58
Google Spain SL (n 56) para. 64 [emphasis in the original].
59
Google Spain SL (n 54) see answer to Question 1(a).

15 / Date: 6/5
Court’s case-law on the applicability of the ecommerce Directive 2000/31, Regulation No

44/2001, and Directive 2001/29 to cross-border situations.60
This is a description of the more moderate version of the destination approach;

according to the moderate version not every State where a site can be accessed has the
right to regulate it but only those States that are specifically targeted by it. This
moderate destination approach restricts the number of concurrent claims and thereby
reduces the regulatory burden on content providers, whilst also acknowledging that
many sites, even if accessible worldwide, are only of minor interests in most
jurisdictions. An example of this European approach in the civil context, rarely used in
the criminal context,61 is L’Oréal SA and Others v eBay International AG and Others
(2011)62 where the CJEU held that European trademark owners may prevent the sale,
offer for sale or advertising of goods located in a third State bearing their trademarks –
if they are:
(i) sold by an economic operator through an online marketplace without the consent of the
trade mark proprietor to a consumer located in the territory covered by the trade mark or
(ii) are offered for sale or advertised on such a marketplace targeted at consumers located in
that territory … by virtue of the rules set out in Article 5 of Directive 89/104 [EU Trademark
Directive] or in Article 9 of Regulation No 40/94 [Community Trademark Regulation]. It is
the task of the national courts to assess on a case-by-case basis whether relevant factors exist,
on the basis of which it may be concluded that an offer for sale or an advertisement displayed
on an online marketplace accessible from the territory covered by the trade mark is targeted
at consumers in that territory.63
Emphatically, the court stated that ‘it must be made clear that the mere fact that a
website is accessible from the territory covered by the trade mark is not a sufficient
basis for concluding that the offers for sale displayed there are targeted at consumers in
that territory’.64 It followed its earlier decision in Pammer and Hotel Alpenhof (2010)65
on adjudicative jurisdiction in electronic consumer contracts – under Article 15(1)(c) of
the Jurisdiction Regulation66 – according to which consumers only get the benefit of
the protective provision if the online activities under dispute were ‘directed’ at them.
60
Google Spain SL (n 56) para. 56 [emphasis added, internal marks omitted].
61
In Donner (Free Movement of Goods) [2012] EUECJ C-5/11 (21 June 2012), interpreting
the Copyright Directive 2001/29/EC, the CJEU took the targeting approach in a criminal
copyright scenario: Donner, a German citizen and resident, unsuccessfully sought to avoid
German criminal law by setting up a company in Italy to offer copyright infringing furnishings
to German residents through a German language website, in circumstances where Italian
copyright law provided no remedy. Note: in circumstances where the targeting approach is used
to establish liability, rather than deny it, the forbearance it requires is not put to the test.
62
L’Oréal SA and Others v. eBay International AG and Others C-324/09 (2011) ECR
I-6011.
63
Ibid., para. 67 [emphasis added].
64
Ibid., para. 64.
65
Pammer v. Reederei Karl Schluter GmbH 8 Co KC C-585/08 and Hotel Alpenhof GmbH
v. Heller C-144/09 [2010] ECR 1-12527.
66
EU Regulation on jurisdiction and the recognition and enforcement of judgments in civil
and commercial matters (EC) No 44/2001.

16 / Date: 24/3
Yet still neither EU legislation nor CJEU jurisprudence are uniform in this respect. In
Pinckney v KDG Mediatech (2013)67 the CJEU held that copyright claims fell under the
tort head in Article 5(3) of the Jurisdiction Regulation which:
does not require … that the activity concerned [is] to be ‘directed to’ the Member State in
which the court seized is situated … [Jurisdiction is established] if the Member State in
which that court is situated protects the copyrights relied on by the plaintiff and the harmful
event alleged may occur within the jurisdiction of court seized.68
The court followed this less moderate approach under Article 5(3) in Wintersteiger v
Products 4U Sondermaschinenbau GmbH (2012)69 where it upheld an Austrian court’s
jurisdiction to hear a trademark claim based on an Austrian trademark, where the
allegedly infringing advertising had solely occurred on google.de and not google.at and
the claimant held no registered trademark in Germany. Nonetheless, according to the
court, Austria, as the place of registration, satisfied the objective of foreseeability and
that of sound administration of justice and was best suited to assess whether any
damage had occurred.70 On the other hand, the Advocate General made a clear attempt
to bring the case within the targeting analysis. He noted that the mere accessibility of a
site would not be sufficient to justify jurisdiction under the Regulation71 and then
proceeded:
The fundamental factor or point is whether the information disseminated on the internet is
really likely to have an effect in the territory where the trade mark is registered. It is not
sufficient if the content of the information leads to a risk of infringement of the trade mark
and instead it must be established that there are objective elements which enable the
identification of conduct which is in itself intended to have an extraterritorial dimension. For
those purposes, a number of criteria may be useful, such as the language in which the
information is expressed, the accessibility of the information, and whether the defendant has
a commercial presence on the market on which the national mark is protected. It is also
necessary to establish the territorial scope of the market on which the defendant operates and
from which the information was disseminated on the internet. For that purpose, an assessment
must be made of facts such as, inter alia, the top-level domain, the address or other location
data supplied on the website, and the place where the person responsible for the information
has the place of business for his internet activities. As a result of that examination, the court
will conclude whether the case before it involves the means necessary for producing, a priori,
an actual infringement of a trade mark in another Member State via the internet.72
67
Peter Pinckney v. KDG Mediatech AG C-170/12 [2013] EUECJ (3 October 2013).
68
Ibid., paras 42 and 43.
69
Wintersteiger v. Products 4U Sondermaschinenbau GmbH C-523/10 [2012] ECR I-0000;
see also Joined Cases eDate Advertising and Martinez C-509/09 and C-161/10 [2011] ECR
I-10269.
70
Wintersteiger v. Products 4U Sondermaschinenbau GmbH C-523/10 (n 69) paras 27, 28.
71
Ibid. Opinion of the Advocate General para. 23.
72
Ibid., paras 28–30 [internal marks omitted].

17 / Date: 24/3
This moderate approach to jurisdiction is, in theory, deeply embedded in the US

jurisprudence on the ‘due process’ requirement under the Constitution.73 The modern
approach to the court’s exercise of personal jurisdiction over a foreign defendant was
conceived in International Shoe Co v Washington (1945)74 laying down the test of
‘minimum contacts’ of the defendant with the forum, so much so, that an action would
not offend ‘traditional notions of fair play and substantial justice’. Further developed in
Hanson v Denckla (1958)75 the question became whether a foreign defendant had
purposefully availed itself of the privilege of conducting activities within the local
State, thus invoking the benefits and protections of its laws. In the internet context, this
test has meant that courts have examined – in a plethora of cases – either whether the
foreign site was ‘targeted’ at the local customers as e.g. in the gambling case of People
v World Interactive Gaming Corporation (1999),76 or whether the foreign site was
knowingly aimed at a local readership or audience as e.g. in the defamation case of
Young v New Haven Advocate (2002).77 In such cases the courts have, often expressly,
aimed to avoid a position whereby every site is subject to the courts of every state. Yet,
even in the US this moderate destination approach has at times been displaced by its
blunt version. For example, in in rem actions the jurisdiction of the court is based, not
on the contacts of the foreign defendant with the local territory, but on the location of
the property implicated by the dispute within the territory. So in US v $734,578.82 in
US Currency (2002)78 a New Jersey court held that it had jurisdiction in a civil
forfeiture claim by the US Government concerning an illegal gambling British operator,
solely on the basis of US bank accounts with gambling proceeds within the US.
Similarly wide extraterritorial in rem jurisdiction can be and has been asserted in
trademark infringement claims under the Anticybersquatting Consumer Protection Act,
based on the registration of the disputed domain name within the US.79 In these latter
cases, effective enforcement jurisdiction essentially confers adjudicative jurisdiction to
the courts and at times in cases that have no connection with the US.80
(iii) The destination approaches under customary international law

The question in all of the above scenarios is whether international law permits these
often very expansive assertions of regulatory competence. The answer is yes, whether
under the name of the objective territoriality principle or the effects doctrine.81
73
Fifth and Fourteenth Amendment to the US Constitution, dealing with the right of ‘due
process’ as against the Federal government and state governments respectively.
74
International Shoe Co v. Washington 326 US 310 (1945).
75
Hanson v. Denckla 357 US 235, 253 (1958).
76
People v. World Interactive Gaming Corporation 714 NYS 2d 844 (1999).
77
Young v. New Haven Advocate 315 F3d 256 (2002).
78
US v. $734,578.82 in US Currency 286 F 3d 641 (2002).
79
15 USC § 1125(d)(2)(A).
80
See, for example, Cable News Network LP v. cnnews.com 162 F Supp 2d 484 (ED Va.
2001) and 177 F. Supp. 2d 506 (ED Va 2001), affirmed in 56 Fed. Appx 599 (4th Cir 2003).
81
The difference between the effects doctrine and the objective territoriality principle, if
there indeed is one, is that the former appears to have no explicit requirement that the effects on
the territory must be a ‘consistent element’ of the crime in question, although in fact this is

18 / Date: 6/5
Customary international law has – since Lotus (1927)82 – explicitly recognised that in
transnational wrongdoing, the State on the territory on which the ‘foreign’ wrong takes
effect enjoys the right to regulate that conduct, alongside the State from where the
wrong originates (subjective territoriality principle). The Permanent Court of Justice
stated:
[I]t is certain that the courts of many countries, even of countries which have given their
criminal legislation a strictly territorial character, interpret criminal law in the sense that
offences, the authors of which at the moment of commission are in the territory of another
State are nevertheless to be regarded as having been committed in the national territory, if one
of the constituent elements of the offence, and more especially its effects, have taken place
there.83
This principle has gone through different incarnations: it underlies the concept of
‘result’ crime (versus ‘conduct’ crime) traditionally used by common law courts;84 it
provides the basis of the US ‘effects doctrine’ in the antitrust context in the 1970s to
1990s85 and is, in the internet context, referred to as the destination or receipt rule (in
contrast to the origin rule).86 Common to all these concepts or labels is the focus on the
impact of a foreign act on the State’s territory and that impact provides the basis for
subjecting the foreign actor to the law of the land. Once it is understood that the
‘impact’ need not be physical (as in Lotus) and can include economic and other
intangible impacts, one may fathom the role of the objective territoriality principle in
contemporary globalised society.
As the discussion above may already have foreshadowed, the objective territoriality
principle has severe shortcomings in the online context. Most importantly, it gives rise
to too many concurrent claims and thus compounding obligations on online actors.
Indeed, it creates de facto universal jurisdiction which, as a head of jurisdiction, has
traditionally been limited to a handful of universally condemned crimes, such as piracy,
war crimes or crimes against humanity, and is clearly not meant to extend to the
numerous and varying legal standards applicable to online activity. This overregulation
is, to some extent, alleviated by the more moderate destination approach which only
gives targeted States the right to regulate the activity and requires forbearance by States
which are also affected by the site, but only marginally so. This approach has also some
precedent in international law, as even prior to the internet, the potentially huge
diffusion of economic effects of a single activity, e.g. a cartel, triggered numerous
overlapping and at times conflicting regulatory claims by various States. For example,
invariably established and can be provided for by framing the offence appropriately. See more on
legal status of cyberspace in Tsagourias (Ch 1 of this book).
82
The Case of the SS ‘Lotus’ (n 19) 1.
83
Ibid. 23.
84
DPP v. Stonehouse [1978] AC 55; R v. Treacy [1971] AC 557; R v. Markus [1975] 1 ALL
ER 958; Brownlie v. State Pollution Control Commission (1992) 27 NSWLR 78; R v. Toubya
[1993] 1 VR 226; discussed in Matthew Goode, ‘The tortured tale of criminal jurisdiction’
(1997) 21(2) Melbourne Uni. L. Rev. 411, 437ff.
85
Alan V. Lowe (ed.), Extraterritorial Jurisdiction (Grotius Publications Ltd 1983).
86
Graham Smith (ed.), Internet Law and Regulation (4th edn., Sweet and Maxwell 2007)
507f, Ch 12.

19 / Date: 6/5
a reasonable effects test is embedded in paragraph 403 of the US Restatement (Third)

of Foreign Relations Law (1986) which states that ‘a state may not exercise jurisdiction
… with respect to a person or activity having connections with another state when the
exercise of such jurisdiction is unreasonable’.87 Whether such exercise is ‘reasonable’ is
made dependant on factors, such as the extent to which the activity has a substantial,
direct or foreseeable effect upon the territory, the character of the activity, the degree to
which the desirability of regulation is generally accepted, the existence of justified
expectations, the importance of regulating the activity, the consistency of the regulation
with traditions of the international systems, the interest of other States in regulating the
activity and the likelihood of conflicting regulation.88 The problem with this test is that
it is inherently uncertain; in the internet context it is often highly ambiguous whether a
site is or is not targeted at a State, and there can be no resolution to that ambiguity: is
a French news site based in France also targeted at the French minority in Canada or
the smaller one in Louisiana?
The other major problem with the destination approach is that States do not have the
right to enforce their laws against foreign wrongdoers outside their territory, which
means that they are dependant on voluntary compliance by online actors or enforce-
ment via local intermediaries in the form of blocking non-compliant sites. In any event,
the reasonable effects doctrine certainly does not set a prescriptive standard under
customary international law that would prevent States from foregoing jurisdiction based
on the blunt version of mere effects – given the latter’s pervasive and uncontested use
in the criminal context (as shown above).89
(iv) The origin approach

As for all but the largest online providers compliance with all legal standards of all the
States where their site can be accessed is practically impossible, online businesses have
strongly and persistently argued that they should only be subject to the laws of the State
in which they are established or where the site is hosted.90 This is commonly known as
the origin approach in so far as it seeks to allocate regulatory competence, solely, on
the basis of the origin rather than the destination of the online activity. Its main
advantages are, first, that the regulatory burden on online actors is reasonable; they
only have to comply with their home rule. At the same time, the origin approach does
not create an enforcement deficit in so far as the to-be-regulated actor or an
establishment of the actor is within the territory and thus within the enforcement reach
87
US Restatement (Third) of Foreign Relations Law (1986) § 403(1).
88
Ibid. § 403(2).
89
Even in the US, the moderate version was narrowly confined in Hartford Fire Insurance
Co v. California 509 US 764 (1993) to situations of a ‘true conflict’ between domestic and
foreign law, i.e. where the application of domestic law would entail the violation of the foreign
country’s law. This occurs very rarely. Most laws ‘conflict’ by imposing compounding duties on
the subject.
90
For alternative possibilities, see Dow Jones & Co Inc. v. Gutnick [2002] HCA 56 where
the editorial office was in New York and the server in New Jersey; see also para. 41, where the
court noted alternatives: the location where the material was initially composed or the place of
incorporation of the provider; Australian Law Reform Commission, Choice of Law (Report No
58, 1992) 57.

20 / Date: 6/5
of the regulating State. Nonetheless, but for a few exceptions, States have rejected it,
notably not in terms of foregoing their rights to regulate local online actors, but rather
in terms of leaving the regulation of foreign online actors solely to the State of origin.91
In other words, they have asserted their right to regulate local online providers but not
to the exclusion of regulating foreign online providers as well. This is consistent with
customary international law which, as shown above, has long recognised that the
territoriality principle gives concurrent regulatory rights to the origin State (subjective
territoriality principle) and destination States (objective territory principle). The core
reason for the general unacceptability of the exclusive origin approach is that it
undermines the regulatory control of States over their territories: there is very little
point in prohibiting a drug in the offline world, if it can be bought legitimately online
from a foreign providers whose State of origin does not prohibit it and who is not
subject to local rules. Thus the lowest common regulatory denominator becomes the
legal standard for every State.
The operation of the exclusive origin rule within Europe shows the particular
conditions that must be satisfied before it becomes politically acceptable. For example,
the Electronic Commerce Directive lays down the exclusive origin rule in Article 3(2)
by requiring Members States not to regulate providers of information society services
established in another Member States.92 This rule, however exceptional it may be in the
international context, relies on three prerequisites in the European context. First, it
requires relatively harmonised legal standards so much so that the foreign rule does not
significantly clash with local standards. Although the origin rule in the Electronic
Commerce Directive is not limited to the harmonised standards established in other
parts of the Directive, it works against the background of substantial long-term steps
taken towards more harmonisation or approximation within the European internal
market.93 Second, the exclusive origin rule in the Directive is not simply a rule
forbidding destination States to regulate providers from other Member States, but
imposes a duty on the origin State to regulate their local providers.94 Again, this
ensures that there is no regulatory vacuum. Last but not least, the rule requires
91
For example, R v. Perrin [2002] EWCA Crim 747.
92
Electronic Commerce Directive (n 32) art 2(c): ‘a service provider … pursues an
economic activity using a fixed establishment for an infinite period. The presence and use of the
technical means and technologies required … do not, in themselves, constitute an establishment
of the provider.’ Julia Hörnle, ‘Country of origin regulation in cross-border media: One step
beyond the freedom to provide services?’ (2005) 54 I.C.L.Q. 89, 113; and Commission v. UK
Case C222/94 [1996] ECR I-4025, concerning art 2(1) of the Television Without Frontiers
Directive 89/552/EC (later revised by 97/36/EC).
93
Electronic Commerce Directive (n 32) art 2(h). An earlier Directive that adopted the
approach is, for example, Television without Frontiers Directive 89/552/EEC (revised by
97/36/EC), see art 2a(1).
94
Electronic Commerce Directive (n 32) art 3(1): ‘Each Member State shall ensure that the
information society services provided by a service provider established on its territory comply
with the national provisions applicable in the Member State in question which fall within the
coordinated field.’ The destination State can first of all request the origin State to fulfil its duty
and then take measures to restrict incoming services, after notifying the Commission and the
origin State of its intention under art 3(40(b) of the Directive; it can also initiate infringement
proceedings under art 226 or art 227 of the EC Treaty.

21 / Date: 6/5
reciprocity (rather than being acceptable unilaterally): to the extent that States gain
economic advantages from being able to access foreign markets without the hurdles
presented by different regulatory requirements, they also lose by opening their market
to foreign providers.95 In the Directive’s context, there is reciprocity amongst the
Member States. In short, internationally an exclusive origin rule would not be
acceptable to States – bar the unlikely scenario that mutually trusting and respecting
States entered into an international convention that, first of all, harmonised the legal
standards to which it, then, applied the origin rule. Yet, as noted above, the jurisdic-
tional wranglings are principally caused by the significant differences in the legal
standards (and underlying cultural values) and thus the acceptability of the origin
approach presupposes the very solution to the crux of the jurisdictional problem.
4. ENFORCEMENT JURISDICTION
Enforcement jurisdiction is, unlike adjudicative and legislative jurisdiction, strictly
territorial, as stated by the Lotus court: ‘the first and foremost restriction imposed by
international law upon a State is that … it may not exercise its power in any form in
the territory of another State’.96 This strict territoriality is an essential aspect of the
non-interference rule under international law which, in turn, is part and parcel of the
concept of State sovereignty; in short it is a rock solid pillar of international law.
The strict territorial limit of enforcement jurisdiction has meant that, although States
have in principle extended their legal standards to foreign actors, they have struggled
with enforcing them. In effect, the internet’s legal landscape has been dominated by a
de facto origin rule, but this is highly problematic for the very reasons that make the
origin approach unacceptable in the first place.
How then can the limits of enforcement jurisdiction be overcome and how have they
been overcome? The answer is simple. First, there is the possibility of more or less
‘voluntary’ compliance by online actors. For example, some large corporate online
actors – keen to have the veil of respectability which requires minimum legal
compliance – can implement national regulatory requirements easily on their localised
platforms, (e.g. amazon.co.uk or google.fr or eBay.de), but this option is not so
obviously open to global social networking platforms (e.g. Twitter or Facebook). In
addition, States have looked towards avenues of preventing non-compliant legal content
from ‘entering’ their territory and this involves requiring local or localised inter-
mediaries, such as ISPs, search engines and social networking sites, to block legally
non-compliant foreign content. The OSCE [Organization for Security and Co-operation
95
Note, the UK the Gambling Act 2005 took a unilateral origin approach: the requirement
of an operating licence (s. 33) only applied to locally based gambling operators, that is ‘to the
provision of facilities for remote gambling only if at least one piece of remote gambling
equipment used in the provision of the facilities is situated in Great Britain …’ (s. 36). This
provision has been altered by the Gambling (Licensing and Advertising) Act 2014 which makes
all those who provide gambling services in the UK subject to the licencing requirement.
96
The Case of the SS ‘Lotus’ (n 19) 18a.

22 / Date: 24/3
in Europe] Report ‘Freedom of Expression on the Internet’ (2011)97 based on an

extensive survey of European and other States found a:
new trend in Internet regulation [that] seems to entail blocking access to content if state
authorities are not in a position to reach the perpetrators for prosecution or if their request for
removal or take down of such content is rejected or ignored by foreign law enforcement
authorities or hosting and content providers.98
And those States were not just authoritarian States, such as Belarus or the Russian
Federation. For example, the report notes: ‘Some countries also started to develop
country-level, domain-name blocking or seizure policies (the Czech Republic, Mol-
dova, Switzerland, and the United Kingdom).’99 At times such blocks are judicially
ordered and at times they are executive requests. Throughout Europe courts have
granted injunctions against ISPs to block piracy sites. For example, in Twentieth
Century Fox Film Corp & Ors v British Telecommunications Plc (2011)100 BT, one of
the main ISPs in the UK, was ordered to prevent access to Newzbin, a foreign piracy
site. This order was followed by injunctions against other ISPs in relation to the same
and other piracy sites. Or, in another example, in German legislation, prohibiting
neo-Nazi material has been enforced by requiring networking sites such as YouTube
and Twitter to block offending content.101 But even in the US, where ‘free speech’
towers above many other competing values, blocking occurs e.g. when a court orders
the surrender of a generic top-level domain to enforce intellectual property, or when
gambling prohibitions are enforced by requiring local credit card providers to disallow
suspicious payments.102
Through such measures States effectively draw traditional territorial borders onto
cyberspace. The porosity of these cyber-borders undoubtedly varies, with the least
porous being in authoritarian States, such as China or Iran, that have put in place
wholesale blocks on domains as Facebook and YouTube. Sometimes these cyber-
borders are more porous when local users are ‘nudged’ toward existing national
normativity on localised sites e.g. eBay.co.uk, but can still access non-compliant online
content e.g. amazon.com is accessible in the UK. Nonetheless, the general trend is
clearly towards the territorial fragmentation of the internet, with the not illegitimate aim
97
OSCE (Yaman Akdeniz), Freedom of Expression on the Internet (15 December 2011)
<http://www.osce.org/fom/80723> accessed 12 August 2014.
98
Ibid. 6.
99
Ibid. 25.
100
[2011] EWHC 1981. But such blocks are not always based on judicial authority, with the
responsibility of censorship increasingly being shifted to intermediaries. See Juliette Garside,
‘Ministers will order ISPs to block terrorist and extremist websites’ (29 November 2013)
The Guardian <http://www.theguardian.com/uk-news/2013/nov/27/ministers-order-isps-block-
terrorist-websites> accessed 12 August 2014.
101
Kate Connolly, ‘Twitter blocks neo-Nazi account in Germany’ (18 October 2012) The
Guardian <http://www.theguardian.com/technology/2012/oct/18/twitter-block-neo-nazi-account>
accessed 12 August 2014.
102
See Cable News Network LP v. cnnews.co (n 80) and United States – Measures Affecting
the Cross-Border Supply of Gambling and Betting Services (n 45) (and accompanying discus-
sion) respectively.

23 / Date: 24/3
of upholding national laws reflecting peculiar political and cultural values, and at times
economic interests, e.g. copyright. The most striking example of this emerging trend is
the discussion about the possibility of a Europe-only communication network in the
wake of the Edward Snowden revelations – the aim being to have the technical
infrastructure for online communications on European soil in order to ensure the legal
protection of that data against foreign abuse.103 While the desire to uphold national or
regional normativity online is legitimate, particularly in democracies, the attendant
fragmentation of the internet entails significant costs for freedom of (transnational)
expression. The European Court of Human Rights [ECtHR] in Case of Yildirim v
Turkey (2013)104 held that wholesale blocking by Turkish ISPs of Google Sites website
(which had included a third-party site that violated Turkish law on the protection of
Ataturk’s memory) was inconsistent with Yildirim’s right to freedom of expression as
the Turkish judges had failed to take into ‘consideration, among other elements, the fact
that such a measure, by rendering large quantities of information inaccessible,
substantially restricted the rights of Internet users and had a significant collateral
effect’.105 Yildirim’s site which was unrelated to the offending site had become
inaccessible due to this general block, but Turkey insisted that blocking access to
Google Sites was the only technical means of blocking the one offending foreign site;
there was no evidence that Google had been approached with a request to take down
the specific offending sites.106 Above all, this case illustrates that the topic of
jurisdiction on the internet has strong intersections with human rights law and it is in
the light of rights such as freedom of expression, but also privacy and freedom of
conscience and religion, that a discourse on the topic needs to be developed.
5. CONCLUSION
The internet has pushed the regime of international jurisdiction from the shadows of the
law into its limelight – given that transnationality of conduct is no longer the exception
but the rule. Every search on Google, every click on a Facebook Like triggers a
border-crossing event that challenges the rule of national law; considering the online
dominance of US corporations, its national law appears to be least threatened by the
internet. This limelight is undoubtedly uncomfortable given that traditional jurisdic-
tional regimes (under public international law and private international law) are
strongly location-centric and thus inherently ill equipped to ‘reconcile’ transnational
activity with national law. Thus any solutions they produce are, of necessity, a ‘botched
job’.
103
BBC News, ‘Data protection: Angela Merkel proposes Europe network’ (15 February
2014) <http://www.bbc.co.uk/news/world-europe-26210053> accessed 12 August 2014.
104
Case of Yildirim v. Turkey No 3111/10 ECtHR (18 March 2013).
105
Ibid., para. 66.
106
One question here is whether an expectation of self-censorship based on national legal
requirements as was the case prior to the internet vis-à-vis communication bottlenecks, such as
TV, radio and the press, is still legitimate vis-à-vis online intermediaries.

24 / Date: 6/5
The discussion above shows how in particular the objective territoriality principle
under customary international law has been stretched to its maximum in order to extend
national law to online activity, which is in itself an entirely legitimate endeavour, even
if it comes at the expense of a coherent overall allocation system and an open internet.
Taking a State-internal perspective, each individual case is defensible in terms of
seeking to prevent the internet from undermining national legal standards, and thus on
the basis of upholding the ‘rule of law’ within each State’s territorial dominion. Yet,
from a global perspective, the blunt application of national law to the transnational
internet cannot but lead to the territorial fragmentation of the internet into national
cyberspaces with attendant costs for freedom of expression as well as for economic,
political, social and cultural exchange. Arguably, the transnational internet is suffering
the tragedy of the commons or a death by a thousand cuts: each time a State asserts its
right to apply its peculiar regulatory version of the ‘good life’ to the online world and
each times this assertion is enforced via voluntary compliance or border blocking,
transnationality is slightly impeded. This (enforced) fragmentation still appears to be at
its early stages. At the same time, there are also signs of a more moderate version of
the objective territoriality principle in form of the targeting / directing approach
emerging from the more private law spectrum of cross-border online disputes. This
version would go some way towards retaining, to some extent, the openness of internet
while also, largely, upholding national law on the internet. As this moderate approach
to territorial jurisdiction is – with respect to most legal areas – a more realistic option
than achieving substantive legal harmonisation at the global level, the future of an open
internet must lie in its hands.

25 / Date: 24/3
3. State responsibility in cyberspace

Constantine Antonopoulos
1. INTRODUCTION
The terms Internet and Cyberspace are household words. They represent domains the
use of which is indispensable to the entire or at least a substantial part of the global
population. At the same time, as this author understands it, they are not identical in
meaning as a matter of computer science terminology. The Internet is a ‘global network
connecting millions of computers’; it is ‘decentralized by design’, subject to ownership
or control (unlike ‘online services’) by no single (or a plurality of) person or entity.1
The Internet has a physical dimension because of the interconnection of different
computer systems, their accessibility and the transmission of information to and from
such systems by using the standard Internet Protocol (IP).2 Cyberspace, however, is a
more abstract term; it is a non-physical domain created by computer systems that
allows people to communicate with each other, to exchange or to gather information.
Moreover, it refers to the ‘notional environment in which digitized information is
communicated over computer networks’.3 Be this as it may, it appears that there exists
a tendency to treat these two terms as synonyms and use them interchangeably. To give
an example, the US Government Cyber Policy Review 2009 defines cyberspace as ‘the
interdependent network of information technology infrastructures, and includes the
Internet, telecommunications networks, computer systems, and embedded processors
and controllers in critical industries. Common usage of the term also refers to the
virtual environment of information and interactions between people’.4 It appears
therefore, that apart from identity in terms, these two concepts have a dual role: they
refer to the domain as well as to the medium of conducting certain activities.
Furthermore, it would be an understatement to say that the Internet is important to
private individuals, corporations and States: the US Government has stated that
cyberspace / the Internet underlines every aspect of modern society and it is both the
1
Vangie Beal, ‘Internet’ (Webopedia) <http://www.webopedia.com/TERM/I/Internet.html>
accessed on 1 November 2013.
2
Bill Young, ‘Navigating Cyberspace: Introduction to Cyberspace’ (9 January 2013)
University of Texas <http://www.cs.utexas.edu/~byoung/cs329e/slides1–introduction.pdf>
accessed on 4 November 2013.
3
US Department of Defense, ‘Dictionary of Military and Associated Terms’ JP 1–02 (12
April 2001, as amended through 31 August 2005) 139.
4
The White House, ‘Cyberspace Policy Review: Assuring a trusted and resilient
information and communications infrastructure’ (2009) <http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf> 1, accessed on 4 November 2013.
55
/ Date: 24/3
domain where and the medium by which economic, public safety, civil society and
national security activities are pursued.5
While the usefulness of the Internet is universally acknowledged, the same is the
case with regard to its misuse or hostile use, in the form of cyber-crime and espionage.6
In particular, as nowadays private business and governments conduct most of their
functions and activities in cyberspace, safety and resilience are matters to be preserved.
In the words of the US Cyber Policy Review 2009 ‘to realize the full benefits of digital
revolution, users must have confidence that sensitive information is secure, commerce
is not compromised and the infrastructure is not infiltrated. Nation-states also need
confidence that the networks that support their national security and economic
prosperity are safe and resilient. …’7 It is, therefore, not inconceivable that the Internet
may be used in such a way as to cause harm to States or as to compel them to act in a
particular manner. There have been three episodes in State practice that have revealed
how the hostile use of the Internet may affect the orderly function of basic services in
a State or threaten its security. In 2007 Estonia was the object of massive and
coordinated computer hacking attacks that paralyzed its economy and the functioning
of government services for weeks. In 2008 Georgia was the target of similar attacks
during the conflict with the Russian Federation with respect to South Ossetia. Also, in
2009 a computer virus by the name of Stuxnet caused the progress of the nuclear
program of Iran to suffer significant delay.8 In this context the question arises whether
such use of the Internet may give rise to State responsibility. The answer must be in the
affirmative provided that a specific use of the Internet amounts to an ‘internationally
wrongful act’.9 As the Internet is an international domain, then States must conduct
themselves over this domain in accordance with international law10 and therefore the
use of cyberspace is subject to international law. As Harold Koh, the former Legal
Advisor of the US State Department has remarked ‘international law principles do
apply in cyberspace. …’11 However, there are substantive challenges facing the law on
international responsibility as it exists in contemporary international law by the
particularities of cyberspace since this body of rules is premised heavily on attribution
of acts of individuals to a State. Be as it may, the present author submits, that the
application of this area of international law to cyberspace is not impossible, mainly as
a result of establishing responsibility on the basis of the breach of the obligation of due
diligence on the part of States, which dispenses with the difficulty of attributing acts of
individuals to a State, while even attribution may in certain cases be established. To
5
Ibid.
6
Mary E O’Connell, ‘Cyber security without cyber war’ (2012) 17 J. Conflict & Sec. L.
187, 190.
7
The White House (n 4) 1.
8
On these episodes see O’Connell (n 6) 192–194; Russell Buchan, ‘Cyber attacks:
Unlawful uses of force or prohibited interventions?’ (2012) 17 J. Conflict & Sec. L. 211, 218–21.
9
The International Law Commission Articles on state responsibility [2001] in James
Crawford (ed.), The International Law Commission’s Articles on State Responsibility, Introduc-
tion, Text and Commentaries (CUP 2002) 61.
10
O’Connell (n 6) 189.
11
Harold H. Koh, ‘State Department legal adviser addresses international law in cyberspace’
(2013) 107(4) A.J.I.L. 243, 244.

/ Date: 6/5
State responsibility in cyberspace 57
claim that State responsibility in cyberspace is by definition inapplicable would amount

to saying that a technological invention or evolution would create lacunae or ‘law-free
zones’ carrying the implication that lack of normative regulation may lead to any or
unrestricted behaviour.12
In this chapter the author will first briefly outline the legal framework on the
requirements of State responsibility (section 2) and subsequently address the challenges
presented by the particularities of the Internet to the requirements of an internationally
wrongful act, namely, attribution (section 3) and breach of an international obligation in
particular by way of omission by failing to observe the principle of due diligence
(section 4).
2. AN OUTLINE OF THE REQUIREMENTS OF STATE

RESPONSIBILITY
State responsibility appears to have emerged as a branch of international law by way of
private law analogy.13 As the Permanent Court of International Justice (PCIJ) ruled in
Factory at Chorzów (Indemnities) ‘it is a principle of international law, and even a
general conception of law, that any breach of an engagement involves an obligation to
make reparation’.14 However, subsequent judicial pronouncements and the work of the
International Law Commission (ILC) form a departure from legal analogies with the
domestic law of tort in favour of reconstructing the responsibility as a matter of
international public law arising when, an act: (1) is attributable to a State; and (2)
constitutes a breach of an international obligation. In US Diplomatic and Consular Staff
in Tehran the International Court (ICJ) stated that it had to ‘determine how far, legally,
the acts in question may be regarded as imputable to the Iranian State’ and whether
they were compatible or not ‘with the obligations of Iran under treaties in force or
under any other rules of international law that may be applicable’.15 Moreover, in
Bosnian Genocide the ICJ ruled with regard to the breach of the Genocide Convention
that ‘the obligations in question … and the responsibilities of States that would arise
from breach of such obligations are obligations and responsibilities under international
law. They are not of a criminal nature.’16
The contemporary law of State responsibility has as its principal source of reference
the Articles on the Responsibility of States for Internationally Wrongful Acts (ARS)
12
Ibid. Also see Hersch Lauterpacht, The Function of Law in the International Community
(first published in 1933, OUP 2011) 68–77.
13
See generally, Hersch Lauterpacht, Private Law Sources and Analogies of International
Law (first published in 1927, The Law–book Exchange 2002), Ch III, Sec VII.
14
The Factory at Chorzow (Claim for Indemnity) (Germany v. Poland) [1928] PCIJ Ser. A
No. 17, 29.
15
Case Concerning United States Diplomatic and Consular Staff in Tehran (USA v. Iran)
[1980] ICJ Rep. 3, 29.
16
Case Concerning Application of the Convention on the Prevention and Punishment of the
Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) [2007] ICJ Rep. 43,
115.

/ Date: 6/5
adopted by the ILC in 2001.17 This text is not (or not yet) a treaty. However, since 2001
it has been so extensively cited by international courts and tribunals, as well as in State
practice, that it is considered as an authoritative statement of the customary inter-
national law on State responsibility.18 The legal regime introduced by ARS is premised
on the distinction introduced by ILC Rapporteur Roberto Ago between ‘primary
obligations’ and ‘secondary rules’. The very first paragraph of the Introduction of the
Commentaries to ARS states that:
The emphasis is on the secondary rules of State responsibility, that is to say, the general
conditions under international law for the State to be considered responsible for wrongful
actions or omissions, and the legal consequences which flow therefrom. The articles do not
attempt to define the content of the international obligations breach of which gives rise to
responsibility.19
A second basic feature of ARS is that it views responsibility of States not as an

exclusive pattern of bilateral relations between the wrongdoing and injured State. By
contrast, State responsibility is given a public order dimension by laying emphasis on
the existence of an internationally wrongful act20 and not upon the damage or injury
caused and the existence of a causal link between the damage and the breach of
obligation. Thus, the Commentary to Article 1 ARS states that:
[T]he term ‘international responsibility’ … covers the relations which arise under inter-
national law from the internationally wrongful act of a State, whether such relations are
limited to the wrongdoing State and one injured State or whether they extend also to other
States or indeed to other subjects of international law, and whether they are centred on
obligations of restitution or compensation or also give the injured State the possibility of
responding by way of counter-measures.21
Moreover, this dimension of State responsibility is further supported by Articles 40 and

48 ARS dealing, respectively, with serious breaches of obligations arising under a
peremptory norm of international law and the invocation of the responsibility of a State
by States other than the injured party.
As the emphasis in ARS lies in the wrongful act, central position is given to its
requirements, namely, attribution to a State and breach of an international obligation
(Art. 2 ARS). Attribution means ‘the operation of attaching a given act or omission to
a State’22 and to this end the ARS relies on the identity of natural persons and their
17
[2001] Yearbook of the ILC, vol. II (Part Two).
18
UNGA Responsibility of States for Internationally Wrongful Acts – Compilation of
Decisions of International Courts, Tribunals and other bodies (Report of the Secretary-General)
A/65/76; [2010] UNGA Responsibility of States for Internationally Wrongful Acts – Comments
and Information received from Governments (Report of the Secretary-General) A/65/96; James
Crawford (ed.), Brownlie’s Principles of Public International Law (8th edn., OUP 2012) 540.
19
Draft Articles on Responsibility of States for Internationally Wrongful Acts, with commen-
taries [2001] A/56/10 31.
20
The International Law Commission Articles on State Responsibility (n 9) art 1.
21
Draft Articles on Responsibility of States for Internationally Wrongful Acts, with
commentaries (n 19) 33.
22
Ibid. 36.

/ Date: 24/3
relationship with a particular State. As the Commentary to Article 2 ARS makes

absolutely clear the fact is that States act through human beings or groups; therefore,
the issue of attribution is reduced to identifying the persons or groups that should be
considered to act on behalf of the State.23 This finding appears to rest on a dual basis
that is disjunctively applied: either the identity of a person or group as such or the
control exercised by a State over the activities of a person or a group. In a nutshell,
the ARS, for the purposes of attribution, are centred on the individual. Thus, the
responsibility of a State is engaged for acts or omissions by the following categories of
individuals:
(a) De jure State agents or organs, irrespective of their hierarchical position in the
apparatus of the State or the constitutional structure or organization of the State
(namely, whether it is a unitary or federal State) (Art.4 ARS);
(b) De facto State organs, namely, non-State actors or entities that have been
‘elevated’ to de facto State agents or organs because they are under the absolute
dependence and control of a State. In Bosnian Genocide the issue before the ICJ
was whether the atrocities perpetrated by the Bosnian Serbs in Srebrenica in July
1995, which as the Court ruled amounted to commission of genocide under the
1948 Genocide Convention, could be attributed to Serbia. The Court ruled that:
[t]his question has in fact two aspects, which the Court must consider separately. First,
it should be ascertained whether the acts committed in Srebrenica were perpetrated by
organs of the Respondent [namely, Serbia], i.e., by persons or entities whose conduct is
necessarily attributable to it, because they are in fact instruments of its action. Next, if
the preceding question is answered in the negative, it should be ascertained whether the
acts in question were committed by persons who, while not organs of the Respondent,
did nevertheless act on the instruments of, or under the direction or control of, the
Respondent.24
The Court then proceeded to identify de facto States organs as;
persons, groups of persons or entities [that], may for purposes of international
responsibility, be equated with State organs even if that status does not follow from
internal law, provided that in fact the persons, groups or entities act in ‘complete
dependence’ on the State of which they are ultimately the instrument … .25;
(c) Delegation of Government Authority. In this contingency the conduct of a
non-State actor (i.e. ‘a person or entity which is not the organ of the State’) is to
be considered as an act of the State if the non-State actor ‘is empowered by the
law of that State to exercise elements of governmental authority’ and it ‘is acting
in that capacity in the particular instance’ (Art. 5 ARS);
(d) The situation where an organ of a State is placed at the disposal of another State.
The acts or omissions of this organ in the exercise of government authority on
behalf of the State at the disposal of which it has been placed give rise to this
State’s responsibility (Art. 6 ARS);
23
Draft Articles on Responsibility of States for Internationally Wrongful Acts (n 19) 35.
24
Crime of Genocide (n 16) (Merits) 201.
25
Ibid. 205 [emphasis added].

/ Date: 24/3
(e) Ultra Vires Acts. A State organ or entity gives rise to the responsibility of the
State even when acting in this capacity it exceeds its authority or against
instructions (Art.7 ARS);
(f) Instructions, Direction and Control of a State over acts of private persons. In the
jurisprudence of the ICJ this control must be ‘effective control’ in order to give
rise to the responsibility of the State. The Court reached this finding in Nicaragua
where it ruled that the US assistance to the contras and its general control over
them were not sufficient in default of further evidence to attribute their acts
violating human rights and humanitarian law to the US government. By contrast
‘[f]or this conduct to give rise to legal responsibility of the United States, it would
in principle have to be proved that that State had effective control of the military
and paramilitary operations in the course of which the alleged violations were
committed.’ 26 Moreover, in Bosnian Genocide the Court, having found that the
Bosnian Serbs did not constitute a de facto organ of Serbia, proceeded to
determine whether Serbia exercised effective control over them. The Court
explained that the:
test thus formulated differs in two respects from the test … to determine whether a
person or entity may be equated with a State organ even if not having that status under
internal law. First, in this context it is not necessary to show that the persons who
performed the acts alleged to have violated international law were in general in a
relationship of ‘complete dependence’ on the respondent State; it has to be proved that
they acted in accordance with the State’s instructions or under its ‘effective control’. It
must however be shown that this ‘effective control’ was exercised, or that the State’s
instructions were given, in respect of each operation in which the alleged violations
occurred, not generally in respect of the overall actions taken by the persons or groups
of persons having committed the violations.27
In this respect, the Court declined to uphold the ruling of the ICTY Appeals
Chamber in the Tadić case where the ad hoc Tribunal applied the test of ‘overall
control’ that dispenses with the need to evaluate control of a State over each
specific operation of a non-State actor;28 the Court took the view that the
determination of State responsibility on the part of Serbia did not constitute an
indispensable finding to determine individual criminal responsibility by an
international criminal tribunal29 (Art. 8 ARS);
(g) Exercise of elements of government authority in the absence of or inadequate
function of State authorities and in circumstances that warrant the exercise of this
authority. In Yeager v. Islamic Republic of Iran the Iran-US Claims Tribunal ruled
26
Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicara-
gua v. USA) (Merits) [1986] ICJ Rep. 14 64–5 [hereinafter Nicaragua Case].
27
Crime of Genocide (n 16) 211–15.
28
Prosecutor v. Tadić, [1999] ICTY Appeals Chamber Judgment, IT–94–1–A, para. 145; but
cf. ibid. paras 118–122, where the Tribunal has drawn a distinction between acts performed by
private individuals to which the effective control test applies (as articulated in Nicaragua Case)
and organized military groups to which the overall control test applies.
29

/ Date: 24/3
that the immigration, customs and other similar acts that had been carried out by
the Revolutionary Guards at the Tehran airport in the immediate aftermath of the
Islamic revolution were attributable to Iran. The Tribunal reasoned that even
though these functions were not authorized by the Iranian government they
objectively consisted in the exercise of elements of governmental authority in the
absence of official authorities of the State ‘in operations of which the new
Government must have had knowledge and to which it did not specifically
object.’30 (Art. 9 ARS);
(h) The ARS provides in particular that acts or omissions by an insurrectional or
other movement are attributed to a State in the event the insurrection is successful
and the movement become the government of the State (Art. 10 ARS);
(i) Approval and Adoption by a State of acts of private persons or entities. In US
Diplomatic and Consular Staff in Tehran the Court ruled that the act of
overrunning of the US Embassy in Tehran by demonstrators and the seizure as
hostages of the US diplomatic staff could not be as such attributed to the Iranian
Government because the demonstrators were neither State organs nor did they
carry out a specific government act on behalf of the State31. However, the
responsibility of Iran for the acts of the demonstrators was established at a later
stage when the Iranian government approved of and adopted the occupation of the
Embassy premises and the captivity of the US diplomatic staff as its own32
(Art.11 ARS).
The second requirement of State responsibility, namely a breach of an international

obligation, may consist in a physical act or omission and may emanate from a rule of
either customary law or treaty (Art. 12 ARS) that introduces an obligation in force for
the particular State (Art.13 ARS). Moreover, the responsibility of a State may arise
whether the act is or is not of a continuing character (Arts 14 and 15 ARS) or it
constitutes part of a composite activity. Furthermore, State responsibility arises with
respect to acts of other States. This is not to say that acts of other States are attributed
to another State for, as the ILC has made clear, the ARS is premised on the principle
that ‘each State is responsible for its own wrongful conduct … attributable to it …
which is in breach of an international obligation of that State …’ and that ‘responsibil-
ity is specific to the State concerned’.33 Even though in this respect the ILC identifies
contingencies of ‘collaborative conduct’34 it does not appear to introduce a particular
legal framework of ‘shared responsibility’ for the collaborative element appears to be
viewed simply as a factual rather than a normative parameter.35 This is further
corroborated by Article 47(1) ARS on the invocation of State responsibility for an
30
[1987] 17 Iran–US Claims Tribunal Rep. (1987), 104.
31
Case Concerning United States Diplomatic and Consular Staff in Tehran (n 15) (Merits),
29–30.
32
Ibid. 33–36.
33
Draft Articles on Responsibility of States for Internationally Wrongful Acts (n 19) 64.
34
Ibid.
35
On shared responsibility see generally André Nollkaemper and Dov Jacobs, ‘Shared
responsibility in international law: A conceptual framework’ (2013) 34(2) Michigan J. Int’l. L.
359.

/ Date: 24/3
internationally wrongful act committed by a plurality of States: in this contingency the

responsibility of each State may be invoked with respect to this act. Having said this,
the responsibility of a State for the acts of another State arises on the basis of conduct
of the former State in relation to the latter that consists in aid or assistance, direction
and control and coercion (of the latter State). In each of these contingencies there must
be two requirements cumulatively: first, the conduct must be internationally wrongful if
it was committed by the other State and, secondly, the aiding/controlling/coercing State
must have knowledge of the circumstances of the internationally wrongful act (Arts
16–18 ARS). Finally, the ILC ARS provide for grounds precluding the wrongfulness of
an act that prima facie constitutes a breach of an international obligation; these are:
consent (Art. 20); self-defence (Art. 21); countermeasures (Arts 22, 49–54); force
majeure (Art. 23); distress (Art. 24); and necessity (Art. 25).
3. ATTRIBUTION IN CYBERSPACE
Cyberspace as a domain and the use of electronic devices as a medium of State conduct
raises difficulties with respect to ascribing particular acts to States. There is no reason
sweepingly to deny as a matter of principle the application of the rules of attribution
provided in ARS to conduct in cyberspace. However, the identification of individuals or
entities that use the Internet is characterized by considerable difficulty, for the Internet
guarantees, if not actually absolute, certainly a large measure of anonymity or
deniability. Thus, it is almost impossible to identify directly and with certainty the
person or entity operating a personal computer. Identification of persons, and by
consequence, attribution is only possible via the identification of a computer by way of
its IP that identifies its precise location.
Therefore, an internationally wrongful act in cyberspace appears to be ascribed to a
particular computer whereas the identity of the person operating it may only be
established either by way of presumption or on the basis of inside information
disclosed by government agents of the State perpetrating the internationally wrongful
acts in cyberspace.36 Thus, if a computer is identified by way of its location (in the
premises of a government department or a diplomatic mission) as a government
computer then the transmission of malware or denial of service interference may in
principle be attributed to a particular State. This appears to be established either on the
identity of the operator who is presumed to be a government agent or on the mere
location of the computer as this falls under the exclusive and complete control of a
State. Thus, in October and November 2013 the German Government launched strong
diplomatic protests with the US and UK Governments for allegations of electronic
surveillance of German governmental departments, including the German Chancellor’s
36
Viz. the information disclosed by the former US National Security Agency (NSA) Edward
Snowden on the NSA surveillance of many foreign government agencies; see Joshua Eaton,
‘Timeline of Edward Snowden’s revelations’, Al Jazeera America <http://america.aljazeera.com/
articles/multimedia/timeline–edward–snowden–revelations.html> accessed on 26 November
2013.

/ Date: 24/3
Office, from the US and UK embassies in Berlin. In particular, the German Govern-
ment warned the UK ambassador that the interception of German Government
information by intelligence services from a diplomatic mission constituted a breach of
international law.37
At the same time, the Tallinn Manual adopts a rather cautious approach to attribution
with respect to cyber wrongful acts by stating that the fact that a cyber operation has its
source in government cyber infrastructure is not sufficient to attribute these acts to a
State; it merely constitutes an indication that a particular State is associated with the
cyber operation. The Manual explains this approach by reference to the particular
features of cyber context and especially the likelihood that a government cyber
infrastructure may be ‘hijacked’ by non-State actors.38 Moreover, the former Legal
Advisor of the US Department of State has acknowledged the problem of attribution in
that cyberspace ‘significantly increases an actor’s ability to engage in attacks with
“plausible deniability”, by acting through proxies’ and suggested that this challenge is
‘as much [a question] of a technical and policy nature rather than exclusively or
predominantly’ a question of law.39 But attribution is predominantly a question of law
and it is not determined ‘on the mere recognition of a link of factual causality’.40
Furthermore, neither the Tallinn Manual nor the US Government propose an alternative
cogent framework of attribution but leave the whole issue surrounded in ambiguity
which suggests a wide margin of discretion on the part of an injured State to decide the
matter of attribution on the basis of extra-legal factors, such as the general political
climate between it and another State.41 In the absence of an alternative proposition it
appears that this position casts aside the current legal framework of attribution by
replacing it with a laissez faire approach by an injured State on a case-by-case basis.
Attribution of an injurious act to a State is a matter of evidence. As injurious acts in
cyberspace emanate from computers located in the territory of one or more States the
territorial location of computers may serve as a starting-point. State sovereignty entails
the expectation that every State exercises control over cyber infrastructure and activities
within its territory.42 However, as the ICJ ruled in Corfu Channel the mere fact of
existence of objects constituting a source of injurious acts (in this case computers
engaged in injurious cyber acts) within its territory is not sufficient to impute
knowledge of these acts to the State. At the same time, the victim State is permitted ‘a
more liberal recourse to inferences of fact and circumstantial evidence’.43 This lower
37
Nigel Morris et. al., ‘Germany calls in Britain’s ambassador to demand explanation over
“secret Berlin listening post”’ (6 November 2013) The Independent <http://www.independent.
co.uk/news/uk/politics/germany–calls–in–britains–ambassador–to–demand–explanation–over–secret–
berlin–listening–post–8923082.html > accessed 13 August 2014.
38
Michael N. Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare (CUP 2013) 39–40 [hereinafter Tallinn Manual].
39
Koh (n 11) 247.
40
Draft Articles on Responsibility of States for Internationally Wrongful Acts (n 19) 38–9.
41
Cf. Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’
(2012) 17 J. Conflict & Sec. L. 229, 233.
42
Tallinn Manual (n 38) 25–6.
43
Corfu Channel Case (UK v. Albania) (Merits) [1949] ICJ Rep. 4, 18; also see Tallinn
Manual (n 38) 34.

/ Date: 6/5
standard of evidence was admitted in Corfu Channel because the UK did not have
direct access to evidence and this in the context of a dispute where there was no
controversy either over the territorial source of the injurious act (the territorial sea of
Albania) or the agency (the mines) through which this act materialized. In the cyber
context the establishment of the exact and actual source of the injurious act is
extremely difficult to locate, let alone establish the identity of the perpetrator.44 Thus, it
appears that a very liberal approach to evidence is called for by the very nature of
cyberspace that would combine expert technical knowledge, press reports45 (where
available) revelation by defector public officials of a State (the US NSA surveillance
activities were divulged by former NSA official Edward Snowden) even though the fact
of defection may diminish its probative value as evidence contrary to the interests of
his own State.46 The inherent difficulty in identifying a single State as the source of an
injurious cyber act47 appears to leave the victim State two possible avenues: either the
identification of the perpetrating State on the basis of the existing political climate
between it and the victim State or cooperation with other States whether in the context
of international organizations or not. The first avenue may entail a degree of
arbitrariness and ultimately it does not, and cannot by itself, establish responsibility in
the absence of more objective evidence. By contrast, the second avenue offers a better
potential of identifying the alleged wrong-doing State. The fact, however, remains that
such identification defies to a large extent the established legal framework of
attribution.
On the basis of the assumption that injurious cyber activity can be traced to the
territory of a single State it is submitted that the best approach in the cyber context is
to attribute hostile cyber acts to this State on the basis of a presumption of
responsibility which may be rebutted by the State on the basis of evidence. In other
words, attribution may rest on a presumption that introduces a reversal of the burden of
proof. This submission departs from the ruling of the ICJ in Corfu Channel but unlike
sea-mines, computers are ubiquitous and by their nature not injurious. Thus, all that has
to be established is their location in the territory of a particular State and the latter’s
alertness by the victim to the fact that injurious cyber acts emanate therefrom. Once
this takes place knowledge of the injurious activity is established. It is true that the
State from the territory of which the injurious acts emanate may not constitute their
actual source, as the computers on its territory may have been hijacked. But this is no
reason to deny the right of the victim to alert this State and demand measures on its
part for the cessation of the injurious activities. Such measures may entail, depending
on the circumstances, a degree of denial of Internet services throughout the territory of
that State, and it is a question of balancing the interests of both the victim State and the
State from the territory of which the particular cyber activity emanates on whether or
not this is feasible.48 However, this cannot be prima facie excluded as a possibility in
44
Tsagourias (n 41) 233–5.
45
Cf. Nicaragua Case (n 26) 40–41.
46
Ibid. 43.
47
Tsagourias mentions that the cyber attack on Estonia in 2007 ‘involved a large botnet of
approximately 85,000 hijacked computers from around 178 countries’: see: (n 41) 233.
48
Tallinn Manual (n 38) 33.

10 / Date: 24/3
view of the fact that States in other circumstances (for instance, when facing unrest by
dissident political groups) are all too prepared to adopt sweeping measures of Internet
service-denial even throughout their territories. Having said this, there appears to be
only one situation in which injurious cyber acts may not be imputed to the territorial
State, namely, where the acts emanate from a location that is under the exclusive
jurisdiction of another State, such as the premises of a diplomatic mission or the
installation of a military base. In the context of the US NSA electronic surveillance
practices it was reported that special units located on the rooftops of a number of US
embassies in Europe and Asia (such as the US embassies in Athens and Baku) collected
data.49 In these cases these acts would not be attributed to the host States (respectively,
Greece and Azerbaijan) but to the USA.
4. BREACH OF AN INTERNATIONAL OBLIGATION IN

CYBERSPACE
There is no difficulty with the proposition that activities in cyberspace may constitute
breach of international obligations giving rise to State responsibility. Thus, certain acts
may violate the sovereignty of another State or other States, in the sense of interfering
in areas of competence that are exclusively reserved to every State. This contingency
may be relative to incidents of electronic surveillance of, or espionage against,
government departments and personnel of another State.50 However, there is no
consensus on this issue: according to a school of thought that relies on the famous (or
infamous?) Lotus principle,51 espionage is not prohibited or regulated by international
law; therefore, its practice does not as such constitute a breach of the sovereignty of
another State, unless perhaps some additional damage is caused.52 On the other hand, it
is argued that if an act is not expressly prohibited by international law this does not
lead necessarily and automatically to its permissibility;53 espionage, in particular, is
practiced extensively by States but no government has ever asserted that it constitutes a
lawful enterprise.54 Moreover, cyber acts may constitute instances of unlawful interven-
tion in the internal or external affairs of another State, provided the element of
‘coercion’ exists,55 or use of force.56
49
Morris (n 37).
50
On cyber espionage and international law see Buchan (Ch 8 of this book).
51
The Case of the ‘S.S. Lotus’ (France v. Turkey) [1927] PCIJ Ser. A No. 10, 18.
52
Tallinn Manual (n 38) 26, 36.
53
Accordance with International Law of the Unilateral Declaration of Independence in
respect of Kosovo, Advisory Opinion of 22 July 2010, (Declaration of Judge Simma) [2010] ICJ
Rep. 403, 478–9.
54
Anne Peters, ‘Surveillance without borders? The unlawfulness of the NSA–Panopticon,
Part I’, EJIL: Talk! (1 November 2013) <http://www.ejiltalk.org/surveillance–without–borders–
the–unlawfulness–of–the–nsa–panopticon–part–i/> accessed 7 November 2013.
55
Nicaragua Case (n 26) 107–8; Tallinn Manual (n 38) 26; Buchan (n 8) 221–6.
56
Tallinn Manual (n 38) 26, 45 et seq.; Koh (n 11) 244–5; Tsagourias (n 41) 230–33; cf.
O’Connell (n 6) 191–2, 198–203.

11 / Date: 24/3
However, all these may constitute a breach of international legal obligations

presuppose attribution of the unlawful acts to a State. The considerable difficulty of
attribution of an act perpetrated in cyberspace on the basis of the identity or the link of
a person or of an entity operating computers to a State, points at the other, in most
cases the only, ground for establishing responsibility: the violation of the duty of due
diligence arising from the principle that no State may knowingly allow its territory to
be used for, or be the source of, acts injurious to other States.57 The proof of attribution
in this contingency is made redundant because it concerns an omission to act in
accordance with a primary obligation and it may be established by the fact that a State
possesses the requisite infrastructure operated by its agents or de facto agents or private
parties to which government authority was delegated, to prevent such injurious acts.
Thus, due diligence is the primary obligation the breach of which (failure to act or
omission) ensures the observance of other primary obligations (either based on treaty or
customary law). The precise content and extent of due diligence varies in conjunction
with specific obligations. The ILC has deliberately refrained from including due
diligence in the Articles on State Responsibility because this would entail examination
of the content of primary rules; nevertheless, it did point out that there is a presumption
that any primary rule contains a qualification of due diligence.58
In the context of trans-boundary harm from hazardous activities the ILC has adopted
the view that the duty of due diligence involved does not extend to guaranteeing that
significant harm is to be totally prevented if it is impossible to do so. Furthermore the
ILC stated that the standard of due diligence to assess the conduct of a State would be
that which would be deemed ‘appropriate and proportional to the degree of risk of
trans-boundary harm in the particular instance’.59 Moreover, the Sea Bed Disputes
Chamber of the International Tribunal of the Law of the Sea (ITLOS) ruled in its
Advisory Opinion in the Responsibilities and Obligations of States with respect to
Activities in the Area ruled that due diligence is a ‘variable concept’ and the standard it
may set may change as a result of scientific and technological developments as well as
the risks involved in a particular activity.60
In the human rights field the duty of due diligence has been upheld in Velasquez-
Rodriguez in which the Inter-American Court of Human Rights interpreted the
obligation introduced in Article 1(1) of the Inter-American Convention of Human
Rights to respect and ensure the exercise of the rights enshrined in the Convention. The
Court ruled that the obligation to ‘ensure’ the exercise of these rights gave rise to the
duty of contracting States to organize the governmental infrastructure in such a way so
as to ensure ‘free and full enjoyment’ of the rights and prevent, investigate and punish
57
Corfu Channel Case (n 43) 22.
58
Report of the International Law Commission on the work of its 51st session (Supplement
No 10, 3 May–23 July 1999) GAOR, A/54/10, 86; Jan A Hessbruegge, ‘The historical
development of the doctrines of attribution and due diligence in international law’ (2004) N.Y.U.
J. Int’l L. & Pol. 265, 275.
59
ILC Draft Articles on the Prevention of Trans–Boundary Harm from Hazardous Activities
[2001] A/56/10, 154.
60
Responsibilities and Obligations of States Sponsoring Persons and Entities with respect to
Activities in the Area (Advisory Opinion) [2011] ITLOS Sea Bed Disputes Chamber, para. 111,
117.

12 / Date: 24/3
their violation; this obligation to ‘ensure’ is not fulfilled solely by the existence of ‘a
legal system designed to make it possible to comply with this obligation – it also
requires the government to conduct itself so as to effectively ensure the free and full
exercise of human rights’.61
The ICJ has dealt with the duty of diligence in a number of disputes involving
alleged breaches of international obligations in a variety of contexts. In Corfu Channel
the Court ruled at the outset that the mere existence of the source of an injurious act (in
this case the mines) in the territory of Albania was not sufficient to attribute this act to
the State, for the control exercised by a State over its territory as a result of sovereignty
does not establish prima facie knowledge of every activity taking place therein.62 After
establishing knowledge by Albania of the laying of mines in its territorial sea,63 the
Court ruled that the responsibility of Albania lay in her failure to notify the existence of
a minefield in its territorial sea to third-State shipping. In the opinion of the Court, this
obligation rested on three general principles, namely, elementary considerations of
humanity, the freedom of maritime communication and ‘every State’s obligation not to
allow knowingly its territory to be used for acts contrary to the rights of other States’.64
But the Court also took account of the particular factual circumstances of the case in
order to confirm its legal finding: it acknowledged that if the mines had been laid at the
last possible moment, namely, less than 24 hours before the UK warships struck them
it would have been difficult or even impossible to issue a general notification to
third-State shipping. But, as the incident took place at a time by which the Albanian
authorities could have had knowledge of the existence of the mines as a result of their
close surveillance of the Corfu Strait, Albania did not observe its duty of due
diligence.65 In US Diplomatic and Consular Staff in Tehran the Court ruled that the acts
of the demonstrators who took over the premises of the US embassy and held its staff
hostage could not be imputed per se to the government of Iran. However, Iran bore
responsibility because of its failure to observe its obligation under the Vienna
Convention on Diplomatic Relations (1961) to protect the inviolability of the persons
and premises of another State’s diplomatic mission.66
In Congo v. Uganda the Court dealt in the context of the first counterclaim of
Uganda with the allegation that the Congo had violated its obligation of due diligence
(or duty of vigilance) by failing to prevent the action of dissident armed bands against
Uganda from its territory. The Court ruled that the existence and toleration of armed
groups on Congolese territory could not be assimilated with active support to these
groups; in addition, the Court took into account the inimical geographical terrain where
the groups operated and the material inability of the Congolese (as well as the former
Zairian) Government to effectively control that part of the territory of the State. Thus,
61
Velasquez–Rodriguez v. Honduras (Judgment of 29 July 1988) [1988] Inter–Am. Ct. HR
(Ser C), No. 4, paras 166–167.
62
Corfu Channel Case (n 43) 18.
63
Ibid. 18–22.
64
Ibid. 22.
65
Ibid. 22–3.
66
Case Concerning United States Diplomatic and Consular Staff in Tehran (n 15) 30–33.

13 / Date: 24/3
the Court concluded that it could not uphold the allegation of breach of the duty of
vigilance on the part of the Congo.67
Moreover, in Bosnian Genocide the Court dealt with the obligation to prevent
genocide that is enunciated in the 1948 Genocide Convention.68 In the course of its
reasoning the Court made some statements of principle regarding the duty to prevent
(due diligence) even though it made it clear that it did not intend to introduce a general
framework of universal application on the duty of due diligence; it observed that ‘the
content of duty to prevent varies from one instrument to another, according to the
wording of the relevant provisions, and depending on the nature of the acts to be
prevented’.69 Then the Court analysed the content of the duty to prevent in relation to
the crime of genocide. It stated at the outset that this duty was an obligation of conduct
and not of result; hence, a State did not have the obligation to succeed in preventing
genocide ‘whatever the circumstances’ but was under the obligation to ‘employ all
means reasonably available’ to it to prevent the commission of the crime.70 Thus,
failure to achieve the desired result does not give rise to responsibility; by contrast,
responsibility arises in case of manifest failure to take all steps within its power that
would contribute to preventing genocide because ‘in this area the notion of “due
diligence”, which calls for an assessment in concreto, is of critical importance. Various
parameters operate when assessing whether a State has duly discharged the obligation
concerned’.71 The Court proceeded to identify those parameters in relation to the
specific obligation to prevent genocide and found of particular importance the capacity
to influence (within the limits of the law) the perpetrators on the basis of: (a) the
geographical distance between the State concerned and the scene of the crime: and (b)
the strength of political or other links between the State and the perpetrators.72 The
essence of due diligence lies, therefore, in the application of all means at the disposal
of the State even though such application may be proved on the basis of evidence to be
futile; in other words a State must not be inert even in the knowledge that its measures
will in all probability be ineffective to prevent the injurious act.73 Even though the
Court found that the duty to prevent genocide would give rise to responsibility only
when the crime was actually committed (viz. Article 14(3) ARS) it recognized that a
State was not absolved from responsibility if it remains inactive until commission of
the crime commences where there is a serious risk of its commission; in such a
contingency the State is under the obligation to employ the means available to it to
prevent the crime, otherwise the substance of the obligation would be negated.74
67
Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v.
Uganda) (Merits) [2005] ICJ Rep. 168, 268.
68
Convention on the Prevention and Punishment of the Crime of Genocide (1948) 78 UNTS
277, art 1.
69
70
Ibid. 221.
71
Ibid.
72
Ibid.
73
Ibid.
74
Ibid. 222.

14 / Date: 24/3
Finally, in Pulp Mills the Court ruled that both litigants (Argentina and Uruguay)
were under an obligation of due diligence to act through the Administrative Commis-
sion of the River Uruguay (CARU) with respect to adopting measures to preserve the
ecological balance of the river by virtue of Article 36 of the Statute of the River
Uruguay of 1975.75 The present author submits that State responsibility as a result of
breach of the duty of due diligence is consummated in the conduct of a State consisting
in its failure to act and it does not extend to the end result that occurred as a
consequence of this failure and that constitutes breach of a different primary rule (for
instance, the prohibition of the use of force). The latter contingency would require
further evidence that the ultimate outcome was the direct result of acts or omissions
amounting to the breach of this other primary rule and not simply the failure to adopt
preventative measures that even they might not guarantee beyond all doubt that the end
result would not occur.
On the basis of the preceding analysis it is submitted that the responsibility of a State
for internationally wrongful acts in cyberspace may be established in customary law on
the duty of due diligence in observing the obligation of not knowingly allowing its
territory to be the source of acts violating the rights of other States. The content of the
due diligence must be assessed by taking into account, first, that the use of the Internet
is not unlawful per se; secondly, that transmission from a computer or a host of
computers may or may not be the actual source of the injurious activity and; finally,
that the existence of thousands of computers on the territory of a State does not by and
of itself constitute knowledge of such injurious activity. Moreover, due diligence being
an obligation of conduct and not of result does not entail as a necessary outcome the
obligation to take steps to protect the rights of other States as this appears to go beyond
the requirement to employ all means that a State reasonably possesses to prevent an
unlawful act.76 Furthermore, knowledge of the cyber injurious act could be established
only upon the notification by the victim State that has the discretion to select the States
(they may be many) from the territories of which injurious transmissions occur.
The criteria for selection for notification are a matter of political decision, but once
notification takes place ‘knowledge’ exists and the State or States notified are under an
obligation to employ measures reasonably at their disposal to prevent the wrongful
cyber activity. Such measures appear to be commensurate with the possession of
technological capabilities to deny temporarily Internet service either to particular users
or throughout the State, even though the latter may disproportionately affect the
function of the governmental and economic infrastructure of the State. Thus, it appears
to be a matter of balancing the cost of Internet denial to the State of origin against the
effect of the injurious acts to the victim State and this is to be assessed in the particular
circumstances of each case. However, total denial of service may not, in principle, be
regarded as a reasonable response to injurious cyber acts; but it may not be excluded,
either in particular circumstances or even more so when States appear prepared to
resort to it to silence political opponents or contain internal unrest. What is important is
that a State that is established to have knowledge of injurious cyber acts emanating
from its territory is under a duty to act in a preventative manner irrespective of the fact
75
Pulp Mills on the River Uruguay (Argentina v. Uruguay) [2010] ICJ Rep. 14, 77.
76
Cf. Tallinn Manual (n 38) 33.

15 / Date: 24/3
that the said cyber activity also originates from the territories of other States. To say
that the failure to employ measures within that State’s capability is of no consequence
because the wrongful cyber activity also emanates from computers located in a
plurality of States does not absolve the former from responsibility under due diligence.
The ICJ ruled in Bosnian Genocide that such an assertion is irrelevant to the breach of
an obligation of conduct warranted by the duty of due diligence, especially when there
is a possibility of cooperation through concerted action in a situation where the
perpetrator of an injurious cyber act takes over a large number of computers situated in
a plurality of States.77 Indeed, it is because of this contingency, so frequent in practice,
that cooperation and concerted action is essential either on an ad hoc basis to counter
specific wrongful cyber activities or on a more permanent basis through institutional-
ized mechanisms or a pre-existing framework of good practices in cyber-space.78 Thus,
the NATO initiatives on information security are in principle steps in the right
direction79 as well as the initiative of China and the Russian Federation for the
introduction of an International Code of Conduct for Information Security.80
5. CONCLUSION
Cyberspace raises many challenges to the law on State responsibility as it has evolved
through State practice, judicial decisions and the work of the ILC culminating in the
2001 ARS. Cyberspace as a domain has international dimensions; therefore it is in
principle amenable to regulation by international law and the rules on State respons-
ibility, in particular, may be applied. While a breach of an international obligation may
be established without much difficulty in relation to certain types of cyber activity, it is
attribution of it to a specific State that raises difficulties that in practice appear
insurmountable and seem to defy the rules on attribution established in the ILC ARS.
These rules on attribution are centred on acts of persons and their imputation to a
particular State. Moreover, the process of attribution is a juridical one. However, the
nature of cyberspace as a domain, the freedom and the prima facie lawfulness of its
use, the transmission of information through computers and the anonymity of the users
of those computers leave very little scope for establishing with a relative degree of
certainty both the identity of the user and his/her link to a specific State. The only fact
that can be established with certainty is the location of a particular computer or
computers in the territory of one or more States. This gives rise to the presumption that
the State from the territory of which cyber injurious acts emanate could be the one that
may incur responsibility. However, this does not dispense with the specific rules of
77
Crime of Genocide (n 16) 221.
78
O’Connell (n 6) 206–9.
79
NATO, ‘NATO and Cyber Defence’ (7 August 2014) <http://www.nato.int/cps/en/natolive/
topics_78170.htm?> accessed 13 August 2014.
80
Letter dated 12 September 2011 from the Permanent Representatives of China, the
Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary–
General, Annex, A/66/359.

16 / Date: 24/3
attribution and the fact that computers situated in the territory of a one or more States
are the actual source of wrongful cyber acts as they may have been ‘hijacked’ by the
real perpetrator. Hence there have been suggestions of overcoming this difficulty by
addressing attribution more flexibly or even by going beyond its existing legal
framework and establishing it on existing political relations between the States
concerned. Whereas political relations may constitute a factor for a victim State of
selecting another State or other States as the likely source of wrongful cyber activity, it
should not constitute a substitute for the existing rules on attribution and should not
dispense with the burden of proof of the grounds of attribution. This enterprise requires
evidence and as this is not possible to collect on the territory of a State from which
cyber activity occurs, circumstantial evidence may be admissible (for instance, the
revelation in the press by former government agents that a State has engaged in
wrongful cyber acts) as well as the reversal of the burden of proof upon the State
allegedly perpetrating injurious cyber acts.
The difficulty in applying the existing rules on attribution could be overcome by
focusing on the primary rule breached (namely, the specific international obligation) in
conjunction with the duty of due diligence either by reference to the substantive content
of the primary obligation or the general principle of international law that no State must
knowingly allow its territory to be used for injurious acts against other States. In this
manner, responsibility may be established on the fact that certain wrongful cyber acts
have their source in computers located in the territory of a State or a plurality of States
and it occurs with knowledge of the latter. This knowledge would be established on the
basis of alerting the territorial State (or States) to the fact of wrongful cyber activity
from its territory and its failure to act by employing measures within its capabilities to
curb that activity. The best course of action to achieve cessation of injurious cyber acts
appears to be through the adoption of good Internet practices and international
cooperation.

17 / Date: 24/3
4. Cyberspace and intellectual property rights

Andreas Rahmatian
1. INTRODUCTION: INTELLECTUAL PROPERTY AND

CYBERSPACE, OR: PRIVATE PROPERTY AND
INTERNATIONAL LAW – A COMPLICATED RELATIONSHIP
The cyberspace cannot be conceived as being fragmented into national jurisdictions.
But that is in conflict with the fundamentally territorial nature of intellectual property
rights. As this chapter focuses on intellectual property, it does not discuss international
rules which govern the cyberspace across the world (for example, the domain name
regulation system, or the allocation system for internet protocol addresses1). It does not
consider either in which way national laws and international rules interact in relation to
the cyberspace.2 The latter point highlights that sometimes it is difficult to ascertain the
boundary between international law and national law (of intellectual property),3
whereby national intellectual property laws with a foreign law connection are governed
by private international law rules.
Intellectual property is a form of private property. This is sometimes theoretically
disputed,4 but in practice is always accepted,5 and by the courts.6 Intellectual property
is therefore a creation of national private and commercial laws, as any other property.7
1
See, for example, Catherine Easton, ‘ICANN’s core principles and the expansion of
generic top–level domain names’ (2012) 20(4) Int’l. J. L. & Information Technology 273–90 on
the ICANN regime.
2
For discussion, see Antony Taubman, ‘International Governance and the Internet’, in
Lilian Edwards and Charlotte Waelde (eds.), Law and the Internet (3rd edn., Hart Publishing
2009) 4–7 et seq. See also Tsagourias and Kohl (Chs 1 and 2 of this book respectively).
3
Taubman (n 2) 16.
4
Peter Drahos, A Philosophy of Intellectual Property (Ashgate 1996) 210.
5
Also for property choice of law rules according to Private International Law, see James J.
Fawcett and Paul Torremans, Intellectual Property and Private International Law (2nd edn.,
OUP 2011) 696.
6
For example by the European Court of Human Rights in Balan v. Moldova [2009] ECDR
6, paras 32, 34: ‘The concept of “possessions” referred to in the first part of Art 1 of Protocol 1
[of the European Convention on Human Rights] has an autonomous meaning which is not
limited to ownership of physical goods’ … ‘The Court reiterates that art 1 of Protocol 1 is
applicable to intellectual property …’
7
See, for example, the statutory rules declaring intellectual property rights as property
rights in the UK in Copyright, Designs and Patents Act 1988 (CDPA), s. 1 (copyright), s. 213
(unregistered designs), Trade Mark Act 1994 (TMA), s. 2 (trade marks), Patents Act 1977 (PA),
s. 30(1) (patents), Registered Designs Act 1949 (RDA), ss. 1(2), 2 (registered designs). The
status of (non–statutory) goodwill, protected by passing off, and of confidential information is
more difficult to ascertain.
72
/ Date: 6/5
Cyberspace and intellectual property rights 73
But the position and recognition of (intellectual) property in international law is not so
straightforward, and that is not changed by the fact that intellectual property rights can
extend to the whole world, because they are legal concepts and do not attach to a finite
tangible object or reification. A plot of land cannot be taken out of the country and its
national jurisdiction.8 A trade mark can be created by (i.e. registered under) the national
law of the UK, but can have an effect worldwide. In this regard, intellectual property
rights share some similarity in practical terms with the naturally international quality of
the cyberspace. The cyberspace often acts as a carrier for objects of intellectual
property which then need protection in different countries, for example, a copyright-
protected text on the internet. Furthermore, electronic copying is extremely easy and
cheap and the copy corresponds exactly to the original. So an intellectual property right
attached to a digitally transmitted object is initially a product of a national law that can
spread internationally. This is effected by the international intellectual property
conventions.
2. INTELLECTUAL PROPERTY PROTECTION IN

INTERNATIONAL LAW
The roots of the international law of intellectual property date back to the nineteenth
century.9 The most important classical international conventions are the Paris Conven-
tion for the Protection of Industrial Property 1883,10 regulating a basic minimum
standard of protection for patents,11 industrial designs,12 trade marks and trade names,13
and protection against unfair competition;14 and the Berne Convention for the Protec-
tion of Literary and Artistic Works 1886,15 providing for basic principles of copyright
or author’s right protection.16 Both conventions establish a (Paris, Berne) Union for the
protection of industrial and intellectual property rights. In that Union nationals of any
country of the Union shall enjoy the same protection for their intellectual property
rights in all other countries of the Union as they enjoy in their country of origin
8
That is also reflected by the rule of lex rei sitae or lex situs in private international law,
see Fawcett and Torremans (n 5) 665.
9
A useful brief overview of the international intellectual property law system for present
purposes can be found in Graeme B. Dinwoodie, ‘The international intellectual property law
system: New actors, new institutions, new sources’ (2006) 10 Marq. Intell. Prop. L. Rev. 205,
205.
10
Paris Convention for the Protection of Industrial Property 1883 (Stockholm text 1967,
amended 1979).
11
Ibid. art 4–art 5 quater.
12
Ibid. art 5 quinquies.
13
Ibid. art 6–art 9, art 10 ter.
14
Ibid. art 10 bis.
15
Berne Convention for the Protection of Literary and Artistic Works 1886 (Paris text 1971,
amended 1979).
16
Ibid. art 2 et seq.

/ Date: 24/3
(national treatment).17 The Paris and Berne Conventions have been ‘absorbed’ by the
TRIPs Agreement (Agreement on Trade-related Aspects of Intellectual Property Rights)
1994, being Annex 1C of the Marrakesh Agreement establishing the World Trade
Organisation (WTO). According to Articles 2 and 9, respectively, ‘members [of TRIPs]
shall comply with’ the Paris and Berne Conventions.18 Since the TRIPs Agreement was
originally envisaged as a treaty securing the enforcement of (Western) intellectual
property rights in the rest of the world,19 the TRIPs Agreement is unusually detailed for
an international convention and could itself provide sufficiently comprehensive rules
for a national intellectual property regime in a country that does not already have one.20
Indeed, compliance with the TRIPs Agreement required almost no adaptation of the
national intellectual property systems in the Western world but prompted major changes
in many non-Western jurisdictions.21
Beside the Paris and Berne Conventions and TRIPs, other conventions and inter-
national standards are specifically relevant to the cyberspace, such as the World
Intellectual Property Organisation (WIPO) Copyright Treaty 1996. This treaty added to
the concept of the right of communication to the public of copyright-protected works
communication ‘by wire or wireless means, including the making available to the
public of their works in such a way that members of the public may access these works
from a place and at a time individually chosen by them’.22 In this way, the WIPO
Treaty moved away from the classical concept of publication (of a book, etc.) in
copyright law and catered for the uploading of texts and other works on the internet.23
Another regime is the Uniform Domain Name Dispute Resolution Policy (UDRP),
which is soft law, adopted by the Internet Corporation for Assigned Names and
Numbers (ICANN).24 There are also national laws, such as the US Digital Millennium
17
Paris Convention (n 10) art 2, Berne Convention (n 15) art 5. See e.g. Annette Kur and
Thomas Dreier, European Intellectual Property Law (Elgar 2013) 14, 19. The TRIPs Agreement
supplements the National Treatment Rules of the Paris and Berne Conventions by the Most
Favoured Nation Treatment Rule in art 3(1): Member States must extend trade benefits that were
granted to specific trading partners also to other Members of the Agreement.
18
However, the moral rights provisions in art 6 bis. of the Berne Convention are excluded
from the compliance requirement in the TRIPs agreement, see art 9(1), TRIPs Agreement.
19
Michael Blakeney, Trade Related Aspects of Intellectual Property Rights: A Concise
Guide to the TRIPS Agreement (Sweet and Maxwell 1996) 9.
20
TRIPs Agreement (n 18), Part II, sec 1: copyright; sec 2: trademarks; sec 3: geographical
indications; sec 4: industrial designs; sec 5: patents; sec 6: layout–designs (topographies) of
integrated circuits; sec 7: protection of confidential information; section 8: control of anti–
competitive practices in contractual licences.
21
Carlos M. Correa, Intellectual Property Rights, the WTO and Developing Countries (Zed
Books 2000) 3, 101, 111; Peter Drahos, ‘Developing countries and international intellectual
property standard–setting’ (2002) 5(5) J. World Intel. Prop. 765.
22
WIPO (World Intellectual Property Organisation) Copyright Treaty 1996, art 8.
23
Mihály Ficsor, The Law of Copyright and the Internet: The 1996 WIPO Treaties, their
Interpretation and Implementation (OUP 2002): The ‘making available’ right, is an ‘umbrella
solution’ because it contains a neutral description of interactive transmissions which in law is
neither to be characterised as distribution nor as communication to the public.
24
E.g. Taubman (n 2) 16–17; Easton (n 1) 273.

/ Date: 6/5
Copyright Act 1998 (DCMA)25 which initiated internet service providers’ (ISPs)
practices that have now become international norms,26 or the UK Digital Economy Act
2010.27 These provisions touch upon the enforcement of intellectual property rights
only and are outside the scope of this discussion.
One has to bear in mind here that the international intellectual property system is
designed to provide a regulatory framework in the context of trade and peaceful
activities. It is a part of international economic law, not of the law of war and peace. It
is therefore of no practical relevance to cyber attacks28 and cyber terrorism:29 persons
and countries engaged in such activities are naturally not concerned about private
intellectual property rights, they are more likely to flout them. The possibility of
redress for intellectual property infringements as a result of cyber attacks before a
(national) civilian court is usually remote (leaving aside the problem of jurisdiction),
and certainly has no deterrent effect. The question of cyber war has to be dealt with
according to rules of ‘classical’ international law, not under private law of which
intellectual property laws form a part.30
3. THE DIFFERENCE BETWEEN PROPERTY AND

SOVEREIGNTY, AND ITS RELEVANCE TO THE CYBERSPACE
The last point hints at the age-old distinction in law between property and sovereignty.
The cyberspace introduces a new idea of spatiality in property law; space is now purely
notional, and so is the attribution of that space to persons or entities as owners, or,
conversely, the keeping free from individual private ownership as a form of public
space or notional commons.31 But ‘traditional’ property is also a normative creation
attaching (sometimes) to physical things, and the qualification of the thing as ‘property’
attributed to an ‘owner’ is also a normative concept.32 So the cyberspace is not really a
conceptually new phenomenon which the law has to grapple with, particularly not as to
25
Most relevant is here §512 of the US Copyright Act 1976, introduced by the DCMA,
which provides that an internet service provider has no liability for damages for copyright
infringement where it hosts a web site containing infringing material and removes that material
without delay after having received a notification of the infringement from a copyright owner.
26
Dinwoodie (n 9) 207.
27
Relevant is here especially s. 17 which contains a power of the Secretary of State to make
a provision about a blocking injunction preventing access to locations on the internet that contain
copyright–infringing material.
28
See Roscini and Focarelli (Chs 11 and 12 of this book respectively).
29
See Saul and Heath (Ch 7 of this book).
30
See Part I – Cyberspace and General Principles of International Law of this book.
31
Mark A Lemley ‘Place and cyberspace’ (2003) 91 Cal. L. Rev., 521, 524 and references.
The ultimate intellectual root of that idea can be found in Jean–Jacques Rousseau, The Social
Contract, (Penguin 1968) 65–68 among other writings, although the Anglo–Saxon discussion
usually invokes John Locke, Second Treatise of Government, (Hackett Publishing 1980) Ch 5.
See also Tsagourias (Ch 1 of this book).
32
This is the effect of the concept of dematerialised property, see Andreas Rahmatian,
Copyright and Creativity. The Making of Property Rights in Creative Works, (Edward Elgar
2011) 1–25. See also Tsagourias (Ch 1 of this book).

/ Date: 24/3
the substance of protection: a text is protected by the normative concept of copyright,

whether printed and distributed physically or put online and made available on the
internet. The only fundamental difference is the much greater (factual) problem of
intellectual property enforcement in the cyberspace. However, the large institutional
copyright owners’ constant bewailing of massive infringement activities on the internet
has to be taken with a pinch of salt. A good deal of protection is excessive. If copyright
protection were cut back to reasonable proportions, the enforcement problem on the
internet would be reduced significantly, because in a greater number of cases certain
activities would not be infringements in the first place.
The international nature of the cyberspace with separate (private, property-holding)
individuals and companies as actors within the cyberspace can potentially blur the legal
division between sovereignty and property.33 A classical source for the distinction
between private property as dominium and sovereignty as imperium is Grotius:34
persons and things are subject to sovereignty, while property rights only extend to
things. This is echoed by Montesquieu: political laws confer liberty on someone, while
private laws confer property rights on someone.35 As a gloss on that, Rousseau noted
that property is alienable, while sovereignty is not.36 But it is well known that in
socio-economic reality this division is by no means that clear. Property rights are rights
against people in relation to things (dominium) which can effectively mutate to rights
over people in general in a certain region (a kind of ‘imperium’ in a sociological
sense).37 This also applies to the effects of international intellectual property regu-
lation.38 So he who has quasi-proprietary power over the cyberspace may very well
acquire quasi-sovereignty over people, especially where traditionally State activities are
‘outsourced’ to non-state entities with state backing.39
The protection of property, also in the form of intellectual property, enjoys some
recognition under international law. A direct reference to property protection can be
found in the Universal Declaration of Human Rights, Article 17.40 However, neither the
International Covenant on Civil and Political Rights 1966, nor the International
33
Keith Aoki, ‘Considering multiple and overlapping sovereignties: Liberalism, libertarian-
ism, national sovereignty, “global” intellectual property, and the internet’ (1998) 5 Ind. J. Global
Legal Stud. 443, 447–8.
34
Hugo Grotius, De jure belli ac pacis. Libri tres (Vol. II, ed. and trans. F. W. Kelsey et. al,
Oceana Publications 1964) 207.
35
Charles de Secondat Montesquieu, The Spirit of Laws (1st edn. 1748, ed. David W.
Carrithers, University of California Press 1977) book 26, 364.
36
Rousseau (n 31) book 1, 67, book 2, 69.
37
Morris R. Cohen, ‘Property and sovereignty’ (1927) 13 Cornell L. Q. 8, 12–13.
38
Rahmatian (n 32) 268–70. See also Aoki (n 33) 461.
39
The ICANN regime, for example, assumes a regulatory role that would traditionally have
been reserved to States. What has been said before has to be distinguished from virtual
sovereignty in a virtual world of a developer who created that virtual world (in computer games)
which uses the cyberspace. Discussion of that phenomenon by Wian Erlank, ‘Property and
sovereignty in virtual worlds’ in James C. Smith (ed.), Property and Sovereignty. Legal and
Cultural Perspectives (Ashgate 2013) 99, 116.
40
Universal Declaration of Human Rights (adopted 10 December 1948 UNGA Res 217
A(III) (UDHR) art 17: ‘Everyone has the right to own property alone as well as in association
with others. No one shall be arbitrarily deprived of his property’.

/ Date: 6/5
Covenant on Economic, Social and Cultural Rights 1966, contain property protection
provisions; the latter only has an oblique reference to patent and copyright protection in
Article 15(1).41 The protection of property is more clearly spelt out under the regime of
the European Convention on Human Rights – not in the Convention itself, but in
Article 1 of the First Protocol. According to that provision ‘every natural or legal
person is entitled to the peaceful enjoyment of his possessions’. The European Court of
Human Rights has extended the meaning of the term ‘possessions’ to cover intellectual
property rights, such as patents,42 trade marks and trade mark applications,43 and
copyright.44
4. THE TERRITORIAL NATURE OF INTELLECTUAL PROPERTY

RIGHTS
Any discussion about intellectual property rights, whether in a general context or in the
specific context of the cyberspace, must decide on a legal system when describing the
intellectual property right in question. To some extent one can give a broadened picture
by presenting a comparative study across some jurisdictions; there are the long-
standing international intellectual property treaties (especially the Paris and Berne
Conventions and, more recently, the TRIPS Agreement); and there is also regional
harmonisation in relation to some intellectual property rights (notably trade mark law
within the EU).45 But the principal situation remains: intellectual property rights are
territorial in nature, confined to specific jurisdictions. Thus there is a French author’s
right, a British copyright, a German patent, an Italian patent and so on. As has already
been said, this is in conflict with the necessarily international quality of the cyberspace.
(a) The Idea of Territoriality in Public International Law and Intellectual

Property Law and the Gradual Loosening of the Territoriality Principle
The following observations apply to international intellectual property rights in general,

but they are particularly relevant to the cyberspace because this medium enables the
dissemination of intellectual property (inventions protected by patents; texts, music,
pictures and computer programs protected by copyright; signs protected by trade
marks) worldwide with unprecedented speed. It has already been pointed out that
41
Ibid. art 15(1)(c): ‘The parties to the Covenant on Economic, Social and Cultural Rights
recognise the right of everyone to benefit from the protection of the moral and material interests
resulting from any scientific, literary or artistic production of which he is the author.’
42
Smith Kline and French Laboratories Ltd. v. Netherlands (1990) 66 European Commis-
sion of Human Rights, DR 70.
43
Anheuser–Busch Inc. v. Portugal (2007) 45 EHHR, 36, [2007] ETMR 24 (Grand
Chamber). Discussion of this case in Andreas Rahmatian, ‘Trade marks and human rights’, in
Paul Torremans (ed.), Intellectual Property and Human Rights (Kluwer 2008) 345–7.
44
Balan v. Moldova [2009] ECDR 6.
45
Directive 2008/95/EC of the European Parliament and of the Council of 22 October 2008
to approximate the laws of the Member States relating to trade marks (codified version) (Trade
Marks Directive).

/ Date: 6/5
intellectual property adheres formally to the territoriality principle,46 but with consid-
erable modifications.
In public international law the territoriality principle,47 itself a somewhat vague term,
means that certain types of State action within the exercise of the State’s sovereign
rights (statutes, court decisions, administrative acts and decisions) which generally
serve to advance State interests are normally effective only within the territory of the
acting State. The State is not subject to any other State, but free and sovereign. All
States are equal, and therefore respect each other’s sovereignty.48 An example of the
application of the territoriality principle is where State A seeks to expropriate private
property located in State B. Where such encroachments by foreign State A in the area
of private law are motivated by political or economic goals, State B need not give effect
to these.49 This is so with regard to tangible property, but there are also cases involving
intellectual property. For instance, the French Cour de Cassation said in Fondation Carl
Zeiss Stiftung v. Fondation Carl Zeiss Heidenheim that the expropriation of trade marks
by the German Democratic Republic was inoperative in France where these trade
marks had also been registered.50
However, the situation is more complex with intellectual property rights that are
regulated by international conventions. The international conventions, such as the Paris
and Berne or the European Patent Convention (EPC) 1973,51 are the root of a ‘bundle
theory’ of intellectual property that can be interpreted as the effect of the territoriality
principle:52 while traditional tangible property is valid everywhere or not at all
according to private international law, intellectual property is valid in form of a
‘bundle’ of independent rights within single States, subject (in principle) to the national
intellectual property law of the single State in question, and also subject to the private
international law of that State.53 Although the Berne Convention or the TRIPS
Agreement introduced minimum standards for the protection of copyright (‘inter-
national law’), the copyrights in question are still the national copyrights of the UK,
Canada or Australia (‘national laws’). Or, in the words of the English High Court: ‘The
concept of a world wide copyright is not acceptable as a matter of law, save to the
extent that there is any Convention or Treaty, such as the Berne Convention, recognised
46
Graeme B. Dinwoodie, ‘Developing a private international intellectual property law: The
demise of territoriality?’ (2009) 51 W. & Mary L. Rev. 711–800.
47
On territoriality principle in cyberspace see Kohl (Ch 2 of this book).
48
Gerhard Kegel and Ignaz Seidl-Hohenveldern, ‘On the territoriality principle in public
international law’ (1981) 5 Hastings Int’l & Comp. L. Rev., 245, 249–50.
49
Ibid. 253–4.
50
(1974) 47 Int’l. L. Rep. 129, 132; see also ibid. 276–7.
51
Signed on 5 October 1973; the EPC is technically outside the EU institutions and a
number of non–EU countries are also members of this intergovernmental treaty, including
Switzerland, Liechtenstein, Norway, Serbia and Turkey. All EU Member States are members of
the EPC. The EPC constitutes a special agreement within the meaning of art 19 of the Paris
Convention. See e.g. Kur and Dreier (n 17) 90–96.
52
Paris Convention (n 10) art 4bis(1) (for patents), art 6(3) (for trade marks); Berne
Convention (n 15) art 5(2) (for copyright).
53
Kegel and Seidl–Hohenveldern (n 48) 247; Dinwoodie (n 46) 734) Hugenholtz (2012: 9).

/ Date: 6/5
in English law which has that sort of effect.’54 A result of this territoriality principle is
the generally accepted lex loci protectionis55 to determine the applicable law in
intellectual property infringement cases. But there are exceptions, for example the
courts in the US determine the law for copyright authorship and ownership according
to the lex originis.56 There is no definite rule either for the allocation of intellectual
property rights between employer and employee.57 The question whether and how the
lex loci protectionis is applied to determine the applicable law is obviously also
important with regard to dealings in intellectual property rights: for example, an
assignment of copyright is permitted under UK copyright law (and common), but void
under German author’s rights law.58
A loosening of the strict application of the lex loci protectionis also indicates a
certain relaxation of the territoriality principle from which it derives. A work protected
by copyright is the same work everywhere, but the same creation is protected by about
200 separate national copyrights.59 Registered intellectual property rights, such as
patents and trade marks that may be registered in numerous separate countries, also
relate to the same object (inventions in case of patents and signs in case of trade
marks).60 Increasing constraints by international conventions on individual States to
regulate intellectual property, extensive international harmonisation of substantive
intellectual property law, more frequent trans-border activity, especially through the
internet, and augmented commercial power of multinational companies, call the
justification of the classical territoriality principle into question.61
54
Peer International Corporation v. Termidor Music Publishers Ltd. [2002] EWHC 2675
(Ch) (first instance), para. 71. Further, ‘[a]t least in the view of English law, copyright is, of
necessity and by definition, a territorial concept, and in so far as it is English – or United
Kingdom – copyright, it is governed by English – or United Kingdom – law. Although it is an
abstract concept, English copyright could no more be removed from England than English real
property could be removed from England.’
55
The law of the country in which protection is sought (in German law called ‘Schutz-
land ’).
56
See the discussion of the application of the lex originis with regard to authorship and
ownership and works created by employees in different jurisdictions, with a preference of an
‘origin single law’ approach: Paul Torremans, ‘Authorship, ownership of right and works created
by employees: which law applies?’ (2005) 27(6) Eur. Intell. Prop. Rev. 220, 221.
57
See extensive discussion by Dinwoodie (n 46) 728–33 with examples from case law in
the US.
58
Andreas Rahmatian, ‘Dealing with rights in copyright-protected works: assignments and
licences’ in Estelle Derclaye, Research Handbook on the Future of EU Copyright (Edward Elgar
2009) 299–301.
59
The Berne Convention and the TRIPS Agreement secure a minimum standard of
copyright protection of the creation in all countries that are members of these conventions, while
the national copyright laws are the basis of the separate property (copyright) in each country.
60
Dinwoodie (n 46) 766–7.
61
Ibid. 769–71. For the loosening of the territoriality principle by the Uniform Domain
Name Dispute Resolution Policy and ICANN specifically, see Hong Xue, ‘Territorialism v.
Universalism: International intellectual property law in the internationalised domain name
system’ in Ysolde Gendreau (ed.), Intellectual Property: Bridging Aesthetics and Economics
(Les Éditions Thémis 2006) 257.

/ Date: 24/3
The case of the well-known trade mark is another example of the gradual disintegra-
tion of the traditional territoriality principle. Article 6 bis of the Paris Convention
contains an exception to the territoriality principle for well-known trade marks:62
protection is granted against the registration of a sign in country B that is liable to
create confusion with a well-known mark in country A in relation to identical or similar
goods for which that mark has been registered in country A.63 So there is no
registration in country B, yet the reputation of the mark registered in country A can
prevent the registration or use of a confusingly similar sign in country B. The TRIPS
Agreement 1994 took this further in that it extended this protection of the well-known
mark to classes of goods outside these for which it has been registered, and to classes
of services.64 The result is that the rules regarding well-known trademarks leave the
national laws confined to the respective territorialities and form a kind of global law.65
This rule introduced by TRIPS is already reflected in court decisions throughout the
world.66
The regional harmonisation of intellectual property laws by the supranational laws of
the EU is a special case. The law of trade marks is most advanced in this regard. The
Trade Mark Directive67 ‘approximates’ or harmonises the national trade mark laws of
the EU Member States, but rests on the territoriality principle. Only the EU Community
Trade Mark Regulation68 introduces a new EU wide trade mark right. If, however, the
community trade mark is declared invalid or revoked, the owner can request conversion
of his registration into national trade mark applications in other EU Member States in
which the mark is not tainted with invalidity or non-use.69 The Community Designs
Regulation70 has a unitary design protection similar to the unitary trade mark protection
under the Community Trade Mark Regulation. The recent development concerning the
unification of patent law in the EU,71 however, does not follow the direction of EU
62
For ascertaining whether a mark is well known, see Joint Recommendation concerning
Provisions on the Protection of Well–Known Marks 1999, art 2.
63
Paris Convention (n 10) art 6bis(1). Discussion by James E Danton, ‘The coming of age
of the global trademark: The effect of TRIPS on the well-known marks exception to the
principle of territoriality’ (2011) 20 Michigan State Int’l. L. Rev. 11, 17.
64
TRIPs Agreement (n 18) art 16(2) and (3).
65
Danton (n 63) 19–20; Graeme Dinwoodie, ‘Trademarks and territory: Detaching trade-
mark law from the nation state’ (2004) 41 Houston L. Rev., 885, 919.
66
See e.g. cases from South Africa, Russia, discussed by Danton (n 63) 20–25. The matter
is characteristically less clear in the US. The 2nd Circuit, in contrast to the 9th Circuit, did not
recognise the rule on well-known trademarks because it does not consider the TRIPS Agreement
as self-executing in US law. If the territoriality principle be overridden, Congress needs to
amend the Lanham Act (US Trade Marks Act) accordingly, ITC Ltd. v. Punchgini, Inc. 482 F.3d
135 (2d Cir. 2007), at 161–2. See discussion in Danton (n 63) 25–9.
67
Directive 2008/95/EC of the European Parliament and of the Council of 22 October 2008
(codified version).
68
Council Regulation (EC) no. 207/2009 of 26 February 2009 on the Community Trade
Mark (codified version).
69
Ibid. art 112.
70
Council Regulation (EC) No 6/2002 of 12 December 2001 on Community Designs.
71
On the history of the (attempted) unification of patent law in the EU, see Justine Pila,
‘The European patent: An old and vexing problem’ (2013) 62(4) I.C.L.Q. 917, 917.

/ Date: 24/3
trade mark law. The relevant Regulation72 rather retains the existing EPC and the
national laws as its basis (though ‘with unitary effect’)73 and is therefore not an
autonomous system that creates a genuine EU patent, unlike the EU community trade
mark. Under the Unitary Patent Regulation we encounter several layers of protection:
the Regulation, the EPC, national laws of the EU Members States and private
international law.74
Most problematic is the case of copyright law in the EU. European copyright law is
still firmly based on the principle of territoriality.75 A harmonisation of national
copyright laws does not remove the principle of territoriality as such but can weaken it
somewhat. However, European copyright law has only been harmonised in relation to
specific areas, including computer programs, term of protection, rental and lending,
data bases, artists’ resale right, rights of reproduction and communication. The core
copyright law is not harmonised, let alone unified,76 for example dealings with
copyright (assignments and licences),77 copyright contracts, and moral rights, and it is
questionable whether such a harmonisation that goes to the foundations of the various
copyright protection philosophies and legal traditions is politically feasible at all. Since
the lex loci protectionis holds sway, a work made available on the internet affects as
many copyright laws as there are countries in which the work can be accessed online.
Copyright licences have to be sought in each EU country according to each individual
country’s legal provisions.78 For this reason, the Online Music Recommendation of the
European Commission gives some alleviation for music put online.79 This (non-
binding) recommendation requires collective rights management societies to permit
copyright holders to withdraw their online rights and grant them instead to a collective
rights manager operating at EU level.80 Now a new EU Directive, to be implemented
by the Member States by 10 April 2016, lays down requirements for multi-territorial
72
Regulation (EU) No 1257/2012 of 17 December 2012 implementing enhanced
cooperation in the area of the creation of unitary patent protection, OJ L 361.
73
See especially EPC (n 51) art 5(3): ‘participating Member State whose national law is
applicable to the European patent with unitary effect as an object of property in accordance with
Article 7’; Art 7(1): ‘A European patent with unitary effect as an object of property shall be
treated in its entirety and in all the participating Member States as a national patent of the
participating Member State in which the patent has unitary effect …’ See also Recital 8.
74
Katharina Kaesling, ‘The European patent with unitary effect – a unitary patent
protection for a unitary market?’ (2013) 2(1) UCL J. of L. & Jurisp. 87, 92.
75
Bernt P. Hugenholtz, ‘Harmonisation or unification of European Union copyright law’,
(2012) 38 Monash U. L. Rev. 4, 8.
76
See ibid. 4–8 for a discussion of advantages and disadvantages of harmonisation.
77
See Rahmatian (n 58) 315–6, questioning whether harmonisation in this area is fruitful
and desirable.
78
Hugenholtz (n 75) 9.
79
Commission Recommendation 2005/737/EC of 18 May 2005 on Collective Cross–border
Management of Copyright and Related Rights for Legitimate Online Music Services [2005] OJ L
276/54.
80
Hugenholtz (n 75) 10–11.

10 / Date: 24/3
licensing by collective management organisations of authors’ rights in musical works

for online use within the internal market.81
The lack of a comprehensive Directive on substantive copyright seems to have
prompted the ECJ / CJEU in recent decisions82 to deduce from existing specialist
Directives a general EU-wide definition of originality for copyright purposes, effect-
ively also in order to overcome the territoriality principle. The consequences of this
case law for the national copyright laws (for example in the UK) are as yet unclear.83
However, since the EU is currently preoccupied with the handling of a financial and
currency crisis and looks likely so to do for some time to come, the question of a
comprehensive harmonised EU copyright in form of a regulation or directive is
presently perhaps a side issue.
But generally there is a discernible convergence between international intellectual
property rights protection and the necessarily international approach to intellectual
property rights in the context of the cyberspace.
(b) Some Points of Private International Law with Regard to Intellectual

Property Law
Just a few comments can be made here in relation to this area of the law, and only with
regard to EU Member States.84 We have touched upon the private international law rule
of the lex loci protectionis already because of the connection of the principle of
territoriality with private international law rules.85 The nature of the internet invariably
leads to multi-jurisdictional disputes.86 The jurisdiction of a court for litigation arising
from registration or invalidity of an intellectual property right (patent, trade mark,
design) in the EU is contained for most aspects in Article 22(4) of the Brussels I
Regulation,87 which provides that the court of the Member State in which registration is
sought has jurisdiction.88 Jurisdiction for litigation arising from infringement is
determined according to Article 2 of the Brussels I Regulation (jurisdiction of the
defendant’s domicile) which, however, does not specifically deal with infringement.89
There can be special jurisdiction because of a close connecting factor to the defendant
81
Directive 2014/26/EU of 26 February 2014 on collective management of copyright and
related rights and multi–territorial licensing of rights in musical works for online use in the
internal market, OJ L. 84/72, 20 March 2014, arts 1 and 43.
82
Starting with Infopaq International v. Danske Dagblades Forening [2009] ECDR 16
(Case C–5/08).
83
Andreas Rahmatian, ‘Originality in UK copyright law: The old “skill and labour”
doctrine under pressure’ (2013) 44 Int’l. Rev. of Intell. Prop. & Comp. L. 4, 4, and briefly below
under 3.
84
A treatise devoted to the private international law of intellectual property is Fawcett and
Torremans (n 5).
85
Dinwoodie (n 46) 725.
86
Julia Hörnle, ‘The jurisdictional challenge of the internet’ in Lilian Edwards and
Charlotte Waelde (eds.), Law and the Internet (3rd edn., Hart Publishing 2009) 122–3.
87
Brussels I Regulation on Jurisdiction and Enforcement of Judgments in Civil and
Commercial Matters (44/2001), OJ L 012, 16/01/2001.
88
Fawcett and Torremans (n 5) 10, 15.
89
Ibid. 143.

11 / Date: 24/3
other than his domicile.90 As to the applicable law, the intellectual property conventions
contain no specific choice of law rules, but only provisions which address part of the
matter, for example the national treatment rules of the Paris and Berne Conventions.91
Relevant connecting factors are: nationality, first publication (in case of copyright
works), headquarters and habitual residence, etc.92 The law of the protecting country is
applicable: lex loci protectionis.93 This applies to the acquisition, scope, transferability
and termination of patents, trade marks and copyright alike.94 The law applicable to a
claim arising from the infringement of an intellectual property right is the law of the
country for which protection is claimed.95
On the basis of these preliminary observations one can now discuss the substantive
law of the specific intellectual property rights which are relevant to the cyberspace.
5. CYBERSPACE AND INTELLECTUAL PROPERTY:

PROTECTION OF COMPUTER SOFTWARE BY COPYRIGHT
AND OTHER INTELLECTUAL PROPERTY RIGHTS
(a) Copyright Protection
As the technological carrier and much of the content of the cyberspace is computer
software, the principal intellectual property protection regime is that of copyright. This
is not self-evident as such. The technical nature of software would rather suggest
protection by patents, and patent protection is indeed available (beside copyright) in the
US,96 but not under the EPC.97 The thinking behind this decision was presumably that
usually a patent protection process (application, examination, registration) would be far
too slow and too costly to keep pace with the extreme speed of software development
– so software that would eventually obtain a patent would be long out of date. The
amendment to the EPC in 2000 preserved the exclusion of software from patent
protection. Since all members of the European Union and a few other countries have
acceded to this convention,98 this legal regime – software protection by copyright only,
90
Brussels I Regulation (n 87), arts 5 and 6. For the traditional rules on jurisdiction, in
countries where the EU Brussels I Regulation does not apply, see ibid. 259.
91
Ibid. 671. This complex issue cannot be discussed here.
92
Ibid. 672–3, 686–7.
93
Ibid. 676.
94
Fawcett and Torremans (n 5) 706, 727. The discussion is greatly simplified here.
95
Article 8(1) Rome II Regulation (Rome II Regulation governing non–contractual
obligations), Reg. (EC) 864/2007 [2007] OJ L 199/40. See also ibid. 804. Again, the discussion
is much simplified. On the infringement of foreign intellectual property rights outside the EU
framework, see Graeme W. Austin, ‘The infringement of foreign intellectual property rights’
(1997) 113 L.Q.R. 321, with case law from Australia and New Zealand.
96
US Patent Act 1952, § 101.
97
EPC (n 51) (2000 revision), art 52(2)(c).
98
Non–EU members of the EPC are, in the order of their accession date in brackets:
Switzerland (1977), Liechtenstein (1980), Monaco (1991), Turkey (2000), Iceland (2004),
Norway (2008), Macedonia (2009), San Marino (2009), Albania (2010), and Serbia (2010).

12 / Date: 24/3
not (also) by patents – has been implemented accordingly in the national laws in
Europe.99 The newly enacted EU Regulation that will introduce a unitary patent in the
EU100 has retained this position in this regard through its general reference to the
EPC.101 Hence in the following the discussion will concentrate on copyright. Copyright
arises automatically once the protection criteria are met, and attaches immediately to
software just produced. Although more appropriate for software than patents, copyright
is, however, not really suitable, but rather an artificial solution, as will be shown.
Therefore, right from the beginning of a discussion about the protection of software by
intellectual property rights, a sui generis protection for software had been suggested,
because it would have catered for software properly rather than squeezed software into
the protection regime of copyright which was not designed for it.102 However, these
suggestions have not been implemented.
Following the publication of the WIPO Model Provisions on the Protection of
Computer Programs in 1978,103 the consensus in the late 1980s was that copyright was
the most appropriate method for protection.104 The US introduced copyright protection
for software in the Computer Software Act 1980,105 which was followed by the EU
Directive on the legal protection of computer programs 1991 (Software Directive).106
This EU Directive postulates that computer programs be protected by copyright as
literary works, whereby the term ‘computer programs’ shall include preparatory design
material for computer programs.107 The implementation of this rule in the UK can be
found in section 3(1)(a) and (b) of the CDPA 1988.108 Technically, therefore, a
computer program is the same as a novel or a newspaper article for copyright purposes.
At international level, the TRIPS Agreement requires copyright protection of computer
programs (whether in source or object code)109 as literary works under the Berne
Convention.110 Substantially, the same rule is contained in the WIPO Copyright Treaty
1996.111
A sui generis protection does exist for databases under the Database Directive.112
Databases are defined as ‘a collection of independent works, data or other material
99
CDPA (n 7), s. 3(1)(b) and (c) for the UK.
100
Regulation (EU) No 1257/2012 of 17 December 2012 implementing enhanced
cooperation in the area of the creation of unitary patent protection, OJ L 361.
101
Ibid. art 7(1) and Recitals 5 and 8.
102
See especially the view in France in Michel Vivant and Jean-Michel Bruguière, Droit
d’auteur (2nd edn., Dalloz 2012) 256. For Germany, see e.g. Gerhard Schricker and Ulrich
Loewenheim (eds.), Urheberrecht. Kommentar (4th edn., C. H. Beck 2010) 1299–1300.
103
WIPO publication No. 814(E), 1978.
104
See e.g. Schricker and Loewenheim (n 102) 1304–5).
105
Pub. L. No. 96–517, 94 Stat. 3015, 3028 (1980).
106
Today Directive 2009/24/EC (codified version), originally 91/250/EEC.
107
Ibid. art 1(1).
108
CDPA (n 7) c. 48.
109
TRIPs Agreement (n 18) art 10(1).
110
The definition of literary (and artistic) works in the Berne Convention (n 15), the
principal international copyright convention (1971 text, with amendments 1979), can be found in
art 2(1).
111
WIPO Copyright Treaty (n 22) art 4.
112
Directive 96/9/EC (Database Directive), arts 1(2), 7.

13 / Date: 6/5
arranged in a systematic or methodical way and individually accessible by electronic or

other means’.113 This indicates that databases do not have to run on the basis of
computer programs, although nowadays that will typically be the case. Besides, the
Database Directive preserves separate copyright protection for databases if they, by
selection or arrangement, constitute ‘the author’s own intellectual creation’.114 Thus an
electronic database attracts database protection, and potentially also copyright protec-
tion, and the underlying computer software obtains separate copyright protection.
The protection criteria for copyright in general also apply to computer programs in
the same way. Here one theoretically has to distinguish between the copyright regimes
(UK, US, Canada, Australia, etc.) and the author’s rights systems (broadly, the
continental European countries, with the most important representatives France and
Germany).115 However, the Software Directive cuts through these differences by
imposing copyright protection (as a literary work) on all the different copyright/
author’s rights regimes which have to accommodate their protection system individu-
ally to integrate software. Academic scholarship from continental European author’s
rights countries, especially France, expresses dissatisfaction with this solution; usually
computer software is regarded, arguably correctly, as an alien element within the
traditional concepts of author’s rights regimes.116 But because of the equalising effect
of the Software Directive one can concentrate here on the copyright system of the UK;
furthermore, the problems which arise from the protection of software by the technique
of copyright are substantially the same for both protection philosophies.
In the UK, copyright subsists in a creation if it is a ‘work’, if it is ‘original’ (or, for
certain categories of work, ‘not copied’),117 and if it is ‘recorded’.118 This is the
principal position. The criterion ‘recording’ is fulfilled by any physical fixation, in this
context typically electronically or magnetically on a computer disc, tape, etc., but also
on paper (e.g. source code). The creation must fall into one of the eight groups of
works (including literary, dramatic and artistic works, sound recordings, films119) to
obtain protection. In this context only the category of ‘literary work’ is relevant because
of the corresponding statutory definition of software falling into this group. As with any
copyright work, the computer program must also be ‘original’ in the copyright sense.
The definition of originality for software is prescribed by the Software Directive as ‘the
author’s own intellectual creation’,120 incidentally the same originality definition as for
113
Ibid. art 1(2).
114
Ibid art 3(1). On this specific copyright–originality requirement, see also immediately
below.
115
A brief outline (in English) of the most salient distinguishing features of these two
different regimes in Rahmatian (n 32) 36–60.
116
Vivant and Bruguière (n 102) 256. For an opposite view in France, see Nicolas Binctin,
Droit de la Propriété Intellectuelle (Lextensio Éditions 2010) 60.
117
CDPA (n 7), s. 1(1)(a); ss. 5A(2) (sound recordings), 5B(4) (films), 6(6) (broadcasts),
8(2) (published editions).
118
Ibid. s. 3(2).
119
See ibid. ss. 3–8.
120
Directive 2009/24/EC (n 106) art 1(3).

14 / Date: 24/3
the copyright protection of databases.121 It differs from the classical UK copyright

definition of originality as one’s ‘own independent skill, labour, effort, and judgement’:
this means, in particular, that the work must not be a copy of someone else’s work, and
its maker must not take a short cut without undertaking the effort of the author of a
pre-existing work.122 It is not entirely clear wherein exactly the difference between the
originality definition of the Directive and of traditional UK copyright law lies.123
Furthermore, recent EU case law from the CJEU (ECJ) as of 2009,124 based mainly on
the Software and Database Directives, may suggest that the definition for originality for
computer programs and databases (‘author’s own intellectual creation’) will have to
apply to all types of works of copyright in the UK and will therefore modify the
classical ‘skill, labour and judgement’ definition of originality in UK copyright law.125
To qualify as an ‘author’s own intellectual creation’ according to the CJEU, the relevant
criteria shall be that the author must have, by way of choice, sequence and combination
of words, expressed his creative ability,126 or must have displayed, through the selection
and arrangement of the content, a creative ability,127 or must have made free and
creative choices at several stages in the production process of the work and so stamped
his work with a personal touch.128 The actual effect of these new CJEU cases on the
originality concept in the UK is uncertain. The present author maintains that in reality
the changes will be slight (and in particular they are not a move towards continental
European originality concepts),129 but others regard them as very substantial.130 In any
case, for computer programs the rule has always been in the UK, by virtue of the
Software Directive, that computer programs are protected by copyright if they are
121
Database Directive (n 112), art 3(1). This is the copyright protection of databases, not the
separate sui generis database protection.
122
According to classical UK case law, see e.g. University of London Press v. University
Tutorial Press [1916] 2 Ch 601. Thus two photographers who photograph the Tower Bridge
from almost the same angle both obtain copyright because the photograph (artistic work) in each
case is the result of each photographer’s independent skill, labour and judgment. If photographer
A copies the photograph from photographer B, he infringes B’s copyright.
123
Lionel Bently and Brad Sherman, Intellectual Property Law (3rd edn., OUP 2009) 93–4.
124
Especially Infopaq International v. Danske Dagblades Forening (n 82); Bezpečnostní
softwarová asociace v. Svaz softwarové ochrany v. Ministerstvo kultury [2011] FSR 18 (Case
C–393/09); Painer v. Standard Verlags GmbH, Axel Springer AG, Süddeutsche Zeitung GmbH,
Spiegel–Verlag Rudolf Augstein GmbH & Co. KG, Verlag M. DuMont Schauberg Expedition der
Kölnischen Zeitung GmbH & Co KG [2012] ECDR 6 (C–145/10); Football Dataco Ltd and
others v. Yahoo! UK Ltd and others, 1 March 2012 (Case C–604/10), [2012] ECDR 10.
125
This highly complex problem has been discussed at length in Rahmatian (n 83) 7–22 et
passim.
126
Infopaq International v. Danske Dagblades Forening (n 82) para. 45.
127
Football Dataco Ltd and others v. Yahoo! UK Ltd and others (n 124) paras 26, 28–9.
128
Painer v. Standard Verlags GmbH, Axel Springer AG, Süddeutsche Zeitung GmbH,
Spiegel–Verlag Rudolf Augstein GmbH & Co. KG, Verlag M. DuMont Schauberg Expedition der
Kölnischen Zeitung GmbH & Co KG (n 124) paras 90–95.
129
Rahmatian (n 83) 29–32.
130
Estelle Derclaye, ‘Case Comment: Infopaq International A/S v. Danske Dagblades
Forening (C-5/08): wonderful or worrisome? The impact of the ECJ ruling in Infopaq on UK
copyright law’ (2010) 32(5) Eur. Intell. Prop. Rev. 247; Eleonora Rosati, ‘Towards an EU-wide
Copyright? (Judicial) pride and (legislative) prejudice’, (2013) 1 Intell. Prop. Q. 47.

15 / Date: 24/3
original in the sense of being the author’s own intellectual creation (and recorded in
writing or otherwise131).
The ‘author’ is the maker of the computer program (‘the natural person or group of
natural persons who has created the program’132). Because the computer program is
technically a literary work, the general rules for the duration of copyright apply:
copyright expires 70 years after the end of the calendar year in which the author
died.133 Here we have already one of the strange effects of the legal definition of
computer programs as literary works: if the computer programmer is, say, 18 at the
time of creating the software and dies at the age of 90, the effective protection period
is about 140 years. This is bizarre for software, and, in addition, that calculation applies
to the original release, not to updates which qualify as new copyright works in almost
all cases. The calculation of the duration of copyright is independent from copyright
ownership. The author, by default the first owner of the copyright,134 may in the
meantime have assigned the copyright in the software. Or, typically, the employer
obtains copyright directly by operation of law as soon as his employee programmer
creates the software.135 But in all cases copyright starts running with the end of the year
of the death of the author, whether he is copyright owner or not.
The legal abstraction that equates computer software with a traditional written or
printed text, like a novel or poem, is artificial not only in relation to the duration of
protection. That will become apparent when one considers what the object of protection
in case of a computer program really is, and what could constitute an infringement of
copyright. The owner of the software copyright is entitled to acts restricted to the
copyright owner, including copying, issuing copies of the work to the public, renting
and lending, adaptation.136 Anyone who performs any of these acts in relation to the
whole or a substantial part of the work, without authorisation or permission of the
copyright owner (licence, either against payment or for free), infringes the owner’s
copyright; the liability for such primary infringement is strict.137 ‘Copying’ means
reproducing the work in any material form, including storing the work in any medium
by electronic means; transient copies and copies incidental to some other use of the
work (typical for software), are also included.138 An internet service provider (ISP) can
avoid liability for infringing material he caches or hosts if, upon obtaining actual
knowledge, he ‘expeditiously’ removes or disables access to the material in question.139
131
See CDPA (n 7) s. 3(2).
132
Directive 2009/24/EC (n 106) art 2(1): the author of the computer program can also be a
legal person if the legislation of the EU member state so permits.
133
CDPA (n 7) s. 12(2), implementing the EU Term Directive, 2006/116/EC art 1(1).
134
Ibid. s. 11(1).
135
According to the employee–copyright provisions of s. 11(2). The situation is normally
different in continental European author’s rights countries.
136
Ibid. ss. 16 et seq.
137
Ibid. s. 16(2) and (3): Liability for secondary infringement requires knowledge or having
reason to believe that the copy is an infringing one. Secondary infringement includes the import,
possession, dealing with an infringing copy, providing the means for making infringing copies,
etc.
138
Ibid. s. 17(2) and (6), see also Directive 2009/24/EC (n 106) art 4.
139
Directive 2000/31/EC on Electronic Commerce arts 13(1)(e), 14(1)(b).

16 / Date: 24/3
Generally, ISPs have no liability for the information transmitted if they do not initiate
the transmission, do not select the receiver of the transmission or do not select or
modify the information contained in the transmission; furthermore, they do not have a
general obligation to monitor the information transmitted.140 The problem with the
‘notify-and-take down’ approach is that ISPs too quickly act upon notices without
ascertaining whether the claims have any substance.141
The problems arise with non-literal copying of software – literal copying, such as
downloading, etc. is obviously copyright infringement. In case of traditional literary
works, non-literal copying means that a qualitatively, not only quantitatively, substan-
tial part of the pre-existing work has been used. So, for example, a historical novel
using historic events or legends cannot monopolise these; a new novelist can write
about them, but by rendering that material in different modes of expression, such as
different wording and language, different scenic events, different selection and arrange-
ment of the material used and so forth.142 This is an application of the idea-expression
dichotomy in copyright law: ideas are not protected by copyright, while expressions
are.143 ‘Ideas’ in this context are concepts, historical facts, plots of a story, techniques,
harmonic standard progressions in music – generally procedures, systems, principles,
intellectual building blocks for the creation of a work. Hence one is free to write a
historical novel about Henry VIII, using known historical facts (idea), but one cannot
take over the wording and sequence of scenes of a pre-existing historical novel about
Henry VIII (expression). When a new work enters the realm of expression of a
pre-existing work (and infringes copyright) or when it remains in the free realm of
ideas, is ultimately a normative question decided by the courts considering the specific
case.
The curious situation copyright creates is that the idea–expression dichotomy
principle shall apply to computer programs in the same way, something IT practitioners
and programmers often find contrived and puzzling. This application of the idea–
expression dichotomy is the result of software having the same status in copyright as
traditional literary works, and it is even prescribed expressly by the Software Directive
itself.144 Since then the courts have struggled to accommodate this rule.145 Following
140
Ibid. arts 12(1), 15.
141
Lilian Edwards, ‘The fall and rise of intermediary liability online’ in Edwards and
Waelde (n 2) 75.
142
Ravenscroft v. Herbert [1980] RPC 193; Baigent v. Random House Group Ltd. [2006]
EMLR 16 (High Court), [2007] FSR 24 (CA) (the latter case involved Dan Brown’s novel ‘Da
Vinci Code’).
143
This principal rule applies in copyright and author’s rights jurisdictions alike, see
Rahmatian (n 32) 125–6, although statutory expression of this rule for copyright in general is
only given in the US Copyright Act 1976, 17 USC § 102(b) and the TRIPs Agreement (n 18) art
9(2).
144
Directive 2009/24/EC (n 106) art 1(2): ‘Ideas and principles which underlie any element
of a computer program, including those which underlie its interfaces, are not protected by
copyright under this Directive.’
145
Sometimes the application of the idea–expression dichotomy to computer programs is
referred to as the ‘look–and–feel’ protection of computer programs, see Arne Kolb, ‘Protection
of Computer Software’ in Edwards and Waelde (n 2) 342.

17 / Date: 24/3
US case law,146 one UK decision used an ‘abstraction-filtration-comparison’ test,147 but

that approach was rejected in another decision.148 This test was then entirely disre-
garded in later cases, where the courts tried to return to analogies between computer
programs and traditional literary works with regard to the concepts of ‘idea/expression’
and ‘substantial part’.149 The High Court in Navitaire ruled that neither individual
command names nor collections of complex commands are literary works and cannot
qualify for copyright protection; in addition, a collection of commands is to be
regarded as a computer language, not as a computer program and should therefore not
be entitled to copyright.150 The High Court in SAS Institute v. World Programming Ltd.
revisited the case law in this area and confirmed that computer programs are protected
by copyright as any other literary works, so that the idea-expression dichotomy applies
to computer programs as well,151 but it also stresses that ‘it does not necessarily follow
that particular doctrines which were established in relation to other types of literary
works can be applied to computer programs, or applied in the same way’.152 SAS
Institute followed Navitaire in that the distinction between a computer program and
computer language is correct, that the distinction is consistent with the distinction
between expressions and ideas, procedures, methods of operation and mathematical
formulae, and that therefore computer language should not be protected by copy-
right.153 For an exact interpretation of the idea-expression definition in the Software
Directive154 the court referred the matter to the CJEU for a preliminary ruling under
article 267 Treaty of the Functioning of the European Union (TFEU). The CJEU
decided that neither the functionality of a computer program nor the programming
language constitute a form of expression of that program, and, as such, are not
protected by copyright in computer programs.155 A more detailed discussion of this
complex area can be found in specialist works on computer law.
For the purpose of examining the matter of possible cyber-attacks and the response
of international law, it can be said that one can ‘use’ a pre-existing computer program
146
Computer Associates Inc. v. Altai Inc. 982 F. 2d 693 (1992), 20 U.S.P.Q. 2d 1641 (1992).
The next few lines follow Rahmatian (n 32) 136–7, which contains slightly more discussion.
147
John Richardson Computers Ltd v. Flanders [1992] FSR 497: Abstraction: discovering
non-literal elements through a kind of reverse engineering; filtration: separation of protectable
expression from non-protectable material; comparison: ascertainment of whether the defendant
has copied a substantial part of the protected expression.
148
Ibcos Computers v. Barclays Mercantile [1994] FSR 275.
149
Cantor Fitzgerald International v. Tradition (UK) Ltd. [2000] RPC 95, at 134–5;
Navitaire Inc. v. EasyJet Airline Co, Bulletproof Technologies Inc, [2004] EWHC 1725 (Ch),
[2006] RPC 111, paras 118–126; Nova Productions Ltd. v. Mazooma Games Ltd. [2007] EWCA
Civ. 219, paras 35–36, 41.
150
Navitaire Inc. v. Easyjet Airline Co, Bulletproof Technologies Inc, [2004] EWHC 1725
(Ch), [2005] ECDR 17, [2006] RPC 111, paras 79, 81, 83, 92.
151
SAS Institute v. World Programming Ltd. [2010] EWHC 1829 (Ch), at paras 206–207,
217.
152
Ibid. para. 198.
153
Ibid. para. 217.
154
Directive 2009/24/EC (n 106) art 1(2).
155
CJEU in SAS Institute v. World Programming Ltd. (Case C–406/10), [2012] RPC 31,
[2012] ECDR 22, paras 39–40, 71.

18 / Date: 24/3
to the extent to which one can make one’s own program appear to be relying only on
the underlying ideas of a pre-existing program. That can in some cases nevertheless
inflict considerable commercial damage on the owner of the computer program. Since
national intellectual property laws, albeit harmonised at European level in some
measure, struggle in each jurisdiction with intricate details when ascertaining the extent
of protection afforded, it is practically impossible that international law would be able
to intervene more efficiently and clarify or, where desired, strengthen the position of
copyright owners in such cases.
Finally, it needs to be noted that a user can do any of the acts restricted to the
copyright owner without the owner’s permission if he can avail himself of a defence,
that is, his act falls into one of the permitted acts provided by copyright statute. There
are specific permitted acts with regard to computer programs. It is not an infringement
to make a backup copy necessary for lawful use,156 or to decompile the program (that
is, the conversion of the program from a low-level language to a high-level one which
involves incidental copying of the program) for the sole purpose of obtaining the
information necessary to enable the creation of another program interoperable with the
original one.157 Furthermore, the observation, study or testing of the program while
loading, displaying, running, etc. the program,158 and copying and adaptation as
necessary for lawful use159 are not infringements. These specific defences concerning
the use of computer programs reflect the provisions in the EU Software Directive.160
The Information Society Directive, following equivalent US legislation,161 introduced
a protection against the circumvention of technological measures which limit or prevent
acts restricted to the copyright owner.162 Thus circumventing an electronic copy
protection has in itself been made unlawful, irrespective of the underlying work which
may or may not be in copyright. This can conflict with the legitimate exercise of
permitted acts, such as fair dealing of the underlying work (e.g. a novel in electronic
format, a computer program) for research and private study163 or for criticism and
review,164 or the defence of making a back-up copy.165 Where the technological
measure does not allow the legitimate exercise of a permitted act in relation to the
underlying work, the user is entitled in the UK to issue a notice of complaint to the
156
CDPA (n 7) s. 50A.
157
Ibid. s. 50B.
158
Ibid. s. 50BA. The acts are permitted under this defence on condition that the person does
not infringe the exclusive rights of the owner of the copyright in the program, see SAS Institute
v. World Programming Ltd., CJEU (Case C–406/10), [2012] RPC 31, [2012] ECDR 22, paras 56,
71, with reference to the equivalent provision in the Directive 2009/24/EC (n 106) art 5(3).
159
Ibid. s. 50C. The defence in s. 50C can be contractually excluded.
160
Directive 2009/24/EC (n 106) arts 5 and 6.
161
Digital Millennium Copyright Act 1998 (DCMA), Pub. L. No. 105–304, 112 Stat. 2860
(Oct. 28, 1998).
162
Directive 2001/29/EC, art 6, implemented in the UK in CDPA (n 7) ss. 296, 296ZA et
seq.
163
CDPA (n 7) s. 29.
164
Ibid. s. 30.
165
Ibid. s. 50A.

19 / Date: 24/3
relevant Secretary of State.166 The reader may guess how practical this rule is. In any
case, if the underlying work is a computer program, this rule does not apply.167
(b) Protection of Computer-related Inventions by Patent Law
While in Europe, computer programs are only protected by copyright, computer-

implemented inventions can enjoy patent protection provided they fulfil the usual
requirements of patentability. The EPC 1973 excludes computer programs from
patentability as such,168 but patents are available in relation to the computer programs
which produce a new technical effect that goes beyond the normal physical interactions
between a program and a computer.169 The principal case here is the European Patent
Office decision of Vicom / Computer-related Invention170 which concerned a method
for image processing. An invention which would be patentable under the normal
criteria (novelty, inventive step, industrial application) is not excluded from protection
only because a computer program is used for its implementation.171 If a mathematical
method is used in a technical process, and that process is carried out by some technical
means implementing the method and provides as its result a certain change in that
entity, that technical means can also include a computer program. A patent claim
directed to a technical process carried out under the control of a program (hardware or
software) does not relate to the computer program as such, and is therefore not
excluded from patentability.172 The UK courts follow the view of the European Patent
Office.173
6. TRADE MARKS AND DOMAIN NAMES

The cyberspace does not constitute a substantive change to ordinary trade mark
infringement. It may be easier to infringe trade marks on the internet, but the actual
infringement is not a qualitatively different phenomenon as such. However, there is one
important exception: the conflict between trademarks and domain names which is
characteristic of the cyberspace. Trademarks174 are signs capable of being represented
graphically and capable of distinguishing goods or services of one undertaking from
166
Ibid. s. 296ZE (1) and (2).
167
Ibid. s. 296ZE (2).
168
EPC (n 51) (revised in 2000), art 52(2)(c) and (3). Implemented in the UK by Patents Act
1977, s. 1(2)(c) and proviso.
169
IBM / Computer Program Product [1999] TI173/97, European Patent Office, Technical
Board of Appeal.
170
[1986] T208/84, European Patent Office, Technical Board of Appeal.
171
Ibid. para. 16.
172
Ibid. para. 5.
173
Discussion of UK cases in this area, see e.g. Kolb (n 145) 351–8.
174
Trade marks can be registered or unregistered. The former are protected according the
infringement provisions of the trade mark statutes (in the UK, TMA 1994, s. 10), the latter are
protected (in Common Law countries) by passing off.

20 / Date: 24/3
those of other undertakings.175 Domain names are a different and more user-friendly
expression of internet protocol addresses (unique numbers that identify each computer
linked to the internet) which indicate the location of a given website.176 The question of
infringement arises if a domain name is confusingly similar or identical to a trade
mark. Very often this is even intended by the registrant of the domain name: he
registers (in bad faith) a domain name that is identical to a known trademark or trade
name of a company and then offers that company the domain name against payment of
a large sum of money – ‘cybersquatting’.177 In the UK the principal decision in this
regard is BT (and others) v. One in A Million: where there is clear evidence of
systematic registration by the appellants of well-known trade names for blocking
registrations and for extracting money from the owners of the goodwill in the chosen
name that is a threat to exploit the goodwill by trading under that name. The registering
of a distinctive name makes a representation to persons who consult the register that the
registrant is connected or associated with the name registered and thus the owner of the
goodwill in the name. This amounts to passing off, and also to trade mark infringe-
ment.178
Usually conflicts between trademarks and domain names are resolved according to
the Uniform Domain Name Dispute Resolution Policy (UDRP) which operates
worldwide. The registrant submits to this process on registration of his domain name.
Where the registrant’s domain name is identical or confusingly similar to the
complainant’s trade mark, and the registrant has no legitimate interests in the domain
name, and the domain name has been registered and is being used in bad faith, UDRP
will cancel, transfer or change the domain name.179 Although the law on infringement
is clear, it is also obvious that in fact cybersquatting opens up a large field of potential
cyber war activities.
175
For Europe, see Directive 2008/95/ EC (Trade Mark Directive), art 2. In the UK TMA
1994, s. 1, implementing this Directive.
176
See e.g. Caroline Wilson, ‘Domain names and trade marks: An uncomfortable inter-
relationship’ in Edwards and Waelde (n 2) 313.
177
Common is also ‘typosquatting’: the registration of a misspelt version of an existing
domain name or an existing trade mark (whether registered or not). The recent rise of websites
in languages written in the Cyrillic script has increased the opportunities for cybersquatters, as
the internet has been conceived on the basis of the Latin script, see Oleksandr Pastukhov,
‘Internationalised domain names: The window of opportunity for cybersquatters’, (2006) 4
Intell. Prop. Q. 421.
178
BT (and others) v. One in A Million and others [1999] 1 WLR 903, at 924–926, CA.
Discussion of other cases on cyberpiracy in the US and the UK, see Anan S Younes,
‘Trademarks and domain names: Exploring the inadequacy of existing protection for the
economic value of trade marks’ (2012) 34(12) Eur. Intell. Prop. Rev. 847, 849–50.
179
UDRP policy as approved by ICANN (Internet Corporation for Assigned Names and
Numbers), <http://www.icann.org/en/help/dndr/udrp/policy> accessed 7 February 2014, paras 3,
4(a) and (i).

21 / Date: 24/3
7. CONCLUSION
The real problem the cyberspace creates for intellectual property right holders is the
enforcement of their rights. The cyberspace necessarily operates worldwide, while
intellectual property rights are still territorial in nature, although intellectual property
protection has been standardised by international conventions, especially the TRIPs
Agreement. This standardisation has also loosened the territoriality principle which
governs intellectual property rights. An international regulation of the cyberspace
would have to address the problem of the territoriality of intellectual property rights.
Any attempt at the international regulation of the cyberspace and its interaction with
intellectual property rights would face the same legal and political problems as the
negotiation of any other international convention, and, perhaps, the establishment of an
international organisation for the monitoring and policing of such a convention. But in
such a context one could seek to regulate questions of cyber attacks and cyber war
through international law.

22 / Date: 6/5
5. Cyberspace and human rights

David P. Fidler
1. INTRODUCTION
As policy areas, cyberspace and human rights have become so intertwined that
understanding one requires sustained attention to the other. This observation holds even
though human rights are not dependent on any technology, and the technologies
producing cyberspace have no ‘hard wired’ ideology. This chapter analyses the
relationship between cyberspace and human rights – an interconnection forged during a
unique historical moment that exhibits increasing controversy as world politics experi-
ences shifting power and ideas. The relationship has evolved, from early visions of
cyberspace as an unprecedented realm for human rights to today’s struggles to protect
rights in a cyberspace shaped by divergent interests colliding in a multipolar world
increasingly dependent on cyber technologies.
The chapter argues that the Internet – the technical infrastructure that facilitates
cyberspace – is the most consequential communications technology to emerge during
the human rights era (Part 2). The Internet’s importance to human rights is as much a
function of chronology as technology. This largely American innovation became a
global phenomenon in the post-Cold War world dominated by US power, interests and
ideology, including US perspectives on democracy and human rights.
The human rights consequences of the Internet’s emergence are apparent in two
contexts. First, cyberspace challenges general principles of international law important
for human rights, including sovereignty, non-intervention and jurisdiction (Part 3).
Second, cyberspace emerges in the human rights regime – the international law,
institutions and processes associated with protecting human rights (Part 4). The human
rights ‘footprint’ of cyberspace is so large that experts debate whether Internet access
is, or should be, a new human right.
The cyberspace-human rights relationship extends beyond the human rights regime
because activities in other policy areas create human rights issues. This chapter
considers three such areas – Internet governance, cybersecurity and trade and com-
merce in cyber technologies and services – in order to identify how such issues arise
across different areas of international politics (Part 5). In these areas, controversies
emerged but have not been resolved, raising questions about the effectiveness of human
rights law in cyberspace.
The chapter concludes by assessing the trajectory of the cyberspace-human rights
relationship since it emerged in the late 1990s and speculating about its future. An
important trend is that human rights controversies have multiplied as Internet access
and use have increased. Recent developments, especially Edward Snowden’s revela-
tions, have also altered this relationship, especially aspects connected with US policy,
interests and reputation in cyberspace. Rather than being an exceptional technological
94
/ Date: 24/3
Cyberspace and human rights 95
phenomenon in human rights terms, cyberspace increasingly appears subject to the

harsh international politics that adversely affected human rights in the past. This
trajectory means the transformative human rights potential once associated with
cyberspace will be difficult to recover, creating obstacles for reconstituting the
cyberspace-human rights relationship on a new foundation.
2. INTERNET TECHNOLOGY, CYBERSPACE AND HUMAN

RIGHTS
(a) Internet Technology and International Politics
In theory, human rights function independent of any technology. In practice, tech-

nologies affect whether and how individuals enjoy human rights. For example, under
the principle of progressive realization, a State’s obligations concerning economic,
social and cultural rights expand as a country develops economically – a process
technology often drives. Technological innovations have also increased outlets for the
exercise of civil and political rights, such as the freedoms of expression and associ-
ation.
In the evolution of communication technologies, telegraphy, telephony and radio
came into use before the movement to protect human rights after World War II. The
period associated with the emergence of human rights witnessed the development of
other technologies, including television, satellites and the Internet. Of these, the
Internet is the most consequential for human rights. As important as they have been,
telegraph, telephone and television technologies – even enhanced by satellites – never
generated a concept of ‘telespace’ as the Internet produced ‘cyberspace’ – an idea with
human rights significance.
The reasons for this difference are technological and political. Although the
telegraph, telephone and television expanded cross-border communication, these tech-
nologies remained geographically anchored in ways that precluded conceptualizing
their use as creating a different realm of human interaction.1 Politically, radio and
tele-technologies emerged into international systems characterized by great power
competition, whether in multi-polar or bi-polar configuration. This competition
informed and constricted how these technologies functioned politically and legally
within and among countries, which reinforced the geographical anchoring.
The Internet’s emergence involves a different story.2 The technologies making up the
Internet create a different communication platform based on networks of interconnected
computers sharing digital information through ‘packet switching’. Rather than moving
across a closed circuit (as a traditional telephone call did), data is broken into digital
1
Wolfgang Kleinwächter, ‘The history of internet governance’ in Christian Möller and
Arnaud Amouroux (eds.), Governing the Internet: Freedom and Regulation in the OSCE (OSCE
2007).
2
Barry Leiner et al., ‘Brief history of the internet’ (15 October 2012) Internet Society
<http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet#LK
61> accessed 1 March 2014.

/ Date: 24/3
packets, transmitted over different routes in the networks, and reassembled at the
destination. With standardized communication protocols, this approach is robust,
achieves scale geographically and in numbers of users and supports many applications,
such as email.3 The development of the World Wide Web improved Internet accessibil-
ity and expanded its use.4
One way to sense how the Internet differs is to appreciate how it supports
communication previously undertaken through earlier technologies. People now listen
to the radio, watch television programs and make person-to-person video and voice
calls over the Internet. It is the most multi-functional communication technology ever
invented. In addition, the nature, interoperability and scalability of the component
technologies mean the Internet can link millions of people around the world, an
accessibility and connectivity no previous technology achieved. The Internet is a
technology of versatile capabilities and mass participation.
Although it has Cold War origins, the Internet did not emerge as a national and
global phenomenon until the 1990s, the first decade of the post-Cold War world.
Geopolitically, the dominance of US power, interests and ideas and the absence of great
power competition characterized this period. The international environment in which
the Internet came of age was, thus, unlike the political contexts that affected previous
communication innovations. In addition, because it was an American invention, US
political dominance facilitated the Internet’s rise to global prominence. The Internet
had space in the post-Cold War period to take root politically and expand globally, and
the Internet’s technologies did not create technical barriers to exploiting that space.
The end of the Cold War also opened room for other aspects of international
relations, including human rights. The Soviet Union’s collapse freed human rights
efforts from the ideological, zero-sum game the bipolar system often made human
rights politics. The Vienna Conference on Human Rights in 1993 – the first major
human rights meeting to convene after the Cold War ended – recognized ‘the major
changes taking place on the international scene’ and reflected the new energy the Cold
War’s end brought to human rights.5
(b) Cyberspace’s Connection with Human Rights
These technological and political developments converged to shape thinking about

‘cyberspace’ – a new realm of communication and connectivity. Perspectives on
cyberspace proliferated, indicating how fertile the context was for contemplating the
implications of this new innovation. One early, iconic view came from John Perry
Barlow’s Declaration of the Independence of Cyberspace in 1996.6 Barlow envisioned
3
David G. Post, In Search of Jefferson’s Moose: Notes on the State of Cyberspace (OUP
2009).
4
‘History of the Web’ (World Wide Web Foundation) <http://www.webfoundation.org/
vision/history-of-the-web/> accessed 1 March 2014.
5
World Conference on Human Rights, Vienna Declaration and Programme of Action, 25
June 1993.
6
John P. Barlow, ‘A declaration of the independence of cyberspace,’ (8 February 1996)
Electronic Frontier Foundation <https://projects.eff.org/~barlow/Declaration-Final.html> accessed
22 August 2014.

/ Date: 24/3
cyberspace as a virtual world operating without government interference through a

social contract that individuals would craft and implement. Others saw cyberspace in
more traditional ideological terms, especially as a new capability for promoting liberal
political objectives – economic interdependence among countries, democracy within
countries and the individual’s enjoyment of civil and political rights.
These perspectives envisioned cyberspace as a different realm for human interaction
associated with protection of human rights. The expansive capabilities of Internet
technologies, the political space the end of the Cold War and US dominance produced,
and re-energized interest in human rights converged in ways that embedded human
rights in thinking about cyberspace. To borrow from Waltz’s levels of analysis in
international relations theory,7 this convergence framed cyberspace in ‘first image’ (the
individual) and ‘second image’ (the State) terms because it focused attention on: (1) the
individual’s empowered and expanded communication opportunities; and (2) whether
governments are democratic and protect human rights and, if not, how to use
cyberspace to challenge such governments.
These perceptions worried authoritarian States, which began to emphasize the
principles of sovereignty and non-intervention and express opposition to US power in
cyberspace. This pushback appeared in forums discussing Internet governance and the
implications of military cyber weapons. In the early 2000s, China argued that Internet
governance should be more intergovernmental and subject to international law negoti-
ated among States.8 At this time, Internet governance consisted of multi-stakeholder
processes the US backed, which produced non-legal outcomes not negotiated by
governments as equals under international law. Authoritarian governments had prob-
lems with this model of Internet governance because it looked like a US power play
that threatened the principles of sovereignty and non-intervention.
Similarly, Russia drew attention to the military potential the Internet created and
proposed measures to address a potential ‘cyber arms race’.9 Although framed
neutrally, these initiatives targeted the perceived US advantage in military cyber power.
The US did not want to cooperate with these efforts to change the narrative about the
Internet and cyberspace, which cast suspicions on US cyber interests, behaviour and
power.
The emphasis on sovereignty, non-intervention and the dangers of US cyber power
attempted to shift thinking about cyberspace towards ‘third image’ (international
system) considerations and away from individual empowerment, human rights and
democracy. This perspective subjected cyberspace to a traditional understanding of
international order, and was at odds with visions of cyberspace that linked the agency
of individuals with progress on human rights and the spread of democratic governance.
This pushback turned the Internet governance controversy into a clash between
‘Internet freedom’ and ‘Internet sovereignty’ perspectives over the place of human
rights in cyberspace (see Part 5).
7
Kenneth N. Waltz, Man, the State and War: A Theoretical Analysis (Columbia UP 1959).
8
Kleinwächter (n 1) 41.
9
Tom Gjelten, ‘Shadow Wars: Debating cyber “disarmament”’ (2010) World Affairs
<http://www.worldaffairsjournal.org/article/shadow-wars-debating-cyber-disarmament> accessed
1 March 2014.

/ Date: 24/3
3. CYBERSPACE, HUMAN RIGHTS AND GENERAL PRINCIPLES

OF INTERNATIONAL LAW
(a) Challenges to General Principles of International Law
The emergence of human rights challenged general principles of international law

developed before such rights appeared in international relations, including principles on
sovereignty, non-intervention, jurisdiction and State responsibility. By according rights
to individuals, international law created friction with the principles of sovereignty and
non-intervention: whether a State can impose human rights obligations on persons and
activities outside its territory stimulated disagreements. The relationship of human
rights to non-State actors, such as corporations, generated controversies with respect to
State responsibility to protect such rights from third parties and the application of such
obligations against corporations.
The emergence of cyberspace has challenged the same principles, and, in a sign of
the cyberspace-human rights linkage, cyberspace controversies concerning these prin-
ciples often involve human rights.10 The ‘Internet sovereignty’ perspective on Internet
governance emphasizes the principles of sovereignty and non-intervention against
cyber-facilitated efforts to support civil and political rights and catalyse domestic
political change. Arguments about how States exercise jurisdiction over activities in
cyberspace famously arose in a case involving different conceptions of freedom of
expression.11 The difficulties involved with attributing cyber actions to specific actors –
as required under principles of State responsibility – raise concerns that governments
can exploit this problem and violate human rights (e.g., conducting surveillance against
political opponents). The need for protection of rights, such as privacy, against
cyber-based companies has been debated. Whether Internet service providers (ISPs)
and cyber technology companies have human rights obligations has stirred controver-
sies, echoing debates about the human rights duties of corporations.
(b) Between Universalism and Anarchy
Behind these challenges to general principles of international law is convergence of a

conceptual universalism in human rights thinking, and a technical universalism made
possible by Internet technologies. The idea of universal human rights predates
cyberspace and has been at the heart of the long-standing ‘human rights v sovereignty’
problem. However, in ways previous technologies did not achieve, the Internet makes
communications ‘borderless’ and produces the idea that cyberspace is a new realm of
human interaction. By contrast, general principles of international law reflect ideas
grounded in management of structural anarchy – the fragmentation of territorial control
and political authority in the international system. Put another way, neither human
rights (as a set of ideas) nor cyberspace (reflecting technological capabilities) is
Westphalian on its own, and certainly not when combined. In addition, when human
10
On legal status of cyberspace see Tsagourias (Ch 1 of this book).
11
Post (n 3) 164 (discussing French case against Yahoo! concerning Nazi memorabilia on an
auction website).

/ Date: 24/3
rights and cyberspace link, spill over occurs that heightens the pressure the combination
creates for Westphalian principles. Cyberspace begins to take on political significance
related to human rights the underlying technologies do not intrinsically have. Likewise,
human rights take on a technological imperative perhaps unprecedented for this field, a
development captured in the debate whether Internet access is a distinct human right
(see Part 4).
The existence of these challenges to general principles of international law does not
mean the challenges overwhelm the principles. The human rights movement still
confronts friction from appeals to sovereignty and non-intervention. For example, the
effort to re-calibrate human rights demands and sovereignty claims through the
principle of the responsibility to protect has proved controversial. In terms of
cyberspace, this chapter explores below how authoritarian States are increasing Internet
access while strengthening their control and manipulation of cyberspace, which
suggests cyberspace – even informed by human rights – has not killed sovereignty.
Understanding how the cyberspace-human rights relationship affects international law
also requires analysing specific areas of the law, a task the chapter addresses next.
4. CYBERSPACE AND THE HUMAN RIGHTS REGIME

In international relations, ‘human rights’ is more than an idea. It constitutes a regime –
a set of problems, players, principles and processes that shape human rights politically
and legally. This regime developed before the Internet and cyberspace emerged. As a
result, this regime informs how cyberspace relates to rights found in international law
(Sections 4(a)–4(b)). This analysis reveals that cyberspace has become important for
protecting human rights and a focus of actors, institutions, processes and procedures.
The manner in which the human rights regime applies to cyberspace informs the debate
whether Internet access constitutes, or should constitute, a new human right (Section
4(c)).
(a) Civil and Political Rights
International law recognizes civil and political rights directly connected with commu-
nications – the rights to freedom of expression and privacy. These rights protect private
and public communications from government interference, and these protections
facilitate enjoyment of other civil and political rights, including the rights to: freedom
of opinion; freedom of thought, conscience and religion; freedom of association; and
taking part in public affairs. Freedom of expression and privacy also facilitate
enjoyment of economic, social and cultural rights, including the rights to education and
taking part in cultural life.
As an accessible, multi-functional communication platform, the Internet provides
people with opportunities to share and receive information and associate with others.
Increasing use of Internet-based communication makes the right to privacy a central
cyberspace issue. Growing personal and social dependence on online communication
heightens the importance of civil and political rights in cyberspace. The emphasis the

/ Date: 24/3
‘Internet freedom’ approach to Internet governance gives to civil and political rights
demonstrates the extent to which these rights affect political discourse about cyber-
space.
(i) Right to freedom of expression

However, simply equating civil and political rights with the concept of ‘Internet
freedom’ would produce misunderstandings. Even before cyberspace emerged, uni-
formity on civil and political rights relevant to communication did not exist, even
among democracies. Experts on freedom of expression identified differences between
the US, with its sweeping protections of free speech, and many European democracies,
which banned expressions (e.g., Holocaust denial) the US tolerated.12 Treaties protect-
ing freedom of expression, such as the International Covenant on Civil and Political
Rights (ICCPR)13 and the European Convention on Human Rights (ECHR),14 recog-
nize that States parties can restrict enjoyment of this right for a number of reasons,
including protecting the reputations of others, national security, public order, public
health and morals.
Variance on the scope of freedom of expression, combined with more online
communication, has produced concerns about censorship in cyberspace. Nunziato
argued that:
It is an unfortunate truth that today, many countries censor Internet content – dictatorships
and democracies alike – and the number of countries doing so is growing every year. This set
of censorial regimes includes the obvious – repressive regimes like China, North Korea, and
others … but also those countries we might least expect, including liberal democracies like
the U.K., other western democracies, Asian democracies like South Korea, as well as Canada
and Australia.15
Identifying Internet censorship in democracies and authoritarian States does not mean
that both kinds of States restrict freedom of expression equally or in the same ways.
The point is that rules on freedom of expression operate in more complicated ways than
the ‘freedom v sovereignty’ dichotomy captures. National differences on freedom of
expression demonstrate that international law accords some deference to sovereignty –
what the European Court of Human Rights (ECtHR) calls the ‘margin of appreciation’
in protecting freedom of expression and other civil and political rights. The explosion
of online communications has not produced harmonization on the scope of freedom of
expression. In fact, the way the Internet makes all forms of information more accessible
can heighten State interests in restricting the right to send or receive certain kinds of
information. National differences on the freedom of expression also highlight how this
12
See articles in ‘Symposium: An ocean apart? Freedom of expression in Europe and the
United States’ (2009) Indiana L. J. 803.
13
International Covenant on Civil and Political Rights, 16 December 1966, 999 UNTS 171
[ICCPR] art 19.
14
European Convention on Human Rights and Fundamental Freedoms, 4 November 1950,
213 UNTS 221 art 10.
15
Dawn C. Nunziato, ‘How (not) to censor: Procedural First Amendment values and internet
censorship’ (2011) Georgetown J. Int’l. L. 1124, 1126.

/ Date: 24/3
right connects with the principles of sovereignty, non-intervention and territorial

jurisdiction.
The complexity of international law reveals not only diversity in how States regulate
speech but also the importance of procedural protections when governments restrict
expression. For example, the ICCPR permits restrictions that ‘are provided by law and
are necessary’.16 According to the Special Rapporteur on the Right to Freedom of
Opinion and Expression, these requirements mean that restrictions must be:
+ Based on laws that are transparent, accessible and predictable;

+ Relate to a legitimate purpose that justifies restricting expression;
+ Shown by the government to be necessary and the least restrictive means
available to achieve the purpose identified;
+ Applied by an independent body free of political, commercial or other influences;
+ Applied in a non-discriminatory and non-arbitrary manner; and
+ Supported by safeguards against abuse, including the ability to challenge restric-
tions and remedy abuses.17
Application of procedural requirements by human rights bodies reflects less tolerance

for variation in State behaviour, in contrast to deference shown on the legitimacy of
reasons for restricting freedom of expression. The jurisprudence of the ECtHR
demonstrates the seriousness with which it applies these requirements. In Yildirim v.
Turkey, the Turkish Government prosecuted the owner of a Google-based website
accused of insulting the memory of Kemal Ataturk.18 A Turkish court blocked access to
Google websites as part of this case. The ECtHR did not strike down the order because
insulting the memory of Ataturk was an illegitimate basis for restricting freedom of
expression, but because the order blocked access to websites having nothing to do with
Ataturk, meaning the order had a disproportionate impact on the right to receive
information. The migration of communication to the Internet, and divergent interests
States have on substantive protections for speech, make the procedural requirements
important for freedom of expression in cyberspace.
The complexity of the human rights regime on freedom of expression is not,
however, the problem with countries that engage in widespread Internet censorship with
few, if any, procedural protections. In 2011, the Special Rapporteur on the Right to
Freedom of Opinion and Expression asserted that:
[I]n many instances, States restrict, control, manipulate and censor context disseminated via
the Internet, without any legal basis, or on the basis of broad and ambiguous laws, without
justifying the purpose of such actions, and / or in a manner that is clearly unnecessary and /
or disproportionate to achieving the intended aim … Such actions are clearly incompatible
16
ICCPR (n 13) art 19.3.
17
Human Rights Council, Report of the Special Rapporteur on the Promotion and
Protection of the Right to Freedom of Opinion and Expression, UN Doc. A/HRC/17/27, 16 May
2011, para. 24 [Special Rapporteur’s Report]. See also Human Rights Committee, General
Comment No 34 on Article 19: Freedoms of Opinion and Expression, UN Doc. CCPR/C/GC/34,
12 September 2011, paras 21–36.
18
Ahmet Yildirim v. Turkey App no 3111/10 (ECHR, 18 December 2012).

/ Date: 24/3
with States’ obligations under international human rights law, and often create a broader
‘chilling effect’ on the right to freedom of opinion and expression.19
In 2012, Freedom House argued that ‘restrictions on internet freedom in many

countries have continued to grow, though the methods of control are slowly evolving
and becoming less visible’.20 It observed that the increased restrictiveness was mostly
occurring in authoritarian countries, while improvements happened ‘almost exclusively
in established democracies[.]’21 In 2013, Freedom House asserted that ‘global internet
freedom has been in decline for the three consecutive years … and the threats are
becoming more widespread,’22 with 34 of the 60 countries surveyed experiencing a
negative trajectory since 2012.23 Tactics used by authoritarian countries to restrict
freedom of expression in cyberspace include:
+ Blocking or filtering Internet content, including on social media sites;

+ Criminalizing dissemination of political, social or religious content;
+ Imposing liability on ISPs that host or fail to block illegal content;
+ Forcing websites or ISPs to shut down;
+ Disconnecting users from the Internet;
+ Cyber attacks against Internet sites operated or used by political opponents,
dissidents and non-governmental organizations (e.g., human rights groups);
+ Surveillance of online activities;
+ Manipulation of online communications through pro-government commentators
and spreading misinformation;
+ Physical attacks, including murder, against Internet users critical of the govern-
ment.24
The trajectory of increasing restrictions by authoritarian governments is occurring as

these governments increase Internet access for their populations. Numbers from the
International Telecommunication Union (ITU) indicate that authoritarian countries have
expanded access from 2007 to 2012,25 but increased government control and censorship
accompanied this expansion. This reality challenges notions that Internet technologies
undermine or overcome censorship. The success authoritarian governments appear to
be having in increasing Internet access and control over cyberspace activities highlight
not only how exploitable cyber technologies are but also how weak the human rights
regime is vis-à-vis these governments.26
19
Special Rapporteur’s Report (n 17), para. 26.
20
Freedom House, Freedom on the Net (Freedom House 2012) 1.
21
Ibid. 2.
22
Freedom House, Freedom on the Net (Freedom House 2013) 1.
23
Ibid. 2.
24
Special Rapporteur’s Report (n 17); Freedom House (n 20); Freedom House (n 22).
25
ITU, ‘Percentage of Individuals Using the Internet, 2000–2012’ <http://www.itu.int/en/
ITU-D/Statistics/Pages/stat/default.aspx> accessed 1 March 2014.
26
Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom (Public Affairs
2011) (analyzing authoritarian governments’ increasing control over Internet activities).

/ Date: 24/3
(ii) Right to privacy

The human rights regime protects another civil and political right directly relevant to
communication – the right to privacy.27 This right, too, predates the Internet, but
increasing use of cyber technologies creates a host of issues for privacy. As with
freedom of expression, international legal rules on privacy apply to communication in
cyberspace. However, problems arise in interpreting and implementing these rules
because countries do not always agree on what privacy means or requires, and these
differences exist even among democracies.
For example, the US and the EU have experienced difficult relations caused by
different legal standards for protecting privacy and personal data. Under US constitu-
tional jurisprudence, an individual has no reasonable expectation of privacy for
information shared with third parties, such as ISPs.28 Third parties that supply Internet
services store and process much of the information a US citizen now generates,
meaning privacy protections come from statutes not the Fourth Amendment. European
countries, through Council of Europe29 and EU30 instruments, have created more
protections for privacy and data – and these protections reflect the shift of communi-
cations into cyberspace and information into digital technologies in ways not seen in
the US approach. Attitudes about, and approaches to, privacy and data protection vary
even more between democratic and authoritarian States.
Looking at international legal principles, the ICCPR provides:
1. No one shall be subjected to arbitrary or unlawful interference with his privacy,

family, home or correspondence, nor to unlawful attacks on his honour and
reputation.
2. Everyone has the right to the protection of the law against such interference or
attacks.31
These principles create negative and positive duties. First, ICCPR States parties cannot
restrict the right to privacy unless government interference relates to a legitimate
purpose and complies with procedural requirements. Legitimate purposes centre on
surveillance for criminal law enforcement, counter-intelligence and national security
(e.g., counter-terrorism). The procedural requirements mandate the need for: (1) a legal
basis for surveillance; (2) authorization to conduct the surveillance (e.g., a court order);
and (3) the surveillance to be necessary, meaning the interference with privacy must be
proportionate to the objectives sought.
Second, the ICCPR requires States parties to protect personal information stored,
transmitted, processed and used by governments or non-governmental actors (e.g.,
companies) from unlawful access and use. For the government, this requirement creates
27
ICCPR (n 13) art 17.
28
Smith v. Maryland 442 US 735 (1979).
29
Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data, 28 January 1981, ETS no 108.
30
Council Directive (EC) 95/46/EC on the protection of individuals with regard to the
processing of personal data and on the free movement of such data [1995] OJ L281/31.
31
ICCPR (n 13) art 17.

10 / Date: 24/3
positive obligations to: (1) protect personal data collected, stored, processed and used
by government agencies; and (2) regulate third parties to ensure protection of personal
data from unlawful access and use. The ICCPR also requires governments to allow
individuals to ascertain what government agencies or third parties have their data and to
have data revised if incorrect or purged if held or used without legal authorization.
As with many aspects of the human rights regime, describing international legal
doctrine on privacy does not convey the reality of government practices. A long-
standing problem with surveillance has been expansive readings of the legitimate
purposes. Authoritarian governments often interpret these purposes broadly and the
procedural requirements narrowly (if they recognize them at all) in order to justify
surveillance against persons or groups considered actual or possible political oppo-
nents. Privacy advocates also lament inadequate legal protections for personal infor-
mation stored, processed or used by governments or private-sector entities. The
differences between the US and the EU on legal requirements for private sector
handling of personal data represent one example of the divergence that exists on this
aspect of privacy.32 As with freedom of expression, such differences among countries
on the substantive and procedural aspects of privacy reinforce, in practice, the
principles of sovereignty, non-intervention and territorial jurisdiction.
The movement of communication online creates, however, problems for privacy
arising from use of digital technologies linked through the Internet. Privacy contributes
to human dignity by protecting individual autonomy from government interference and
private efforts to profit from or exploit personal information. Protecting autonomy
becomes more difficult when individuals generate and share massive amounts of
information through Internet-facilitated technologies to communicate and engage in
transactions. The proliferation of these technologies, and increasing dependence on
them, accelerates this phenomenon. Massive production of digital data produces
opportunities for large-scale public and private storage, processing, analysis, utilization
and surveillance. These opportunities create commercial, law enforcement and national
security incentives to access and ‘mine’ this data, which places strains on rules
designed to protect privacy – at least in countries where such rules matter. Further,
concerns about cyber crime and cyber espionage33 indicate that protecting Internet-
linked streams and reservoirs of digital data from unauthorized access and exploitation
– as the right to privacy mandates – is difficult. These problems form part of debates
about the future of privacy in the age of Internet communication.
(b) Economic, Social and Cultural Rights
The human rights regime includes economic, social and cultural (ESC) rights, and the
leading multilateral treaty is the International Covenant on Economic, Social and
32
Paul M. Schwartz, ‘The E.U.-US privacy collision: A turn to institutions and procedures’
(2013) Harvard L. Rev. 1966.
33
On cyber espionage and international law see Buchan (Ch 8 of this book).

11 / Date: 24/3
Cultural Rights (ICESCR).34 ICESCR States parties accept general obligations, includ-
ing the principles of non-discrimination35 and progressive realization, or the duty to
‘take steps… to the maximum of its available resources’ to achieve progressively full
realization of the rights recognized in the treaty.36 These rights promote human
development and include the rights to: work; just and favourable working conditions;
social security; an adequate standard of living; the highest attainable standard of health;
education; to partake in cultural life; and enjoy the benefits of scientific progress.37
(i) International law on economic, social and cultural rights

International law on ESC rights creates three types of obligations – the duties to
respect, protect and fulfil. The duty to respect requires the State to refrain from
restricting enjoyment of ESC rights. Using the right to health as an example, the duty
to respect prevents a government from denying or limiting access for all persons to
health services.38 The duty to protect obligates the State to ensure that third parties,
such as corporations, do not threaten an individual’s access to resources or services
necessary for achieving ESC rights. In the health context, this duty calls for preventing
private-sector entities from disseminating false or misleading health information.39 The
duty to fulfil mandates the State provides goods, resources or services critical to the
enjoyment of ESC rights to persons unable to access or afford them. This obligation
means the State has to provide health services to people without access to such services
(e.g., rural communities) or who cannot pay for them (e.g., those in poverty).40
These duties involve immediate and unconditional obligations, such as ensuring
government actions are not discriminatory, and obligations that give States a margin of
discretion in how they achieve full realization of ESC rights, such as in priority setting
when government resources are limited. This discretion does not apply to ‘minimum
core obligations’ because the State has to guarantee ‘minimum essential levels of each
right,’ no matter the State’s level of economic development and financial resources.41
Any State actions that limit enjoyment of ESC rights are only permissible if they:
+ Are based on clear, accessible laws that are not discriminatory, arbitrary or
unreasonable and provide remedies for illegal or abusive actions;
+ Promote the population’s general welfare;
34
International Covenant on Economic, Social and Cultural Rights, 16 December 1966, 993
UNTS 3 [ICESCR].
35
Ibid. art 2.2.
36
Ibid. art 2.1.
37
Ibid. arts 6–15.
38
Committee on Economic, Social and Cultural Rights, General Comment No 14: The Right
to the Highest Attainable Standard of Health, UN Doc. E/C.12/2000/4, 11 August 2000, para. 34.
39
Ibid. para. 35.
40
Ibid. paras 36–37.
41
Committee on Economic, Social and Cultural Rights, General Comment No 3 on the
Nature of State Parties Obligations (art 2, para. 1), Report of the Fifth Session, Supp No 3,
Annex III, para. 10, UN Doc. E/1991/23.

12 / Date: 6/5
+ Do not impair the functioning of a democratic society (defined as a society that

recognizes and respects human rights); and
+ Do not jeopardize the essence of the rights being limited.42
This description of basic ICESCR principles does not communicate controversies that
international law on ESC rights has long experienced. Despite the right to health being
in the Constitution of the World Health Organization (1946), the Universal Declaration
of Human Rights (UDHR, 1948) and the ICESCR (1966), a 1999 study argued that this
right suffered from a ‘lack of conceptual clarity and… weak international and national
implementation’.43 The principle of progressive realization has been at the heart of
many ESC rights controversies. The idea that enjoyment of ESC rights is linked to the
level of a country’s economic development made them seem, to many, as political
aspirations rather than rights. Further, critics have argued that, without protections for
civil and political rights, ESC rights are not secure. For example, without freedom of
expression, the peoples’ ability to change government policies is undermined. Under
the margin of discretion, States can use the principles of sovereignty and non-
intervention to deflect outside concerns about government failure to protect, respect and
fulfil ESC rights, which weakens the international community’s ability to monitor
compliance.
(ii) Economic, social and cultural rights and cyberspace

Turning to ESC rights and cyberspace, human rights advocates frequently link the
Internet with enjoyment of ESC rights. Growing dependence on the Internet gives
online information flows increasing prominence in progressive realization of ESC
rights. Again using the right to health as an example, the duty to respect means a
government cannot limit or deny people access to valid health information and services
available on the Internet. The duty to protect obligates governments to prevent
Internet-based fraud by third parties involving health information, goods and services
(e.g., online sales of substandard medicines). The duty to fulfil requires a government
to create, enable or expand Internet access to information and services health care
providers and individuals can use to improve health.
The work of the Committee on Economic, Social and Cultural Rights (ESCR
Committee) – the body overseeing the ICESCR – illustrates that Internet access can
arise in evaluating State party performance. In its November 2013 review of ICESCR-
required implementation reports from Djibouti – a poor country with many problems –
the ESCR Committee mentioned the importance of Internet access ‘for all those who
sought assistance, employment, and opportunities to develop further their skills’ and
42
ICESCR (n 34) art 4; Limburg Principles on the Implementation of the International
Covenant on Economic, Social and Cultural Rights <http://www.escr-net.org/docs/i/425445>
accessed 1 March 2014.
43
Brigit C. A. Toebes, The Right to Health as a Human Right in International Law (Hart
Publishing 1999) 85.

13 / Date: 24/3
asked what Djibouti was ‘doing to facilitate access to the internet, particularly for
marginalized and disadvantaged groups’.44 The Djibouti Government responded:
Concerning internet access, the Government had obliged the national internet provider to cut
its rates by 50 per cent so that everyone, including students, could access the internet at a
very low cost. A wireless system was widely available in schools and universities. Djibouti
constantly worked to ensure that internet access was available in the more remote areas of the
country.45
The importance of cyberspace to ESC rights should, however, be kept in perspective.

Internet access is not a minimum core obligation because it is not critical to human
subsistence. In terms of progressive realization, many States parties face problems
implementing ESC rights for which Internet access is not a priority, including
obligations to provide people with adequate water, sanitation, food, housing and
essential medicines. Not every ESCR Committee review of State party reports mentions
Internet access,46 and the Committee’s guidelines on State party reports expressly
mention the Internet only once, in connection with enhancing ‘access to the cultural
heritage of mankind, including through new information technologies such as the
Internet’.47 In addition, most ESCR Committee’s general comments (authoritative
interpretations of ESC rights) adopted in the Internet era do not discuss Internet access
or use.48
(iii) The ‘digital divide,’ ESC rights and the right to development
Achieving human development through ESC rights connects to the ‘digital divide’
problem in development policy. The digital divide refers to the gap between developed
and developing countries in access to information and communications technologies
(ICTs), including the Internet. It also encompasses the ICT gap within countries
between, for example, more affluent urban areas and poorer rural areas. Reducing the
digital divide has become part of development strategies, including how increasing
access to ICTs (especially to broadband Internet) can contribute to achieving, for
example, the Millennium Development Goals and sustainable development objectives.
44
Office of the High Commissioner for Human Rights, ‘Committee on Economic, Social
and Cultural Rights Examines Report of Djibouti,’ (12 November 2013) <http://www.ohchr.org/
EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=13978&LangID=E> accessed 1 March 2014.
45
Ibid.
46
See, e.g., Office of the High Commissioner for Human Rights, ‘Committee on Economic,
Social and Cultural Rights Examines Second to Fourth Periodic Report of Egypt,’ (14 November
2013) <http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=13989&Lang
ID=E> accessed 1 March 2014.
47
Committee on Economic, Social and Cultural Rights, Guidelines on Treaty-Specific
Documents to be Submitted by States Parties under Articles 16 and 17 of the International
Covenant on Economic, Social, and Cultural Rights, UN Doc. E/C.12/2008/2, 24 March 2009,
para. 67.
48
Of the ten general comments the ESCR Committee has issued since 1999, only General
Comment No. 21 on the right to take part in cultural life mentions the Internet. Committee on
Economic, Social and Cultural Rights, General Comment No. 21 on the Right of Everyone to
Partake in Cultural Life, UN Doc. E/C.12/GC/21, 21 December 2009.

14 / Date: 6/5
The digital divide problem highlights not only the importance of cyberspace to ESC
rights but also the Internet’s role in the ‘right to development’. The UN General
Assembly declared in 1986 that everyone and all peoples have an inalienable right to
‘participate in, contribute to, and enjoy economic, social, cultural and political
development’.49 According to the UN High Commissioner for Human Rights:
Since the adoption of that landmark document, a debate has been raging in the halls of the
United Nations and beyond. On one side, proponents of the right to development assert its
relevance (or even primacy) and, on the other, sceptics (and rejectionists) relegate this right to
secondary importance, or even deny its very existence. Unfortunately … that debate has done
little to free the right to development from the conceptual mud and political quicksand in
which it has been mired all these years.50
This ongoing controversy has not prevented human rights advocates from making
cyberspace important to the right to development. The Human Rights Council
recognized ‘the global and open nature of Internet as a driving force in accelerating
progress towards development in its various forms’.51 The Special Rapporteur on the
Right to Freedom of Opinion and Expression argued that ‘the Internet boosts economic,
social and political development, and contributes to the progress of humankind as a
whole’.52 The World Federation of University Women emphasized to the UN Working
Group on the Right to Development that Internet access was key to women’s enjoyment
of the right to development, which required greater attention to the digital divide and its
gender implications.53
However, the efforts of the UN Working Group on the Right to Development and the
High-Level Task Force on the Implementation of the Right to Development54 indicate
that the digital divide has not been the most prominent concern related to access to
technologies. Working Group and Task Force reports demonstrate that technology
transfer issues, such as tensions between intellectual property rights and access to
essential medicines, have received more attention than Internet access and the digital
divide. Technology transfer has long been a problem for development policy, but
Internet access does not resemble traditional technology transfer controversies. The
technologies needed to produce such access are widely available and not subject to
limitations that have triggered technology transfer concerns, such as export controls on
‘dual use’ technologies and protection of intellectual property rights.
49
UNGA Declaration on the Right to Development (1986) UN Doc Res 41/128.
50
Navi Pillay, UN High Commissioner for Human Rights, ‘Development is a Human Right
for All,’ <http://www.ohchr.org/EN/ISSUES/DEVELOPMENT/Pages/DevelopmentIndex.aspx>
51
Human Rights Council, The Promotion, Protection and Enjoyment of Human Rights on
the Internet (29 June 2012) UN Doc A/HRC/20/L.13, 2.
52
Special Rapporteur’s Report (n 17) para. 67.
53
Report of the Open-Ended Working Group on the Right to Development (20 March 2001)
UN Doc E/CN.4/2001/26, para. 138.
54
High-Level Task Force on the Implementation of the Right to Development <http://
www.ohchr.org/EN/Issues/Development/Pages/HighLevelTaskForce.aspx> accessed 1 March
2014.

15 / Date: 24/3
(c) Internet Access as a New Human Right?
The Internet features so prominently across the human rights regime that people now
debate whether Internet access is, or should be, a human right. As the previous two
sections demonstrated, the Internet is important for the enjoyment of human rights,
with Internet access supporting the exercise of civil and political rights and the
progressive realization of ESC rights. The Special Rapporteur on the Right to Freedom
of Opinion and Expression captured this perspective in arguing that ‘the Internet has
become an indispensable tool for realizing a range of human rights, combating
inequality, and accelerating development and human progress’.55 Framing the Internet
in this way is consistent with the traditional approach – technologies are means for
protecting and promoting human rights. For example, health advocates see access to
technologies, such as vaccines, as important instruments in achieving the right to the
highest attainable standard of health.
Many arguments associated with ‘Internet access is a human right’ fall into this
instrumental approach. Secretary of State Hillary Clinton articulated a ‘freedom to
connect’ to the Internet, but this freedom’s meaning and purpose depend on other civil
and political rights – namely, the freedoms of opinion, expression and assembly.56
Mark Zuckerberg, founder of Facebook, argued that Internet connectivity is a human
right,57 but the connectivity he described is instrumental – connectivity as a means for
achieving the political, economic and social objectives the human rights regime already
targets. Vint Cerf, one of the Internet’s creators, stressed this point in arguing that
‘Internet access is just a tool for obtaining something else more important’.58
The idea of Internet access as a distinct right has to differ from the instrumental
perspective by positing that access is, by itself, so central to individual life, autonomy
or dignity that it deserves protection as a fundamental right. Responding to Cerf, Scott
Edwards, writing on an Amnesty International blog, asserted that Internet access is so
‘indispensable to world’s most marginalized people’ that its loss ‘in places from
Sub-Saharan Africa to the most impoverished communities here in the US … could
mean an immediate threat to lives and livelihoods’.59
This argument ignores the digital divide – the world’s most marginalized people do
not enjoy much Internet access. Further, problems already of grave concern in the
human rights regime more immediately threaten the lives and livelihoods of the world’s
most marginalized populations, such as lack of clean water, food insecurity, inadequate
health care, environmental degradation, poor education and political or criminal
55
Special Rapporteur’s Report (n 17) para. 85.
56
Hillary Clinton, ‘Remarks on Internet Freedom,’ (21 January 2010) <http://www.state.gov/
secretary/rm/2010/01/135519.htm> accessed 1 March 2014.
57
Mark Zuckerberg, ‘Is connectivity a human right?’ <https://fbcdn-dragon-a.akamaihd.net/
hphotos-ak-ash3/851575_228794233937224_51579300_n.pdf> accessed 1 March 2014.
58
Vint Cerf, ‘Internet access is not a human right’ (4 January 2012) NY Times <http://
www.nytimes.com/2012/01/05/opinion/internet-access-is-not-a-human-right.html> accessed 1
March 2014.
59
Scott Edwards, ‘Is internet access a human right?’, (10 January 2012) Human Rights Now
Blog <http://blog.amnestyusa.org/business/is-internet-access-a-human-right/> accessed 1 March
2014.

16 / Date: 24/3
violence. In addition, marginalized populations have had poor access to previous

technologies, such as telephony, without this problem being, by itself, considered an
immediate threat to life and livelihood.
The debate about Internet access as a human right often references national court
cases that reviewed government measures restricting access in response to actions by
the user, such as violating certain laws. One frequently mentioned case is a 2009
decision by France’s highest court striking down statutory provisions that suspended a
person’s Internet access for violating intellectual property rights.60 News reports often
described the decision as holding that Internet access is a basic human right.61
However, the decision applies the right to freedom of expression protected by the
French Declaration of the Rights of Man and the Citizen to the context of Internet
access.62 Given that freedom of expression is ‘one of the cornerstones of a democratic
society and one of the guarantees of respect for other rights and freedoms’, the court
ruled that Parliament could not vest an administrative committee, as opposed to a court,
with the power to restrict ‘the right of any person to exercise his right to express
himself and communicate freely, in particular in his own home’.63 Restrictions on this
right must be reviewed by a court and ‘adapted and proportionate to the purpose it is
sought to achieve’.64 The court recognized the importance of the Internet to the
contemporary exercise of freedom of expression, observing that ‘this right implies
freedom of access’65 to Internet services. In keeping with the traditional instrumental
perspective, this decision embeds Internet access within an existing civil and political
right rather than recognizing a distinct right.
How Internet access can be anything other than an application of existing human
rights that protect or foster information exchange is hard to see. The Internet is a tool
for imparting and receiving information. Internet access has no purpose independent of
this context. Increasing dependence on the Internet elevates access as a component of
the human rights regime. Rather than being a distinct human right, Internet access is an
increasingly important metric for determining the scope and quality of compliance with
civil and political rights and with the progressive realization of ESC rights.
5. INTERNATIONAL RELATIONS AND THE

CYBERSPACE-HUMAN RIGHTS RELATIONSHIP
Cyberspace affects international relations in ways beyond human rights, which calls for
examining how State behaviour in other areas connects to the cyberspace-human rights
60
Constitutional Council, Decision no 2009-580 on act furthering the diffusion and
protection of creation on the Internet, 10 June 2009 (official English translation).
61
Richard Wray, ‘French anti-filesharing law overturned,’(10 June 2009) The Guardian
<http://www.theguardian.com/technology/2009/jun/10/france-hadopi-law-filesharing?guni=Article:
in%20body%20link> accessed 1 March 2014.
62
Constitutional Council (n 60), para. 12.
63
Ibid. paras 15–16.
64
Ibid. para. 15.
65
Ibid. para. 12.

17 / Date: 24/3
relationship. This part looks at Internet governance, cybersecurity and trade and
commerce in cyber technologies as contexts in which human rights issues have
emerged. The ways in which human rights arise are controversial, reveal disagreements
about human rights in the Internet age and raise questions about the future of the
human rights regime in the next phase of cyberspace’s evolution.
(a) Internet Governance
This chapter previously mentioned the fault line on Internet governance between the
‘Internet freedom’ and ‘Internet sovereignty’ perspectives. The international politics of
Internet governance involve many issues, including great power competition, friction in
defining what problems fall within Internet governance, divergent views about non-
State actor participation in international governance and disagreements over civil and
political rights. Although the Internet governance controversy is broad, human rights
are one of the most prominent and divisive features.
Briefly, ‘Internet freedom’ views cyberspace as a means for advancing civil and
political rights, encouraging the spread of democracy and supporting technological and
governance innovation through collaboration of public, private and non-governmental
stakeholders. Internet freedom is a transformative vision – the Internet and cyberspace
can help change politics within and among countries. ‘Internet sovereignty’ embeds
cyberspace in an international order that functions through inter-State governance
mechanisms, the balance of power, and adherence to the principles of sovereignty and
non-intervention. Internet sovereignty is conservative – States must discipline use of the
Internet and cyberspace through traditional mechanisms for maintaining order among
sovereign States.
These contrasting perspectives have taken centre stage in negotiations on Internet
governance. In 2012, the ITU convened the World Conference on International
Telecommunications (WCIT) so that ITU members could revise the International
Telecommunication Regulations (ITRs).66 The negotiations failed because of the fault
line between Internet freedom and Internet sovereignty. Countries associated with
Internet freedom, especially the US and European democracies, rejected the revised
ITRs for a number of reasons, including concerns that the revisions introduced
provisions that could threaten civil and political rights, such as freedom of expression.
States linked with the Internet sovereignty approach, including China, Russia and other
authoritarian countries, supported the revised ITRs because, among other things, the
revisions reflected their interests in expanding the scope of Internet governance and
strengthening inter-governmental control of such governance.
Even though the WCIT produced stalemate rather than victory for either position,
what happened reflects growth in the influence and impact of the Internet sovereignty
perspective. China, Russia and supportive countries prevailed in getting Internet
governance on the ITU’s negotiating agenda, succeeded in having new ITR provisions
66
David P. Fidler, ‘Internet Governance and international law: The controversy concerning
revision of the International Telecommunication Regulations’ (7 February 2013) American
Society of International Law Insights <http://www.asil.org/sites/default/files/insight130207.pdf>

18 / Date: 24/3
they wanted and held firm against US and European opposition. In that sense, the
WCIT represented a culmination of authoritarian efforts, dating back to the turn of the
century, to make Internet governance reflect their interests more strongly. From a
human rights perspective, this development is worrisome given how authoritarian States
disregard civil and political rights in cyberspace.
(b) Cybersecurity
As other chapters in this volume analyse, cybersecurity has become a significant policy
concern, and this area involves human rights considerations. Cyber threats posed by
criminals, terrorists, intelligence agencies, and militaries have provoked governments to
respond in ways human rights advocates believe infringe civil and political rights.
Government exploitation of cyber technologies to repress political opposition, conduct
espionage and develop cyber weapons has also generated human rights worries. The
disclosures Edward Snowden started making in June 2013 about the cyber surveillance
and cyber espionage67 activities of the US National Security Agency (NSA) sparked
controversies about the threats these activities posed to civil and political rights in the
US and around the world. Cumulatively, cybersecurity problems convey the impression
that cyberspace is becoming insecure and dangerous in ways that undermine using the
Internet to strengthen human rights.
Over the past decade, concerns about cyber threats to national security have
increased. Cyber attacks by criminals, ‘hacktivist’ groups, and foreign intelligence
agencies, the fear of cyber terrorism, and development of offensive cyber weapons by
rival countries have forced governments to devote more attention to cybersecurity.
Policy thinking about how to respond has identified strategies that raise human rights
questions. For example, improving cyber defences requires improved ‘situational
awareness’, which heightened surveillance of Internet communication and expanded
information sharing between the private sector and government agencies can achieve.
However, persons and groups focused on protecting freedom of expression and privacy
oppose these strategies because they expand government power without adequate
safeguards for these rights.68
A different, but related, worry involves authoritarian governments using cybersecu-
rity threats as an excuse for expanding surveillance and repression of political
opposition. China’s attempts to censor and monitor Internet activities demonstrate that,
for the Communist Party, cybersecurity means protecting against the use of cyberspace
to challenge its authority and power.69 The treaty on information security concluded by
the Shanghai Cooperation Organization, the members of which are authoritarian States
67
See Buchan (Ch 8 of this book).
68
Rainey Reitman, ‘CIPSA, the privacy-invading cybersecurity spying bill, is back in
Congress,’ (13 February 2013) Electronic Frontier Foundation <https://www.eff.org/deeplinks/
2013/02/cispa-privacy-invading-cybersecurity-spying-bill-back-congress> accessed 1 March
2014.
69
Nigel Inkster, ‘China in cyberspace’ (2010) 52 Survival 55.

19 / Date: 24/3
(including China and Russia), defines terms – such as ‘information security’, ‘infor-
mation crime’, and ‘information terrorism’ – in ways that demonstrate no interest in
protecting freedom of expression and privacy in cyberspace.70
Snowden’s disclosures about NSA cyber surveillance and cyber espionage sparked
debate about privacy in the US and internationally. Within the US, Snowden exposed
NSA programs that collect domestic telephony metadata and communications of US
persons with foreign intelligence targets located outside the US. Privacy advocates have
challenged these programs in court and through proposed legislation, and these
challenges inform an ongoing US debate about how best to protect privacy in light of
national security needs and capabilities to conduct electronic surveillance.
Internationally, Snowden’s revelations about US cyber espionage against allied and
friendly countries, such as Germany and Brazil, produced a backlash against the US. In
November 2013, Germany and Brazil introduced a draft resolution in the UN General
Assembly’s Third Committee entitled ‘The Right to Privacy in the Digital Age’.71
Submitted as a response to NSA cyber spying, the draft resolution applied the right to
privacy to surveillance conducted by States outside their territories. This effort recalls
previous controversies about when human rights obligations apply when a country acts
outside its territory. But, the draft resolution contained a more radical proposition – that
a State’s foreign espionage activities, including against online communications, are
subject to the right to privacy in international law. At the UN, US diplomats opposed
the extraterritorial application of the right to privacy, meaning it does not apply to
espionage activities, and insisted that US electronic surveillance was lawful, in
compliance with international human rights law.72 The revised resolution submitted by
the Third Committee to the UN General Assembly contained compromise language that
permitted the different sides of the debate to claim it reflected their perspectives.73 The
UN General Assembly approved this resolution in December 2013 without a vote,74
another indication of the disagreements surrounding it.
This controversy raises interesting international legal issues, including whether the
power the US exercises in cyberspace qualifies, in the virtual world, as the equivalent
of effective, physical control of individuals often associated with extraterritorial
obligations under international human rights law.75 However, mounting concerns about
70
Shanghai Cooperation Organization, Agreement on Cooperation in the Field of Inter-
national Information Security, December 2008.
71
UNGA, The Right to Privacy in the Digital Age (1 November 2013) UN Doc A/C.3/68/
L.45.
72
Colum Lynch, ‘Exclusive: Inside America’s plan to kill online privacy rights everywhere,’
(20 November 2013) The Cable <http://thecable.foreignpolicy.com/posts/2013/11/20/exclusive_
inside_americas_plan_to_kill_online_privacy_rights_everywhere> accessed 1 March 2014.
73
UNGA, The Right to Privacy in the Digital Age (20 November 2013) UN Doc A/C.3/
68/L.45/Rev. 1.
74
UNGA, The Right to Privacy in the Digital Age (18 December 2013) UN Doc
A/RES/68/167.
75
Anne Peters, ‘Surveillance without borders: The unlawfulness of the NSA panopticon,
Part II,’ (4 November 2013) EJIL: Talk! <http://www.ejiltalk.org/surveillance-without-borders-
the-unlawfulness-of-the-nsa-panopticon-part-ii/> accessed 1 March 2014.

20 / Date: 24/3
cyber espionage demonstrate that intelligence agencies of many countries have power-
ful capabilities to penetrate foreign computer systems and networks, manipulate them,
and obtain sensitive information, including communications of private persons. The
countries to which Snowden fled – China and Russia – are accused of violating
domestic Internet freedoms, including the right to privacy,76 hardly an indication these
States seriously believe the right to privacy in international law affects their foreign
espionage activities.
The ubiquity of cyber espionage works against the notion that State practice reflects
the extraterritorial application of the right to privacy to government intelligence
activities. Questions about the extraterritorial application of the right to privacy will
continue to be important because, for example, the UN General Assembly requested the
UN High Commissioner for Human Rights to ‘submit a report on the protection and
promotion of the right to privacy in the context of domestic and extraterritorial
surveillance and/or the interception of digital communications and the collection of
personal data, including on a mass scale’ to the Human Rights Council and the General
Assembly.77
For its part, the US has long held that its ICCPR obligations do not extend outside
the US, a position enunciated again in the UN negotiations on the resolution on the
right to privacy in the digital age. However, in reforms announced in January 2014,
President Obama instructed the US intelligence community to protect the privacy
interests of all persons, including non-US persons located outside the US.78 Specific-
ally, US intelligence activities must ‘include appropriate safeguards for the personal
information of all individuals, regardless of the nationality of the individual … or
where that individual resides’.79 Although framed in terms of privacy ‘interests’ rather
than ‘rights’, how this dramatic shift in US policy on intelligence activities will affect
debates about the extraterritorial application of the right to privacy deserves close
scrutiny.
Snowden also disclosed information about US cyber espionage against other
countries, including China, Russia, and Iran. These authoritarian countries have not,
like Germany and Brazil, responded by calling for strengthening the right to privacy.
Instead, the revelations vindicated their claims that they were targets of large-scale US
cyber espionage. The disclosures badly damaged, if not destroyed, US diplomatic
efforts to pressure China to stop engaging in economic cyber espionage. Snowden’s
leaks also undermined the Obama administration’s Internet freedom agenda because
they exposed the US Government’s willingness to conduct cyber surveillance on a
global scale against friend and foe alike. Even Michael Hayden, former NSA and CIA
director, admitted the US could be fairly accused of militarizing cyberspace after what
76
Freedom House (n 22) 181–214 (China), 588–600 (Russia).
77
The Right to Privacy in the Digital Age (n 74), para. 5.
78
Presidential Policy Directive/PPD-28 – Signals Intelligence Activities, 17 January 2014,
§ 4, <http://www.lawfareblog.com/wp-content/uploads/2014/01/2014sigint.mem_.ppd_.rel_.pdf>
79
Ibid.

21 / Date: 24/3
Snowden revealed80 – an accusation corrosive of US claims to Internet freedom

leadership.
Finally, the disclosures gave rival States, especially China and Russia, glimpses of
US cyber power. In addition to US cyber espionage capabilities, the leaks revealed the
US had, in 2011, conducted 231 offensive cyber operations, or cyber attacks, against
targets around the world.81 The disclosures confirmed fears about US cyber power
these countries had long held, reinforced their commitment to Internet sovereignty, and
encouraged them to strengthen their intelligence and military cyber capabilities. None
of these consequences bodes well for protecting civil and political rights in cyberspace.
Nor do they reduce worries that realpolitik will make cyberspace increasingly insecure
and dangerous, damaging prospects for using the Internet to achieve progressive
realization of ESC rights.
(c) Private Enterprise, Human Rights and Cyber Technologies
Human rights issues have arisen in connection with the private sector’s development,
use and sale of cyber technologies and services. As mentioned above, migration of
communication to online formats gives ICT companies access to massive amounts of
data, and privacy advocates have expressed concerns that existing laws, especially in
the US, are insufficient to protect privacy from corporate interests. Human rights
groups have also criticized ICT companies of: (1) cooperating with Chinese Govern-
ment efforts to censor and control the Internet in repressing domestic political
opposition; and (2) selling cyber technologies to repressive regimes, such as Syria, that
use them against political opponents. These concerns informed creation of the Global
Network Initiative (GNI), a multi-stakeholder effort that helps ICT companies advance
freedom of expression and privacy through independent reviews of corporate compli-
ance with GNI’s principles.82 Countries participating in the Wassenaar Arrangement on
Export Controls for Conventional Arms and Dual-Use Goods and Technologies agreed
in December 2013 to include in this regime restrictions on exporting ‘dual use’ ICT
products, such as intrusion software and network surveillance systems, governments
could use to violate civil and political rights.83
80
Andrea Peterson, ‘Former NSA and CIA Director says terrorists love using gmail,’ (15
September 2013) Washington Post < http://www.washingtonpost.com/blogs/the-switch/wp/2013/
09/15/former-nsa-and-cia-director-says-terrorists-love-using-gmail/> accessed 1 March 2014.
81
Barton Gellman and Ellen Nakashima, ‘U.S. spy agencies mounted 231 offensive cyber
operations in 2011, documents show,’ (30 August 2013) Washington Post <http://articles.
washingtonpost.com/2013-08-30/world/41620705_1_computer-worm-former-u-s-officials-obama-
administration> accessed 1 March 2014.
82
Global Network Initiative <http://www.globalnetworkinitiative.org/> accessed 1 March
2014.
83
Public Statement: 2013 Plenary Meeting of the Wassenaar Arrangement on Export
Controls for Conventional Arms and Dual-Use Goods and Technologies, 4 December 2013; Edin
Omanovic, ‘International agreement reached controlling export of mass surveillance and
intrusive surveillance technology’ (9 December 2013) Privacy International <https://www.
privacyinternational.org / blog / international-agreement-reached-controlling- export-of-mass - and-
intrusive-surveillance> accessed 1 March 2014.

22 / Date: 1/4
Human rights appear in other contexts involving private-sector activities in cyber-

space. For example, the Internet Corporation for Assigned Names and Numbers
(ICANN) is an important multi-stakeholder mechanism for Internet governance because
it oversees the domain name system. ICANN’s ongoing process for creating new
generic, top-level domain names (gTLDs) permits an Independent Objector to file a
‘limited public interest objection’ that a proposed gTLD ‘is contrary to general
principles of international law for morality and public order’.84 The instruments
ICANN identified as containing such principles all protect human rights, including the
ICCPR and ICESCR.
Therefore, the ICANN process will vet a corporation’s application for a new gTLD
under human rights principles and will not approve it if the gTLD: (1) involves
incitement to, or promotion of, violent lawless action, discrimination, child porn-
ography or other sexual abuse of children; or (2) is ‘contrary to specific principles of
international law as reflected in relevant international instruments of law’.85 Here, a
non-governmental entity, ICANN, is applying human rights principles directly to
Internet activities proposed by corporations. This process includes a dispute resolution
mechanism under which expert panels will interpret international law in determining
the legitimacy of limited public interest objections challenged by applicants.86
6. CONCLUSION
The complexity of the cyberspace-human rights relationship makes finding its critical
features difficult, if not foolhardy. The relationship emerged at a unique historical
moment when unprecedented political conditions facilitated new technologies of
communication and connectivity with potential to strengthen human rights. The many
ways the human rights regime applies to the Internet and human rights activism on
cyberspace issues constitute partial fulfilment of this promise. However, political, legal
and technological developments have dramatically affected the relationship in ways that
burden the present and the future.
Politically, the uni-polar moment of the post-Cold War period has passed, replaced
by a multi-polar configuration characterized by divergent interests on the Internet and
human rights and intensifying geopolitical competition, including in cyberspace.
Legally, all-too-familiar gaps between legal doctrine and State practice on human rights
appear as well in the cyberspace-human rights relationship. Technologically, authoritar-
ian governments appear to have figured out how to expand Internet access and use
while increasing censorship and control over activities in cyberspace. As Snowden’s
84
ICANN, gTLD Applicant Guidebook, Module 3 (4 June 2012). As of this writing, the
Independent Objector had issued 11 limited public interest objections, all against proposed
gTLDs in the health/medical area and all applying the right to health. ‘The Objections Filed
by the Independence Objector’ <http://www.independent-objector-newgtlds.org/home/the-
independent-objector-s-objections/> accessed 1 March 2014.
85
ICANN, 3-21–3-22.
86
See for example Prof. Allain Pellet (Independent Objector) v Afilias Ltd, Case No
EXP/409/ICANN/26 (November 2013) (rejecting Independent Objector’s limited public interest
objection grounded in the right to health against .HEALTH gTLD application).

23 / Date: 24/3
disclosures make clear, the US harnessed cyber technologies for intelligence and
military purposes in ways that human rights advocates believe undermine what
cyberspace should mean for human rights.
These observations leave the impression that increasing individual, commercial,
social and governmental dependence on the Internet is weakening human rights in
cyberspace, which contradicts beliefs that the Internet’s global proliferation and
penetration of societies would transform whether and how people enjoy human rights.
The developing prowess of authoritarian governments in monitoring and manipulating
online activities, the momentum of the Internet sovereignty perspective, and the
damage Snowden’s disclosures have done to US interests and influence produce the
most difficult and dangerous conditions the relationship between cyberspace and
human rights has faced.
Whether changes to the human rights regime would make things better is doubtful.
International law on civil and political rights and ESC rights already applies compre-
hensively to online activities. Recognising Internet access as a distinct right would not
solve the problems facing the protection of civil and political rights in authoritarian
States. Attempts to impose privacy obligations on foreign espionage activities will
deepen the diplomatic problems the US faces and will be ignored by authoritarian
States that engage in cyber espionage. Monitoring implementation of ESC rights could
be more systematic in evaluating how the Internet can contribute to the realization of
these rights, but moving in this direction might reveal the limits of the Internet more
than it identifies untapped opportunities. Reducing the digital divide does not neces-
sarily improve the enjoyment of human rights because increased Internet access and
use does not, by itself, equate with stronger protection for civil and political rights or
more progressive realization of ESC rights.
Although the Internet is the most consequential communication technology to
emerge in the human rights era, it has not proven to be an exceptional technology in
freeing the human rights project from politics. Looking ahead, the primary human
rights challenges in cyberspace will involve grappling with age-old political problems,
including the resiliency of sovereignty, the tenacity of authoritarianism, the complexity
of international law, the difficulty of balancing human rights and national security, and
the unpredictability of shifts in power and interests in the international system.

24 / Date: 6/5
6. International criminal responsibility in cyberspace*

Kai Ambos
1. INTRODUCTION: SCOPE AND CONCEPTUAL

CLARIFICATIONS
Given the methodology and purpose of a Research Handbook the primary objective of
this chapter will be to give a reliable overview of the state of the art with regard to the
topic. This is not an easy task given its great uncertainty, complexity and dynamics.1 In
any event, given the broad scope of both ‘criminal responsibility’ and ‘cyberspace’ we
have, first of all, to determine more precisely the scope of the inquiry. While
‘cyberspace’ may be broadly defined as a domain characterized by ‘the use of
electronics … and the electromagnetic spectrum to store, modify, and exchange data
via networked systems and associated physical infrastructures’2 and thus ‘cybercrime’
encompasses a wide variety of criminal activity by means of or in the world wide web
(from criminal economic activity to copyright violations and child pornography),3 this
chapter will only focus on computer network attacks (CNAs), also sometimes called
* I thank my student research assistant Torben Schlüter for assistance in preparing this
chapter and Muriel Nißle for a final editorial revision.
1
This is admitted at the outset in the serious publications on the matter, see for example
David Turns, ‘Cyber warfare and the notion of direct participation in hostilities’ (2012) 17(2) J.
Conflict & Sec. L. 280, 282 (stating that it is ‘rather difficult to write authoritatively about
international law and CW [cyber warfare]: one has a distinct feeling of the ink not yet being dry
on the page.’).
2
US Department of Defense according to Herbert Lin, ‘Cyber conflict and international
humanitarian law’ (2012) 94(886) I.R.R.C. 515, 516; similarly Michael Schmitt, ‘Classification
of cyber conflict, (2012) 17 J. Conflict & Sec. L. 245, 258. On the differences between conflict
in cyberspace and physical space (i.e., traditional conflict) see ibid. 520.
3
It is not easy to find a comprehensive definition of the term ‘cybercrime’. It is often
interchangeably used with the terms ‘computer crime’, ‘computer-related crime’, ‘high-tech
crime’ and ‘cybercrime’. The Cybercrime Convention of the Council of Europe of 23 November
2001 lists: illegal access; illegal interception; data interference; system interference; misuse of
devices; computer-related forgery; computer-related fraud; offences related to child porn-
ography; and to infringements of copyright and related rights (arts 2–10). The AP of 28 January
2003 adds to this impressive list acts of a racist and xenophobic nature committed through
computer systems. EU documents take a similarly broad approach covering any conduct that
describes: ‘a) the use of information and communication networks that are free from geographi-
cal constraints; and b) the circulation of intangible and volatile data’, see European Commission,
‘Fight against cybercrime’ (12 September 2005) <http://europa.eu/legislation_summaries/justice_
freedom_security/fight_against_organised_crime/l33193b_en.htm> accessed 22 October 2013.
For a similar broad definition from an US-perspective see Oona A Hathaway et al., ‘The law of
cyber-attack’ (2012) 100 Cal. L. Rev. 817, 833; David Weissbrodt, ‘Cyber-conflict, cyber-crime,
and cyber espionage’ (2013) 22 Minnesota J. of Int’l. L. 345, 366–70.
118
/ Date: 6/5
International criminal responsibility in cyberspace 119
more shortly ‘cyber attacks’. A CNA is the strongest form of what is regarded to be
cyber warfare,4 i.e., the use of technical means to wage war against an adversary in
cyberspace.5 Apart from network attacks, other forms of attacks are cyber operations6
and cyber espionage.7 The reason for this focus on CNAs is that only these forms of
attacks are normally serious enough to qualify as international crimes and thus be
covered by an international criminal jurisdiction like the International Criminal Court
(ICC). However, the exact meaning of a CNA is still subject of discussion.8 Following
the majority view three elements may be distinguished. First, a CNA is not carried out
for (direct) financial gain or profit as are classical economic cybercrimes.9 Secondly,
the attack is not conducted for the purpose of gaining information (‘cyber espio-
nage’).10 Thirdly, a CNA alters, disrupts, degrades or destroys a computer network and
may lead to a disruption of devices connected to the network under attack.11 The latter
element is well captured by the definition provided for by the Tallinn Manual on Cyber
4
On the different understandings of ‘cyber warfare’ in state practice Cordula Droege, ‘Get
off my Cloud: Cyber Warfare, international humanitarian law and the protection of civilians’
(2012) 94 I.R.R.C. 533, 536–7. On computer network exploitation (CNE) and computer network
defence (CND) see Nils Melzer, Cyberwarfare and International Law (UNDIR Resources 2011)
5, available at <http://unidir.org/Publications/listerPublications/ idConference:170> accessed 20
October 2013.
5
See Lin (n 2) 519 (discussing the differences between traditional warfare and cyber
warfare regarding the law of armed conflict); Droege (n 4) 538 (referring to ‘cyber operations
amounting to or conducted in the context of armed conflict’); also Melzer (n 4) 4; Harrisson
Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 4 et seq.
6
Michael Schmitt (ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare (CUP 2013) [Tallinn Manual], probably the most authoritative source on our topic,
defines a cyber-operation as ‘The employment of cyber capabilities with the primary purpose of
achieving objectives in or by the use of cyberspace’ (258). For a critique on the Manual’s
methodological approach and the composition of the Expert group see Oliver Kessler and
Wouter Werner, ‘Expertise, uncertainty, and international law: A study on the Tallinn Manual on
cyberwarfare’ (2013) 26(4) L.J.I.L. 793 (concluding that ‘the Manual reduces uncertainty
through consensus on some issues, but also reproduces or even radicalizes uncertainty’ by
making ‘authoritative claims in the absence of consensus’ and reintroducing ‘open-ended
principles and contextual factors in legal reasoning’). See also Ducheine (Ch 10 of this book).
7
According to the Tallinn Manual ibid. Rule 66, this means ‘any act undertaken
clandestinely or under false pretences that uses cyber capabilities to gather (or attempt to gather)
information with the intention of communicating it to the opposing party.’ See also Weissbrodt
(n 3) 370–1; Buchan (Ch 8 of this book).
8
Cf. Ryan McClure, ‘International adjudication options in response to state-sponsored
cyber-attacks against outer-space satellites’ (2012) 18 New England J. of Int’l. & Comp. L. 431,
432 (with further references).
9
Melzer (n 4) 21; Lesley Swanson, ‘The era of cyber warfare: Applying international
humanitarian law to the 2008 Russian-Georgian cyber conflict’ (2010) 32 Loyola Los Angeles
Int’l. & Comparative L. J. 303, 307 (‘[cybercrimes] are governed by national criminal statutes
and include such acts as identity theft and internet fraud’).
10
Lin (n 5) 519; see also Jack Goldsmith, ‘How cyber changes the laws of war’ (2013) 24
E.J.I.L. 129, 135; Buchan (Ch 8 of this book).
11
This is basically the US Department of Defense definition, as quoted in Noam Lubell,
‘Lawful targets in cyber operations: Does the principle of distinction apply?’, (2013) 89 Int’l. L.
Studies 252, 258; see also Melzer (n 4) 5; Lin (n 2) 518–9; Brian T O’Donnell and James

/ Date: 6/5
Warfare: ‘a cyber operation, whether offensive or defensive, that is reasonably expected

to cause injury or death to persons or damage or destruction to objects.’12
The second limitation concerns the concept of ‘international criminal responsibility.’
Such a responsibility presupposes the existence of international crimes and the
participation in these crimes. The current debate is mostly concerned with the
application of the law of armed conflict, also – more euphemistically – called
international humanitarian law (IHL),13 to CNAs (section 2)14. This is not surprising
since States are, pursuant to Article 36 of the First Additional Protocol to the Geneva
Conventions (AP I), under an obligation to determine the applicable IHL rules for new
weapons and means or method of warfare.15 Less intense is the debate regarding
criminal responsibility for the crime of aggression (section 3). This is equally
unsurprising since this crime has only recently been codified and it is much less likely
that it will be applied any time soon to traditional armed attacks, let alone cyber
attacks. Finally, there is virtually no debate regarding the commission of crimes against
humanity by way of CNAs but it is worthwhile taking a brief look at this possibility
following the discussion of war crimes (section 4). There are, of course, other issues
regarding international criminal responsibility in cyberspace but they must be left to
future inquiries. One particularly complex and practically important topic concerns the
question of jurisdiction for cyber attacks given that these attacks are by definition
transnational and thus trans- or supra-jurisdictional. In fact, these attacks normally
originate in one jurisdiction but concern all jurisdictions they cross and where they may
produce harmful results. The ICC’s jurisdiction would then be derived from the
national jurisdiction(s) affected by the respective CNA.
Kraska, ‘Humanitarian law: developing international rules for the digital battlefield’ (2003) 8 J.
Conflict & Sec. L. 133, 138; crit. of the scope of the definition Lubell, op.cit., 258–9.
12
Tallinn Manual (n 6) rule 30; for an even broader definition Lin (n 2) 518–9; see also
Droege (n 4) 556–61 (including the interference ‘with the functioning of an object by disrupting
the underlying computer system’, at 560); for a too broad (albeit called ‘narrow’) definition
Hathaway and others (n 3) 826 et seq. (letting suffice ‘any action … to undermine the functions
of a computer network …’). Why the authors themselves consider this a ‘narrow’ definition
remains their secret, the special purpose requirement (‘political or national security purpose’)
does, in any case, not do the trick and their examples are also far too broad (ibid. 837 et seq.).
Discussing different cyber operations and attacks Charlotte Lülf, ‘International humanitarian law
in times of contemporary warfare – the new challenge of cyber attacks and civilian participation’
(2013) 26 Humanitäres Völkerrecht – Informationsschriften 74, 76–77.
13
IHL refers to all rules of the law of armed conflict protecting individuals in armed
conflicts (Christopher Greenwood, ‘Historical developments and legal basis’ in Dieter Fleck
(ed.), The Handbook of International Humanitarian Law (2nd edn., OUP 2008) 1–43, marginal
number (‘mn.’) 101.) and to cases of declared war or occupation (Gerhard Werle/Florian
Jessberger, Principles of International Criminal Law (3rd edn., OUP 2014) [Principles] mn.).
14
More on the application of IHL to the cyber realm can be read in Part IV of this book.
15
Cf. Knut Dörmann, ‘Applicability of the Additional Protocols to Computer Network
Attacks’ (19 November 2004) ICRC <http://www.icrc.org/eng/resources/documents/misc/
68lg92.htm> accessed 22 October 2013, 2; Droege (n 4) 540–1; Dinniss (n 5) 260–1; William H
Boothby, ‘Methods and means of cyber warfare’ (2013) 89 Int’l. L. Studies 387, 400.

/ Date: 8/5
2. CYBER ATTACKS AS WAR CRIMES
(a) Preliminary Remark
War crimes are nowadays most comprehensively defined in Article 8 ICC Statute
containing 53 individual offences all based on the primary prohibitions of the Hague
and Geneva Laws.16 Pursuing a structural and systematic approach focusing on the
interests and rights protected one can distinguish between basic offences against
protected persons and objects, attacks on civilian population and objects (prohibited
means of warfare) and other offences (including prohibited methods of warfare).17
Cyber attacks may constitute such offences if they meet their objective (actus reus) and
subjective (mens rea) requirements. This cannot be determined in the abstract but
depends on the concrete circumstances of each case. At any event, the application of
the war crimes regime to any form of attack – be it by traditional kinetic or modern
cyber means – is predicated on the existence of the general requirements for the
application of IHL to the case at hand. Thus, these general requirements must be
examined first before analyzing how the traditional IHL principles play out in the field
of cyber attacks.
(b) General Requirements
(i) Existence of an armed conflict18

According to Common Article 2 of the Geneva Conventions (GC),19 the application of
IHL is predicated on the existence of an armed conflict. The term is not positively
defined in written IHL but the International Criminal Tribunal for the Former
Yugoslavia (ICTY) has provided a generally accepted definition in its seminal Tadić
(Jurisdictional Decision). Accordingly, ‘an armed conflict exists whenever there is a
resort to armed force between States or protracted armed violence between governmen-
tal authorities and organized armed groups or between such groups within a State.’20
16
On these primary rules see Kai Ambos, Treatise on International Criminal Law. Volume
I: Foundations and General Part (OUP 2013) 11 et seq.
17
Cf. Kai Ambos, Treatise of International Criminal Law. Volume II: The Crimes and
Sentencing (OUP 2014) 164 et seq.
18
See also Arimatsu (Ch 15 of this book).
19
Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in
Armed Forces in the Field (adopted 12 August 1949, entered into force 21 October 1950) (GC I)
75 UNTS 31 (GC I); Convention II for the Amelioration of the Condition of Wounded, Sick and
Shipwrecked Members of Armed Forces at Sea. Geneva Field (adopted 12 August 1949, entered
into force 21 October 1950) 75 UNTS 85 (GC II); Convention relative to the Treatment of
Prisoners of War Field (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS
135 (GC III); Convention relative to the Protection of Civilian Persons in Time of War Field
(adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 267 (GC IV).
20
Prosecutor v Tadić, ICTY (Jurisdiction) ICTY-94-1-AR (2 October 1995) [Tadić
Jurisdictional Decision] [70]; Prosecutor v Lubanga (Confirmation of Charges) ICC-01/04-
01//06 (27th January 2007) [209]; cf. Werle/Jessberger (Principles) (n 13), mn. 1078; Antonio
Cassese and others, Cassese’s International Criminal Law (3rd edn., OUP 2013) 66.

/ Date: 15/5
Thus, what is of relevance is the employment of armed force and its attribution to one
of the parties to the conflict.21
The same principles apply to cyber attacks22 as long as there is no specific definition
of ‘war’ or ‘armed conflict’ for this kind of attack.23 Thus, one should first of all
distinguish between a situation where such an attack is part of an ongoing (conven-
tional) armed conflict or where it is carried out independently of such a conflict (i.e.,
where such a conflict does not exist in the first place or only at a different time).24
Given that in the former case the armed conflict threshold is passed anyway by the
recourse to conventional armed force, the question of a separate assessment of the
quality of a CNA arises only in the latter case of – what could be called – a ‘pure’
cyber attack. In such a case it must be inquired whether armed force has been
employed25 and whether this can be attributed to one party to the conflict.
Whether armed force has been employed may be determined by looking at the means
or instruments employed – ‘means approach’ – or at the effects, consequences or results
generated by this employment – ‘(equivalent) effects approach.’26 The former approach
would have difficulties to consider a CNA as an ‘armed’ use of force since the
computer systems employed to carry out such an attack cannot be considered ‘arms’ in
21
Cf. Ambos (n 17) 123.
22
Droege (n 4) 543 et seq.; Dinniss (n 5) 126 et seq.; generally more cautiously Lin (n 2)
515 et seq. (concluding that many of the traditional IHL assumptions ‘either are not valid in
cyberspace or are applicable only with difficulty’, at 530).
23
See for an enlarged definition of the concept of ‘war’ Annex 1 of the Agreement between
the Governments of the Member States of the Shanghai Cooperation Organisation on
Cooperation in the Field of International Information Security (adopted 16 June 2009) quoted in
Melzer (n 4) 22 and Droege (n 4) 535. This Annex defines ‘information war’ as a:
confrontation between two or more states in the information space aimed at damaging
information systems, processes and resources, critical and other structures, undermining
political, economic and social systems, mass psychologic brainwashing to destabilize society
and state, as well as to force the state to taking decision in the interest of an opposing party.
24
Dinniss (n 5) 127 et seq. distinguishes between three situations: during ongoing armed
conflict, independent of such an armed conflict and accompanying conventional use of force not
as such amounting to an armed conflict. The last situation may, however, be grouped together
with the first since in both cases conventional armed and cyber attacks happen together with a
lower degree of conventional force in the last situation. For Melzer (n 4) 24 cyber operations
‘not accompanied by a threat or use of conventional military force’ would normally not pass the
armed conflict threshold but ‘most likely be regarded as a criminal threat to be addressed
through law enforcement measures’.
25
Insofar the difference between ‘attack’ (as defined in art 49 (1) AP I) and the broader
concept of military ‘operation’ (see for e.g., art 51(1) AP I; for a discussion see Droege (n 4) 554
et seq.) is not relevant since in both situations armed force is employed. See with regard to the
principle of distinction (art 48 AP I) however infra (n 91).
26
The three relevant approaches (instrumentality-, target- and consequence-/effects-based)
have been developed with regarding to the ius ad bellum concept of an ‘armed attack’ (art 51 UN
Charter) see Hathaway et al. (n 3) 845–6; Weissbrodt (n 4) 363–4) but can be applied in the ius
in bello context of the armed conflict threshold as well.

/ Date: 24/3
the traditional sense since they lacking any kinetic expression of force.27 In any case,
such an approach does not only ignore the modern understanding of use of force which
does not focus on the weapons employed.28 It also fails to capture the special quality of
cyber attacks which is expressed in the effects of such attacks as compared to
traditional (kinetic) armed attacks. Thus, one should follow the effects approach.29
An effects-based reading is not excluded by the definition of an ‘armed attack’ as
‘acts of violence against the adversary’ (Art. 49 (1) AP I). For ‘violence’ can also be
brought about by the violent effects of a CNA producing a lasting harmful result.30
Thus, if a CNA brings about the replacement of a physical part of an attacked computer
network,31 it reaches the armed force or armed attack threshold of IHL.32 This confirms
that the crucial issue is not the nature of the attack in terms of its means but of its
effects. This entails, in contrast, that a CNA not causing any (lasting) physical or
serious functional damage (e.g., a temporary shutdown/breakdown of a computer
system) does not reach the armed conflict threshold.33 Of course, the effects of an
attack must be assessed in a broad sense. While a CNA may only produce limited
damage on the attacked system as such the broader effects may nevertheless produce
serious consequences, for example, if a large dam was regulated by this system and its
deactivation entails widespread flooding. Thus, the question is always whether a cyber
attack causes comparable or analogous damage to a traditional armed attack.34 In this
regard, also the equal treatment of ‘destruction, capture and neutralization’ in Article
27
On the differences between traditional warfare and cyber warfare insofar see: Lin (n 2)
520 et seq.; see also Nils Melzer, ‘Cyber operations and ius in bello’ (2011) 4 Disarmament
Forum 3, 5.
28
Cf. Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ
Rep 226 para. 39 (‘any use of force, regardless of the weapons employed’); conc. Tallinn
Manual (n 6) 42; Melzer (n 4) 13; Weissbrodt (n 4) 356; Boothby (n 15) 391; on the concept of
weapon with a view to the military advantage achieved Dinniss (n 5) 68–70.
29
Tallinn Manual (n 6) 107; in the same vein Richard W Aldrich, ‘The international legal
implications of information warfare’ (1996) 10 Airpower Journal 99; Dinniss (n 5) 74, 123,
131–2; Michael Schmitt, ‘Cyber operations and the jus in bello: Key issues’ (2011) 87 Int’l. L.
Studies 89, 92 et seq.; Melzer (n 4) 7, 24; Emily Haslam, ‘Information warfare: Technological
changes and international law’ (2000) 5(2) J. Conflict & Sec. L. 157, 170; Lülf (n 12) 77–8 (also
focusing on the effects of a cyber-operation and arguing that it reaches the threshold ‘whenever’
it ‘endangers protected persons or objects’ and ‘is more than a sporadic and isolated incident’);
Boothby (n 15) 389 (‘critical factor … injurious or damaging effect ‘), 402; Dörmann (n 15) 3
(‘degree of damage’); Lubell (n 11) 262–3, 265, 275 (‘violent effects’, ‘harm caused’);
Weissbrodt (n 4) 364 (regarding armed attack); Hathaway and others (n 3) 845, 847–8; crit.
because of a too high threshold Katherine C. Hinkle, ‘Countermeasures in the cyber context:
One more thing to worry about’ (2011) 37 Y.J.I.L. Online 11, 11–2, 21 (regarding the alleged
Russian cyber-attack on Estonia in 2007); crit. because of uncertainties with regard to the
concrete application Kessler and Werner (n 6) 808.
30
In the same vein Schmitt ibid. 93–4; Melzer (n 4) 26.
31
32
Schmitt (n 29) 93; see also Yoram Dinstein, ‘Computer network attacks and self-defense’
(2002) 76 Int’l. L. Studies 99, 103; Melzer (n 27) 7.
33
Melzer (n 27) 7; Schmitt (n 29) 95; similar: Swanson (n 9) 323; more detailed Tallinn
Manual (n 6) 106–107.
34
Droege (n 4) 546.

/ Date: 24/3
52(2) AP I seems to suggest a more flexible interpretation since it shows that

neutralization of a military objective may produce a military advantage and thus may
have the same effect as the destruction of this object.35 Indeed, the drafters of Article
52(2) AP I had in mind that an attack ‘for the purpose of denying the use of an object
to the enemy’ may have the same military effect as the destruction of this object.36 In
other words, a cyber operation leaving the targeted object physically intact but
neutralizing it in its functionality may amount to a militarily relevant attack,37 at least if
the operation disables the ‘critical infrastructure’ of the respective State.38 Of course,
minor disruptions, like the shutdown of a TV broadcasting system, do not constitute
military attacks; in fact, they normally cause less inconvenience than economic or
psychological warfare39 and these do not fall under the definition of an attack.40
Articles 51(5)(b), 57(2)(a)(iii) and 57(2)(b) AP I confirm this view since they only
mention physical consequences of armed attacks.41
In sum, pursuant to the effects approach, a CNA as defined above, i.e., as an attack
causing considerable human and other damage or a serious disruption of a computer
system, will normally amount to the employment of armed force and thus constitute a
militarily relevant attack.42 Of course, the amount of casualties alone does not turn a
conflict into an armed conflict,43 the quality of the attacks – against protected persons
and objects – always plays an important role in assessing the nature of the conflict.44
This speaks in favor of a combination of different factors, the effects being the most
important one, but nature and means of the attack to be taken into account.45 The same
test can be applied with regard to the necessary intensity and duration – ‘protracted
35
Cf. Dörmann (n 15) 4, 6; crit. Schmitt (n 29) 95–6 (warning of over-inclusivity and
arguing that art 52(2) AP I is predicated on the existence of an ‘attack’ and that may exclude
mere cyber-operations); Dinniss (n 5) 197–8; for a nuanced approach Melzer (n 4) 26 (arguing
that both positions have strong points).
36
Cf. Droege (n 4) 558.
37
Ibid. 559 (‘operations that disrupt the functioning of objects without physical damage or
destruction, even if the disruption is temporary’); see also Boothby (n 15) 389–90 (arguing, with
regard to ‘data’, that it ‘only becomes an “object” when it is critical to the operation of the
targeted system’): Lubell (n 11) 265–6 (criticizing an exclusive focus on physical damage).
38
On this criterion with definitions (regarding ius ad bellum) Melzer (n 4) 14–6.
39
Schmitt (n 29) 95; in a similar vein ibid. 26.
40
Droege (n 4) 559; see also Boothby (n 15) 403 (emphasizing that ‘only death, injury,
damage or destruction to protected persons or objects’ should be considered); with respect to
state practice Schmitt (n 29) 95, 103.
41
Michael Schmitt, ‘Wired warfare: Computer network attack and ius in bello’ (2002) 84
I.R.R.C. 365, 377–8.
42
Ibid. 374; Droege (n 4) 545 et. seq., 560, 578; Dinniss (n 5) 123, 131, 137–8 (threshold
of ‘significant seriousness’); Melzer (n 27) 5; Droege (n 4) 14 (critical towards the requirement
of consequence equal to traditional armed attacks); Tallinn Manual (n 6) 106; Haslam (n 29)
170; Swanson (n 9) 314–5.
43
Jean Pictet (ed.), Commentary on the Geneva Convention for the Amelioration of the
Condition of the Wounded and Sick in Armed Forces in the Field (1952, ICRC reprint 2006)
[Pictet, GC I’] 32 (‘It makes no difference how long the conflict lasts, or how much slaughter
takes place.’).
44
Schmitt (n 41) 373.
45
On such a combined approach Droege (n 4) 547–8.

/ Date: 24/3
armed violence’46 – of a (non-international) armed conflict47 which presupposes a

series of attacks lasting a considerable amount of time.48 It is questionable, however,
whether, in addition, a specific intent to cause injury and destruction, the foreseeability
of these consequences should also be required.49 While such a ‘subjectification’ may
further restrict the effects criterion and in particular avoid a mere quantitative
assessment,50 it seems to conflate the per se objective armed conflict/attack threshold
with the requirements of individual criminal responsibility and thus appears theoret-
ically incoherent. In addition to that that, it would also entail difficult evidentiary
problems.
The second requirement – the attribution of a CNA to one of the parties to the
conflict – may be more difficult to fulfil. Attribution is practically impossible if the
attacker cannot be identified, i.e., the attack comes out of the anonymity of the World
Wide Web and cannot be traced back to a specific user belonging to a party to the
conflict.51 But even if the attack is carried out by identifiable individuals or groups the
question arises whether they are parties to a conflict or whether their acts can be
attributed to a party to the conflict, in particular a State. As to the former question, the
answer depends on a sufficient degree of organization of these groups, i.e., the required
command, control, discipline and hierarchy characteristic for IHL armed groups.52
Groups of persons (‘hackers’) with a mere virtual existence normally lack these
features;53 also, a spontaneous collective attack (like a denial-of-service attack) finding
more and more online followers, does not comply with the organization requirement.54
As to a possible attribution of the acts of these groups to a State the ILC’s rules on
46
Cf. Tadić Jurisdictional Decision (n 20) [70]; incorporated in art 8 (2)(f) ICC Statute
(adopted 17 July 1998, entered into force 1 July 2002, 2187 UNTS 3); see also Schmitt (n 29)
106.
47
48
Melzer (n 4) 24–5 (arguing that the precise threshold has not yet been defined); Dinniss
(n 5) 131. For Hathaway and others (n 3) 850 and Robin Geiss, ‘Cyber warfare: Implications for
non-international armed conflict’ (2013) 89 Int’l. L. Studies 627, 633–4, the necessary threshold
has not yet been reached in practice by an isolated CNA. Kessler and Werner (n 6) 800 generally
point out that there has been, apart from the Stuxnet attack, ‘no incident of cyberwar that
inflicted the widespread devastation and damage usually associated with “war”.’
49
In this sense Schmitt (n 41) 374 (‘either intended to cause injury, death, damage or
destruction … or such consequences are foreseeable.’); also Schmitt (n 29) 94–5; emphasizing
the intention of the attacker also Dinniss (n 5) 132–3.
50
In this vein Melzer (n 4) 16.
51
Cf. Droege (n 4) on the problems of attribution in light of the anonymity of the attacker
(541, 543–5); see also Goldsmith (n 10) 131–2, 134; Hinkle (n 29) 17–8; Dinniss (n 5) 99–102;
Kessler and Werner (n 6) 799.
52
See for the definition Ambos, Treatise ICL II (n 17) 125–6; in our context Schmitt (n 29)
105–6; Geiss (n 48) 634; Dinniss (n 5) 124–5.
53
Droege (n 4) 550–1; Geiss (n 48) 635–6; Melzer (n 4) 24; for a different view apparently
Michael Schmitt, ‘Classification of cyber conflict’ (2012) 17(2) J. Conflict & Sec. L. 245, 256
(arguing that ‘such groups can act in a coordinated manner against the government … take
orders from a virtual leadership, and be highly organized.’).
54
Geiss (n 48) 635.

/ Date: 24/3
State responsibility for wrongful acts55 provide a useful guidance.56 Accordingly, the
fact that a ‘rough’ State may always lay blame for a CNA from its territory on private
hackers in order to elude its State responsibility57 is not relevant in this context since
the existence of an armed conflict with the respective parties will be determined
objectively.
(ii) Geographical scope of the armed conflict

In an international armed conflict between two or more States the hostilities take normally
place in these States or at least in one of them (for example in case of an invasion in this
State). As to a non-international armed conflict Common Article 3 GC I-IV requires the
conflict to take place ‘in the territory of one of the High Contracting Parties.’ Other
provisions58 and the international case law confirm that there must be a territorial link or
nexus of some sort. The Tadić Jurisdictional Decision referred to armed violence ‘within a
State’59 and the ICC Bemba PTC to ‘the confines of a State territory.’60
However, cyber-attacks defy any geographical limits by state territories or borders.61
They may originate in a mobile device moving between different states, pass through a
server or servers located in other states and finally hit the target in yet another state. If
each device or network involved in a cyber attack would become a targetable military
objective this would entail a kind of ‘total cyber war’ breaking up any traditional
geographical limits of the battlefield 62 with ‘far-reaching destabilizing effects on
relations between States.’63 Focusing on the effects of a CNA64 does not mitigate the
risk of such an extension of cyber violence since counter-attacks would always target
55
Cf. ILC, Articles on Responsibility of States for Internationally Wrongful Acts, with
Commentaries (2001) Report of the ILC, 53rd Session (23 April to 1 June and 2 July to 10
August 2001) UN Doc A/56/10 (2001) 20, arts 4–9 (establishing the rules of attribution of acts
of state organs or private groups or agents to a State). On the effective vs. the overall control test
(ICJ Nicaragua vs. ICTY Tadić) in this context see Schmitt (n 29) 104–5. Discussing possible
(‘reciprocal’) countermeasures Hathaway and others (n 3) 857–9; Hinkle (n 29) 14 et seq.;
regarding the ius in bello Dinniss (n 5) 75 et seq.
56
Droege (n 4) 544.
57
Cf. Goldsmith (n 10) 135.
58
Cf. art 1 AP I, and relating to the Protection of Victims of Non-International Armed
Conflicts (adopted 12 December, entered into Force 7 December 1978) 1125 UNTS 609 [AP II],
Art. 8(2)(f) ICC Statute.
59
Ambos (n 17) and main text. See also Prosecutor v. Blaskić (Judgement) ICTY-95-14-T
(3 March 2000) [63]– [64]; Prosecutor v. Hadžihasanović and Kubura (Judgement) ICTY-01-
47-T (15 March 2006) [14]; Prosecutor v. Limaj et al.(Judgement) ICTY-03-66-T (30 November
2005) [84]; Prosecutor v. Milutinović et al. (Judgement) ICTY-05-87-T (26 February 2009)
[127]; Prosecutor v. Perišić (Judgement) ICTY-04-81-T (6 September 2011) [72].
60
Prosecutor v. Bemba (Confirmation of Charges) ICC-01/05-01/08 (15 June 2009) [231].
61
Geiss (n 48) 631, 637; Goldsmith (n 10) 131.
62
Droege (n 4) 565–6.
63
Geiss (n 48) 640.
64
Dinniss (n 5) 135.

/ Date: 24/3
those computers, devices or networks that caused the said effects, and would probably
spread over different territories. A limitation would only be possible if the cyber attack
could be traced back to the computer or device where it originated and if only this
could be a lawful target of a counter attack.
(iii) Nexus between a CNA and the armed conflict

Under conventional IHL the respective war crime must be related to the armed
conflict.65 This so called nexus requirement has been interpreted broadly though, i.e., a
functional relationship between the respective acts and the conflict suffices, but the
respective crimes must not be committed merely on the occasion of the armed conflict,
taking advantage of the resulting chaos.66 To determine the nexus a series of factors
may be taken into account.67
It is clear that a CNA also requires a nexus with an ongoing armed conflict.68 Such
a nexus can be taken to exist if, as under conventional IHL,69 the perpetrator would not
have been able to carry out the attack without the armed conflict.
(iv) Responsible agent

Any person, including a private contractor, acting on behalf of one of the parties to the
conflict, can commit a war crime.70 In the cyber context the participation of civilians is
of particular relevance since especially in this area the recourse to and the reliance on
civilian expertise is indispensable.71 These civilians may be formal members of the
armed forces, including of irregular forces within the meaning of Article 4A(2) GC III,
65
Tadić Jurisdictional Decision (n 20) [70]; Prosecutor v. Aleksovski (Judgement) ICTY-
95-14/1-T (25 June 1999) [45]; Prosecutor v. Musovic et. al. (Judgement) ICTY -96-21-T (16
November 1998) [193]; see also Werle/Jessberger (Principles) (n 13) mn. 1109 et seq. (with
further references).
66
Ambos (n 17) 141.
67
Prosecutor v. Kunarac, Kovac & Vokovic (Appeals Judgement) ICTY-96-23 & ICTY-96-
23/1-A 12 June 2002 [59]
take into account, inter alia, the following factors: the fact that the perpetrator is a combatant;
the fact that the victim is a non-combatant; the fact that the victim is a member of the
opposing party; the fact that the act may be said to serve the ultimate goal of a military
campaign; and the fact that the crime is committed as part of or in the context of the
perpetrator’s official duties.
Concurring Prosecutor v. Katanga & Ngudjolo Chi (Confirmation of Charges) ICC-01/04-01/07-
717 (30 September 2008) [382].
68
Tallinn Manual (n 6) 76; Melzer (n 4) 23.
69
See in this regard Werle/Jessberger (Principles) (n 13) mn. 1111.
70
Jean Pictet (ed.), Commentary on the Geneva Convention relative to the Protection of
Civilian Persons in Time of War (1958, reprint 1994) 212; Werle/Jessberger (Principles) (n 13)
mn. 1113; Tallinn Manual (n 6) 77.
71
Turns (n 1) 289–90 (with a useful distinction of the tasks to be fulfilled); Hathaway and
others (n 3) 854; Lülf (n 12) 79.

10 / Date: 15/5
and as such possess combatant72 and POW status.73 The same applies to members of
organized armed groups74 and participants in a ‘levée en masse’.75 Contract personal
may also be assimilated to mercenaries who do not have combatant or POW status.76
In all other cases civilians lose immunity from attack if they take ‘direct part in
hostilities’.77 This is generally the case if they fulfill three minimum requirements:78 (1)
the respective act must negatively affect the adversary’s military capacity or inflict
substantive harm on him (threshold of harm); (2) a direct link between the act and the
harm inflicted exists (direct causation); (3) the act must be related to the hostilities
(belligerent nexus).79 These criteria can also be applied in the cyber context although
some cyber-specific questions exist, for example, how cyber active civilians should
distinguish themselves from ordinary civilians.80 If a civilian takes direct part depends,
of course, on the circumstances of the specific case81 but a clear-cut example would be
a civilian preparing and activating a virus to be sent to the computer network of another
State since in this case the civilian would actually conduct a cyber attack.82 Also, a
direct participation would generally exist if the attack would not have been possible
without the special expertise of the civilian.83 In contrast, there would be no direct
participation if the civilian only possesses a merely inferior support function84 or if he
only makes malware available online.85
72
This cuts both ways: they would then benefit from the combatant privilege (immunity
from prosecution for lawful acts of war) but would also be lawful target, i.e., lose civilian
immunity.
73
In the case of art 4A(2) GC III they must fulfil the four requirements indicated there; see
generally Melzer (n 4) 34; Turns (n 1) 290; Dinniss (n 5) 140 et seq.
74
Nils Melzer, lnterpretive Guidance on the Notion of Direct Participation in Hostilities
under International Humanitarian Law (ICRC 2009) 31; conc. Schmitt (n 29) 98. On the criteria
see already supra Ambos (n 52) with main text.
75
Cf. art 4A(6) GC III.
76
Cf. art 47(2) AP I; see also see also Dinniss (n 5) 172–5; Turns (n 1) 294.
77
Cf. arts 3 GC I-IV, 51(3) AP I, 13(3) AP II and Tallinn Manual (n 6) Rule 35. See also
Bannelier-Christakis (Ch 16 of this book).
78
These are criteria which resulted from the ICRC consultation process, cf. Melzer (n 74)
46; conc. Schmitt (n 29) 101; Dinniss (n 5) 165–6; see also Ambos (n 17) 156; Turns (n 1) 286.
They have also been adopted by the Tallinn Manual (n 6) 119–20. For a more thorough
treatment see Dinniss (n 5) 161 et seq.
79
This last criterion rules out purely criminal conduct, cf. Tallinn Manual (n 6) 120.
80
Cf. Melzer (n 4) 29–30; Dinniss (n 5) 145 et seq. (especially referring to art 44(3) AP I).
81
For a discussion see Turns (n 1) 286–9, 294–5 (demonstrating the uncertainty of these
criteria and presenting a useful table with possible examples).
82
Tallinn Manual (n 6) 120 with further examples; see also Lin (n 2) 526; Dinniss (n 5) 167.
83
Cf. Melzer (n 74) 53 (‘where the expertise of a particular civilian was of very exceptional
and potentially decisive value for the outcome of an armed conflict …’).
84
Louise D. Beck, ‘Some Thoughts on Computer Network Attack’ (2002) 76 Int’l. L.
Studies 163, 171 (arguing that technicians ‘that actually undertake the attacks’ would be
considered civilians taking direct part in hostilities and would therefore be subject to counter-
attack without the right to POW status pursuant to art 4 (4) GC III); conc. Dörmann (n 15) 9
(‘executing’ a CNA versus mere maintenance of computer networks); Turns (n 1) 293; for a
more nuanced approach Dinniss (n 5) 167–72 (excluding only ‘routine systems maintenance’).
85

11 / Date: 24/3
Here again the issue arises, already discussed above with regard to the attribution
requirement, how to treat a group of hackers which organizes a spontaneous resistance
activity and attacks the computer networks of an occupying force? Does such a group
of persons qualify as an organized armed group as defined above and could for that
reason be attacked?86 Or could their acts attributed to a party to the conflict? Or does
such an activity amount to a ‘levée en masse’ mentioned above? This would require
consideration of the computers or software of the hackers as ‘arms’ carried ‘openly’
(Art. 4A(6) GC III) and their conduct as a spontaneous act of resistance.87
Finally, as to the duration of the participation (‘for such time’) and a (definite)
withdrawal of a cyber participant the traditional problems88 are even magnified in the
cyber context. If one would consider it sufficient that a cyber participant interrupts his
activity for a moment – parallel to a (temporal) withdrawal from the battlefield – it
would become practically impossible to counter-target him since the actual cyber attack
only lasts minutes and the virtual battlefield, in any case, may be the private PC of the
hacker in his apartment. It is for this reason that the duration of the participation should
last as long as the cyber participant engages in repeated cyber operations.89
(c) IHL principles
The commission of a concrete war crime depends to a large extent on the understand-
ing of the traditional IHL principles, i.e., the principles governing the conduct of
hostilities,90 in particular the principles of distinction, proportionality and precaution.91
This is not different with regard to cyber attacks or, more broadly speaking, cyber
operations92 which qualify as ‘hostilities’ in this sense.93 Thus, for example, to
86
See for a discussion Schmitt (n 29) 98–101 (identifying as the hard cases the ones of
persons acting with a common purpose).
87
Rather sceptical Turns (n 1) 293; see also Melzer (n 4) 34 (questioning how the
requirement of ‘carry arms openly’ should be interpreted).
88
Cf. Ambos (n 17) 157 et seq.
89
Schmitt (n 29) 102; the issue was controversial within the Tallinn expert group, cf.
Tallinn Manual (n 6) 121–2.
90
According to the ICRC ‘the concept of “hostilities” refers to the (collective) resort by the
parties to the conflict to means and methods of injuring the enemy, and could be described as the
sum total of all hostile acts carried out by individuals directly participating in hostilities’ (Melzer
(n 74) 43, 44).
91
On the prohibition of perfidy (art 37 AP I) and the difficult delimitation to lawful ruses in
our context see Beck (n 84) 171; Dörmann (n 15) 10–12; Melzer (n 4) 32–3; more recently
Dinniss (n 5) 261–5, 278; Boothby (n 15) 404.
92
These principles apply not only in the context of ‘attacks’ (within the meaning of Art. 49
(1) AP I) but also in the context of broader ‘military operations’ as clearly follows from art 51
(1) and 57 (1) AP I referring explicitly to the latter (cf. Dinniss (n 5) 196 et seq.; in the same
vein Droege (n 4) 555–6; Melzer (n 4) 27; stressing however the difference Schmitt (n 29) 91–3
(arguing that ‘operation’ in art 48 AP I is to be understood as ‘attack’); Lubell (n 11) 261; in a
similar vein the majority of the drafters of the Tallinn Manual (n 6) 177 [with regard to art 58(c)
AP I] ).
93
The threshold is lower than that for an ‘attack’ (art 49(1) AP I, supra note 26 and main
text), cf. Melzer (n 4) 28–9.

12 / Date: 24/3
determine whether the war crime of an intentional attack on civilian objects (Art.
8(2)(b) (ii) ICC Statute) has been committed by way of a CNA, one must distinguish
between civilian and military objects. Similarly, to decide whether a CNA causes
disproportional collateral damage the meaning of proportionality in this context must
be determined.
(i) Principle of distinction94

The distinction between, on the one hand, civilians and combatants and, on the other,
civilian objects and military objectives lies at the heart of IHL and is embodied in
Article 48 AP I.95 It is ‘part of customary international law applicable in both
international and non-international armed conflicts.’96 The principle is often decisive in
determining whether attacks on persons or objects qualify as war crimes or as lawful
acts in armed conflict. It also applies to cyber attacks,97 ‘attack’ to be determined
pursuant to the effects approach discussed above. As to civilians not formal members of
the armed forces or an organized armed group the question of ‘direct participation’ just
discussed arises turning them eventually into military targets.
Particular problems of delimitation arise with regard to the distinction between
civilian objects and military objectives.98 The term ‘civilian object’ is defined in Art. 52
(1) AP I in a negative sense, i.e., as ‘all objects which are not military objectives’.
Military objectives are ‘limited to those objects which by their nature, location, purpose
or use make an effective contribution to military action and whose total or partial
destruction, capture or neutralization, in the circumstances ruling at the time, offers a
definite military advantage.’99 This is a two-pronged test with the terms ‘effective’ and
‘definite’ being most controversial. The ICRC defines the requirement of ‘effective
contribution’ quite narrowly limiting it to purely military targets and excluding
objectives of uncertain advantage.100 A broader view, defended in particular by the US,
includes attacks on targets which limit the enemy’s war-fighting or -sustaining
capabilities.101 Ultimately, the decision must be taken on account of the nature,
94
See also Bannelier-Christakis (Ch 16 of this book).
95
Article 48 AP I reads: ‘In order to ensure respect for and protection of the civilian
population and civilian objects, the Parties to the conflict shall at all times distinguish between
the civilian population and combatants and between civilian objects and military objectives and
accordingly shall direct their operations only against military objectives.’
96
Jean-Marie Henckaerts, Louise D. Beck and Carolin Alvermann, ICRC Study on
Customary International Humanitarian Law, Volume I: Rules (CUP 2005) [ICRC Study I], 25;
see also ibid., rules 1–10 with 3 et seq.
97
Tallinn Manual (n 6) rules 31 and 110.
98
See generally with regard to the distinction between civilians (protected persons) and (de
facto) combatants Ambos (n 17) 146 et seq.
99
Article 52(2) AP I (emphasis added); for a discussion see Dinniss (n 5) 184 et seq.; see
also Schmitt (n 41) 380; Geiss (n 48) 639–40.
100
Claude Pilloud et al., Commentary on the Additional Protocols of 8 June 1977 to the
Geneva Conventions of 12 August 1949 (Nijhoff 1987) 636.
101
Cf. Art. 52(2) AP I; see also Schmitt (n 41) 381; crit. Droege (n 4) 567–8; Dinniss (n 5)
188–9.

13 / Date: 24/3
location, purpose, or use of the target,102 expressing a close nexus between the targeted
object and military action.103 Thus, the decision will always be context-related and on
a case-by-case basis. For example, if combat takes place in a per se civilian area but
civilian buildings like schools or churches are taken as cover by combatants or
insurgents, those buildings turn into military objectives;104 of course, absolute prohib-
itions, e.g. regarding medical establishments,105 must always be respected.106
Another question in this context is whether data can be considered a protected
object. The mainstream position that the term ‘objects’ only covers tangible and visible
objects and not data itself,107 takes a too traditional approach relying on the old
interpretation of the rule which had been developed when the possibility of cyber
attacks must have appeared as mere science fiction. From a modern perspective the
difference between physical and virtual objects becomes, at least in the cyber context,
blurred; therefore, data should, in principle, be covered by the protection.108 In any
case, pursuant to the effects approach one has to look at the overall harm caused
instead of the isolated physical damage.109
The key problem of the applicability of the principle of distinction is the intercon-
nectivity between military and civilian computer systems and the mostly dual-use of
cyber infrastructure.110 Dual-use objects serve both civilian and military purposes but,
as a matter of the law of armed conflict (i.e., a consequence of the principle of
distinction), an object is either of a civilian or military nature.111 In fact, as a rule,
dual-use objects are qualified as military objectives since they normally contribute to
military purposes, i.e., the first prong of the Article 52(2) AP I definition is fulfilled.112
However, the alleged military contribution must effectively be demonstrated and cannot
merely be presumed.113
102
Stefan Oeter, ‘Methods and Means of Combat’ in Fleck (n 13) mn. 442 (‘The formula
used constitutes a general criterion the existence of which can be judged in abstracto’).
103
104
Dörmann, ‘§ 11 VStGB’ in Joecks and Miebach, Münchener Kommentar zum Strafgesetz-
buch, (Vol. 8, 2nd ed, C.H. Beck 2013), mn. 54.
105
Cf. art 19 GC I, art 18 GC IV, art 12 AP I; see also arts 54–56 AP I.
106
For a comprehensive discussion of such prohibitions in our context see Dinniss (n 5) 220
et seq.; see also Dörmann (n 15) 6 et seq.
107
108
In a similar vein Lubell (n 11) 267–8, 271; Melzer (n 27) 11; Melzer (n 4) 31 (both
considering data as ‘objects‘); Dinniss (n 5) 184–5 (focusing on the aim or purpose of an
operation).
109
In the same vein Schmitt (n 29) 96.
110
Melzer (n 4) 30; Droege (n 4) 539, 541; Tallinn Manual (n 6) 169; Turns (n 1) 296–7;
Hathaway and others (n 3) 852–3; Goldsmith (n 10) 134; Dinniss (n 5) 193–5.
111
Cf. Tallinn Manual (n 6) rule 39 and 134 (‘As a matter of law, status as a civilian object
and military object cannot coexist; an object is either one or the other’).
112
cf. ibid. (‘confirms that all dual-use objects and facilities are military objectives, without
qualification’); in the same vein Droege (n 4) 562–3.
113
Dominik Steiger, ‘Civilian objects’, in Rudiger Wolfrum (ed.) Max-Planck-Encyclopedia
of Public International Law (OUP 2008–2013) mn. 12 (‘In the majority of cases, dual-use
objects have to be considered military objectives. However, this is only true as long as the object
makes an effective contribution to military action by its nature, location, purpose and use and if

14 / Date: 24/3
Given that there is no clear-cut separation between civilian and military computer
systems, i.e., that any computer system can be used for both civilian and military
purposes at the same time or interchangeably, the distinction is ‘largely impossible’
and, therefore, the protection offered by the principle of distinction of a limited
practical importance.114 Of course, this also depends on the broader or narrower
reading of the principle and the particular circumstances of the case. In general, it
seems quite plausible to argue that a per se civilian computer system loses its civilian
status if it is used to support military ends.115 For example, if a conflict party uses a –
per se civilian – information system of a hospital to launch cyber attacks these
information systems turn into military objectives.116 It is more difficult to draw the line
if one refers to a whole cyber infrastructure, including the internet. As the military
relies to a large extent on civilian cyber infrastructure in all its operations,117 including
preparing and carrying out an attack, one may argue that this infrastructure per se –
including the IT companies providing and supporting it or even social networks like
Facebook or Twitter118 – makes an effective contribution to the military effort and thus
its destruction offers a definite military advantage.119 Still more broadly one could
argue that such a military use of civilian cyber infrastructure contaminates this
infrastructure to a degree that it turns into a military objective. In this vein, the Tallinn
expert group argues that in cases in which it is unclear, which internet connections are
used for military transmissions, the whole network qualifies as a military target.120 If
one goes even further and let it suffice – contrary to the view defended here – that the
military has the intent to use a civilian cyber infrastructure for military purposes in the
its destruction offers a definite military advantage in the circumstances ruling at the time.’);
ICRC Study I (n 96) 32 (‘As far as dual-use facilities are concerned … practice considers that
the classification of these objects depends, in the final analysis, on the application of the
definition of military objective.’); William J. Fenrick,’ Targeting and proportionality during the
NATO bombing campaign against Yugoslavia’ (2001) 12 E.J.I.L. 489, 494 (‘[It] is situation
dependent. … [Dual-use] objects may become military objectives in certain conflicts depending
on various factors, including the strategic objectives of the parties to the conflict and the degree
to which the conflict approaches total war.’). For a more nuanced view see also Robin Geiß and
Henning Lahmann, ‘Cyber warfare: Applying the principle of distinction in an interconnected
space’ (2012) 45(3) Israel L. Rev. 381, 389 (arguing that, in the physical world, most civilian
objects have no significant military potential and therefore cannot be used in a militarily
conducive way).
114
Geiß and Lahmann ibid. 383, 384–90; in the same vein Lucian E. Dervan‚ ‘Information
warfare and civilian population: How the law addresses a fear of the unknown’ (2011) 3
Goettingen J. Int’l. L. 373, 388; Droege (n 4) 541, 562–6.
115
116
Cf. Lin (n 2) 526.
117
According to Dervan (n 114) 388, ‘it is estimated that 98 percent of all classified
governmental communications and 95 percent of all military communications in the United
States flow through civilian communication systems, not dedicated military networks.’
118
Cf. Tallinn Manual (n 6) 135–7; crit. Droege (n 4) 566–9.
119
Geiß and Lahmann (n 113) 386, 388–9.
120
Tallinn Manual (n 6) 135; cf. ibid (n 113) 388 et seq.

15 / Date: 24/3
future the whole civilian cyberspace would potentially constitute a legitimate military
target.121
A further consequence of the principle of distinction is the prohibition of indis-
criminate attacks,122 although they differ from direct attacks against civilian objects in
that the harm to the protected object does not matter to the attacker. It is questionable
whether this prohibition can be complied with at all in case of cyber attacks to the same
extent as in the case of traditional attacks. If, as argued above, a clear-cut separation
between civilian and military cyber infrastructure is not possible, an attack against a
cyber infrastructure can neither be considered clearly as an attack ‘directed at a specific
military objective’ (Art 51(4)) nor at a purely civilian object. Apart from that, the
means used in a cyber attack, for example a virus like in the Stuxnet attack against the
Iranian military installations, may not be sufficiently controllable, i.e., their effects
cannot be – by definition – reasonably limited and thus cannot be discriminate.123 If
this is the case the respective cyber attack qualifies as ‘method or means of combat the
effects of which cannot be limited’.124 In fact, as correctly asserted by Droege, there is
a twofold burden on the conflict parties: on the one hand, they may not employ cyber
weapons that are indiscriminate by nature and cannot be sufficiently controlled; on the
other hand, in each case of an attack the party has to verify whether the weapon
employed can be and is in fact directed against a specific military target.125
In sum, the principle of distinction could only play a greater role if civil and military
objects could be more clearly separated, for example by the creation of ‘digital safe
havens’ in analogy to demilitarized zones within the meaning of Article 60 AP I.126 As
the law currently stands the principles of proportionality and precaution, to be
discussed in the following, may prove to be more useful to limit cyber attacks.127
121
Geiß and Lahmann (n 113) 386; Pilloud and others (n 100) 636.
122
Cf. art 51(4) AP I:
Indiscriminate attacks are prohibited. Indiscriminate attacks are: (a) those which are not
directed at a specific military objective; (b) those which employ a method or means of
combat which cannot be directed at a specific military objective; or (c) those which employ
a method or means of combat the effects of which cannot be limited as required by this
Protocol; and consequently, in each such case, are of a nature to strike military objectives and
civilians or civilian objects without distinction.
See generally ICRC Study I (n 96), rules 11–13.
123
Boothby (n 15) 393–4; Beck (n 84) 169 called already more than ten years ago the
limited control with regard to the effects of a CAN the ‘most serious problem’; conc. Dörmann
(n 15) 5; see also Dinniss (n 5) 256–7 (discussing the issue under ‘indiscriminate weapons’).
124
Cf. art 51(4)(c) AP I.
125
Droege (n 4) 571.
126
For a critical discussion of this and other possibilities see Geiß and Lahmann (n 113)
383, 390–5; see also ibid. 576–7.
127
See also Tallinn Manual (n 6) Rule 39: ‘An attack on a military objective that is also used
in part for civilian purposes is subject to the principle of proportionality and the requirement to
take precautions in attack’; in the same vein Dervan (n 114) 388.

16 / Date: 24/3
(ii) Principle of proportionality128

The principle is part of customary international law in both international and non-
international armed conflicts.129 It sets limits to the use of means and methods of
warfare and in particular prohibits causing ‘superfluous injury or unnecessary suffer-
ing’130 and ‘widespread, long-term and severe damage to the environment.’131 It defines
indiscriminate attacks, going beyond Article 51(4) AP I, as attacks causing loss of
civilian life and damage to civilian objects which is ‘excessive in relation to the
concrete and direct military advantage anticipated.’132 Thus, an attack producing
so-called collateral damage is not unlawful per se but only if the damage is excessive
with regard to the military advantage.
The principle also applies to cyber attacks causing excessive collateral damage,133
possibly amounting to ‘superfluous injury or unnecessary suffering,’134 either during
transit using civilian infrastructure or through the attack itself.135 It offers, for the time
being, a better protection than the static, less flexible principle of distinction.136 Indeed,
if one follows the strict view that any potential military use of a civilian object turns
this object into a military objective the respective object would be a lawful target and
only the proportionality excessive standard would provide for possible limits of cyber
attacks. Take for example the case of a per se civilian cyber infrastructure like the
electricity network of a major city which is only used to a limited extent for military
purposes but for this reason would be considered dual-use and thus a lawful target. A
CNA on such an infrastructure would probably have a serious civilian impact in cutting
off all households and other civilian sites from the electricity supply. This ‘collateral’
128
See also Gill (Ch 17 of this book).
129
ICRC Study I (n 96), rule 14; Tallinn Manual (n 6) 159. See also Héctor Olásolo,
Unlawful Attacks in Combat Situations: From the ICTY’s Case Law to the Rome Statute (Nijhoff
2008) 155 et seq., 226 et seq., 256 et seq.; Helen Keller and Magdalena Forowicz; ‘A tightrope
walk between legality and legitimacy: An analysis of the Israeli Supreme Court’s judgment on
targeted killing’ (2008) 21(1) L.J.I.L. 189, 213 et seq.; Gerd Hankel, Das Tötungsverbot im
Krieg: Eine Intervention (Hamburger Edition 2011) 22 et seq.; Jason D. Wright, ‘”Excessive”
ambiguity: analysing and refining the proportionality standard’ (2012) 94 I.R.R.C. 819, 838 et
seq. (focusing especially on the ambiguous term ‘excessive’).
130
Cf. arts 22 and 23(e) Annex of the Hague Convention Respecting the Laws and Customs
of War on Land and Its Annex: Regulations Concerning the Laws and Customs of War on Land
(18 October 1907, entered into force 26 January 1910); art 35(1) and (2) AP I. See also Dinniss
(n 5) 252–6. For possible war crimes see art 8(2)(b)(iii), (x), (xx) (xxv) and (e)(xi).
131
Article 35(3) AP I; see also art 55 AP I (in relation to protected objects) and Boothby (n
15) 394. For a possible war crime see art 8(2)(b)(iv).
132
Article 51(5)(b) and 57(2)(a) (iii) and (b) AP I. For a possible war crime see art
8(2)(b)(iv).
133
Tallinn Manual (n 6) rule 51: ‘A cyber attack that may be expected to cause incidental
loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof,
which would be excessive in relation to the concrete and direct military advantage anticipated is
prohibited.’; see also Geiß and Lahmann (n 113) 395.
134
Boothby (n 15) 391–2.
135
136
Geiß and Lahmann (n 113) 395–8, 398; see also Dervan (n 114) 389.

17 / Date: 24/3
civilian harm or damage, while not contravening the principle of distinction, would
have to be balanced against the anticipated military advantage.137
Of course, the proportionality test would only be able to counter the adverse effects
of the strict reading of the principle of distinction if the collateral or incidental damage
brought about by the per se lawful CNA, i.e., ‘loss of civilian life, injury to civilians,
damage to civilian objects, or a combination thereof,’138 would be interpreted
broadly.139 Thus, collateral damage should encompass both direct and indirect effects
of cyber attacks, i.e., the ‘immediate, first order consequences’ of the attack and ‘the
delayed and/or displaced second-, third- and higher-order consequences … created
through intermediate events or mechanisms.’140 In particular, as to incidental ‘damage
to civilian objects’ a broad and dynamic interpretation is called for, including a mere
loss of functionality of an attacked civilian object in the proportionality equation.141 For
the excessive evaluation one must try to determine as precisely as possible the adverse
effects of a CNA on civilian cyber activities and relate them to the military advantage
anticipated: ‘The question is whether the harm that may be expected is excessive
relative to the anticipated military advantage given the circumstances prevailing at the
time.’142 The military advantage is to be determined equally precise (‘concrete and
direct’),143 taking into account the attack as a whole144 and prospectively (‘antici-
pated’),145 i.e., the respective commander has, on the one hand, a ‘fairly broad margin
of judgment,’146 also with regard to the possible collateral damage, but, on the other
hand, faces a reasonableness test, i.e., his judgment must withstand a reasonableness
analysis taking the ‘reasonably well-informed person in the circumstances of the actual
perpetrator’ as the relevant standard.147 Of course, the uncertainty of the indirect
second, third etc. order effects of cyber attacks makes it very difficult, perhaps
impossible, for a commander to correctly anticipate the consequences of the attack.148
It remains controversial, as in traditional IHL, whether a particularly great military
137
See also Tallinn Manual (n 6) 160 with the example of an attack on the GPS.
138
Cf. art 51(5)(b) and 57(2)(a) (iii) and (b) AP I as well as Tallinn Manual (n 6) rule 51.
139
Geiß and Lahmann (n 113) 396–7.
140
Tallinn Manual (n 6) 160; see also ibid 396; Droege (n 4) 572–3; Boothby (n 15) 390,
395, 397–8, 401.
141
In this vein Geiß and Lahmann (n 113) 397–8; Geiss (n 48) 644–5. The Tallinn Manual
experts also agreed that a ‘deprivation of functionality’ may in certain circumstances be included
albeit explicitly excluding ‘de minimis damage’ (n 6, rule 30).
142
Tallinn Manual (n 6) 161; see also Boothby (n 15) 392.
143
Ibid. rule 51 (‘advantage … substantial and relatively close’, referring to ICRC,
Commentary AP, [2209]).
144
Cf. ibid. 162.
145
Ibid. rule 51 (‘assessment of the reasonableness of the determination at the time of the
attack … not to be applied with the benefit of hindsight’).
146
Ibid. 163 referring to ICRC, Commentary AP, para. 2210.
147
Prosecutor v. Galic (Judgment) ICTY-98-29-T (5 December 2003) [58]; see also Tallinn
Manual (n 6) 163 and Beck (n 84) 167 (military advantage ‘clear and obvious’ to the attacker).
148
On the uncertainty re the consequences see also Hathaway and others (n 3) 851; Dinniss
(n 5) 207–8.

18 / Date: 24/3
advantage may outplay particularly serious or extensive damage, i.e., if a certain degree
of damage may pose absolute limits to the proportionality equation.149
(iii) Principle of precaution

The overall objective of this principle is to minimize civilian harm to the greatest extent
possible, regardless of any proportionality consideration as under the just discussed
principle of proportionality. The principle has two limbs, i.e., it refers to precautions in
attack (Art. 57 AP I) and precautions against the effects of attacks (Art. 58 AP I).150
The failure to take such precautions may convert an otherwise permissible attack on a
protected person or object into a war crime. As to precautions in attack, Article 57(2)
AP I lists a series of active measures to be taken by the conflict parties to spare
civilians and civilian objects. In the cyber context, ‘constant care’ must be taken,151
targets must be verified,152 potential incidental effects limited to the greatest extent
possible153 and advance warnings given if cyber attacks may affect the civilian
population.154 The verification and limitation obligations may entail, for example, that
the adversary’s cyber network is mapped before the attack and the attack, as far as
possible, limited to its military components.155 Going beyond that one may even
require that this limited attack is so designed as to avoid any incidental (collateral)
effects with a view to the civilian cyber infrastructure.156 All this requires technical
expertise.157 It is controversial, however, how far precautionary obligations go. While
the normal standard is ‘feasibility,’158 i.e., to do the ‘practicable or practically possible,
taking into account all circumstances,’159 in the case of military operations at sea or in
the air ‘reasonable precautions’ suffice (Art 57(4) AP I), i.e., less than feasibility is
required.160 Thus, in the example of a warship attacked by way of a cyber operation,
two approaches exist: a strict view would require the mapping of the entire cyber
infrastructure of this warship to be able to anticipate the (incidental) effects of the
149
In this vein Pilloud and others (n 100) [1980]; contra Tallinn Manual (n 6) 161.
150
See on its customary law status ICRC Study I (n 96), Rules 15–24.; see also Droege (n 4)
573 et seq.; from an US perspective Wright (n 132) 830–2.
151
Tallinn Manual (n 6) rule 52.
152
Ibid. rule 53; stressing this as the main problem Beck (n 84), 170–1; see also Dinniss
(n 5) 211–2.
153
Tallinn Manual ibid. rule 54 (‘choice of means and methods of warfare … with a view to
avoiding, and in any event to minimizing, incidental injury to civilians’) and rule 56 (choice of
targets with a view ‘to cause the least danger to civilian lives and to civilian objects’). See as
primary norm art 57(3) AP I; on this provision Dinniss (n 5) 216–7.
154
Tallinn Manual ibid. rule 58.
155
Droege (n 4) 573–4.
156
See Tallinn Manual (n 6) 169–70 with the example of inserting malware in a closed
military network in a way to minimize collateral damage.
157
Droege (n 4) 574; ibid. 166.
158
Tallinn Manual (n 6) 164; see also art 58 AP I (‘to the maximum extent feasible’) and
Dinniss (n 5) 211.
159
Cf. Tallinn Manual ibid. 169 with further references in (n 186).
160
Pilloud and others (n 100) 2230 (‘“all reasonable precautions” must be taken, which is
undoubtedly slightly different from and a little less far-reaching than the expression “take all
feasible precautions”’).

19 / Date: 6/5
attack; a more liberal view contends that such a mapping would not be reasonable since
the operation focuses on a target beyond land territory.161
As to the passive precautionary obligation to ‘remove’ civilian objects from military
objectives (Art. 58(a) AP I) the interconnectivity problem already mentioned above
makes this obligation in cyberspace difficult to fulfill: if the civilian and military
infrastructure is intimately connected or – even worse – the cyberspace is a classical
dual use structure it is practically impossible to comply with this obligation, i.e., it is
not ‘feasible’162 in the cyber context.163 Article 58(c) AP I requires ‘other necessary
precautions’ but they are, of course, also predicated upon the practical possibilities (‘to
the maximum extent feasible’).164 Thus, Article 58(c) is a ‘catch-all’ provision165 trying
to ensure protection of the civilian cyber infrastructure by other means than strict
separation, i.e., ‘to ensure a continuing cyber functionality’ with regard to critical
civilian infrastructure, for example by providing backups for power grids.166
3. CYBER ATTACKS AND THE CRIME OF AGGRESSION167

Some authors contend that waging a CNA could constitute a breach of ius ad bellum
and therefore lead to criminal liability for the crime aggression under Article 8bis(1)
ICC Statute.168 This view is, of course, predicated on the assumption that the respective
CNA is carried out by a State since Article 8bis does not encompass the conduct of
non-state actors.169 In any case, it is difficult to envisage a CNA that falls under Article
8bis. While such an attack may in exceptional circumstances amount to an ‘act of
aggression’ within the meaning of Article 8bis(2) lit.(d) ICC Statute it will hardly
amount to ‘a manifest violation’ of the UN Charter as required by Article 8bis(1) ICC
Statute. In addition, pursuant to the so-called leadership clause, criminal responsibility
only arises with regard to ‘a person in a position effectively to exercise control over or
to direct the political or military action of a State’ (Art 8bis(1)). This means that the
persons effectively carrying out a CNA would not be criminally liable under Article
161
Tallinn Manual (n 6) 165 according to which the majority of the experts took the more
liberal view; see also Dinniss (n 5) 217–9.
162
Article 58 AP I: ‘to the maximum extent feasible.’
163
Cf. Geiß and Lahmann (n 113) 392–4 therefore concluding that a segregation obligation
cannot be deduced from this provision; in the same vein Droege (n 4) 575 (‘hardly realistic’).
164
See also Tallinn Manual (n 6) rule 59; with discussion of practical limitations (‘feasibil-
ity’).
165
Ibid. 177.
166
Geiß and Lahmann (n 113) 395; in a similar vein Droege (n 4) 576.
167
See also Roscini (Ch 11 of this chapter).
168
This position is represented by Johnatan Ophardt, ‘Cyber warfare and the crime of
aggression: The need for individual accountability on tomorrow’s battlefield’ (2010) 3 Duke L. &
Tech. Rev. 3, 35; Noah Weisbord, ‘Conceptualizing aggression’ (2009) 20 Duke J. Comp. & Int’l
L. 1 [Weisbord, Conceptualizing aggression]; Noah Weisbord, ‘Judging aggression’ (2011) 50
Columbia J. Trans. L. 82 [Weisbord, Judging aggression]; Weissbrodt (n 4) 369; in a similar vein
Chance Cammack, ‘The Stuxnet worm and potential prosecution by the International Criminal
Court under the newly defined crime of aggression’ (2010) 20 Tulane J. Int’l. & Comp. L. 303.
169
Crit. Ambos (n 17) 203–4.

20 / Date: 24/3
8bis but, at best, their superiors, if they belong to the leadership level and can be held
responsible for the acts of the actual ‘cyber warriors.’
(a) ‘Act of Aggression’ Pursuant to Article 8 bis (2) lit.(a)–(g) ICC Statute?
Paragraph 2 of Article 8bis ICC Statute requires a two-step analysis. First, it is to be

examined whether a CNA would fall under one of the listed acts of aggression.
Secondly, if this is not the case, the question arises whether the list of paragraph 2 is
exhaustive or not.
The listed acts in paragraph 2 are predicated on a ‘use of armed force’ as explicitly
required at the beginning of this paragraph.170 Pursuant to the travaux preparatoires the
term ‘armed force’ is to be understood in a narrow sense referring to the employment of
kinetic force by way of traditional weapons.171 While a broader understanding was
suggested during the negotiations, including the inclusion of cyber attacks in paragraph
2,172 it was finally rejected to avoid affecting ‘the political or economic stability or
exercise of the right to self-determination or violate the security, defence or territorial
integrity of one or more States.’173 Thus, while the negotiators apparently preferred a
narrow understanding excluding cyber attacks at the outset, a broader approach could
be defended on the basis of the effect-based approach applied above with regard to war
crimes. Indeed, as rightly argued by one of the leading negotiators, a ‘contemporary
interpretation of the term armed force could, under some circumstances, include the use
of computer networks as weapons.’174 The general understanding of the relevant
170
This corresponds rather to ‘armed attack’ within the meaning of art 51 UN Charter than
the broader ‘use of force’ within the meaning of art 2(4) UN Charter (for a comparison Melzer
(n 4) 11–2).
171
Cf. Matthew Gillet, ‘The anatomy of an international crime: Aggression at the ICC’
(2013) 13 Int’l. Crim. L. Rev. 829, 838 (explicitly excluding ‘cyber warfare’).
172
Cf. Stefan Barriga, ‘Against the odds: The results of the Special Working Group on the
Crime of Aggression’, in Stefan Barriga, Wolfgang Danspeckgruber and Christian Wenawesser
(eds.), The Princeton Process on the Crime of Aggression – Materials of the Special Working
Group on the Crime of Aggression (Lynne Rienner Publishers 2003–2009) 10 (‘Suggestion were
made to include non-conventional means of aggression beyond the use of armed force, such as
cyber-attacks or economic embargoes’).
173
Cf. SWGCA, June 2008 Report (June 2008), in Assembly of States Parties to the Rome
Statute of the International Criminal Court, Official Records, Resumed 6th sess (June 2008)
ICC-ASP/6/20/Add.1, Annex II, para 35 <http://www.icc-cpi.int/iccdocs/asp_docs/ICC-ASP-6-
20-Add.1%20English.pdf> accessed 24 October 2013. See also Barriga (n 172) 10 (‘there was
no desire to open the proverbial can of worms, and the great majority of delegations considered
the limitation to the use of armed force as appropriate for the purpose of individual criminal
justice’).
174
Barriga (n 172) 10, fn. 44. See with regard to the art 2(4) threshold Michael Schmitt,
‘Cyber operations and the jus ad bellum revisited’ (2011) 56 Villanova L. Rev. 569, 576–7
(proposing a seven-factor test including severity, immediacy, directness, invasiveness, measur-
ability, presumptive legitimacy and responsibility); see also Melzer (n 4) 6 et seq.; Marco
Benatar, ‘The use of cyber force: Need for legal justification?’ (2009) 11 Goettingen J. Int’l. L.
376; Matthew C Waxman, ‘Cyber Attacks and the use of Force’ (2011) 36 Yale .J. Int’l. L. 421;
Michael Gervais, ‘Cyber attack and the laws of war’ (2012) 30 Berkeley J. Int’l. L. 525; crit.
Dinniss (n 5) 63–5. This test has also been adopted by the Tallinn Manual (n 6) 48–51; crit. in

21 / Date: 24/3
provisions of the UN Charter, i.e., Article 2(4) referring to ‘use of force’ and Article 51
referring to an ‘armed attack,’175 as only encompassing military, but not political or
economic sanctions,176 does not contradict this broader approach since this approach
entails that a CNA may, under certain circumstances, amount to a military attack.
As to the listed acts only lit.(b) and (d) can possibly be fulfilled by a CNA. Lit.(b)
requires, in its second alternative, the ‘use of any weapons’ against State territory. If
one defines ‘weapons’ in a traditional sense, as is indeed suggested by the requirement
that it be directed ‘against the territory of another State,’ the typical tools to carry out a
CNA (e.g., by way of computer worms or viruses) would not be covered. Such a
narrow interpretation would however go against the more flexible approach of the ICJ
in the Nuclear Weapons opinion quoted above and there is indeed no convincing reason
to exclude a CNA from the provision if it causes the same or a similar damage as a
conventional weapon.177 In any case, lit.(d), requiring an ‘attack by the armed forces,’
allows for a more liberal interpretation, encompassing cyber attacks carried out by
members of the armed forces against the listed forces of another State. Indeed, a cyber
attack on a developed country, which relies heavily on computer networks to operate its
infrastructure (e.g., traffic control, water supply and the electrical grid) and its armed
forces (e.g., air defense systems, modern fighter jets, drones or communications
equipment) could lead to a partial or complete inoperability of the respective system.
Indeed, in terms of the outcome, it does not matter whether national armed forces are
inoperable due to strikes by ‘conventional’ armed force or due to a cyber attack.178
As to the second question, i.e., whether the list is exhaustive, it has been argued
elsewhere that this is the case.179 Of course, the issue has been controversial during the
this regard Kessler and Werner (n 6) 808–9 (arguing that this ‘stamps the uncertainties
surrounding the scope of the prohibition in the context of cyber attacks’).
175
For a thorough analysis and generally strict reading Dinniss (n 5) 37 et seq., 75 et seq.
176
Generally Albrecht Randelzhofer and Oliver Doerr, ‘Article 2 4)’, in Bruno Simma and
others (eds.) The Charter of the United Nations – A Commentary (Vol 1, 3rd edn., OUP 2012),
mn. 16–20; see in our context: Michael Schmitt, ‘Computer network attack and the use of force
in international law: Thoughts on a normative framework’, (1999) 37 Columbia J. Trans. L. 885,
905–908; Daniel B Silver, ‘Computer network attack as a use of force under Article 2(4) of the
UN Charter’ (2002) 76 Int’l. L. Studies 73, 80 et seq.; Hathaway and others (n 3) 842;
Weissbrodt (n 4) 358–60; Goldsmith (n 10) 133; see on the different scholarly approaches
Dinniss (n 5) 58 et seq.
177
Cf. Cammack (n 168) 322–3 (arguing that ‘many objectives for which armed force was
used in the past are now being realized through nonmilitary, nonforceful pressures’; with regard
to the Stuxnet attack against Iran he argues that according to subpara (b) ‘the allowance of any
weapons used against a territory will qualify’ focusing on ‘the damage or destruction caused’).
178
The only difference is a higher probability of casualties in cases of conventional attacks
(although a cyber-attack may also lead to fatalities, e.g., when it causes the total failure of a
fighter jet’s computer network in flight).
179
Ambos (n 17) 202. For the same view Gerhard Kemp, Individual Criminal Liability for
the International Crime of Aggression (Intersentia 2010) 236; Helmut Satzger, International and
European Criminal Law, (C.H. Beck 2012) 273; Schmalenbach, ‘Das Verbrechen der Aggression
vor dem Internationalen Strafgerichtshof: Ein politischer Erfolg mit rechtlichen Untiefen’ (2010)
65 Juristenzeitung 745, 748; Strapatsas, ‘Aggression’ in Schabas and Bernaz (eds.), The
Routledge Handbook of International Criminal Law (Routledge 2011) 155, 160; leaving it open.

22 / Date: 6/5
negotiations180 and there are views – sometimes invoking Article 4 of Resolution

3314181 – which argue in favor of an open182 or at least semi-open list including acts of
the same nature (eiusdem generis).183 However, such a liberal interpretation does not sit
well with the requirements of foreseeability and certainty demanded by the principle of
legality (nullum crimen sine lege), as embodied in Articles 22–24 ICC Statute.
Accordingly, criminal responsibility cannot be established ex post facto and the
definitions of crimes must be strictly and precisely construed (leges stricta and
certa).184 If the drafters had wanted to apply the eiusdem generis doctrine, they could
have adopted Article 4 of Res. 3314 or included a respective paragraph similar to the
one in Article 7(1)(k) ICC Statute. Yet, they have not even given the UN Security
Council – contrary to Article 4 of Res. 3314 – the right to extend or amend the list of
Article 8bis(2) if it sees fit.185
(b) Manifest violation of the UN Charter (Article 8 bis (1) ICC Statute)?
The threshold clause of Article 8bis(1) requires an ‘act of aggression which, by its
character, gravity and scale, constitutes a manifest violation of the Charter of the
United Nations’. It expresses the qualitative difference between an ‘act’ of aggression
which entails collective responsibility and a ‘crime’ of aggression which entails
individual (criminal) responsibility.186 Its purpose is to exclude minor incidents (e.g.
border skirmishes) or legally controversial cases (e.g. a humanitarian intervention) from
Werle/Jessberger (Principles) (n 13) mn. 1473; Andreas Paulus, ‘Second thoughts on the crime
of aggression’ (2009) 20 E.J.I.L. 1117, 1120 (‘it remains open whether the list is meant to be
exhaustive’).
180
Special Working Group on the Crime of Aggression, ‘June 2008 Report’ (June 2008)
ICC-ASP/6/20/Add. 1, Annex II, printed in: Barriga and Kreß (eds.), The Travaux Preparatoires
of the Crime of Aggression (CUP 2012) 602–14, 608; cf. Robert Heinsch, ‘The crime of
aggression After Kampala: Success or burden for the future?’ (2010) 2 Goettingen J. Int’l. L.
713, 723–4.
181
UNGA Res 3314 (14 December 1974) A/RES/3314, art 4 (explicitly declaring that the
list is not exhaustive and authorizing the Security Council to expand it).
182
Christoph Safferling, Internationales Strafrecht (Springer 2011), mn. 183.
183
Roger S. Clark, ‘Negotiating provisions defining the crime of aggression, its elements
and the conditions for ICC exercise of jurisdiction over it’ (2009) 20 E.J.I.L. 1103, 1105; Roger
S. Clark, ‘Amendments to the Rome Statute of the International Criminal Court considered at the
first Review Conference on the Court, Kampala, 31 May–11 June 2010’ (2010) 2 Goettingen J.
Int’l. L. 689, 696 (‘Clark, GoJIL 2010’); more ambiguously Claus Kreß, ‘Time for decision:
Some thoughts on the immediate future of the crime of aggression: A reply to Andreas Paulus’
(2009) 20 E.J.I.L. 1129, 1137 (‘‘semi-open’ at best […]’); Drew Kostic, ‘Whose crime is it
anyway? The International Criminal Court and the Crime of Aggression’ (2011) 22 Duke J.
Comp. & Int’l. L. 109, 129–130; Ophardt (n 168) 66; see also Heinsch (n 180) 713, 723–6;
Weisbord, Conceptualizing Aggression (n 168) 40.
184
On the nullum crimen principle see Ambos (n 16), 88–93. See also Barriga (n 172) 12;
ibid., ‘Negotiating the Amendments’, in Barriga and Kreß (n 180) 30–31.
185
Schmalenbach (n 179) 747–748; different: Weisbord, Conceptualizing Aggression (n 168)
40.
186
Cf. Ambos (n 17) 199; crit. of the distinction Ilich F Corredor, El Crimen de Agresión en
Derecho Penal Internacional (Universidad del Rosario 2012) 88–9.

23 / Date: 15/5
criminalisation.187 Thus, for example, the 2003 US-led invasion in Iraq, albeit consid-
ered by most international lawyers as an unlawful act of aggression,188 might not have
amounted to a crime of aggression due to the absence of a ‘manifest’ – i.e., from an
objective perspective quantitatively and qualitatively serious189 – ‘violation’ of the UN
Charter in light of the fact that a respectable scholarly view existed according to which
the invasion was justified, especially on the basis of Security Council Resolution 678 of
29 November 1990.190 As for cyber attacks this means that it is difficult to envisage an
attack which would be large and grave enough to amount to a manifest violation of the
Charter. Indeed, as discussed in the previous section, it is even disputed whether cyber
attacks constitute a simple violation of the Charter’s prohibition of the use of force (Art
2(4)) in the first place, especially because the effects approach cannot be employed
without more.
According to the Tallinn Manual a cyber operation constitutes use of force ‘when its
scale and effects are comparable to non-cyber operations rising to the level of a use of
force.’191 The ‘scale and effects’ depend, in turn, on a series of factors to be taken into
account.192 What clearly seems to follow from that is that a cyber operation ‘resulting
in damage, destruction, injury, or death is highly likely to be considered a use of
force,’193 i.e., more than mere economic or political coercion is required.194 Thus, if
one defines a CNA as causing death, injury or severe destruction to objects it amounts
to a use of force. However, it this attack further constitutes a manifest violation of the
Charter is an open question and depends on the specific circumstances of the case.
4. CYBER ATTACKS AND CRIMES AGAINST HUMANITY

Crimes against humanity require that the actual underlying conduct, e.g. murder,
torture, rape or imprisonment, has been ‘committed as part of a widespread or
systematic attack directed against any civilian population.’ (Art 7(1) ICC Statute). This
is the context element of crimes against humanity. While the requirement of an attack
‘against any civilian population’ has its origin in the laws of war and thus comes down
187
See SWGCA, ‘June 2005 Report’ (June 2005) ICC-ASP/4/32, Discussion Paper 3, No. 3,
reprinted in Barriga, Danspeckgruber and Wenaweser (n 172) 197; see also Barriga (n 172) 8;
Barriga (n 180) 29; Roger Clark, ‘Alleged aggression in Utopia’ in William Schabas, Yvonne
McDermot and Niamh Hayes (eds.), The Ashgate Research Companion to International
Criminal Law (Ashgate 2013) 66.
188
See Claus Kreß, ‘Strafrecht und Angriffskrieg im Licht des “Falles Irak”’ (2003) 115
Zeitschrift für die Gesamte Strafrechtswissenschaft 294, 313 et seq. with further references.
189
The term is certainly ambiguous, cf. Paulus (n 179) 1121; for an – not entirely
convincing – explanation see Kreß (n 183) 1137 et seq. The objective perspective is determined
by Element 3 of the Introduction to the Elements of Crimes to art 8bis ICC Statute.
190
Kreß (n 188) 331; critically Paulus (n 179) 1123.
191
192
Cf. ibid. 48–50 (severity, immediacy, directness, invasiveness, measurability of effects,
military character, state involvement and presumptive legality).
193
Ibid. 48.
194
See also ibid. 46.

24 / Date: 6/5
to the distinction between civilians and combatants already discussed above with regard
to war crimes,195 the ‘widespread or systematic attack’ is the peculiar feature of crimes
against humanity. Insofar, the wording of Article 7(2)(a) ICC Statute implies that this
requirement has to be understood qualitatively, i.e., the ‘attack’ must always –
notwithstanding its predominantly ‘widespread’ or ‘systematic’ character – be based on
(‘pursuant to or in furtherance of ‘) a certain policy.196
As to cyber attacks this means that they must, first of all, be carried out pursuant to
a certain policy and, further, be widespread or systematic. The policy requirement
presupposes that such attacks are planned, organized, coordinated or at least tolerated
by a State or organization within the meaning of Article 7(2)(a) ICC Statute. If this is
the case the attack would normally also be qualified as ‘systematic.’197 While a loosely
organized group of hackers acting autonomously would not meet the organizational
requirement, organized armed groups within the meaning of IHL that take recourse to
methods of cyber warfare certainly would.198 If, further, the cyber attacks carried out by
a State or a sufficiently organized group caused severe and extensive damage, in the
sense of the examples given above, the attack could, arguably, also be qualified as
‘widespread.’ Such widespread or systematic cyber attacks may, finally, result in the
killing or extermination of civilian populations or even in one of the other underlying
acts of Article 7 ICC Statute. Of course, ultimately, the fulfilment of the elements of a
crime against humanity will depend on the circumstances of the concrete case.
5. CONCLUSIONS
Individual criminal liability for cyber attacks may rather be imposed for war crimes
than for a crime of aggression. Waging a ‘cyber war’ under violation of the ius ad
bellum will rarely lead to criminal liability for aggression under Article 8bis ICC
Statute, since it is rather difficult to envisage that a cyber attack amounts to an act of
aggression within the meaning of Article 8bis(2) ICC Statute, let alone to a manifest
violation within the meaning of Article 8bis(1) ICC Statute.
IHL applies to cyber attacks without further ado if such attacks are part of an
ongoing conflict. In the absence of such a conflict, the cyber attacks must themselves
be serious enough to pass the armed conflict threshold. This is the case if, following the
effects approach, a cyber attack causes considerable human and other damage, going
beyond mere sporadic and isolated incidents causing only inconvenience or the
temporary shutdown of computer systems. Cyber attacks producing such effects also
qualify as armed attacks within the meaning of Article 49(1) AP I. To qualify as a war
crime a cyber attack must be linked to an ongoing armed conflict. Attribution is
possible if the attacker can be identified and acts on behalf of a conflict party within
the meaning of IHL, i.e., either a State or an organized armed group. Cyber attacks of
less organized groups of individuals which do not qualify themselves as a conflict party
195
For a more restrictive interpretation of this element however Ambos (n 17) 63 et seq.
196
Cf. ibid. 63, 67 et seq.
197
Cf. ibid. 59–61.
198
On the respective dispute in the ICC’s Kenya decision see ibid. 72 et seq.

25 / Date: 24/3
may be attributed to such a party pursuant to the rules of State responsibility.199 For
‘pure’ civilian cyber participants the rules on the direct participation in hostilities apply.
As to the IHL principles governing the conduct of hostilities the principle of
proportionality appears to have the greatest capacity to limit harm to civilians and
civilian objects. In contrast, the principle of distinction is of little practical relevance
given the high interconnectivity between military and civilian computer systems and
the mostly dual-use of cyber infrastructure. The principle of precaution also guides the
conduct of cyber operations but it is itself limited by feasibility or reasonability
considerations. All in all IHL seems to be sufficiently broad and flexible enough to
accommodate the new developments with regard to cyber warfare.200 However, as the
effectivity of the rules often depends on their broad or restrictive interpretation, ‘more
stringent rules’ may prove necessary.201
Cyber attacks passing the armed conflict threshold may also constitute systematic or
widespread attacks within the meaning of Article 7 ICC Statute. In any case, they must
be carried out pursuant to a policy of a State or an organization within the meaning of
Article 7(2)(a) ICC Statute.
199
Supra (n 55).
200
In the same vein Dinniss (n 5) 28–9, 279.
201
In the same vein Droege (n 4) 540, 578.

26 / Date: 24/3

27 / Date: 24/3
PART II
CYBER THREATS AND

INTERNATIONAL LAW

/ Date: 24/3

/ Date: 24/3
7. Cyber terrorism
Ben Saul and Kathleen Heath
1. INTRODUCTION: THE CONCEPT OF CYBER TERRORISM

The threat of cyber terrorism, perceived or actual, arises from the dependence of many
States and their peoples on electronic systems, the Internet and associated social,
economic and physical infrastructures. The Internet is a powerful, cheap, global, and
often anonymous platform that is difficult to control but easy to exploit. As more
critical infrastructure systems are moved online, and more essential services are
delivered via an Internet platform, security vulnerabilities commensurably increase.
The transnational architecture of the Internet also poses difficult jurisdictional problems
for law enforcement and transnational cooperation.
An immediate difficulty in confronting cyber terrorism is the lack of an agreed legal
definition of it. This has resulted in divergent and over-inclusive usages of the term, and
uncertainty about its transnational legal regulation. Put simply, the adjective ‘cyber’
indicates that computer-based or electronic means are employed to perpetrate a terrorist
act, whether by harming computer systems themselves or using them as a conduit to
attack dependent physical infrastructure in the ‘real’ world.
The United Nations Office of Drugs and Crime (UNODC) thus defines cyber
terrorism as the ‘deliberate exploitation of computer networks as a means to launch an
attack … intended to disrupt the proper functioning of targets, such as computer
systems, servers or underlying infrastructure’.1 The UN’s Counter-Terrorism
Implementation Taskforce (CTITF) similarly describes cyber terrorism as the act of
committing ‘terrorist attacks by remotely altering information on computer systems or
disrupting the flow of data between computer systems’.2
One example of an ‘Achilles heel’ in modern societies is the use of supervisory
control and data acquisition (SCADA) systems in public utilities and infrastructure
networks. SCADA systems use computers to monitor and remotely control processes
that exist in the physical world. It is common for such systems to be used to control
railroad traffic switches, sewage treatment and water purification plants, traffic signals,
manufacturing processes, and electricity and gas distribution networks. The unauthor-
ised control of SCADA systems has been recognised as a plausible threat.3
1
UNODC, ‘The use of the Internet for terrorist purposes’ (2012) 11.
2
CTITF, ‘Countering the use of the Internet for terrorist purposes’ (Working Group
Report, CTITF Publication Series, February 2009).
3
Ibid. 6; Hamadoun Touré, ‘Cyberspace and the threat of cyberwar’ in Hamadoun Touré,
The Quest for Cyber Peace (International Telecommunications Union 2011), 7, 9–13; Darren
Pauli, ‘Hackers gain “full control” of critical SCADA systems’ (10 January 2014) IT News
<http://www.itnews.com.au/News/369200,hackers-gain-full-control-of-critical-scada-systems.aspx>
accessed 24 January 2014.
147
/ Date: 7/5
The adjective ‘cyber’ should not, however, be taken to dilute the requirement that an
act also falls within the legal definition or category of terrorism itself. Cyber terrorism
is not a new form of terrorism, but merely a ‘new terrorist tactic’.4 This begs the
complex question of how ‘terrorism’ is defined or regulated in international law,
including the well-known disagreements over ‘state terrorism’ and terrorism by national
liberation movements. Not every interference with a computer system is cyber
terrorism; some interference may be mere cyber crime5 but not terrorism, while others
may be legitimate dissent protected by international human rights law.
Thus far there is no direct or specific international legal response to cyber terrorism,
such as a treaty defining, prohibiting or criminalising it. Instead, in large part cyber
terrorism falls to be residually addressed by existing international legal frameworks,
including the various international anti-terrorism treaties and norms. As discussed
below, for instance, some of the ‘sectoral’ treaties adopted since the 1960s and dealing
with particular manifestations of terrorism may cover certain instances of cyber
terrorism, even if not all facets are addressed.
In addition, all States bear a long-standing, general international law obligation to
diligently prevent and repress terrorist activities emanating from their territory and
directed towards harming other States, whether as prohibited interventions or uses of
force.6 Such obligation is not limited to any particular terrorist means or methods, but
extends to any acts capable of causing terrorist harm. The general international law
obligation is consequently flexible enough to confront new means of perpetrating
terrorism, including cyber attacks. The difficulty here is not the existence of a
normative standard but more practical matters such as proof of State responsibility for
a violation and securing a forum in which to vindicate rights.
Working out what comes within the ambit of cyber ‘terrorism’ also depends on
situating it within the spectrum of other ‘cyber’ harms, from cyber ‘crime’ to cyber
‘attack’, and their associated legal regimes.7 For instance, much discussion has focused
on whether a cyber attack may constitute a prohibited intervention, use of force (under
art 2(4) of the UN Charter) or an armed attack (under art 51 of the Charter) under the
international law on the use of force, including for the purpose of one State exercising
4
Peter Fleming and Michael Stohl, ‘Myths and realities of cyberterrorism’ in Alex P.
Schmid, Eithne Boland and Rebekah Grindlay (eds.), Countering Terrorism Through Inter-
national Cooperation (ISPAC 2001) 30.
5
See Kastner and Mégret (Ch 9 of this book).
6
United Nations General Assembly (UNGA), Declaration on Principles of International
Law concerning Friendly Relations and Cooperation among States in accordance with the
Charter of the United Nations, annexed to UNGA res 2625 (XXV) (1970), [2] (non-
intervention), [8]–[9] (non-use of force); reiterated in numerous UNGA resolutions on terrorism:
3034 (XXVII) (1972); 32/147 (1977), preamble; 34/145 (1979), preamble, [7]; 38/130 (1983),
[4]; 40/61 (1985), [6]; 42/159 (1987), [4], [5(a)]; 44/29 (1989), [3], [4(a)]; 46/51 (1991), [3],
[4(a)]; 49/60 (1994), [4], [5(a)]; 51/210 (1996), [5]; 52/165 (1997), [5]; 53/108 (1999), [5];
54/110 (2000), [5]; 55/158 (2001), [5]; 56/88 (2002), [5]; 57/27 (2003), [5]; 58/81 (2004), [5];
UNGA (60th Session), World Summit Outcome, UN Doc A/60/L.1 (20 September 2005), [86].
7
See Roscini (Ch 11 of this book) and Focarelli (Ch 12 of this book).

/ Date: 7/5
Cyber terrorism 149
self-defence against another.8 There are related debates about the lawfulness of cyber
weapons or means or methods of warfare under international humanitarian law.9
At a more pedestrian level, certain regional instruments10 and many national laws
already address the wider category of cyber crime, which can variously encompass the
commission of any kind of offence by cyber means (from stalking to fraud or extortion
to terrorism), attacks on information systems, or the misuse of computer systems.11
General offences of cyber crime may obviate the need for a more specific cyber
terrorism offence, unless there are policy reasons (discussed further below) for
differentiating between different types of cyber harms and accordingly designating a
more elaborate palette of offences.
There is as yet no international treaty on cyber crime. However, the UN Convention
against Transnational Organized Crime 200012 enables transnational criminal
cooperation in relation to serious crimes under national law (meaning those punishable
by at least four years’ imprisonment) where the offence is transnational13 and an
organised group is involved. Such groups must be structured, involve three or more
people, exist for a period of time, and aim to commit serious crimes to obtain a
financial or other material benefit (art 2(a)).
In general, terrorism is often distinguishable from ‘ordinary’ transnational organised
crime for private profit because of the political or other ‘public’ motive underlying
terrorism. But it depends on how terrorism is defined; while some national laws include
a political motive element,14 many more do not.15 It can thus overlap with the category
8
Ibid.; see also Russell Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited
interventions?’ (2012) 17 J. Conflict & Sec. L. 211; Nicholas Tsagourias, ‘Cyber attacks,
self-defence and the problem of attribution’ (2012) 17 J. Conflict & Sec. L. 229; Johann-
Christoph Woltag, ‘Cyber warfare’ in Rüdiger Wolfrum (ed.), Max Planck Encyclopedia of
Public International Law (OUP 2010).
9
See Arimatsu (Ch 15 of this book); Gill (Ch 17 of this book); Michael Schmitt (ed.),
Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013); Michael
Schmitt, ‘Classification of cyber conflict’ (2012) 17 J. Conflict & Sec. L. 245; Yoram Dinstein,
‘The principle of distinction and cyber war in international armed conflicts’ (2012) 17 J. Conflict
& Sec. L. 261; David Turns, ‘Cyber warfare and the notion of direct participation in hostilities’
(2012) 17 J. Conflict & Sec. L. 279.
10
See, e.g., Council of Europe Convention on Cybercrime, adopted 23 November 2001,
CETS 185 (entered into force 1 July 2004) (discussed further below); EU Framework Decision
2005/222/JHA on Attacks against Information Systems (24 February 2005) OJ L69/67.
11
See Kastner and Mégret (Ch 9 of this book).
12
Adopted 15 November 2000, 2225 UNTS 209 (entered into force 29 September 2013).
13
An offence is transnational where it is committed in more than one State; or a substantial
part of it is prepared, planned, directed or controlled in another State; or it is committed in one
State but the criminal group has activities elsewhere, or the crime has substantial effects
elsewhere: art 3.
14
As in the UK, Canada, Australia, South Africa and New Zealand: see Ben Saul, ‘The
curious element of motive in definitions of terrorism: Essential ingredient or criminalizing
thought?’ in Andrew Lynch, Edwina MacDonald and George Williams (eds.), Law and Liberty in
the War on Terror (Federation Press 2007) 28.
15
See the numerous national laws cited in UN Special Tribunal for Lebanon (Appeals
Chamber), Interlocutory Decision on the Applicable Law: Terrorism, Conspiracy, Homicide,
Perpetration, Cumulative Charging, STL-11-01/I, 16 February 2011, [106].

/ Date: 7/5
of organised crime, particularly given the structured and organised characteristics of

many terrorist groups. More importantly, even terrorist groups with political motives
may still act for profit in certain contexts, particularly if a narrow view is taken of the
immediate intention behind their fundraising activities (whether robbing banks, extort-
ing businesses, or trafficking drugs).
Cyber terrorism is consequently embedded in a thick regulatory field of intersecting
norms addressing the harms caused by illegal cyber activities of various kinds. Such
norms can often overlap and are not mutually exclusive. Thus, the same cyber act could
potentially be regulated by a sectoral anti-terrorism treaty, the law on the use of force
(as an armed attack), international humanitarian law (as a breach of the rules on the
conduct of hostilities), the law of State responsibility (for failure to repress terrorist
activities in one’s territory), regional or domestic cyber crime laws, and the Convention
on Transnational Organized Crime. The dual or multiple legal characterisation of the
same act under different regimes is not necessarily problematic or productive of
conflict; in practice, the issue will often be which legal route is most effective and/or
efficient in countering the threat.
One final conceptual distinction that should be drawn is between cyber terrorism (the
commission of terrorism by cyber means or against cyber targets) and the more general
use of the Internet by terrorist groups. Terrorist organisations may use the Internet to
recruit and train new members, organise and coordinate their activities, finance their
operations, or incite terrorism or spread fear.16 These predicate, precursor or prepara-
tory activities are often described as ‘facilitative’ of terrorism.17 Some international
regulatory measures have aimed to disrupt them, in order to thwart the eventual onset
of terrorism, and in so doing supplement the more reactive, conventional criminal law
controls on terrorism.
For example, Security Council resolution 1624 (2005) calls upon States to prohibit
incitement to commit a terrorist act,18 while resolution 1373 (2001) and the Terrorist
Financing Convention 1999 both address the financing of terrorist acts by any means,
including – and especially – where funds are raised and disbursed electronically.19 A
European Union Framework Decision of 2008 requires EU States to criminalise
provocation to commit a terrorist offence and recruitment and training for terrorism,
while specifically noting that the Internet ‘is used to inspire and mobilise local terrorist
16
These activities formed the focus of the UNODC (n 1). Information and communication
technology can also be incorporated into the execution of a conventional attack which is not
strictly a cyber attack. For example, to coordinate and execute the shooting and bombing attacks
in Mumbai, India in 2008, terrorists used technology including Global Positioning System (GPS)
equipment, mobile phones, satellite imagery and voice-over-Internet-protocol phone numbers:
Emily Wax, ‘Mumbai attackers made sophisticated use of technology’ (3 December 2008)
Washington Post <http://www.washingtonpost.com/wp-dyn/content/article/2008/12/02/AR20081
20203519.html> accessed 29 August 2014.
17
Fleming and Stohl (n 4) 38.
18
UNSC res 1624 (14 September 2005) UN Doc S/RES/1624 para 1(a).
19
The Terrorist Financing Convention makes it an offence to provide or collect funds with
the intention or knowledge that they be used to carry out a terrorist offence.

/ Date: 7/5
Cyber terrorism 151
networks and individuals in Europe’.20 However, such conduct does not constitute
cyber terrorism as such,21 that is, the commission of terrorist acts by cyber means or
against cyber targets.
Security Council resolution 1373 (2001) also requires States to ‘find ways of
intensifying and accelerating the exchange of operational information, especially
regarding use of communications technologies by terrorist groups’.22 This has been
supplemented by the unanimous adoption in the General Assembly of the 2006 UN
Global Counter-Terrorism Strategy, in which States resolved to ‘coordinate efforts at
the international and regional levels to counter terrorism in all its forms and manifes-
tations on the Internet’.23 In support of this resolution, the UNCTITF established a
Working Group on Countering the Use of the Internet for Terrorist Purposes. The Task
Force produced, in collaboration with the UNODC, valuable research about the use of
the Internet for terrorist purposes.24 However, this work has yet to yield any standards
of a ‘norm-creating character’25 that could eventually establish soft or hard law
obligations for States.
This chapter focuses on criminal law responses to cyber terrorism, including through
the existing sectoral treaties, the proposed Draft UN Comprehensive Terrorism Conven-
tion, customary international criminal law, and in regional and selected domestic
criminal laws. It considers the adequacy of the existing international legal framework,
including by comparison with regional and domestic initiatives and in the light of
policy discussions in UN fora. It concludes by asking whether it is necessary or
desirable for the international community to take more direct legislative action against
cyber terrorism, or whether it is sufficient to rely upon the patchwork of general norms
on terrorism and cyber crime.
2. ‘SECTORAL’ INTERNATIONAL ANTI-TERRORISM

CONVENTIONS
As already noted, cyber terrorism has not been specifically prohibited or criminalised at
the international level although some acts of cyber terrorism may nonetheless be
covered by existing terrorism related conventions. Numerous ‘sectoral’ treaties on
transnational criminal cooperation, adopted since the 1960s, target the common
methods of violence used by terrorists (such as hijacking, hostage taking, endangering
maritime facilities and so on),26 but do not create a new international crime of
20
EU Framework Decision 2008/919/JHA amending EU Framework Decision 2002/475/
JHA [28 November 2008], OJ L330, para. 4.
21
See Kalliopi Koufa, Special Rapporteur on Terrorism and Human Rights, ‘Progress
Report’ (27 June 2001) UN Doc E/CN.4/Sub.2/2001/31, 27 [99].
22
UNSC res 1624 para. 3(a).
23
(20 September 2006) UN Doc A/Res/60/288 para. II(12)(a).
24
See UNODC (n 1); CTITF (n 2).
25
North Sea Continental Shelf Cases (Federal Republic of Germany v Denmark; Federal
Republic of Germany v Netherlands [1969] ICJ Rep. 3 42.
26
See, e.g., Convention on Offences and Certain Other Acts Committed on Board Aircraft,
adopted 14 September 1963, 704 UNTS 219 (entered into force 4 December 1969); Convention

/ Date: 7/5
terrorism.27 Such treaties typically require States parties to criminalise certain conduct,
establish extraterritorial jurisdiction over it, and cooperate by prosecuting or extraditing
suspected offenders.
This pragmatic, functional approach enabled the repression of common terrorist
methods while sidestepping the irreconcilable problem of defining ‘terrorism’, espe-
cially during the Cold War when States were unable to agree on the legitimacy of
violence by self-determination movements or State forces. Such an approach was
necessary because it was the only achievable one at the time. This is not, however, an
entirely satisfactory means of regulating the criminal aspects of terrorism.
Because the sectoral treaties were adopted in an ad hoc and reactive fashion, they do
not comprehensively suppress all possible terrorist methods, or even the most com-
monly used ones, and they do not protect all conceivable civilian objects. The treaties
only criminalise violence by terrorists in specific contexts or by particular methods, and
thus fail to prohibit the terrorist killings of civilians by any means or method. Just as
there is no treaty addressing terrorist acts by use of small arms, biological or chemical
toxins, or against public infrastructure or places, there is no treaty on cyber terrorism.
This is despite the great importance of computer networks and electronic infrastructure
to the working of modern economies and societies. The negotiation of new treaties is
typically stimulated by the occurrence of a major attack utilising the means in question.
A serious cyber terrorist attack may thus be the stimulus necessary for political interest
and legal action.
It is unlikely that the drafters of most of the sectoral treaties anticipated the threat of
cyber terrorism. Most of the treaty offences are squarely aimed at physical attacks on
protected targets or by prohibited means. Even so, the offences in some of the treaties
may be sufficiently broad to encompass at least some cyber attacks, particularly where
for the Suppression of Unlawful Seizure of Aircraft, adopted 16 December 1970, 860 UNTS 105
(entered into force 14 October 1971); Convention on the Prevention and Punishment of Crimes
against Internationally Protected Persons, including Diplomatic Agents, adopted 14 December
1973, 1035 UNTS 167 (entered into force 20 February 1977); International Convention against
the Taking of Hostages, adopted 17 December 1979, 1316 UNTS 205 (entered into force 3 June
1983); Convention for the Suppression of Unlawful Acts against the Safety of Maritime
Navigation, adopted 10 March 1988, 1678 UNTS 221 (entered into force 1 March 1992);
Protocol for the Suppression of Unlawful Acts against the Safety of Fixed Platforms Located on
the Continental Shelf, adopted 10 March 1988, 1678 UNTS 304 (entered into force 1 March
1992); Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation,
adopted 23 September 1971 (entered into force 26 January 1973); Protocol on the Suppression
of Unlawful Acts of Violence at Airports Serving International Civil Aviation, adopted 24
February 1988, 974 UNTS 177 (entered into force 6 August 1989); Convention on the Marking
of Plastic Explosives for the Purpose of Detection, adopted 1 March 1991 (entered into force 21
June 1998); International Convention for the Suppression of Terrorist Bombings, adopted 15
December 1997 by UN General Assembly Resolution 52/164 (1997), 2149 UNTS 256 (entered
into force 23 May 2001); International Convention for the Suppression of the Financing of
Terrorism, adopted 9 December 1999 by UN General Assembly Resolution 54/109, 2178 UNTS
229 (entered into force 10 April 2002); International Convention for the Suppression of Acts of
Nuclear Terrorism, adopted 13 April 2005 by UN General Assembly Resolution 59/290 (2005)
(entered into force 7 July 2007).
27
See Ben Saul, Defining Terrorism in International Law (OUP 2006) Ch 3.

/ Date: 24/3
Cyber terrorism 153
the offences are defined by the harm resulting and contemplate any, rather than only
enumerated, means. For example, under the Convention on Unlawful Acts of Violence
at Airports 1988, the offence of destroying or seriously damaging the facilities of an
airport, or disrupting the service of an airport, can be committed ‘using any device,
substance or weapon’.28
Moreover, the Convention on Acts of Nuclear Terrorism 2005 prohibits the use or
damage of a nuclear facility in a manner which releases, or risks the release of,
radioactive material.29 (There is no further requirement that such acts coerce a
government and the offence can be committed by any person.) Such use or damage
could conceivably arise by cyber means. The ‘Stuxnet’ computer worm attack on
Iranian uranium enrichment centrifuges in 2010, allegedly committed by the US and
Israel, is a case in point. Information is limited and it is unknown whether radiation
was released or risked being released. Regardless, it is evident that cyber damage to
nuclear facilities (whether reactors, enrichment installations, or storage depots) is
possible in principle and may risk releasing radioactive material.
Some of the offences under the Convention for the Suppression of Unlawful Acts
against the Safety of Civil Aviation 1971 may extend to cyber acts. For instance, it is an
offence to damage or interfere with navigational facilities if it is likely to endanger the
safe flight of an aircraft.30 Such interference could conceivably be caused by remote
electronic interference with certain facilities vulnerable to it. It is also an offence to
knowingly communicate false information if that is likely to endanger flight safety,31
which again could be occasioned by Internet-based communications technologies.
Similar offences to both of these exist in relation to the safe navigation of ships under
the Maritime Safety Convention 1988.32
Most offences in the sectoral treaties are, however, less likely to cover cyber acts
because they generally require some element of physical attack. This is described in
such terms as ‘violence’ against a person on an aircraft, ship or fixed maritime
platform;33 ‘destroying’ or ‘damaging’ an aircraft, ship or fixed platform;34 seizing or
controlling an aircraft (but only by a person on board), ship or fixed platform by
28
Protocol on the Suppression of Unlawful Acts of Violence at Airports Serving Inter-
national Civil Aviation (n 26) art II.
29
International Convention for the Suppression of Acts of Nuclear Terrorism (n 26) art
2(1)(b).
30
Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation
(n 26) art 1(d).
31
Ibid. art 1(e).
32
Convention for the Suppression of Unlawful Acts against the Safety of Maritime
Navigation (n 26) art 3(e) and (f) respectively.
33
Respectively, Convention for the Suppression of Unlawful Acts against the Safety of
Civil Aviation (n 26) art 1(a); ibid. art 3(b); Protocol for the Suppression of Unlawful Acts
against the Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(b).
34
Civil Aviation (n 26) art 1(b); Convention for the Suppression of Unlawful Acts against the
Safety of Maritime Navigation (n 26) art 3(c); Protocol for the Suppression of Unlawful Acts
against the Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(c).

/ Date: 24/3
‘force’, threat of force, or ‘intimidation’;35 or injuring or killing a person in relation to

these kinds of acts.36
It is still possible, however, that the prohibited harms to these protected targets could
be caused by cyber interference with electronic or navigation systems that are critical to
the safety of the protected object, thus bringing cyber attacks within at least some of
the offences (such as by ‘damaging’ a protected object or as a form of ‘intimidation’).
In relation to other offences, however, there is an interpretive question whether cyber
methods can be said to amount to ‘violence’ or a use of ‘force’. There is little
international jurisprudence on this point in relation to the sectoral treaties. Violence is
ordinarily understood as physical force; to the extent that a cyber attack generates such
harmful kinetic effects against a person or object (some may, some may not), it is
conceivable that ‘violence’ or ‘force’ has occurred.
There are further sectoral treaty offences of placing ‘by any means whatsoever’ a
device or substance on an aircraft, ship or fixed platform, where it is likely to endanger
its safety.37 There is another unresolved interpretive question whether using a cyber
‘weapon’, such as a computer virus, worm, or ‘Trojan horse’, may qualify as ‘placing’
a dangerous ‘device’ or ‘substance’ on an aircraft, ship or platform. Those concepts
were drafted with more conventional threats in mind, such as explosives or chemical or
biological materials, but they could be more expansively interpreted in the light of
contemporary threats.
The Internationally Protected Persons Convention 1973 prohibits certain physical
attacks against protected persons (such as murder, kidnapping or other violence), or
other ‘violent attack’ on the person or their liberty, premises, accommodation or
transport which endangers their person or liberty.38 Its emphasis is thus on physical
attack. Still, it is possible in rare cases that a ‘violent attack’ could be perpetrated by,
for instance, cyber interference with flight controls or radar systems guiding an aircraft
carrying such a person. Cyber attacks are even less likely to fall within the strictly
physical conduct covered by the Hostages Convention 1979, which makes it an offence
to seize or detain and threaten to harm a person to compel a third party to do or abstain
from doing any act.
Under the Terrorist Bombings Convention 1997, it is an offence to deploy an
‘explosive or other lethal device’ in a public place, government facility, on public
35
Respectively, Convention for the Suppression of Unlawful Seizure of Aircraft (n 26) art
1(a); Convention for the Suppression of Unlawful Acts against the Safety of Maritime
Navigation (n 26) art 3(a); Protocol for the Suppression of Unlawful Acts against the Safety of
Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(a).
36
Maritime Navigation (n 26) art 3(g); Protocol for the Suppression of Unlawful Acts against the
Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(g).
37
Civil Aviation (n 26) art 1(c); Convention for the Suppression of Unlawful Acts against the
Safety of Maritime Navigation (n 26) art 3(d); Protocol for the Suppression of Unlawful Acts
against the Safety of Fixed Platforms Located on the Continental Shelf (n 26) art 2(1)(d).
38
Convention on the Prevention and Punishment of Crimes against Internationally Pro-
tected Persons, including Diplomatic Agents (n 26) art 2. Protected persons include heads of
state or government, ministers and diplomats.

/ Date: 24/3
Cyber terrorism 155
transport, or in an infrastructure facility, with the intent to cause death or serious injury
or extensive destruction resulting in major economic loss.39 Cyber acts are clearly not
explosives (though explosives can of course be detonated remotely by electronic
means). An ‘other lethal device’ is defined as one designed or capable of causing death,
serious injury or substantial material damage through the release, dissemination or
impact of toxic chemicals, biological agents or toxins, radiation, or similar substances.
That definition is plainly restricted to certain dangerous physical objects and does not
extend to cyber means alone, absent the presence of an explosive or lethal object; a
computer cannot kill a person.
3. CYBER ATTACKS AND A GENERAL INTERNATIONAL CRIME

OF TERRORISM
In part because of a desire to comprehensively plug these gaps in the transnational
repression of terrorist violence, the international community has continued to feel
compelled to pursue a more general international or transnational crime of terrorism.
The long-running saga of international attempts to define and criminalise terrorism,
from the 1930s to the present, is well known.40 The UN Draft Comprehensive
Anti-Terrorism Convention, under negotiation under the auspices of the General
Assembly since 2000, reflects the widest contemporary international consensus on the
issue, albeit subject to a few lingering disagreements.
Article 2(1) of the Draft Convention proposes an offence of terrorism if a person
‘unlawfully and intentionally’ and ‘by any means’ causes: ‘[d]eath or serious bodily
injury to any person’; ‘[s]erious damage to public or private property’; or ‘[d]amage to
property, places, facilities, or systems … resulting or likely to result in major economic
loss’.41 The purpose of such conduct, ‘by its nature or context’, must be ‘to intimidate
a population, or to compel a Government or an international organization to do or
abstain from doing any act’.42
This definition of terrorist offences would cover most instances of cyber terrorism
without being too overbroad or under-inclusive. Unlike the approach in the sectoral
treaties, it is not limited to the stipulation of specific terrorist methods but explicitly
covers ‘any means’ by which the prohibited harms may be committed. The use of cyber
means to harm people, seriously damage property, or cause major economic loss by
damaging property is thus an offence. The purported customary international law crime
of transnational terrorism, recognised by the UN Special Tribunal for Lebanon in 2011,
similarly encompasses any means of committing terrorism,43 although the existence of
39
International Convention for the Suppression of Terrorist Bombings (n 26) art 2(1).
40
See Saul (n 27).
41
UNGA, Measures to Eliminate International Terrorism: Working Group Report (29
October 2001) UN Doc A/C.6/56/L.9, annex I, 16 (informal Coordinator texts).
42
Ancillary offences are found in ibid. 16 (arts 2(2), (3) and (4)(a)–(c)).
43
UN Special Tribunal for Lebanon (Appeals Chamber), Interlocutory Decision on the
Applicable Law: Terrorism, Conspiracy, Homicide, Perpetration, Cumulative Charging, STL-11-
01/I, 16 February 2011, para. 85:

/ Date: 7/5
a customary crime remains much doubted.44 In this respect the Draft Convention
diverges from UN Security Council resolution 1566 (2004), which limits the Council’s
(non-binding) conception of terrorism to acts which are already offences under the
sectoral treaties.45
The Draft Convention definition could thus include, for instance, cyber attacks
against computer systems which control critical public infrastructure such as transport
networks (air, rail, road or sea), water and sewage, or energy supplies (such as
electricity or gas distribution networks). But it would also encompass cyber attacks
causing serious harm to private property, such as the deletion or manipulation of
economic information relating to banking, stock holdings and the like.
In addition, the definition explicitly safeguards certain cyber or cyber-related objects
which may be the target of terrorist attacks (whether by physical or cyber means).
Under article 2(1), ‘property’ expressly includes ‘a place of public use, a State or
government facility, a public transportation system, an infrastructure facility … or the
environment’.46 In turn an ‘infrastructure facility’ is defined in article 1(3) to include
‘communications, telecommunications and information networks’.
Thus an act which causes ‘serious damage’ (whether temporary or permanent) to a
public or private computer, communications or other electronic systems, whether public
or private, is a terrorist offence, whether the damage is inflicted by conventional
physical means (such as setting on fire a building containing computer servers) or
computer-based interference (such as planting a destructive virus). Such an act is an
offence even if the serious damage to a computer system does not have the further
effect of damaging any ‘real world’ property or objects which some computer systems
are capable of controlling.
The definition in the Draft Convention does, however, contain a number of necessary
limitations. Acts must cause death or personal injury, ‘serious’ property damage, or
(i) the perpetration of a criminal act (such as murder, kidnapping, hostage-taking, arson, and
so on), or threatening such an act; (ii) the intent to spread fear among the population (which
would generally entail the creation of public danger) or directly or indirectly coerce a
national or international authority to take some action, or to refrain from taking it; (iii) when
the act involves a transnational element.
See also R v Mohammed Gul [2012] EWCA Crim 280.
44
Ben Saul, ‘Legislating from a radical Hague: The UN Special Tribunal for Lebanon
invents an international crime of transnational terrorism’ (2011) 24 L.J.I.L. 677; Kai Ambos,
‘Judicial creativity at the Special Tribunal for Lebanon: Is there a crime of terrorism under
international law?’ 24 L.J.I.L. 655; Stefan Kirsch and Anna Oehmichen, ‘Judges gone astray:
The fabrication of terrorism as an international crime by the Special Tribunal for Lebanon’
(2001) 1 Durham L. Rev. 32.
45
UNSC res 1566 (8 October 2004) UN Doc S/RES/1566, para. 3:
criminal acts, including against civilians, committed with the intent to cause death or serious
bodily injury, or taking of hostages, with the purpose to provoke a state of terror in the
general public or in a group of persons or particular persons, intimidate a population or
compel a government or an international organization to do or to abstain from doing any act,
which constitute offences within the scope of and as defined in the international conventions
and protocols relating to terrorism.
46
Measures to Eliminate International Terrorism: Working Group Report (n 41) art 2(1)(b).

10 / Date: 7/5
Cyber terrorism 157
‘major economic loss’. While the parameters of ‘serious’ property damage are
somewhat slippery, it indicates that minor damage caused by cyber attacks is excluded.
It is right that cyber attacks that merely ‘disrupt nonessential services or that are mainly
a costly nuisance’ ought to be treated as cyber crime rather than terrorism.47 A former
UN Special Rapporteur on Terrorism and Human Rights emphasised that the label of
cyber terrorism should be reserved for acts intended to cause ‘disruption or destruction
sufficient enough to terrorize the population’.48
Thus ‘hacktivists’ who engage in ‘electronic civil disobedience’,49 such as the global
group Anonymous, would not usually cause sufficient harm to life or property to be
classified as committing terrorist acts. Common hacktivist operations include taking
control of and defacing websites; distributing computer worms or viruses; overloading
a server with external communications requests to prevent it processing legitimate
internet traffic (a ‘denial of service attack’); or using automated programs to bombard
a target with thousands of emails (an ‘email bomb’).50
It remains possible, however, that such activities cause serious economic harm, such
as where corporate websites are disabled resulting in the loss of revenue. An example is
Anonymous’ ‘Operation Avenge Assange’, which targeted payment entities (such as
Paypal and credit card companies) which had bowed to US pressure to refuse to
process donations to Wikileaks.51 Such attacks were instrumentally designed to coerce
corporate and government behaviour. Such acts would not usually, however, be
regarded as ‘terrorism’ in the popular consciousness, illustrating the potential overreach
of the Draft Convention definition.
Even hacking techniques used by terrorist groups will not amount to cyber terrorism
where they do not cause serious damage to persons or property. One example of the use
of these techniques by a terrorist group involved the Liberation Tigers of Tamil Eelam
(LTTE) sending around 800 emails a day to Sri Lankan embassies around the world in
1997.52 The emails read: ‘We are the Internet Black Tigers and we’re doing this to
disrupt your communications’. Embassy networks were disabled for two weeks.
Although sending a strong and intimidatory political message, such disruption should
not be considered an act of cyber terrorism, since it did not harm people or ‘seriously’
damage property. However, if a similar attack disrupted a critical service, such as
emergency medical communications,53 resulting in serious harm, liability for terrorism
could be appropriate.
47
Dorothy Denning, ‘Cyberterrorism’ (Testimony before the Special Oversight Panel on
Terrorism, Committee on Armed Services, US House of Representatives, 23 May 2000).
48
Koufa (n 21) 28 [101].
49
Dorothy Denning, ‘Activism, hactivism and cyberterrorism: The Internet as a tool for
influencing foreign policy’ in John Arquilla and David Ronfeldt (eds.), Networks and Netwars:
The Future of Terror, Crime and Militancy (RAND 2001) 263.
50
Ibid. 263–80.
51
Mark Townsend and others, ‘WikiLeaks backlash: The first global cyber war has begun,
claim hackers’ (12 December 2010) Guardian http://www.theguardian.com/media/2010/dec/11/
wikileaks-backlash-cyber-war accessed 29 August 2014.
52
See Yvonne Jewkes and Majid Yar, Handbook of Internet Crime (Routledge 2013) 198–9.
53
An example provided by Koufa (n 21) para. 101.

11 / Date: 24/3
For similar reasons, State-sponsored cyber attacks which do not cause serious harm
also fall outside the ambit of the Draft Convention offences. One example is attacks on
western government and corporate websites by the Free Syrian Army (aligned with the
Assad regime in Syria).54 Another example is the activities of PLA Unit 61398, a
Chinese Government military unit which has launched cyber attacks on foreign
governments and companies.
A further important limitation in the Draft Convention’s definition of terrorism is that
the purpose of an act must be ‘to intimidate a population, or to compel a Government
or an international organization to do or abstain from doing any act’. A similar ‘special
intent’ element is found in the UN Security Council’s guideline definition of terrorism
in resolution 1566 (2004) and in the purported customary international law crime of
transnational terrorism recognised by the UN Special Tribunal for Lebanon in 2011.55
The Security Council definition suggests a third alternative intent element, ‘the purpose
to provoke a state of terror in the general public or in a group of persons or particular
persons’,56 although that standard is not so different from the other element of
intimidating a population.
Cyber attacks which do not aim to intimidate a population or compel a government
or international organisation will therefore not qualify as terrorism under the Draft
Convention. To some extent this excludes acts which are privately motivated or
narrowly targeted, although it is still possible for perpetrators motivated by private ends
(such as money or revenge, rather than political aspirations) to intimidate populations
or coerce governments. (An example might be hacktivists who extort money from a
government or corporation in exchange for ceasing to damage public or private
property respectively.) The Draft Convention does not additionally require proof of a
political, religious or ideological motive underlying acts designed to intimidate a
population or compel a government. As such, its definition is broader and captures
wider conduct as terrorism than certain common law crimes of terrorism which also
require a political motive.57
An ambiguous but illustrative example is the cyber attack by Vitek Boden in
Queensland, Australia in 2000 (putting aside for present purposes the fact that the
example is purely domestic and involves no transnational element). Driven by a ‘desire
for vengeance’ against his former employer (a local government council which had
terminated his employment),58 Boden used radio equipment and a computer to issue
commands to sewage equipment in the local council area. He caused 800,000 litres of
raw sewage to be released into local parks, rivers, and the grounds of a hotel, causing
substantial environmental damage. After at least 46 such attacks, Boden was arrested
by police officers and convicted of multiple counts of ‘using a restricted computer with
the consent of its controller thereby intending to cause detriment or damage’.59
54
‘Microsoft in more hacking misery’ (21 January 2014) BBC News <http://www.bbc.
co.uk/news/technology-25825781> 29 August 2014.
55
UN Special Tribunal for Lebanon (Appeals Chamber) (n 43) para. 85.
56
UNSC res 1566 (8 October 2004) UN Doc S/RES/1566 para. 3.
57
Saul, (n 14).
58
R v Boden [2002] QCA 164 para. 48.
59
Criminal Code Act 1899 (Qld), s 408E(1) (‘Computer hacking and misuse’); ibid.

12 / Date: 7/5
Cyber terrorism 159
Boden had no ulterior or special intention to intimidate a population, as is one

alternative element of terrorism under the Draft Convention. Nor was he seeking to
compel his former employee, a government (albeit a local shire council), to do or
refrain from doing something (such as to reemploy him, or give him money): he simply
wanted revenge, to punish the council, and presumably thereby to gain some personal
satisfaction from the harm inflicted. Had his employer been a private corporation (such
as a waste management company), there would be no question of compelling a
government within the meaning of the Draft Convention; it would also then be hard to
characterise acts against a single corporation as intimidating a population or part
thereof. In popular consciousness too, Boden’s action would probably not be com-
monly regarded as ‘terrorism’ by other citizens.
Boden’s conduct accordingly lacked the necessary instrumental quality of terrorism
under the Draft Convention, even if he may have caused equivalently serious damage
for other impermissible (cyber criminal) reasons. The legal situation would be different
if, for example, a person had released sewerage to threaten a population, or to
coercively extort a government to pay money, thus changing the nature of the harm and
elevating it to terrorism. The legal distinction between these scenarios is, however,
rather fine, and indicates some awkwardness in the framing of legal liabilities for
terrorism under the Draft Convention. Damaging property to punish or take revenge
against a government is not terrorism, but greedily asking for money is, even if such
extortion is unrelated to political goals or terrorising civilians. This problem of
overbreadth affects the Draft Convention definition in general and is not restricted to
cyber attacks.
There are also various hard cases where the definition in the Draft Convention would
likely classify a cyber attack as terrorism but the act in question may not be commonly
perceived as terrorism in a democratic public’s mind. One example is where air traffic
controllers, in the midst of an industrial dispute, changed the passwords on their air
traffic control computers, to prevent outside workers performing their jobs.60 Such
conduct is plainly dangerous to aircraft and passengers, and was done to coerce the
government in labour negotiations, thus arguably satisfying the definition in the Draft
Convention. But many would be instinctively uneasy about classifying industrial
protest, even dangerous or excessive strike activity, as ‘terrorism’.
Another example is where an anti-coal mining activist issued a fake press release
(using a laptop and mobile phone in a forest), purportedly from a major bank,
announcing that the bank had withdrawn its funding of a mining company for a major
mine development. The company’s share value on the stock market rapidly dropped by
A$314 million, before recovering after the hoax was exposed.61 The hoaxer’s conduct
could conceivably be characterised as terrorism under the Draft Convention: using
cyber means to cause serious private property damage and/or major economic loss,
60
Committee on Freedom of Association, Case No 1913 (Panama), Report No 309 (March
1998) 112.
61
Peter Ker and Ben Cubby, ‘Environmentalist’s hoax triggers $314m Whitehaven share
price fall’ (8 January 2013) Sydney Morning Herald <http://www.smh.com.au/business/
environmentalists-hoax-triggers-314m-whitehaven-share-price-fall-20130107-2cd11.html> ac-
cessed 29 August 2014.

13 / Date: 24/3
arguably intended (in part) to compel the government to revoke its approval of the coal
mine.62 Yet, such an act of environmental protest is far from regarded as ‘terrorist’ in
the popular imagination, even if it may transgress ordinary domestic criminal law. The
hoaxer was actually charged with making a false and misleading statement under
domestic corporations law.63
The above example illustrates the difficulty that even an apparently tightly drafted
definition of terrorism – limited to serious harms committed for prohibited instrumental
purposes – is still likely to capture some non-terrorist conduct. It suggests that good
sense is needed in the selection of charges in the exercise of prosecutorial discretion –
an obvious point, but one necessary to reiterate in a world where too many national
authorities abuse their legal systems to settle political scores. It may further demon-
strate that a ‘carve out’ provision for democratic protest or dissent, which does not
cause personal injury, should be tacked on to the definition of terrorism in the Draft
Convention, just as Australia has done in its federal offence of terrorism.64
While the definition of terrorism in the Draft Convention was settled reasonably
quickly, stimulated by the attacks of 9/11, disagreement remains over its scope of
application to certain non-State and State violence.65 Those disagreements are also
relevant to the regulation of cyber terrorism. Presently the Draft Convention excludes
from its scope the activities of State and non-State armed forces in armed conflict
covered by international humanitarian law66 (even if debate remains about which
groups come within the meaning of armed forces). Thus, cyber attacks by armed forces
in armed conflict cannot be characterised as cyber terrorism.
That does not mean that such forces are free to attack civilians by cyber means or to
destroy cyber targets without impediment. The usual rules of humanitarian law apply,
including the principles of distinction and proportionality and avoidance of weapons
62
The hoaxer asserted that civil disobedience was necessary because the community was
locked out of the approval process and there are few legitimate avenues to protect the
environment: ‘Anti-coal activist Jonathan Moylan granted bail over Whitehaven share hoax’ (23
July 2013) ABC News <http://www.abc.net.au/news/2013-07-23/activist-given-bail-over-
whitehaven-share-hoax/4837432> accessed 29 August 2014.
63
Leo Shanahan, ‘Jonathan Moylan’s Whitehaven hoax case to go to the Supreme Court’
(24 September 2013) The Australian <http://www.theaustralian.com.au/business/mining-energy/
jonathan-moylans-whitehaven-hoax-case-to-go-to-supreme-court/story-e6frg9df-1226726171306
?nk=1ae56ee488f58ce954304122f5fd5f39> accessed 29 August 2014.
64
Criminal Code Act 1995 (Cth), s. 100.1(3).
65
See Measures to Eliminate International Terrorism: Working Group Report (n 41) annex
II 7–8. Little headway was made between 2003 and the present (2014), despite the urgings of
high level UN reports and world leaders’ meetings: United Nations High-Level Panel on Threats,
Challenges and Change, A More Secure World: Our Shared Responsibility (2004); UN
Secretary-General, In larger freedom: Towards development, security and human rights for all
(21 March 2005) UN Doc A/59/2005; Club of Madrid, ‘The Madrid Agenda’ (International
Summit on Democracy, Terrorism and Security, 11 March 2005); 2005 World Summit Outcome
(24 October 2005) UN Doc A/RES/60/1 paras 83–84.
66
Measures to Eliminate International Terrorism: Working Group Report (n 41) art 20(2).

14 / Date: 7/5
Cyber terrorism 161
causing superfluous injury or unnecessary suffering. Most terrorist-type conduct

committed in an armed conflict is prohibited.67
In addition, any act or threat thereof, the primary purpose of which is to spread terror
among the civilian population, is already prohibited by the laws of war.68 The Tallinn
Manual on the International Law Applicable to Cyber Warfare, a publication of the
NATO Cooperative Cyber Defence Centre of Excellence, concludes that this could
include a cyber attack. A breach of this international humanitarian law (IHL)
prohibition amounts to the war crime of spreading terror amongst a civilian popu-
lation.69 This war crime is defined by the special intent of the perpetrator to spread
terror beyond the ordinary incidental fear often felt by civilians living through conflict.
It is therefore appropriate that the lex specialis, humanitarian law, governs the cyber
activities of armed forces in armed conflict, and nothing would be gained by also
addressing such acts under the Draft Convention.
More doubtful is the Draft Convention’s further proposed exclusion of the activities
of State armed forces in the exercise of their official duties in peacetime.70 Numerous
examples of offensive State cyber attacks with a ‘terrorist’ quality can be contemplated:
crashing the computer systems of a foreign central bank, stock market, or commodities
exchange; shutting down oil pipelines carrying heating fuel for civilians in winter;
sabotaging an air traffic control system; or remotely interfering in a dangerous
manufacturing process, thereby endangering workers or causing property damage.
Mention was made earlier of the activities of a Chinese military hacking unit; various
other States, such as the US, also have offensive cyber attack capabilities.
It is true that cyber attacks by State militaries outside an armed conflict may be
covered by the international prohibition on the use of force, the principle of non-
intervention, and international human rights law (including in its extraterritorial
dimension). But it does not follow that there also exists individual criminal liability for
illegal cyber attacks by State military forces, whether against foreign States (military or
civilian) or private persons. Only in limited circumstances is there liability for the
crime of aggression (due to the grave scale of the attack), while a crime against
humanity may only be committed if there is a widespread or systematic attack on a
civilian population.
67
Hans-Peter Gasser, ‘Acts of terror, “terrorism” and international humanitarian law’ (2002)
84 I.R.R.C. 547. See also Bannelier-Christakis (Ch 16 of this book) and Gill (Ch 17 of this
book).
68
Schmitt, Tallinn Manual (n 9) rule 36. This was based on art 51(2) of Protocol Additional
to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of
International Armed Conflicts, adopted on 8 June 1977, 1125 UNTS 3 (entered into force 7
December 1978), and art 13(2) of Protocol Additional to the Geneva Conventions of 12 August
1949, and Relating to the Protection of Victims of Non-international Armed Conflicts, adopted
on 8 June 1977, 1125 UNTS 609 (entered into force 7 December 1978).
69
Prosecutor v Galic, ICTY-98-29-T (5 December 2003) paras 65–66; affirmed in
Prosecutor v Galic (Appeals Chamber Judgment), IT-98-29-A (30 November 2006) paras 87–90.
See also Ben Saul, ‘Crimes and prohibitions of “terror” and “terrorism” in armed conflict:
1919–2005’ (2005) 4 J. of the Int’l L. of Peace and Armed Conflict 264. See Gasser (n 67).
70
Measures to Eliminate International Terrorism: Working Group Report (n 41) art 20(3).

15 / Date: 24/3
In other, perhaps less intense circumstances, however, State militaries would be

exempt from international criminal liability for cyber attacks on other States or
populations in peacetime, even where they cause personal injury or property damage
(and are not justified under the international law of self-defence). Admittedly, criminal
liability will be borne under the Draft Convention by other (non-military) State officials
or agents, including law enforcement officials and security or intelligence services. But
that makes it all the more strange that the same legal responsibility is not borne by
State military personnel under the Convention, when it is difficult to see any principled
or pragmatic need to award them such an exemption.
The adoption of the Draft Convention and its general definition of terrorist offences
would go a long way towards criminalising most instances of cyber terrorism, plugging
the gaps in the existing pastiche of sectoral conventions and obviating the need for a
cyber terrorism-specific convention. With the lingering uncertainty over the fate of the
Draft Convention, however, other parts of the UN system have directly or indirectly
addressed aspects of cyber terrorism.
4. REGIONAL INSTRUMENTS ON CYBER TERRORISM

Greater momentum in defining common offences or creating mechanisms of
cooperation can often be achieved at the regional level because of the smaller number
of States involved. Certainly more progress has been made at the regional level in
addressing cyber crime more generally. The Council of Europe’s Convention on
Cybercrime is a notable example, and has been ratified or acceded to by a majority of
Council of Europe members, as well as a number of non-member States.71 The EU too
has adopted a Framework Decision on Attacks against Information Systems.72
However, little progress has been made on prohibiting cyber terrorism more
specifically. The ASEAN Convention on Counter Terrorism 2007 is the only regional
agreement which directly refers to cyber terrorism. Article VI lists measures taken to
‘strengthen capability and readiness to deal with … cyber terrorism and any new forms
of terrorism’ as an ‘area of cooperation’ between the parties.73 However, it does not
define an offence of cyber terrorism, and only defines ‘terrorism’ by reference to the
international sectoral treaties.74
Other regional bodies have so far declined to create an offence of cyber terrorism.
The Council of Europe’s Committee of Experts on Terrorism has opined that no ‘gaps
exist’ between the Council’s Cybercrime Convention and the Convention on the
Prevention of Terrorism.75 It accordingly suggested that the focus should be on the
71
The Convention has been ratified by 41 countries in total. Non-members who have
ratified include Australia, Japan and the US.
72
EU Framework Decision 2005/222/JHA (n 10).
73
ASEAN Convention on Counter Terrorism 2007 art VI(1)(j).
74
Ibid. art II.
75
Committee of Experts on Terrorism (CODEXTER), Opinion for the Attention of the
Committee of Ministers on Cyberterrorism and the Use of Internet for Terrorist Purposes
(2008) 2.

16 / Date: 7/5
Cyber terrorism 163
effective implementation of those conventions, rather than instigating ‘new negotiations

[which] might jeopardize [the existing conventions’] increasing impact on the inter-
national fight against cybercrime and terrorism’.76 The Committee did suggest,
however, that increased sanctions may be appropriate in cases involving terrorist attacks
against computer systems.77
Notwithstanding the lack of direct regulation of cyber terrorism, some cyber attacks
are still likely to fall within the scope of the wide general definitions of terrorist
offences in some regional instruments. Examples include the Arab Convention on the
Suppression of Terrorism of 1998,78 Organisation of the Islamic Conference Conven-
tion on Combating International Terrorism of 1999,79 and the Shanghai Cooperation
Organisation Convention on Combating Terrorism, Separatism and Extremism of
2001.80 While not a treaty as such, also relevant in is the European Union Framework
Decision on Combating Terrorism of 2002.81
5. CONCLUSION: IS THERE A NEED FOR A CYBER TERRORISM

INSTRUMENT?
The above review of existing legal frameworks on terrorism generally demonstrates that
there is no lacuna in international law that leaves cyber terrorism completely unregu-
lated or unpunishable. Some cyber terrorism comes within some of the sectoral treaties.
The proposed Draft Comprehensive Anti-Terrorism Convention, if adopted, would
conveniently cover most instances of cyber terrorism. Much cyber terrorism can also be
classified as cyber crime under some regional (and many national) laws, and sometimes
under the Convention against Transnational Organised Crime, though there is as yet no
international treaty on cyber crime per se. Other international norms deal with cyber
activities facilitative of terrorism generally.
A question remains whether international law should nonetheless respond more
pointedly or precisely to cyber terrorism, rather than relying upon the incomplete
jigsaw of sectoral and general anti-terrorism norms and the fragmented efforts to
cooperate on cyber crime as a whole. The answer is partly one of sequencing. If the
Draft Comprehensive Convention can be soon adopted, much of the argument for a
separate cyber terrorism agreement is deflated. The very point of a comprehensive
instrument is to capture all forms of terrorism, and to overcome the unsatisfactory ad
76
Ibid. 3.
77
Ibid. 2.
78
Arab Convention on the Suppression of Terrorism, adopted 22 April 1998 (entered into
force 7 May 1999).
79
Organisation of the Islamic Conference Convention on Combating International Terror-
ism, adopted 1 July 1999 (entered into force 7 November 2002).
80
Shanghai Cooperation Organisation Convention on Combating Terrorism, Separatism and
Extremism, adopted 15 June 2001 (entered into force 29 March 2003).
81
EU Framework Decision on Combating Terrorism (2002/475/JHA), 13 June 2002, OJ
L164/3, 22 June 2002, entered into force 22 June 2002; see Ben Saul, ‘International terrorism as
a European crime: The policy rationale for criminalization’ (2003) 11 Eur. J. of Crime, Criminal
L. and Crim. Jus. 323.

17 / Date: 7/5
hoc and partial approach of the sectoral treaties. If the Draft Convention remains in
stasis, however, there are stronger reasons for a cyber terrorism treaty. Likewise, if
there remains no instrument on cyber crime generally, there is a stronger case for a
cyber terrorism specific instrument to combat that narrow type of cyber crime. The
issue is partly therefore which instrument will be developed first to plug the common
normative gaps.
The necessity of pursuing a cyber terrorism instrument partly depends also on
extra-legal policy considerations about the gravity and likelihood of the threat. Opinion
is divided over whether terrorist groups have the capacity or motivation to commit
cyber terrorism.82 To date, there have been no confirmed reports of a cyber terrorism
attack. Two UN reports concur that ‘there is not yet an obvious terrorist threat in the
area’ of cyberspace,83 and that there are ‘few indications of terrorist attempts to
compromise or disable [Information Communications Technology (ICT)] infrastructure
or to execute operations using ICTs’.84 Thus far there has been far more concern about
States launching cyber attacks on each other (such as Russia’s attacks on Estonia in
2007, or Georgia in 2008) than non-State cyber attacks against States, principally
because of the level of technical resources, skills and sophistication often necessary to
mount serious and sustained cyber attacks.
However, some security analysts and policy makers regard the threat of cyber
terrorism as real and likely to intensify. US President Barack Obama described ‘the
cyber threat to our nation’ as ‘one of the most serious … national security challenges
we face’,85 and warned that: ‘Al Qaeda and other terrorist groups have spoken of their
desire to unleash a cyber attack’ on the US.86 The UK classed a ‘cyber attack, including
by … terrorists’ as one of four ‘Tier One’ threats in its National Security Strategy.87
Israeli Prime Minister Benjamin Netanyahu has accused Hezbollah and Hamas of
launching cyber attacks against Israeli infrastructure.88 The question is whether these
concerns are shared widely enough in the international community to impel enough
States to believe it is worthwhile to draft yet another sectoral anti-terrorism treaty,
when many are exhausted by the Draft Convention negotiations.
82
See Denning (n 47).
83
CTITF (n 2) para. 92.
84
Group of Governmental Experts on Developments in the Field of information and
Telecommunications in the Context of International Security: Note by the Secretary General (30
July 2010) UN Doc A/65/201.
85
President Barack Obama, ‘Taking the cyberattack threat serious’ (19 July 2012) Wall
Street Journal.
86
President Barack Obama, ‘Remarks by the President on securing our nation’s cyber
infrastructure’ (Speech, 29 May 2009) <http://www.whitehouse.gov/the-press-office/remarks-
president-securing-our-nations-cyber-infrastructure> accessed 29 August 2014.
87
HM Government, ‘A strong Britain in an age of uncertainty: The national security
strategy’ (Paper presented to Parliament, October 2010) 11. The remaining threats were
international terrorism, international military crises between states, and a major accident or
national hazard.
88
Shlomo Cesana and Ilan Gattegno, ‘Netanyahu: Iran, Hamas stepping up cyberwarfare
against Israel’ (10 June 2013) Israel Hayom <http://www.israelhayom.com/site/newsletter_
article.php?id=9869> accessed 29 August 2014.

18 / Date: 7/5
Cyber terrorism 165
Certainly model cyber crime legislation promoted by the International Telecommuni-

cation Union (ITU) encourages States to more specifically criminalise cyber terrorism
where an underlying cyber crime is committed ‘with the intent of developing,
formulating, planning, facilitating, assisting, informing, conspiring, or committing acts
of terrorism’.89 The model law hinges on national definitions of terrorism. The ITU
explains that ‘[c]ybercrimes … for the purposes of terrorism were deemed to be such a
threat to the rule of law, public safety, and national and economic security that the
Toolkit Project Team believed separate provisions should address these crimes and more
substantial penalties should apply’.90
At present, however, there is little evidence in national legal practice that cyber
terrorism as such is treated as a distinct legal category or offence, whether because
States do not view it as sufficiently threatening, ordinary terrorism or cyber crime laws
are considered adequate, or domestic laws have simply been slow to adapt. Only a few
States, such as India and Georgia, have adopted an express crime of cyber terrorism.91
Certain other States incorporate serious interference, disruption or destruction of
electronic systems as an element of general terrorism offences, as in Australia, the UK
and South Africa.92 Yet others utilise general cyber crime offences, or have laws (as in
China) which recognise that any criminal act can be committed by the use of a
computer.93 In the US, where terrorism is involved the PATRIOT Act increases
penalties for ordinary offences of damaging a federally protected computer.94
One reason for creating a cyber-terrorism specific convention is to address unique
technical difficulties that may demand special measures of prevention and repression.
There may be ‘“computer-specific” gaps in “terrorist-specific” conventions’.95 Exam-
ples of possible necessary technical measures include retention of Internet Service
Provider (ISP) or other Internet related data,96 international standards on encryption,97
the collection and use of digital evidence in courts,98 and the relationship between State
89
ITU Toolkit for Cybercrime Legislation (February 2010), ss 2(d), 3(f), 4(f), 6(h). The
ITU is a unique UN treaty organisation, as its members include not only 193 States, but also 700
private companies operating in the ICT sphere.
90
Ibid. 32.
91
The Information Technology (Amendment) Act 2008 (India), adding s 66F to the
Information Technology Act 2000; Criminal Code of Georgia 2007 art 324 (‘Technological
Terrorism’).
92
Criminal Code Act 1995 (Cth) s 101.1(2)(f) (an electronic system is defined as including
information, telecommunications, or financial systems, and systems used for essential govern-
ment services, an essential public utility, or a transport system); Terrorism Act 2000 (UK)
s 1(2)(e); Protection of Constitutional Democracy against Terrorism and Related Activities Act
2004 (South Africa).
93
Criminal Law of the People’s Republic of China art 287.
94
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act 2001 s 814 (‘Deterrence and prevention of cyber crime’).
95
CODEXTER (n 75) 2.
96
UNODC (n 1) 92.
97
Kelly A Gable, ‘Cyber-apocalyse now: Securing the Internet against cyberterrorism and
using universal jurisdiction as a deterrent’ (2010) 43 Vanderbilt J. Trans. L. 57, 97.
98
UNODC (n 1) [365]ff.

19 / Date: 7/5
security organisations and private companies who offer cyber services.99 There are
peculiar jurisdictional difficulties in investigating and taking enforcement action in
relation to cyber offences, aspects of which may take place across Internet servers in
multiple countries, or using anonymous methods.
These technical challenges are, however, common to both cyber crime and cyber
terrorism and are not unique to the latter. As such, alone they do not provide a
compelling reason to generate a narrow convention on cyber terrorism as distinct from
a wider, more encompassing instrument on cyber crime. It is possible that negotiating a
cyber terrorism instrument could lessen the impetus to agree a wider cyber crime
convention, though conversely agreeing a narrower instrument on terrorism could build
confidence towards a wider crime convention.
Another reason to pursue a special instrument against cyber terrorism is to send an
expressive or stigmatising signal that the international community regards it as
wrongful. While cyber terrorism can often already be qualified as ordinary crime or
terrorism, a special instrument could more pointedly condemn and punish the abuse of
the Internet to commit terrorism, possibly strengthening deterrence and encouraging
stronger international cooperation. Such an instrument could also potentially address
cyber acts facilitative of terrorism, such as the misuse of the Internet for incitement,
recruitment, financing and the like (even though these are already addressed by
separate international standards). There may be effectiveness gains in consolidating and
finessing relevant standards in one place, which may outweigh the conceptual messi-
ness of duplicating international efforts across multiple instruments. This presupposes,
however, that the threat of cyber terrorism justifies singling it out for special treatment,
and currently there is far from international consensus on that point.
A final reason for concluding a convention on cyber terrorism is to promote
consistency between domestic legal regimes and encourage restraint by national
governments when determining the scope of cyber terrorism offences. Mutual assist-
ance, extradition and prosecution of transnational cyber terrorist offences is most
feasible and effective where States broadly agree on the underlying definition of cyber
terrorism offences. As noted earlier, currently there are widely divergent national
approaches to dealing with the problem, inhibiting the potential for cooperation. At the
same time, the lack of an international consensus encourages individual States to
potentially adopt over-broad and rights-abusive definitions of cyber terrorism, a
problem arising in the field of terrorism laws generally.
At the same time, some States have been wary of deepening cooperation on cyber
terrorism for fear that it could lead to the erosion of human rights. In general,
counter-terrorism norms adopted since 9/11 have placed great pressure on fundamental
human rights and freedoms. The Internet is a ‘powerful vehicle for the exercise and
protection of human rights of freedom of opinion and expression’.100 International
legislative overreach could have a chilling effect on the way that people exercise their
rights of opinion and expression over the Internet, and can be readily exploited by
governments to target political activists or dissidents, and unjustifiably infringe on
personal privacy.
99
CTITF (n 2) 7.
100
CTITF (n 2) 23.

20 / Date: 7/5
Cyber terrorism 167
The risk comes not only from the many authoritarian States that make up a
significant part of the international community, but also from democratic States. The
cyber terrorism offence in Indian domestic law, for instance, is not limited to cyber
activities which can be genuinely characterised as terrorist. Instead, it purports to label
as a cyber terrorist any person who accesses restricted information through a computer,
if that information is likely to cause harm such as damaging friendly relations with
foreign States, or injuring public order, decency or morality.101 Punishment can extend
to life imprisonment.
Elsewhere, there has been much criticism of the excessive intelligence collection
methods by US national security agencies which target the emails, Internet usage and
telephone communications of millions of innocent citizens and non-citizens alike.102 A
EU directive mandating lengthy data retention103 has been challenged under national
constitutions for infringing human rights,104 and was declared invalid in 2014 by the
European Court of Justice for excessively infringing the right to privacy.105 Similar data
retention schemes in the UK and Australia faced fierce domestic opposition.106
In principle, transnational cyber terrorism is undoubtedly harmful and worthy of
suppression. But whether further international measures to combat it are a good idea
depends on how the problem is defined, what measures are proposed to confront it, and
whether basic rights will be respected. Otherwise, it is too easy for the juggernaut of
international counter-terrorism cooperation to roll on without regard to the conse-
quences for diminishing essential freedoms.
101
Information Technology Act 2000 (India) s 66F(1).
102
See ‘The NSA Files’, The Guardian <http://www.theguardian.com/world/the-nsa-files>
103
EU Directive 2006/24/EC on the Retention of Data Generated or Processed in Connec-
tion with the Provision of Publicly Available Electronic Communications Services or of Public
Communications Networks and Amending Directive 2002/58/EC (15 March 2006).
104
Bulgarian Supreme Administrative Court, Decision No. 13627, 11 December 2008;
Supreme Court of Cyprus Appeal Case Nos. 65/2009, 78/2009, 82/2009 and 15/2010-22/2010, 1
February 2011; Federal Constitutional Court of Germany, 1 BvR 256/08, 1 BvR 263/08, 1 BvR
586/08, 2 March 2010; Czech Constitutional Court on Act No. 127/2005 and Decree No
485/2005, 22 March 2011.
105
Digital Rights Ireland and Seitlinger and Others, Judgment in Joined Cases C-293/12
and C-594/12, ECJ, 8 April 2014.
106
See Parliamentary Joint Committee on Intelligence and Security, Report of the Inquiry
into Potential Reforms of Australia’s National Security Legislation (May 2013), 150–66; ‘UK’s
data communication bill faces tough criticism’ (14 June 2012) BBC News <http://www.bbc.
com/news/technology-18439226> accessed 29 August 2014.

21 / Date: 7/5
8. Cyber espionage and international law

Russell Buchan
1. INTRODUCTION
Cyberspace has emerged as an indispensable feature of the contemporary era. All actors
within the international system now utilise cyberspace in order to perform their
manifold activities and maximise their potential. Although it goes without saying that
this highly interconnected and instantaneous environment yields enormous benefits,
cyberspace has also become the source of significant threats and vulnerabilities.1
The threat landscape is multifaceted and dynamic. In recent years however the
exploitation of cyberspace for the purpose of espionage has emerged as a particular
concern.2 According to reports, ‘cyber espionage projects [are] now prevalent’.3 Indeed,
there are numerous examples of both State and non-State actors infiltrating computer
networks of State and non-State actors in order to access and collect confidential
information.4 Several high profile instances of cyber espionage have attracted inter-
national attention. In January 2010 Google reported that it had ‘detected a highly
sophisticated and targeted attack against our corporate infrastructure originating from
China that resulted in the theft of intellectual property from Google’.5 Internal
investigations revealed that ‘a primary goal of the attackers was accessing the Gmail
accounts of Chinese human rights activists’.6
1
In the words of US President Barack Obama, ‘[t]hreats to cyberspace pose one of the
most serious economic and national security challenges of the 21st Century for the United States
and our allies’; White House, Cyberspace Policy Review: Assuring a Trusted and Resilient
Information and Communication Infrastructure (2009), <http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf> accessed 7 October 2014.
2
‘[D]igital espionage and cyber crime remain the biggest threats to both government and
the business community’; National Cyber Security Centre, Cyber Security Assessment
Netherlands (CSAN) (2013) 7, <http://english.nctv.nl/publications-products/Cyber_Security_
Assessment_Netherlands/> accessed 7 October 2014.
3
The Guardian, ‘State-sponsored cyber espionage projects now prevalent’ (30 August
2012) <http://www.theguardian.com/technology/2012/aug/30/state-sponsored-cyber-espionage-
prevalent> accessed 7 October 2014.
4
Mandiant Report, ‘APT1: Exposing one of China’s Cyber Espionage Units’ (2013)
<http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf> accessed 7 October 2014.
5
D Drummond, ‘A New Approach to China’(12 January 2010) Google: Official Blog,
<http://googleblog.blogspot.co.uk/2010/01/new-approach-to-china.html> accessed 7 October 2014.
6
Ibid. Note that China has denied responsibility for these allegations; Ma Zhaoxu, Foreign
Ministry Spokesperson, Remarks on China-related Speech by US Secretary of State on ‘Internet
Freedom’ (22 January 2010), <http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/
2535_665405/t653351.shtml> accessed 7 October 2014.
168
/ Date: 24/3
Cyber espionage and international law 169
In another significant incident of cyber espionage in May 2012 the Russian security
firm Kaspersky Lab detected computer malware (subsequently referred to as the Flame
virus) in computer systems of Iranian Oil Companies which allowed confidential
information to be accessed, monitored and collected. According to reports, this virus
had the capacity to ‘activate computer microphones and cameras, log keyboard strokes,
take screen shots, extract geolocation from images, and send and receive commands
and data through Bluetooth wireless technology’;7 ‘basically an industrial vacuum
cleaner for sensitive information’.8 Although definitive attribution has never been made,
it has been alleged that the US and Israel were the authors of this virus and responsible
for its deployment.9
The publication of the Mandiant Report in February 2013 exposed for the first time
the scale and intensity of cyber espionage in the international community.10 This report
in particular identified China as a persistent perpetrator of cyber espionage. In fact, the
report claimed that a cyber espionage entity known as Unit 61398 has been specifically
created by the Chinese Government and is formally incorporated into the Chinese
People’s Liberation Army. The Mandiant Report suggested that Unit 61398 was
responsible for organising and instigating a massive cyber espionage campaign against
other States and non-State actors, looking to exploit vulnerable computer systems in
order to access sensitive and confidential information with the aim of bolstering
China’s position in the international political and economic order.
Only four months later in June 2013 cyber espionage was again thrust firmly into the
international spotlight when Edward Snowden, a former contractor for the US National
Security Agency (NSA), disclosed through Wikileaks thousands of classified docu-
ments to several media companies including The Guardian newspaper and The
Washington Post. The documents revealed that the NSA had been engaged in a global
surveillance programme. At the heart of this surveillance programme was the collection
of confidential information that was being stored in or transmitted through cyberspace.
In particular, the NSA had been engaged in a sustained and widespread campaign of
intercepting and monitoring private email and telephone communications. This cyber
espionage targeted numerous State and non-State actors, including officials of inter-
national organisations (such as the EU), State organs (including heads of State such as
German Chancellor Angela Merkel and Israeli Prime Minister Ehud Olmut), religious
leaders (the Pope), companies (such as the Brazilian oil company Petrobas), non-
governmental organisations (including UNICEF and Médecins du Monde) and indi-
viduals suspected of being involved in international terrorism.11
7
The Washington Post, ‘U.S., Israel developed Flame Computer Virus to slow Iranian
Nuclear efforts, Officials say’ (19 June 2012), <http://www.washingtonpost.com/world/national-
security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/
06/19/gJQA6xBPoV_story.html> accessed 7 October 2014.
8
BBC News, ‘Flame: Massive cyber attack discovered, researchers say’ (28 May 2012),
<http://www.bbc.co.uk/news/technology-18238326> accessed 7 October 2014.
9
The Washington Post (n 7).
10
Mandiant Report (n 4).
11
For an overview of the Snowden revelations see The Guardian, ‘The Snowden Files –
Inside the surveillance state’ (2 December 2013) <http://www.theguardian.com/technology/2013/
dec/03/tim-berners-lee-spies-cracking-encryption-web-snowden> accessed 7 October 2014.

/ Date: 24/3
These incidents raise important questions concerning the legality of cyber espionage
under international law generally and the adequacy of international law in protecting
State and non-State actors from cyber espionage in particular. To date, these important
international legal questions have received inadequate attention in the literature. This
chapter will therefore attempt to provide answers to some of these legal questions. This
chapter will be structured accordingly. Section 2 formulates a working definition of the
concept of cyber espionage in order to focus the research scope of the chapter. Section
3 examines the role and nature of the practice of cyber espionage in the contemporary
international order. In particular, this section presents cyber espionage as a pernicious
practice that represents a threat to international peace and security and which is thus in
need of international regulation. In light of this, section 4 identifies the international
law implicated by cyber espionage and assesses the extent to which it regulates this
practice. Section 5 offers some conclusions.
2. DEFINING CYBER ESPIONAGE

Although cyber espionage is a relatively new phenomenon, espionage is certainly not.
In fact, espionage has been practised ‘since the dawn of human history’.12 In its
traditional conception espionage describes the practice whereby agents are physically
dispatched into the territory of another State in order to access and obtain confidential
information. States have however exploited developments in innovation and technology
so as to devise more effective methods through which to conduct espionage. With the
discovery of ships, aeroplanes and celestial bodies the sea, the skies and outer space
have all emerged as domains that can be exploited as platforms through which to
commit espionage. It therefore comes as no surprise that since its creation cyberspace
has also been harnessed as a tool through which to commit espionage.
Espionage is defined as ‘the consciously deceitful collection of information, ordered
by a government or organization hostile to or suspicious of those the information
concerns, accomplished by humans unauthorized by the target to do the colleting’.13 In
order to fit the theme of this handbook this chapter is concerned with cyber espionage.
According to the US Presidential Policy Directive entitled ‘U.S. Cyber Operations
Policy’, cyber espionage is defined as ‘[o]perations and related programs or activities
conducted […] in or through cyberspace, for the primary purpose of collecting
intelligence […] from, computers, information or communication systems, or networks
with the intent to remain undetected …’14 Several important features of this definition
12
Katharina Ziolkowski, ‘Peacetime cyber espionage – new tendencies in public inter-
national law’, in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyber-
space: International Law, International Relations and Diplomacy (CCDCOE, 2013) 425.
13
Geoffrey B. Demarest, ‘Espionage in international law’ (1996) 24 Denv. J. Int’l. L. & Pol.
321, 326.
14
US Presidential Policy Directive, ‘U.S. Cyber Operations Policy’ (October 2012)
<http://www.fas.org/irp/offdocs/ppd/ppd-20.pdf> accessed 7 October 2014. Similarly, Lin
defines cyber espionage as ‘the use of actions and operations – perhaps over an extended period
of time – to obtain information that would otherwise be kept confidential and is resident on or

/ Date: 24/3
need to be identified and elaborated upon in order to provide some much needed
clarification to the practice of cyber espionage and, further, to refine the focus of this
chapter.
1. This chapter examines the legality of espionage committed in or through

cyberspace. In this context cyberspace refers to a ‘global domain within the
information environment consisting of the interdependent network of information
technology infrastructure, including the Internet, telecommunications networks,
computer systems, and embedded processors and controllers’.15
2. As with espionage, cyber espionage describes the unauthorised accessing and
copying of confidential information. Cyber espionage however relates to the
accessing and copying of electronic information that is being stored in or
transmitted through cyberspace. Note that cyber espionage requires more than just
gaining access to a computer system; electronic information must also be
copied.16 In many instances the accessing and copying of information occurs
contemporaneously. However, the copying of information is expressly required in
order to distinguish cyber espionage from mere hacking, which describes the
practice of accessing computer systems and networks but does not necessarily
entail the copying of information.17 Further note that cyber espionage is commit-
ted regardless of whether information is lost or damaged. In order for cyber
espionage to be committed all that is required is that confidential information is
accessed and copied. Indeed, the victim may never know that they have been the
victim of this activity, and this is usually when cyber espionage is at its most
effective.
3. The objective of this chapter is to assess the permissibility under international law
of transboundary cyber espionage. This chapter does not therefore consider the
legality of cyber espionage committed by nationals against their own government.
This would be an interesting research project, especially in light of the recent
conviction of Chelsea Manning under the Espionage Act in the US and the
potential trial of Edward Snowden under the same legal framework. However,
such a project would be an examination of national legal rules relating to cyber
espionage. But the issue is that because of the interconnectivity of cyberspace
cyber espionage can be committed remotely by actors physically located in
foreign jurisdictions. Certainly, transboundary cyber espionage can violate the
national (criminal) laws of a State. In May 2014 the US again invoked the
transmitting through an adversary’s computer systems or networks’; Herbert Lin, ‘Offensive

cyber operations and the use of force’ (2010) 4 J. Nat’l. Sec. L. & Pol. 63, 63.
15
Joint Chiefs of Staff, Joint Publication 1-02, DOD Dictionary of Military and Associated
Terms (8 November 2010) (as amended through 15 June 2014) 64. The International Telecom-
munications Union (ITU) describes cyberspace as ‘systems and services connected either
directly or indirectly to the internet, telecommunications and computer networks’; ITU, ITU
National Strategy Guide (Geneva: ITU, 2011) 5, <http://www.itu.int/ITU-D/cyb/cybersecurity/
docs/itu-national-cybersecurity-guide.pdf> accessed 7 October 2014.
16
Ziolkowski (n 12) 429.
17
Whether hacking (as distinguished from cyber espionage) is contrary to international law
is beyond the scope of this chapter.

/ Date: 24/3
Espionage Act when a Grand Jury indicted five Chinese military officers,
allegedly acting at the behest of the Chinese Government, accusing them of
committing cyber espionage in order to obtain important trade secrets from US
companies.18 However, the enforcement of national criminal laws against perpet-
rators that are located in foreign jurisdictions is likely to be extremely difficult,
and so national law will often prove ineffective.19 Ultimately, protection against
transboundary cyber espionage will therefore rest with international law. It is for
this reason that the focus of this chapter is upon the application and effectiveness
of international law.
4. Cyber espionage, like espionage, can be committed during times of peace or
times of armed conflict. As we shall see, there is no specific conventional or
customary international legal framework that regulates peacetime espionage. In
contrast espionage committed during times of armed conflict, and where this
espionage is committed in support of one of the parties to the armed conflict, is
specifically regulated by international humanitarian law, notably Article 46 of
Additional Protocol 1 (1977) to the Geneva Conventions (1949). Due to space
restrictions, and in light of the recent topicality of peacetime cyber espionage, this
chapter will focus exclusively upon the permissibility under international law of
cyber espionage committed during peacetime.
5. Various treaties and in particular arms controls treaties permit States to engage in
surveillance and monitoring of other State parties so as to assure and verify their
compliance with the obligations imposed by the treaty. The accessing and
copying of confidential information that is committed consensually pursuant to a
treaty does not constitute cyber espionage (as defined in this chapter) and does
not raise any international legal concerns, providing of course it is committed
within the parameters stipulated by the treaty. The focus of this chapter is to
examine the international legality of cyber espionage, which by definition
requires the unauthorised exploitation of cyberspace in order to access and copy
confidential information.20
6. Historically, espionage was an activity that was practised by States, against States,
usually targeting important organs of the State such as those relating to defence
and foreign affairs. Significantly, however, and as exemplified by the Snowden
18
The Guardian, ‘Chinese military officials charged with stealing US data as tensions
escalate’ (20 May 2014) <http://www.theguardian.com/technology/2014/may/19/us-chinese-
military-officials-cyber-espionage> accessed 7 October 2014.
19
In relation to the indictment of the five Chinese military officials under the Espionage
Act, Fidler explains that ‘[t]he U.S. government knows the likelihood of successfully prosecut-
ing these individuals for violating U.S. criminal law is virtually nil because the cooperation of
the Chinese government would be necessary for the U.S. to gain custody and conduct a criminal
trial’; David Fidler, ‘Cyber espionage indictment of Chinese officials: IU experts comment’ (19
May 2014) <http://info.law.indiana.edu/releases/iu/2014/05/china-cyber-spying.shtml> accessed
7 October 2014.
20
Similarly, the accessing and copying of confidential information pursuant to a resolution
adopted by the Security Council under Chapter VII UN Charter does not constitute cyber
espionage because it is conducted with legal authority. Such conduct cannot be therefore
regarded as unauthorised.

/ Date: 24/3
revelations, a combination of the widespread use of cyberspace to store infor-

mation and an increasingly interdependent and competitive international environ-
ment has meant that States are also now committing cyber espionage against
non-State actors such as international organisations, non-governmental organ-
isations, companies and even individuals.21 Moreover, it is not just States that
commit cyber espionage. Non-State actors such as companies and individuals
have also recognised the benefits of copying confidential information belonging
to State and non-State actors, and have thus exhibited a tendency to exploit
cyberspace for the purpose of espionage.22
The participation of this multitude of different actors in the practice of cyber espionage
raises many interesting and complex international legal questions. In relation to cyber
espionage committed by States, relevant international law questions include
+ Does cyber espionage violate the principle of non-intervention that is contained in

customary international law?
+ Does cyber espionage constitute an unlawful use of force under Article 2(4) UN
Charter or an armed attack under Article 51 UN Charter?
+ Does cyber espionage constitute a violation of international human rights law, in
particular the right to privacy?
As I have noted, cyber espionage is also committed by non-State actors. As we know,

international law was originally devised in order to regulate inter-State relations, and to
this day retains a predominantly State-centric focus.23 This being said, given the
increasing importance of non-State actors on the international stage international law
has gradually developed the capacity to regulate the activities of non-State actors, even
if this is achieved indirectly by holding States responsible for their behaviour. In the
context of cyber espionage committed by non-State actors relevant international law
questions include
+ Under what circumstances can acts of cyber espionage by non-State actors be

legally attributed to a State?
+ Are States under a duty of due diligence to prevent non-State actors operating in
their territory or subject to their jurisdiction from committing acts that are
injurious to the legal rights of other States?
21
BBC News, ‘Ordinary internet users ‘made up bulk of NSA intercepts’ (6 July 2014)
<http://www.bbc.co.uk/news/world-us-canada-28182494> accessed 7 October 2014.
22
‘A growing array of state and non-state adversaries are increasingly targeting – for
exploitation and potentially disruption or destruction – our information infrastructure including
the Internet, telecommunications networks, computer systems, and embedded processors and
controllers in critical infrastructure’; Director of National Intelligence Dennis C. Blair, Annual
Threat Assessment of the Intelligence Community for the Senate Armed Services Committee,
Statement for the Record (February 2009) 39-40.
23
Jean d’Aspremont, ‘Introduction’ in Jean d’Aspremont (ed.), Participants in the Inter-
national Legal System: Multiple Perspectives on Non-State Actors in International Law
(Routledge, 2011).

/ Date: 24/3
+ Does the World Trade Organisation (WTO) or International Telecommunications

Union (ITU) impose legal obligations upon States to ensure that companies
registered within their jurisdiction respect trade secrets of companies registered in
other States?
Due to space restrictions this chapter cannot address all of these questions. For this
reason, this chapter does not assess the role of international law in regulating cyber
espionage committed by non-State actors. Instead, this chapter assesses the legality
under international law of cyber espionage committed by States. To be clear, this
entails an examination of whether cyber espionage constitutes a violation of the
non-intervention principle contained in customary international law or an unlawful use
of force or armed attack under the UN Charter. Note that this chapter does not consider
whether cyber espionage committed by States against individuals violates international
human rights law. This question is examined in detail elsewhere in this handbook.24
3. CYBER ESPIONAGE AS A THREAT TO INTERNATIONAL

PEACE AND SECURITY
Espionage is often defended on the basis that it serves an important function in
facilitating the maintenance of international peace and security.25 Historically, this
defence has been rooted in classic realist theory; the argument runs that States exist in
a State of nature because the world order does not possess an overarching government
that is capable of protecting State security. In the absence of protection from a
centralised authority, States must assume responsibility for their own survival in the
system. What this means in practice is that States must acquire sufficient material
power, or at least ally with other States in order to bolster and enhance their material
strength, so as to deter potential aggressors and, if necessary, repel them.26 All in all,
international peace and security is maintained where a balance of power is achieved
between States.27
Being able to accurately determine the relative strength of other States is therefore
crucial to achieving a balance of power. In this competitive security environment,
however, States are reluctant to accept as truthful claims by other States relating to their
material capabilities and, moreover, what their intentions are in relation to how those
capabilities will be used. Scholars argue that espionage allows States to access
confidential information about other States and thus better understand their exact
capabilities and intentions. In short, espionage enables States to know each other better.
The consequence is that States are able to take steps to more accurately balance their
24
See Fidler (Ch 5 of this book).
25
See generally Michael Herman, Intelligence Power in Peace and War (CUP, 1996).
26
See generally Kenneth Waltz, Theory of International Relations (Addison-Wesley Pub.
Co. 1979).
27
‘[W]ars usually begin when two nations disagree on their relative strength, and wars
usually cease when the fighting nations agree on their relative strength’; Geoffrey Blainey, The
Causes of War (New York: The Free Press, 1988) 293.

/ Date: 24/3
material power with other States in the system. In this sense, espionage becomes
crucial to the maintenance of international peace and security.28 In the words of one
scholar, ‘[e]spionage is regarded by States as a necessary tool for pursuing their foreign
policy and security interests and for maintaining the balance of power at the inter-State
level. Thus, it has always been a common practice in international relations, even in
time of peace’.29
I reject this realist defence of espionage. Its weakness is that it fails to appreciate that
since at least the inception of the UN Charter in 1945 international relations have been
predicated upon the principle of the sovereign equality of States.30 Indeed, such is the
importance of this principle that it is often considered to be a constitutional norm of the
international community.31 The ‘corollary’ of this principle is that States are legally
precluded from intervening in each other’s internal affairs.32 The objective is to protect
State sovereignty by creating an international covenant of universal applicability that
legally compels States to abstain from intervening in each other’s internal affairs. In
this environment international peace and security is maintained through legal regu-
lation, not the balance of power.33
The consequence is that even if espionage is effective in enabling a State to access
useful information relating to its adversaries capabilities, it must be recognised that this
is necessarily achieved by violating a foundational legal rule of the international
community which is designed to guarantee State survival. Somewhat inevitably,
espionage therefore constitutes a hostile act that threatens State security and inter-
national peace and security more generally.34
In light of this, in recent years the defence of espionage has moved away from realist
theory and towards a more functionalist approach; namely, that espionage is a desirable
feature of international relations because it is a ‘tool that enables functional
cooperation’.35 Baker has been a prominent proponent of this approach.
Baker argues that during the Cold War international peace and security was defined
narrowly, being maintained where armed conflict between States was avoided. In the
contemporary era however Baker contends that international peace and security is
28
Stone has been a particular advocate of this approach; Julius Stone, ‘Legal problems of
espionage in conditions of modern conflict’, in Robert J. Stranger (ed.), Essays on Espionage
and International Law (Ohio State University Press, 1962).
29
Christian Schaller, ‘Spies’ (2009) Max Planck Encyclopaedia of Public International
Law. Parks argues that states regard espionage ‘as a vital necessity in the national security
process’; W. Hays Parks, ‘The international law of intelligence collection’, in John Norton
Moore and Robert Turner (eds.), National Security Law (Carolina Academic Press, 1990) 433.
30
Article 2(1) UN Charter 1945.
31
Bardo Fassbender, ‘The United Nations Charter as constitution of the international
community’ (1998) 36 Columbia J. Trans. L. 529.
32
Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States
of America) (Merits) [1986] ICJ Rep 14 para. 202.
33
Russell Buchan, International Law and the Construction of the Liberal Peace (Hart,
2013) 19 ff.
34
See generally Herbert Scoville Jr., ‘Is espionage necessary for our security?’ (1976) 54
Foreign Affairs 482.
35
Christopher D Baker, ‘Tolerance of international espionage: A functional approach’
(2003) 19 Am. U. Int’l. L. Rev. 1091, 1112.

/ Date: 24/3
defined far more expansively, being maintained not just where armed conflict between
States is avoided but also where other important problems facing the world order are
effectively addressed, including those relating to human rights violations, environ-
mental degradation, economic insecurity, widespread poverty, pandemic influenza,
etc.36 Baker submits that these common problems can only be resolved, and thus
international peace and security maintained, where States act in a collaborative and
coordinated manner. International collaboration in resolving common problems is at its
most effective, Baker suggests, when promises and commitments are enshrined in
legally enforceable international rules which are in turn embedded within international
organisations.37
It goes without saying that in order for these international agreements to successfully
achieve their objectives State parties must comply with and discharge the obligations
that these regimes impose. More often than not such regimes will have compliance and
verification mechanisms integrated into them, sometimes through the creation of
international organisations (for example the WTO) and sometimes through international
tribunals (such as the Appellate Body of the WTO). However, Baker argues that in
many instances States are able to circumvent these international regimes, thus under-
mining their effectiveness; ‘conventional verification and assurance techniques repre-
sent an incomplete method for yielding information sufficient to satisfy States that
parties to an agreement are complying with their international obligations’.38
It is here where Baker locates the utility of espionage. Obtaining confidential
information belonging to States enables other States that participate in that legal
framework to accurately determine whether or not such States have complied with their
international obligations.39 Where a State insists that it has complied with its inter-
national obligations and through espionage it is revealed that this is in fact true, a sense
of trust will emerge and so States will become more willing to cooperate across
functional lines and conclude additional international agreements aimed at resolving
common problems that undermine the maintenance of international peace and security.
He explains that:
[m]utual trust between treaty parties increases when espionage affirms that the assurances
provided are accurate. States will be more willing to cooperate with other states in the future
if their espionage confirms that the assurances provided by these parties are truthful.40
Thus, for Baker the benefit of espionage is that it plays a key role in encouraging states
to conclude international legal rules and institutions, a feature of international life that
he considers essential to enabling the maintenance of international peace and security.
Writing in the context of cyber espionage (as opposed to espionage generally as
Baker was), Pelican explains that ‘[t]he benefits to international stability and
36
Ibid. 1099.
37
Ibid.
38
Ibid. 1103.
39
‘When armed with such tools as spying and eavesdropping, states enjoy greater certainty
that they will be able to validate international compliance, or at least detect when other
participants are failing to comply with the treaty’; ibid. 1104.
40
Ibid. 1105 (footnotes omitted).

/ Date: 24/3
cooperation as outlined by … Baker are as relevant today as they ever have been’.41
After explicitly adopting Baker’s reasoning Pelican concludes that cyber espionage
‘should be recognized as a valuable tool for countries in promoting international
stability’42 and that ‘cyber-espionage, like other forms of espionage, should persist
unabated’.43
I disagree with this functional defence of espionage. I agree with Baker that many of
the world’s most pressing problems are now held in common and that in order for these
to be resolved States must address them cooperatively. Indeed, the functional develop-
ment of this cooperation into international law is often indispensable to resolving such
problems. However, international legal frameworks can only be formulated and
implemented if States enjoy close, trusted and effective cooperation. I argue that the
surreptitious and unauthorised collection of confidential information, which as I have
already argued constitutes a clear violation of a State’s constitutional right under
international law to have its sovereignty respected, is not conducive to fostering an
environment imbued with trust and confidence. The consequence, I argue, and in
contrast to Baker’s claim, is that espionage inhibits and deters functional cooperation,
thus preventing States from addressing important matters pertaining to international
peace and security. In this sense, espionage represents a threat to the maintenance of
international peace and security. A good example of the adverse implications that
espionage yields for international cooperation is evident from the Gary Powers
incident. Powers was a pilot of a US plane that was shot down in Soviet Union airspace
on 1 May 1960. After initially asserting that the plane was a weather research aircraft
the US administration eventually conceded that it was an aerial reconnaissance plane,
and Powers was convicted for espionage under Soviet criminal law. This incident
prompted a marked deterioration in relations between the US and the Soviet Union.
Notably, recriminations over the incident meant that the much anticipated Four Powers
Peace Summit that was due to take place in Paris on 16 May 1960 ended in abject
failure. In fact, Soviet President Nikita Khrushchev explicitly blamed the US’s spying
for derailing the talks and subsequently rescinded an invitation he had earlier extended
to President Eisenhower to visit the Soviet Union.44
As we shall see in the next section, States exert sovereignty in cyberspace
notwithstanding the fact that it is a non-physical domain that transcends territorial
borders and which at first sight appears immune from the exercise of State sovereignty.
Thus, the accessing and copying of confidential information located in cyberspace, and
which belongs to entities that fall under the sovereignty of a State (whether this is
public authorities, private companies, individuals, etc), is regarded by States as a
violation of their sovereignty. Given that cyber espionage results in the transgression of
State sovereignty it becomes apparent that cyber espionage jeopardises the potential for
41
Luke Pelican, ‘Peacetime cyber-espionage: A dangerous but necessary game’ (2012) 20
Commlaw Conspectus 363, 385.
42
Ibid. 364.
43
Ibid. 385.
44
BBC News, ‘1960: east-west summit in tatters after spy plane row’ (17 May 1060),
<http://news.bbc.co.uk/onthisday/hi/dates/stories/may/17/newsid_2512000/2512335.stm> ac-
cessed 7 October 2014.

10 / Date: 24/3
close and effective international cooperation and therefore undermines the potential for
States to engage in dialogue and formulate international regulation in relation to
matters that threaten international peace and security. This is well illustrated by Brazil’s
response to the revelations of NSA cyber espionage. When it was revealed that the US
had routinely committed cyber espionage against Brazil, Brazilian President Dilma
Rousseff cancelled a scheduled visit to Washington to meet representatives from the
Obama administration to discuss important issues of international concern. Instead, she
went to New York to formally denounce the NSA’s activities before the UN General
Assembly. Indeed, in doing so she explained that cyber espionage violates State
sovereignty which, in turn, hinders effective cooperation between States:
Friendly governments and societies that seek to consolidate a truly strategic partnership, such
as is our case, cannot possibly allow recurring and illegal actions to go on as if they were
normal, ordinary practice. Such actions are totally unacceptable.45
Importantly, because of the particular features and characteristics of cyber espionage, I

argue that cyber espionage ‘amplifies’ the threat to international peace and security
represented by espionage generally;46 ‘[p]reclusion of espionage endeavours of foreign
States has always been in the national interest of the target State. Cyber espionage,
however, seems to have escalated the threat picture’.47 The reason for this is clear. The
advent of cyberspace and its ability to store huge amounts of important information,
coupled with the speed and ease at which hostile actors can access this data, has
significantly enhanced the opportunity for accessing and copying confidential infor-
mation.48 Thus, ‘[t]he internet is God’s gift to spies’;49 cyberspace has ‘heralded a
‘golden age’ of espionage’.50 It is therefore unsurprising that since the emergence of
cyberspace the practice of espionage has ‘metastasized’;51 and thus why cyber
45
The Guardian, ‘Brazilian President: US surveillance a ‘breach of international law’ (24
September 2013), <http://www.theguardian.com/world/2013/sep/24/brazil-president-un-speech-
nsa-surveillance> accessed 7 October 2014.
46
Office of the National Counterintelligence Executive, ‘Foreign spies stealing US eco-
nomic secrets in cyberspace: Report to Congress on foreign economic collection and industrial
espionage 2009–2011’ (2011) i.
47
48
‘The internet provides a technological platform and target-rich environment for govern-
ments to engage in espionage on a scale, speed, intensity and depth never before witnessed’;
David Fidler, ‘Tinker, Tailor, Soldier, Duqu: Why cyberespionage is more dangerous than you
think’ (2012) 5 Int. J. Crit. Infra. 28, 29.
49
James Lewis from the Centre for Strategic and International Studies explains that ‘[t]he
internet is God’s gift to spies’; quoted in Fidler, ibid.
50
51
David Fidler, ‘Economic cyber espionage and international law: Controversies involving
government acquisition of trade secrets through technologies’ (20 March 2013) 17 A.J.I.L.
Insights, <http://www.asil.org/insights/volume/17/issue/10/economic-cyber-espionage-and-inter
national-law-controversies-involving> accessed 7 October 2014.

11 / Date: 24/3
espionage represents such a serious threat to international peace and security. Fidler is
therefore correct in his assertion that ‘cyberespionage is more dangerous than you
think’.52
The argument that cyber espionage represents a threat to international peace and
security is perhaps easiest to sustain where confidential information is copied that
directly relates to a State’s critical national infrastructure. An example would be reports
that the NSA intercepted the private communications of Heads of State whilst
conducting State business. Indeed, The Guardian newspaper reported that German
Chancellor Angela Merkel’s private communications were monitored for ten years.53
Given the institution targeted (Head of State) and the likely nature of the information
targeted (confidential communications relating to national security), such cyber espio-
nage represents a significant infraction of State sovereignty and is likely to seriously
disrupt cooperation between States and thus their ability to resolve matters that
adversely impact upon international peace and security. According to Chancellor
Merkel’s spokesperson Steffen Seibert, Merkel was ‘livid’ at the revelations that her
private communications had been monitored and telephoned US President Barack
Obama to inform him that the NSA’s actions represented a ‘serious breach of
confidence’ and to demand an explanation.54
For similar reasons there is little difficultly in accepting that international
cooperation is threatened where a State exploits cyberspace in order to obtain
confidential information from a private company that provides services to critical
national infrastructure. For example, the theft of terabytes worth of data on the F-35
fighter plane being developed by Lockheed Martin, a private company, for the US
Government by (allegedly) the Chinese Government represented a ‘direct threat to
national security’ and, moreover, to international peace and security more generally.55
Importantly, I argue cyber espionage constitutes a threat to international peace and
security even where cyberspace is exploited to access and copy confidential infor-
mation that is not immediately linked to critical national infrastructure. The issue is
whether the person or entity whose confidential information has been appropriated falls
under the authority and control – the sovereignty – of the State. If so, a violation of
State sovereignty occurs, international cooperation is disrupted and a threat to
international peace and security arises. As an illustration, in response to revelations that
the NSA had committed cyber espionage against Brazilian citizens, before the General
Assembly the Brazilian President explained that the NSA’s violation of fundamental
human rights constituted a violation of Brazil’s sovereignty, ‘[a] sovereign nation can
never establish itself to the detriment of another sovereign nation. The right to safety of
citizens of one country can never be guaranteed by violating fundamental human rights
52
Fidler (n 48).
53
The Snowden Files (n 11) 9.
54
The Guardian, ‘Angela Merkel’s call to Obama: Are you bugging my phone?’ (24
October 2013), <http://www.theguardian.com/world/2013/oct/23/us-monitored-angela-merkel-
german> accessed 7 October 2014.
55
Alexander Melnitzky, ‘Defending America against Chinese cyber espionage through the
use of active defenses’ (2012) 20 Cardozo J. Int’l. & Comp. L. 537, 545. On this incident see
The Wall Street Journal, ‘Computer spies breach fighter-jet project’ (21 April 2009), <http://
online.wsj.com/news/articles/SB124027491029837401> accessed 7 October 2014.

12 / Date: 24/3
of citizens of another country’.56 Similarly, in response to claims that the NSA had
committed cyber espionage against German citizens, German Chancellor Angela
Merkel explained that ‘[w]e need to have trust in our allies and partners, and now this
must be established again. I repeat that spying among friends is not acceptable against
anyone, and that goes for every citizen in Germany’.57
4. INTERNATIONAL LAW AND ITS APPLICATION TO CYBER

ESPIONAGE
In the previous section I concluded that cyber espionage represents a threat to
international peace and security and, consequently, is a practice that is in need of
international regulation. This section identifies whether and to what extent international
law prohibits cyber espionage.
There is no direct or specific international treaty that regulates cyber espionage. This
does not mean however that this practice is conducted in a legal vacuum. It is inherent
in the nature of such an activity that it can come into conflict with general principles of
international law.58 In the context of cyber espionage, the most relevant of these general
principles are the prohibition against intervention and the prohibition against the use of
force. Although there is fairly limited academic material assessing the permissibility of
cyber espionage under international law, ‘the conventional wisdom’59 is that cyber
espionage is compatible with these principles. Attention will now turn to whether cyber
espionage falls foul of these two prohibitions.
The Principle of Non-Intervention
Although not expressly contained in the UN Charter, in the Nicaragua judgment the
ICJ explained that the principle of non-intervention is nevertheless ‘part and parcel of
customary international law’.60 In this decision the ICJ sought to clarify the scope of
the non-intervention principle. The ICJ explained that:
A prohibited intervention must accordingly be one bearing on matters in which each State is
permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of
a political, economic, social and cultural system, and the formulation of foreign policy.
56
Quoted in US Surveillance a ‘breach of international law’ (n 45).
57
Quoted in The Snowden Files (n 11) 9.
58
‘Long-standing international norms guiding state behaviour – in times of peace and
conflict – also apply in cyber space’; The White House, The US International Strategy for
Cyberspace: Prosperity, Security, and Openness in a Networked World (May 2011) 9, <http://
www.whitehouse.gov/sites/default/files/rss_viewer/International_Strategy_Cyberspace_Factsheet.
pdf> accessed 7 October 2014.
59
John Murphy, ‘Cyber war and international law: Does the international legal process
constitute a threat to U.S. vital interests?’ (2013) 89 Int’l. L. Studies 309, 399.
60
Nicaragua (n 32) para. 202.

13 / Date: 24/3
Intervention is wrongful when it uses methods of coercion in regard to such choices, which
must remain free ones.61
Thus, ‘the element of coercion … defines, and indeed forms the very essence of, [a]
prohibited intervention’.62 In this context coercion is defined as the imposition of
circumstances or conditions against a State that compromises or undermines its
sovereignty.63 On the basis that State sovereignty is ordinarily (or perhaps has been
historically) understood as the exercise of exclusive authority and control over
territory,64 coercion is often regarded as at its most obvious and easily detectable where
a State engages in conduct that violates the territorial integrity of another State.65
Traditional espionage, describing the situation where a State sends agents into the
territory of another State to obtain confidential information, constitutes the imposition
of coercion against the territorial integrity of a State and thus constitutes a violation of
the non-intervention principle. As Wright explains, ‘[i]n times of peace … espionage
and, in fact, any penetration of the territory of a State by agents of another State in
violation of the local law is also a violation of the rule of international law imposing a
duty upon States to respect the territorial integrity and political independence of other
States’.66 It therefore follows that ‘any act by an agent of one State committed in
another State’s territory, contrary to the laws of the latter, constitutes intervention’.67
Similarly, it is generally accepted that the use of reconnaissance aeroplanes in the
territorial airspace of another State constitutes an unlawful intervention in the sovereign
affairs of that State.68
Significantly, espionage committed in cyberspace does not result in the transgression
of the territory of a State. This is because, to date, States have failed to subject
61
Ibid. para. 205. See further UN General Assembly Declaration on Principles of
International Law concerning Friendly Relations and Co-operation among States in Accordance
with the Charter of the United Nations (1970) UN Doc A/RES/2625 (XXV).
62
Nicaragua (n 32) para. 205.
63
Philip Kunig, ‘Intervention, Prohibition of’ (2008) Max Planck Encyclopaedia of Public
International Law. See generally Richard N Haass, Intervention: The Use of American Military
Force in the Post-Cold War World (Brookings Institution, 1999).
64
‘The basic legal concept of State sovereignty in customary international law … extends
to the internal waters and territorial sea of every State and to the air space above its territory’;
Nicaragua (n 32), para. 212. See generally Tsagourias’s chapter in this handbook (Ch 1).
65
‘[T]he first and foremost restriction imposed by international law upon a State is that …
it may not exercise power in any form in the territory of another State’; SS Lotus Case (France
v Turkey) [1927] PCIJ Report Series A No. 10, 18. ‘[S]overeignty has always been, in part, based
on the idea of territoriality … The extent of a sovereign’s reach has usually been decided by
geographic borders’; Walter Wriston, The Twilight of Sovereignty: How the Information
Revolution is Changing Our World (New York: Scribner’s, 1992) 7.
66
Quincy Wright, ‘Espionage and the doctrine of non-intervention in domestic affairs’, in
Richard Falk (ed.), Essays on Espionage and International Law (Ohio State University Press,
1962) 12.
67
Ibid. 13.
68
‘It appears that reconnaissance activities [that] are conducted in national airspace …
violate national sovereignty’; Note, ‘Legal aspects of reconnaissance in airspace and outer space’
(1961) 61 Columbia L. Rev. 1074, 1095.

14 / Date: 24/3
cyberspace to territorial claims in the sense of dividing this domain into territorial
units.69 To put the same matter differently, States do not possess territory in cyber-
space.70
But this does not mean that cyber espionage does not violate the non-intervention
principle. What is important to recognise is that the principle of non-intervention is
designed to protect State sovereignty;71 and as Jennings and Watts explain, ‘[s]over-
eignty has different aspects’.72 Crucially, although as I have already noted State
sovereignty is generally understood in terms of the possession of exclusive authority
and control over territory, it is nevertheless well established in international law that
State sovereignty transcends a State’s physical territory and encompasses its authority
and control over national affairs more broadly.73 The principle of State sovereignty
therefore protects both the territorial integrity of a State and its political integrity.74
Thus, even in the absence of intervention in the physical territory of a State, where a
State pursues a course of action that undermines or compromises the political integrity
of another State that conduct is rightly classified as coercive and thus amounts to an
unlawful intervention.
It should be noted here that commentators have argued that a State’s political
integrity will only be compromised or undermined (that is, subject to coercion) where
69
For a more detailed discussion of why states do not possess territory in cyberspace see
Tsagourias’s contribution in Chapter 1 of this handbook. Note however that other commentators
have argued that states do possess territory in cyberspace. Their argument is grounded in the idea
that ‘cyberspace requires physical architecture to exist’, including copper wires, fiber-optic
cables, satellite transponders, microwave relay towers, etc; Patrick W Franzese, ‘Sovereignty in
cyberspace: Can it exist?’ (2009) 64 Air Force L. Rev. 1, 33. In this sense, the internet is a ‘set
of inter-connected computer networks linked to state territory and, thus, is liable to the exercise
of sovereign jurisdiction on a territorial basis’; Teresa Scassa and Robert J. Currie, ‘New first
principles? Assessing the Internet’s challenges to jurisdiction’ (2011) 42 Georgetown J. Int’l. L.
1017, 1079. See also von Heinegg who explains that ‘[s]tate practice provides sufficient
evidence that components of cyberspace are not immune from territorial sovereignty’; Wolff
Heintschel von Heinegg, ‘Territorial sovereignty and neutrality in cyberspace’ (2013) 89 Int’l L.
Studies 123, 126.
70
The one exception maybe Iran’s attempt to create a ‘National Internet’ (referred to as
‘Halal Internet’), which is designed to be completely isolated from the World Wide Web and
under the exclusive control of Iran. It is therefore certainly open to argument that the ‘National
Internet’ maps on to the territory of Iran and thus constitutes a national cyberspace with clearly
defined legal borders – in this sense the ‘National Internet’ can be considered an integral even if
virtual part of Iran’s territory; The Guardian, ‘Iran clamps down on Internet use’ (5 January
2012), <http://ww.guardian.co.uk/world/2012/jan/05/iran-clamps-down-internet-use> accessed 7
October 2014.
71
‘[T]he raison d’être of the non-intervention rule is the protection of the sovereignty of
the State’; Kunig (n 63).
72
Robert Jennings & Adam Watts, Oppenheim’s International Law (Longman, 1996) 382.
73
As Pirker notes, ‘[a] State’s power reaches beyond its territory’; Benedict Pirker,
‘Territorial sovereignty and integrity and the challenges of cyberspace’ in Ziolkowski (n 12) 196.
74
‘Between independent States, respect for territorial sovereignty is an essential foundation
of international relations’, and international law requires political integrity also to be respected’;
Nicaragua (n 32) para 202, citing its judgment in the Corfu Channel (United Kingdom of Great
Britain and Northern Ireland v Albania) [1949] ICJ Rep 35.

15 / Date: 24/3
‘action is taken by one State to secure a change in the policies of another’.75 This
interpretation is important in the context of cyber espionage because cyber espionage
describes the practice of accessing and copying confidential information without
authorisation i.e. cyber espionage does not require the copied information to be used to
impose pressure or influence upon the victim State. Indeed, in many instances a State
will be unaware that it has been the victim of cyber espionage. As a result,
commentators have argued that cyber espionage does not constitute an infraction of the
non-intervention principle:
A forbidden intervention in domestic affairs requires the element of coercion of the other
state. Scholars assert that illegal coercion implies massive influence, inducing the affected
state to adopt a decision with regard to its policy or practice which it would not entertain as
a free and sovereign state. It is clear that clandestine information gathering as such will not
fulfil such requirements.76
However, this is a very narrow understanding of the principle of non-intervention. As I

have explained, the notion of political integrity that is protected by the principle of
non-intervention encompasses the capacity of a state to take decisions in an independ-
ent manner on matters essentially falling within the realm of its national concern. Thus,
a breach of a State’s political integrity arises where its authority and control is
compromised or undermined. There is therefore no requirement that influence (let
alone massive influence) be imposed upon a State to pursue a particular course of
action, or indeed to abstain from one, in order to fall foul of the non-intervention
principle.
In the context of cyber espionage the important question becomes whether States do
in fact exercise sovereignty over information that is resident in or transmitted through
cyberspace. If a State does not exercise sovereignty over information in cyberspace, a
violation of the non-intervention principle cannot occur. In recent years State practice
has effectively resolved this question. State practice reveals that States consider their
sovereignty to extend to information in cyberspace which belongs to government
institutions and to private entities and individuals over which they exercise juris-
diction.77 In its June 2013 Report the Group of Governmental Experts, established
pursuant to General Assembly Resolution 66/24 (2011), explained that ‘[s]tate sover-
eignty and international norms and principles that flow from sovereignty apply to State
conduct of ICT-related activities’.78 This was reinforced by the UN Secretary-General
in his foreword to the report, which encouraged ‘anchoring ICT [information and
communication technology] security in the existing framework of international law and
75
Maziar Jamnejad and Michael Wood, ‘The principle of non-intervention’ (2009) 22
L.J.I.L. 345, 347–8.
76
Ziolkowski (n 12) 433. See also Terry Gill, ‘Non-intervention in the cyber context’ in
Ziolkowski (n 12) 224 (‘the obtaining of information in itself falls short of coercive or dictatorial
interference, and would not constitute ‘intervention’ in the legal sense’).
77
On jurisdiction in cyberspace see Kohl (Ch 2 of this book).
78
UN Doc 68/98 (24 June 2013) 8.

16 / Date: 24/3
understandings that govern State relations and provide the foundation for international
peace and security’.79
The recent practice of States in the context of cyber espionage is especially
revealing, indicating that States exert sovereignty over information in cyberspace which
belongs to entities and individuals over which they exercise jurisdiction and that where
this information is accessed and copied without authorisation an unlawful intervention
occurs. As I have previously noted, in January 2010 Google alleged that China had
infiltrated its computer network in order to access Gmail passwords of human rights
activists in China. As Google is a company registered in the US and therefore subject to
US jurisdiction (and the information belonging to this company falling under US
sovereignty), the US responded to these claims by declaring that the conduct ‘raised
serious concerns’ and demanded an explanation from the Chinese Government.80
Significantly, the US Senate adopted Resolution 405 which stated that ‘this attack was
one in a series of attempts to exploit security flaws and illegally access computer
networks of individuals and institutions through the clandestine installation of phishing
an malware technology’.81
The revelations of NSA’s cyber espionage activities also stimulated a number of legal
rebukes, especially from Brazil. The Brazilian President’s statement before the General
Assembly is informative in so far as it reveals that Brazil considers sovereignty to
extend to information resident in cyberspace and, moreover, where such information is
accessed and copied a breach of international law occurs. Employing strong and
unambiguous language the Brazilian President repeatedly referred to the US’s conduct
as an
intrusion [and that the] [m]eddling in such a manner in the life and affairs of other countries
is a breach of international law [and] as such an affront to the principles that must guide the
relations among them, especially among friendly nations. A country’s sovereignty can never
affirm itself to the detriment of another country’s sovereignty.82
The President further noted that Brazil’s objections to such ‘illegal actions’ had been
communicated to the US by ‘demanding explanations, apologies and guarantees that
such acts or procedures will never be repeated again’.83 China adopted a similar
position, determining that the NSA had ‘flagrantly breached international laws,
seriously infringed upon the [sic] human rights and put global cyber-security under
79
Ibid. 4. See also the remarks of the Chinese Assistant Foreign Minister Zheng Zequang
who explained in 2013 that ‘[i]nternational cyber governance should follow the principles of
state sovereignty and non-interference in other’s internal affairs’; quoted in <http://www.
aspistrategist.org.au/arf-and-how-to-change-the-tune-of-the-cyber-debate/> accessed 7 October
2014.
80
Hillary Rodham Clinton, Secretary of State, Address, Washington, DC: Statement on
Google Operations in China (12 January 2010), <http://www.state.gov/secretary/2009
2013clinton/rm/2010/01/135105.htm> accessed 7 October 2014.
81
Senate Resolution 405, 111th Congressional (my emphasis).
82
US Surveillance a ‘Breach of International Law’ (n 45).
83
Ibid.

17 / Date: 24/3
threat’.84 China declared that the NSA’s conduct ‘deserve[d] to be rejected and
condemned by the whole world’.85
Three final points need to be recorded. First, it is important to recognise that the
claim that espionage (in its traditional conception) is unlawful under international law
has attracted considerable criticism. The argument runs that because espionage is so
widely practised by States customary international law has modified the scope of the
non-intervention prohibition, which now recognises espionage as a permissible excep-
tion to the non-intervention principle. For example, Smith argues that:
because espionage is such a fixture of international affairs, it is fair to say that the practice of
states recognizes espionage as a legitimate function of the state, and therefore it is legal as a
matter of customary international law.86
However, just because espionage is widely practised does not render it permissible
under customary international law. In order for a customary exception to form State
practice must be accompanied by opinio juris.87 Crucially, States overwhelmingly
refuse to accept responsibility for espionage when accused, let alone assert the legality
of this practice. Consequently, State practice of espionage ‘is accompanied not by a
sense of right but by a sense of wrong’88 and to this end State practice and opinio juris
run in opposite directions. Consequently, ‘there is little doctrinal support for a
“customary” defense of peacetime espionage in international law’.89 The same argu-
ment can be made in relation to cyber espionage. As I noted in the introduction to this
chapter, incidents of cyber espionage have increased dramatically in recent years.
However, just because cyber espionage is widely practised by States does not mean that
is it lawful under international law. What is important is whether this practice is
accompanied by a belief that cyber espionage is lawful. As the above discussion of
cyber espionage reveals, when committing cyber espionage States do not advocate that
such conduct is permitted by international law. In fact, they often deny their
involvement in the practice. Moreover, and as we have seen, States which are the
84
Quoted in The Guardian, ‘China demands halt to ‘Unscrupulous’ US cyber-spying
(27 May 2014), <http://www.theguardian.com/world/2014/may/27/china-demands-halt-
unscrupulous-us-cyber-spying> accessed 7 October 2014.
85
Ibid.
86
Jeffrey H. Smith, Symposium, ‘State intelligence gathering and international law:
Keynote Address’ (2007) 28 Michigan J. Int’l. L. 543, 544. Similarly, see Glenn Sulmasy and
John Yoo, ‘Counterintuitive: Intelligence operations and international law’ (2007) 28 Michigan J.
Int’l. L. 625, 628 (‘[s]tate practice throughout history … supports the legitimacy of spying.
Nowhere in international law is peaceful espionage prohibited’).
87
Article 38(1)(b) of the Statute of the International Court of Justice 1945.
88
Wright (n 66) 17.
89
Craig Forcese, ‘Spies without borders: International law an intelligence collection’ (2011)
5 J. Nat’l Sec. L. & Pol. 179, 203. For a similar approach see Simon Chesterman. ‘The Spy Who
Came in from the Cold War: Intelligence and international law’ (2006) 27 Michigan J. Int’l. L.
1071, 1072; Ingrid Delupis, ‘Foreign warships and immunity of espionage’ (1984) 78 A.J.I.L. 53;
Manuel Garcia-Mora, ‘Treason sedition and espionage as political offenses under the law of
extradition’ (1964) 26 University of Pittsburgh L. Rev. 65, 79-80.

18 / Date: 24/3
victims of cyber espionage have protested (often vociferously) that such conduct is
contrary to international law.
Secondly, it is worth reiterating for the sake of clarity that when determining whether
an unlawful intervention in a State’s sovereignty has occurred, it is irrelevant whether
the information that has been copied belongs to State organs, private companies or even
private individuals. Providing that the actor whose information has been accessed and
copied is under the authority and control of the State, appropriation of that information
constitutes intervention in that State’s sovereignty.90
Thirdly, the application of the non-intervention prohibition is subject to the principle
of de minimis non curat lex – which is generally translated from Latin as the law does
not concern itself with trifles. The effect of the de minimis doctrine is to place ‘outside
the scope of legal relief the sorts of intangible injuries, normally small and invariably
difficult to measure, that must be accepted as the price of living in society’.91 Thus, this
maxim signifies ‘that mere trifles and technicalities must yield to practical common
sense and substantial justice’ so as ‘to prevent expensive and mischievous litigation,
which can result in no real benefit to the complainant, but which may occasion delay
and injury to other suitors’.92
Although often described as a maxim, this principle does impose a recognised legal
restriction upon the operation of the non-intervention principle.93 The consequence then
is that acts of cyber espionage that can be regarded as insignificant will not trigger the
non-intervention prohibition; acts of cyber espionage must be sufficiently serious in
order warrant the application of international law. Much will depend upon the context
of the specific case of cyber espionage in question. However, and for the purpose of
illustration, it can perhaps be contended that whilst the unauthorised copying of
information belonging to an important State organ (such as the Ministry of Defence) is
likely to exceed the de minimis threshold, the one-off accessing and copying of
innocuous electronic correspondence of a private individual is unlikely to be considered
sufficiently serious to justify the engagement of international law.
The Prohibition against the Use of Force
Article 2(4) UN Charter, which is reflective of customary international law,94 provides

that ‘[a]ll Members shall refrain in their international relations from the threat or use of
force against the territorial integrity or political independence of any State, or in any
other manner inconsistent with the Purposes of the United Nations’.
Historically, the meaning of the term force within Article 2(4) has been interpreted
restrictively to only prohibit conduct that produces physical harm, namely ‘the
90
In assessing the application of the non-intervention principle to hostile cyber operations
von Heinegg explains that ‘[i]t is irrelevant whether the cyber infrastructure protected by the
principle of territorial sovereignty belongs to or is operated by government institutions, private
entities or private individuals’; von Heinegg (n 69) 129.
91
Jeff Nemerofsky, ‘What is a trifle anyway?’ (2001/2002) 37 Gonzaga L. Rev. 315, 323.
92
Ibid.
93
Jennings and Watts (n 72) 385 ff.
94
Nicaragua (n 32) paras 187–190.

19 / Date: 24/3
destruction to life and property’.95 According to this understanding Article 2(4) does
not extend to attacks against computer systems and networks which do not result in
physical harm. In recent years this position has been criticised on the basis that in the
contemporary era States are heavily reliant upon computer systems and networks and
thus even a cyber attack that does not result in physical harm can still cause significant
amounts of damage and disruption, such as a cyber attack that disables banking
systems or incapacitates important government communications.96 Indeed, it has been
suggested that where these attacks are against computer systems that sustain critical
national infrastructure the disruption may be so severe as to be equivalent to
conventional attacks that cause kinetic harm.97 Commentators have therefore argued
that Article 2(4) should be reinterpreted so as to apply to cyber attacks which although
not manifesting physical harm nevertheless cause damage and disruption equivalent to
a kinetic attack.98
Developing this effects-based interpretation of Article 2(4) Melnitzky argues that
exploiting computer systems in order to acquire highly sensitive and confidential
information (cyber espionage) can, in particularly egregious circumstances, produce
extremely serious adverse effects and should therefore be categorised as a use of force
The severity of the problem of data theft is simply too great and its effects too harmful. […]
The scale of theft is unprecedented. […] Prior to the Internet, looting on such a scale could
only have been accomplished by a military occupation. The effects-based approach require-
ment that a cyberattack must cause damage only previous possible by traditional military
force is therefore satisfied.99
I argue that there is insufficient State practice to support a reinterpretation of the term
force within Article 2(4) to include cyber operations that do not produce kinetic
harm.100 Indeed certain States, most notably the US, have expressly rejected this
approach. In 2012 the then US Legal Advisor Harold Koh unambiguously stated that
cyber operations will only amount to an unlawful use of force where physical harm
95
Ian Brownlie, International Law and the Use of Force by States (Clarendon, 1963) 362.
On the use of force prohibition in the context of cyber operations see Roscini (Ch 11 of this
book).
96
Michael Schmitt, ‘Computer network attack and the use of force in international law:
Thoughts on a normative framework’ (1998-1999) 37 Columbia J. Trans. L. 885.
97
As Melnitzky notes, ‘[m]ilitaries have discovered that sophisticated cyberattacks on their
own can be as debilitating as any conventional or “kinetic” attack’; Melnitzky (n 55) 542.
98
See for example Marco Roscini, Cyber Operations and the Use of Force in International
Law (OUP, 2013) 55; Matthew Waxman, ‘Cyber-attacks and the use of force: Back to the future
of Article 2(4)’ (2011) 36 Yale J. Int’l L. 421, 437.
99
Melnitzky (n 55) 566. For a similar approach see also Jack Goldsmith, ‘How cyber
changes the laws of war’ (2014) 24 E.J.I.L. 129; Todd Huntley, ‘Controlling the use of force in
cyberspace: The application of the law of armed conflict during a time of fundamental change in
the nature of warfare’ (2010) 60 Naval L. Rev. 1, 39; Anna Wortham, ‘Should cyber exploitation
every constitute a demonstration of hostile intention that may violate UN Charter provisions
prohibiting the threat or use of force?’ (2012) 64 Federal Communications Law Journal 643.
100
I develop this argument in more detail in Russell Buchan, ‘Cyber attacks: Unlawful uses
of force or prohibited interventions?’ (2012) 17 J. Conflict & Sec. L. 211.

20 / Date: 24/3
occurs.101 This is also the position adopted by the influential Tallinn Manual, which
attempts to codify the international legal framework relating to the use of force to cyber
warfare.102
On this basis I argue that cyber espionage cannot be regarded as a use of force under
Article 2(4) UN Charter. Indeed, as Fidler concludes, ‘no government regards cyber
espionage of any kind as a prohibited use of force’.103 It is worth noting here that if
cyber espionage cannot amount to a use of force then, a fortiori, it cannot constitute an
armed attack and engage a State’s right to use force in self-defence under Article 51
UN Charter.104
5. CONCLUSION
This chapter has argued that in the contemporary world order international peace and
security can only be maintained where States band together as a cohesive international
community and address common problems in a coordinated and collaborative manner.
In particular, the international community must confront these common problems by
proactively adopting international legal regulation. However, States will only forge and
implement international law where they have trust and confidence in each other’s
commitment to international law. In this chapter I have further reasoned that cyber
espionage results in the violation of State sovereignty and thus breeds distrust and leads
to a deterioration in international relations. In such an environment, I contend, States
are unlikely to formulate and conclude international law in relation to important
international issues that adversely impact upon the maintenance of international peace
and security. When cast in this light, I argue that cyber espionage can be regarded as a
threat to the maintenance of international peace and security.
Leading cyber security experts have noted the difficulty in developing computer
software that provides effective protection against cyber espionage.105 Actors therefore
101
Harold Koh, International Law in Cyberspace (18 September 2012), <http://www.state.
gov/s/l/releases/remarks/197924.htm> accessed 7 October 2014.
102
Warfare (CUP, 2013) 48.
103
Fidler (n 48).
104
‘[C]yber espionage cannot be deemed either a ‘threat’ or ‘use of [armed] force’ in the
meaning of Article 2(4) of the UN Charter, nor an ‘armed attack’ pursuant to Article 51 UN
Charter’; Ziolkowski (n 12) 456. On self-defence in cyberspace see Focarelli (Ch 12 of this
book).
105
See Richard Clarke & Robert Knake, Cyber War: The Next Threat to National Security
and What to Do About it (Harper Collins, 2010). According to Tim Berners-Lee, who is often
accredited with inventing the internet, ‘[i]nternet security is hard. All systems have undiscovered
holes in them, and it’s only a question of how fast the bad guys can discover the holes compared
with how fast the good guys can patch them up’; The Guardian, The Snowden Files – Hands off
my Baby (2 December 2013), http://www.theguardian.com/technology/2013/dec/03/tim-berners-
lee-spies-cracking-encryption-web-snowden> accessed 7 October 2014. Cf Ziolowski who
argues that ‘[t]he only way to counter the threat of foreign States’ cyber espionage is to improve
the cyber security and resilience of the [sic] own IT-systems or computer networks’; Ziolkowski
(n 12) 464.

21 / Date: 24/3
look to law, and in the context of transboundary cyber espionage international law, for
protection from this pernicious activity. However, according to current academic
opinion international law does not prohibit cyber espionage. Fidler, for example, has
declared that ‘the lack of international law … allows cyberespionage to operate in a
legal black hole’.106
In this chapter I have disputed this conclusion, arguing that there is international law
that applies to cyber espionage. In particular, I have argued that cyber espionage
contravenes the non-intervention principle. In order to effectively protect the sover-
eignty of States the non-intervention principle protects not just the territorial integrity
of States but also their political integrity. As I have demonstrated above by reference to
recent State practice, States regard information in cyberspace which belongs to entities
and individuals which fall under their jurisdiction as representing an important element
of their political integrity. For this reason, the unauthorised accessing and copying of
such information is regarded as compromising State sovereignty. Consequently, cyber
espionage amounts to a proscribed intervention under customary international law.
This is not to say that recent calls to build a new international treaty dedicated to
regulating cyber operations (which would include cyber espionage) should not be
pursued.107 An international dialogue on the practice of cyber espionage – and indeed
subsequently a specifically devised and technologically savvy international treaty
regulating conduct in this new domain – would of course be beneficial. However,
formulating international treaties in the field of international peace and security is
notoriously difficult.108 Until this can be achieved we should be reassured that existing
principles of international law apply to State-sponsored transboundary cyber espionage
and provide a certain degree of legal protection against this activity.
106
Fidler (n 48) 29.
107
Benjamin Mueller, ‘The laws of war and cyberspace: On the need for a treaty concerning
cyber conflict’ (June 2014) 8, <http://www.lse.ac.uk/IDEAS/publications/reports/pdf/SU14_2_
Cyberwarfare.pdf> accessed 7 October 2014.
108
‘[I]t has proven very difficult in today’s environment for an international conference to
conclude a global treaty to resolve challenges in the most important areas of international
relations’; Murphy (n 59) 326.

22 / Date: 24/3
9. International legal dimensions of cybercrime

Philipp Kastner and Frédéric Mégret
Hacked computers, virus attacks, massive spam, online fraud, harassment in cyberspace
or ‘cyberstalking’.1 Networked technology has given rise to a new, yet apparently
ubiquitous phenomenon: cybercrimes. According to a 2013 report released by a
software security producer, 7 million people in Canada have been ‘victims’ of
‘cybercrime’ in the past 12 months, at a cost of $3 billion.2 Globally, we are speaking
of 1 million victims per day.3 Are States really losing the fight against cybercrime, as a
British Parliamentary Committee warned in July 2013?4
The internet age has certainly transformed social relations and the economy in ways
that suggest that criminal behaviour will follow suit. The cyberspace has opened up a
whole range of new opportunities for criminal activity that challenge traditional
approaches based on jurisdiction and law enforcement by the nation-State.5 Communi-
cation has become fast and easy. It often passes through multiple jurisdictions,
sometimes in an automated manner. Conventional crimes, like theft and fraud, are
increasingly facilitated by technology and may now take wholly different forms than
they did a few decades ago. In many instances, the offenders and victims of a harmful
conduct are not located in the same jurisdiction. It is because of this typically
deterritorialized nature of cybercriminal activities that legal responses have increasingly
taken an inter- or transnational dimension.
1. THE PHENOMENON OF CYBERCRIME

Cybercrime, which is sometimes also called e-crime, computer crime, net crime,
internet crime or network crime,6 has been defined and categorized in various ways. In
a broad sense, a cybercrime consists of ‘a crime committed against a computer or by
means of a computer’,7 in other words in any criminal activity involving computer
1
On the phenomenon of cyberstalking and legislative responses, see Jonathan Clough,
Principles of Cybercrime (CUP 2010) 365–87.
2
Symantec, ‘2013 Norton Report by Symantec’ <http://www.symantec.com/content/en/us/
about/presskits/b-norton-report-2013.en_ca.pdf> accessed 22 October 2013.
3
Ibid.
4
‘UK “losing” fight against internet crime, warn MPs’ BBC News (30 July 2013)
<http://www.bbc.co.uk/news/uk-politics-23495121> accessed 22 October 2013.
5
See Kohl (Ch 2 of this book).
6
For additional terms, see Clough (n 1) 9.
7
Bernadette H. Schell and Clemens Martin, Cybercrime: A Reference Handbook (ABC-
CLIO 2004) 29.
190
/ Date: 24/3
International legal dimensions of cybercrime 191
technology. What is interesting about the definition therefore is that it focuses on the
instrument or possibly the context rather than the specific social harm caused.
Cybercrimes may result in harm to property or in harm to persons.8 They have
developed from the use of computers to prepare crimes to offences mediated almost
entirely by technology, such as spamming.9 Computer technology has become central
to the commission of various crimes which only exist, at least in their specific form, as
a result of the existence of computer systems. Online fraud, forgery, and ‘phishing’ fall
into this category. Computers and computer systems may also be the target or ‘victim’
of cybercriminal activities. These so-called computer integrity crimes include illegal
access to computer data or systems, commonly referred to as ‘hacking’ or ‘cracking’;
the dissemination of malicious software, such as viruses and worms; and denial of
service attacks that may represent a method of modern terrorism or warfare.10 Finally,
cybercriminal activity may relate to a specific content, with the dissemination of child
pornography and hate speech figuring most prominently in this category.
Due to the increasing digitalization of social relations, it may become necessary to
add another category: ‘crimes’ committed in virtual worlds such as Second Life or in
so-called ‘massively multi-player online role-playing games’ (MMORPGs). While theft
of virtual property, virtual rape and sexual harassment as well as virtual paedophilia
could and should arguably be regulated by the operator of the respective virtual world,
they may also have significant consequences in the real world. Virtual property is
widely traded online and paid for with real money. This means that stolen virtual
property also has value in the real world. The person behind a sexually harassed avatar
may suffer emotional harm and be traumatized in the same way as a victim of
conventional harassment. It is still unclear to which extent the ‘real’ world – including
law enforcement authorities – should be concerned with such ‘virtual’ crimes. It has
been argued that virtual crimes are always ‘grounded in physical reality’ and that,
without harm in the real world, there is no cybercrime.11 Moreover, some virtual
behaviour, even without causing direct harm in the real world, can arguably contribute
to downplaying and normalizing an activity that is criminalized in the physical world,
an obvious example being paedophilia.12 In some instances, the national criminal
system has already responded. The arrest of a Dutch teenager in 2007 for stealing
virtual furniture on Habbo is only one example.13
8
For this categorization, see ibid. 30.
9
For this differentiation, see David S. Wall, Cybercrime: The Transformation of Crime in
the Information Age (Polity 2007) 44–8.
10
For more information on cyber terrorism and cyber warfare, see Saul and Heath (Ch 7 of
this book) and also Part IV of this book.
11
Susan W. Brenner, ‘Fantasy crime’ (2008) 11 Vanderbilt J. of Tech. & Ent. L. 1, 26.
12
A good example is virtual ageplay, where all players are adults but engage, via their
avatars, in sexual behaviour between children and adults. For an overview over the main
arguments, see ibid. 42–3. For the reasoning of the Supreme Court of Canada regarding child
pornography fuelling fantasies that incite offenders, see R v. Sharpe 2001 SCC 2.
13
See ‘‘‘Virtual Theft” Leads to Arrest’, BBC News (14 November 2007) <http://
news.bbc.co.uk/2/hi/7094764.stm> accessed 18 October 2013. In some States, such as in South
Korea, where virtual worlds are particularly popular, law enforcement authorities have created
specialized divisions to address such ‘crimes’.

/ Date: 24/3
In this chapter, we will focus on cybercriminal activities that cannot easily be

regulated by States via already existing means, either because new criminal elements
are involved or because the scale and the transnational element in a particular activity
necessitate international cooperation. While many crimes committed by means of a
computer are not essentially new crimes and can be subsumed under extant definitions
and be dealt with by domestic legal systems, some criminal activities require specific
legal responses at the international level. This chapter will give an overview of these
crimes, examine initiatives that have been undertaken to fight them, and discuss
particular challenges, notably with respect to jurisdiction.
2. THE INTERNATIONAL SUBSTANTIVE LAW OF CYBERCRIME

Several initiatives have been launched at the international level to respond to cyber-
crime, notably by harmonizing existing legislation, defining ‘new’ crimes and by trying
to enhance transnational cooperation. These are a fairly conventional way of dealing
with transnational criminal problems that has long been experimented on in other
contexts and the conventions do not necessarily break any new ground aside from their
subject matter. The most important of these initiatives is the Convention on Cybercrime
of the Council of Europe (CoE Convention) that entered into force in 2004.14 The first
multilateral treaty in the field, and unlike other instruments of the Council of Europe
open to all States, this instrument could, at least theoretically, become applicable
universally, although its flavour has remained distinctively Western so far.15 Other
instruments dealing with cybercrime have been developed in several regions. These
instruments include the 2010 League of Arab States Convention on Combating
Information Technology Offences; the 2001 Commonwealth of Independent States
Agreement on Cooperation in Combating Offences related to Computer Information;
the 2010 Shanghai Cooperation Organization Agreement in the Field of International
Information Security; and the 2012 draft African Union Cybersecurity Convention (AU
Convention). While these instruments are, overall, inspired by the CoE Convention and
adopt similar concepts and approaches,16 several important differences exist. The AU
Convention, for instance, does not envisage the establishment of mechanisms for
cooperation in cybercriminal matters but focuses more generally on cybersecurity;
combating cybercrime is therefore only one approach, along with the organization of
electronic transactions, personal data protection and the promotion of cybersecurity.17
In Europe, another important yet purely regional instrument is the Framework Decision
14
Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force: 1 July 2004).
15
In early 2014, 41 States, including the non-CoE member States US, Australia and Japan,
had ratified the convention.
16
For a thorough comparison of these instruments, see UN Office on Drugs and Crime,
Comprehensive Study on Cybercrime (February 2013) <http://www.unodc.org/documents/
organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf> accessed
8 October 2013, 63–72 and Annex Three.
17
Draft African Union Convention on Cybersecurity (Version 01/09/2012) parts I–III.

/ Date: 24/3
adopted by the Council of the European Union in 2005.18 With respect to substantive
law, this Framework Decision on attacks against information systems resembles the
CoE Convention in many respects;19 the Framework Decision is, however, more
specific with respect to the procedural law, in particular when it comes to jurisdiction.20
One significant challenge in the global fight against cybercrime consists in the fact
that similar activities may be considered a crime in some countries, such as a massive
spam attack against a specific person or company, but simply an unwanted behaviour in
others akin to, in the case of spam, conventional unsolicited publicity by a company.
‘Hacking’ and ‘cracking’ may be considered harmful activities, to be outlawed and
penalized. But how should we deal with hackers who do not necessarily act with
criminal intent but enter systems for fun or with so-called hacker activists or
‘hacktivists’ who seek, for instance, to circumvent excessive restrictions and online
surveillance of repressive governments? Even if there exists a general consensus among
States regarding which acts – broadly speaking – should be criminalized,21 opinions
and approaches diverge when it comes to the details. There may, for instance, exist a
consensus on the criminalization of a certain conduct related to the content of
webpages in some jurisdictions; in others, such criminalization would be seen as
unduly limiting the freedom of expression. Child pornography and hate speech are
again good examples.22 Issues relating to intellectual property have also proved
divisive, particularly as between developed and developing States, and explain why a
country like Brazil declined to sign the CoE Convention.
The problem is that if not restricted and prohibited globally, in other words without
exception, the content in case may always resurface – legally – on the internet and be
accessible from anywhere in the world. One ‘hole’ in the system is sufficient to make,
by default, any content available on a global scale. Similar problems arise in the
context of copyright. What may be promoted as ‘open access’ or ‘freedom of the
internet’ in one place may represent grave infringements of intellectual property rights
elsewhere. In short, what used to be local problems that could easily be dealt with
domestically now require not only concerted efforts but also far-reaching compromises.
With respect to content-related cybercrimes, however, the territorial restriction of
websites may be an alternative to the harmonization of substantive legal rules.
The CoE is a convenient starting point to discuss current efforts to criminalize
cybercrimes because of its fairly wide ratification and its helpful approach to the
classification of offences. The CoE Convention itself does not criminalize certain acts
but requires States parties to adopt ‘legislative and other measures’ to ensure that the
18
Council of the European Union, Council Framework Decision 2005/222/JHA of 24
February 2005 on attacks against information systems.
19
For a more detailed comparison between the two instruments, see Paul De Hert, Gloria
Gonzáles Fuster and Bert-Jaap Koops, ‘Fighting Cybercrime in the two Europes’ (2006) 77
Revue internationale de droit pénal 503.
20
Council Framework Decision 2005/222/JHA (n 18) section 4.
21
For the summary findings of a survey conducted by the UN Office on Drugs and Crime,
to which 56 States responded, see UNODC/CCPCJ/EG.4/2013/2, paras 13–15.
22
For the recurrent problem of enforcement between different jurisdictions, in this case
because of the accessibility of illegal material in France through a US-based internet provider,
see Yahoo! v. La Ligue contre le racisme et l’antisémitisme 433 F.3d 1199 (9th Cir. 2006).

/ Date: 24/3
offences listed in the Convention are ‘punishable by effective, proportionate and

dissuasive sanctions’ (art 13). With respect to substantive law, the CoE Convention
divides the activities that the States parties are required to criminalize into four
categories: offences against the confidentiality, integrity and availability of computer
data and systems, such as illegal access and interception; computer-related offences,
namely computer-related forgery and fraud; content-related offences, the only one
being related to child pornography; and offences related to the infringement of
copyright and related rights. An additional protocol to the Convention that entered into
force in 200623 pertains to another content-related offence, namely the dissemination of
racist and xenophobic material on the internet.
The offences contained in the first category are offences where a computer or
computer system is targeted intentionally. ‘Illegal access’ refers to the ‘access to the
whole or any part of a computer system without right’ (art 2). The enormous amount of
information stored electronically includes much information that is meant to remain
confidential, such as credit card numbers and medical records, defence secrets and
other sensitive government information as well as information protected by intellectual
property. Gaining access to such information may be valuable for various reasons and
may be precursors to other, possibly more serious offences, such as fraud and identity
theft. Illegal access may consist in a simple unauthorized log in to a computer or
system, for instance by an employee who has found or guessed the password of a
colleague and logs in to her computer or e-mail account; illegal access may also
represent more complex ‘hacking’ into another computer system, for instance by
exploiting vulnerabilities in software programs.24 It is worth noting that existing
national approaches with respect to ‘illegal access’ vary considerably. There is notably
no consensus with respect to requiring additional circumstances, such as the creation of
dangers or damages by the intrusion.25 Penalties for illegal access also vary consider-
ably, as a 2013 study of the UN Office for Drugs and Crimes shows, with the
maximum term of imprisonment being two years or more in roughly two-thirds of
the responding countries, but six months in the case of around 15 per cent of the
responding countries.26
The provision on ‘illegal interception’ aims to protect the privacy of electronic
communication, similar to traditional tapping and recording of telephone communica-
tions.27 ‘Illegal interception’ refers to the ‘interception without right, made by technical
23
Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of
acts of a racist and xenophobic nature committed through computer systems (Council of
Europe), CETS No. 189, 28 January 2003 (entered into force: 1 March 2006). In late 2013, the
protocol had been ratified by 20 States.
24
Clough (n 1) 28.
25
See also Council of Europe, Convention on Cybercrime, Explanatory Report, para 49. The
CoE Convention only speaks of illegal access ‘without right’, which arguably includes those
hackers who are driven by ethical considerations and, for instance, seek to promote privacy
rights or to enhance security by carrying out penetration tests. For the distinction between
‘ethical hackers’ and ‘unethical hackers’ or ‘crackers’, see Wall (n 8) 54–56.
26
UN Office on Drugs and Crime (n 16) 62.
27
Convention on Cybercrime, Explanatory Report (n 25) para. 51. The Explanatory Report,
adopted by the Committee of Ministers of the Council of Europe, does not provide an

/ Date: 24/3
means, of non-public transmissions of computer data to, from or within a computer

system, including electromagnetic emissions from a computer system carrying such
computer data’ (art 3). ‘Data interference’ refers to ‘damaging, deletion, deterioration,
alteration or suppression of computer data without right’ (art 4). This provision covers
the use of malicious software, such as viruses, worms and Trojan horses.28 According
to the second paragraph of the same article, States parties can add the requirement that
the data interference ‘result in serious harm’, as defined by the domestic legislation.29
‘System interference’ means ‘the serious hindering without right of the functioning
of a computer system by inputting, transmitting, damaging, deleting, deteriorating,
altering or suppressing computer data’ (art 5). So-called denial of service attacks, which
seek to ‘overwhelm’ a network,30 are covered under this provision. The attack against
the credit card company MasterCard in retaliation for its decision to cease transferring
donations to WikiLeaks, which paralyzed the system of MasterCard for several hours,31
is a well-known example. The sending of unsolicited e-mail, or ‘spamming’, may also
be subsumed under ‘system interference’ and must therefore be criminalized by the
States parties when constituting a ‘serious hindering’ of the functioning of a system;
the precise threshold of harm required is to be determined by national legislation.32 The
high proportion of spam – approximately 80–90 per cent of all e-mail sent33 – reveals
that spam is not a simple nuisance but a threat to the proper functioning of the
cybersphere. However, not every sending of an unsolicited e-mail constitutes an
offence. The CoE Convention deals only with part of the problem, in other words with
some of its volume-related aspects and none of its content-related aspects.34 This seems
to correspond to a widely shared consensus: no multilateral instrument requires States
to establish the sending of spam as a criminal offence, and only few States have
enacted such legislation.35
Finally, and as part of that first category, the CoE Convention establishes as a
separate offence the production and distribution of devices that are to be used to
commit the above-listed offences against the confidentiality, integrity and availability of
computer data and systems. Under article 6, States are thus required to criminalize the
‘production, sale, procurement for use, import, distribution or otherwise making
available of:
‘authoritative interpretation of the Convention’ but aims to ‘facilitate the application’ of its
provisions. Ibid. para. II.
28
For the distinction between these forms of malicious software, see Clough (n 1) 33–4.
29
Convention on Cybercrime, Explanatory Report (n 25) para. 64.
30
For more information on these attacks, see Clough (n 1) 37–9.
31
‘Operation Payback cripples MasterCard site in revenge for WikiLeaks ban’, BBC News
(8 December 2010) <http://www.theguardian.com/media/2010/dec/08/operation-payback-master
card-website-wikileaks> accessed 18 October 2013.
32
33
For the comparison of several studies, see Clough (n 1) 234.
34
For this distinction, see De Hert, Gonzáles Fuster and Koops (n 19) 510–12.
35
For more information, see UN Office on Drugs and Crime (n 16) 95–6.

/ Date: 24/3
+ a device, including a computer program, designed or adapted primarily for the

purpose of committing any of the offences established in accordance with the
above articles 2 through 5
+ a computer password, access code, or similar data by which the whole or any part
of a computer system is capable of being accessed’ (art 6(1)a).
A few so-called computer-related offences seek to address the commission of ordinary

crimes through the manipulation of computer systems or data. Computer related
forgery refers to the ‘input, alteration, deletion, or suppression of computer data,
resulting in inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic’ (art 7), thus extending the forging of tangible
documents to electronic data. The subsequent provision attempts to address the
multiple opportunities of computer-related fraud, such as credit card fraud and the
manipulation of electronic funds, and requires States parties to criminalize ‘the causing
of a loss of property to another person’ by similar means as those listed in article 7,
when committed with the intent to gain an economic benefit (art 8).
Other instruments include additional computer-related offences. The League of Arab
States Convention, for instance, besides demanding States parties criminalize computer-
related fraud and forgery (arts 10 and 11), contains specific provisions on offences
involving money-laundering, human trafficking and drug trafficking (art 16) as well as
terrorism (art 15). The AU Convention follows another approach and requires States
parties to set up as an aggravating circumstance the use of information technology to
commit ordinary crimes, such as fraud, terrorism, and money laundering (art III-40).
The only content-related offence dealt with in the CoE Convention relates to child
pornography and its production, offering, distribution, procurement or possession by
using a computer system (art 9). This provision seeks to protect the sexual exploitation
of persons under 18 years, since ‘[i]t is widely believed that such material and on-line
practices, such as the exchange of ideas, fantasies and advice among paedophiles, play
a role in supporting, encouraging or facilitating sexual offences against children’.36 In
terms of consistency, it is worth highlighting that the CoE Convention allows States to
opt out from certain provisions regarding child pornography. The use of a computer
system to procure or possess child pornography as well as virtual child pornography do
not have to be criminalized; States may also lower the ordinary age limit of a ‘child’
from 18 years to up to 16 years (art 9(3)). What may appear as a minor detail reveals
an inherent problem related to the intended harmonization of substantive law, which is
aggravated by the fact that the Convention does not offer a model law.37 States often
want to retain some flexibility and enact laws corresponding to a societal consensus in
the respective jurisdiction with respect to the appropriateness of punishment. The CoE
Convention attempts to recognize these traditional differences among States by
including specific provisions like the one pertaining to the age limit in the context of
child pornography and, more generally, by leaving the formulation of both substantive
36
37
For this argument, see also Susan W. Brenner, ‘The Council of Europe’s Convention on
Cybercrime’ in Jack M. Balkin and others (eds.), Cybercrime: Digital Cops in a Networked
Environment (New York University Press 2007) 212.

/ Date: 7/5
and procedural provisions to the domestic legislatures. This approach has therefore
been criticized as a ‘watered down compromise of flexible harmonization [that] offers
little to motivate nations to voluntarily relinquish sovereignty in favor of international
regulation.’38 As we will see, this also potentially raises important jurisdictional issues.
Other instruments similarly seek to strengthen the protection of children against
sexual exploitation by requiring States to establish as criminal offences various forms
of conduct relating to child pornography. The Optional Protocol to the Convention of
the Rights of the Child on the Sale of Children, Child Prostitution and Child
Pornography does not deal specifically with the use of computer systems but contains,
in article 2(c) a sufficiently broad definition of child pornography: ‘any representation,
by whatever means, of a child engaged in real or simulated explicit sexual activities or
any representation of the sexual parts of a child for primarily sexual purposes’.39 Few
additional content-related offences appear in other multilateral instruments. The League
of Arab States Convention goes beyond the criminalization of child pornography and
requires States parties to criminalize the ‘production, display, distribution, provision,
publication, purchase, sale, import of [all] pornographic material’ (art 12), with
offences involving child pornography carrying increased punishment. The draft African
Convention contains similar provisions as the CoE Convention with respect to child
pornography (arts III-29 to III-32), but it also demands States criminalize computer-
related acts involving racism and xenophobia (arts III-34 and III-35).
Finally, the CoE Convention contains offences related to the infringements of
copyright and related rights (art 10). No particular conduct is defined; instead, the CoE
Convention refers to domestic law and the obligations undertaken by States pursuant to
a number of international instruments in this area, such as the Bern Convention for the
Protection of Literary and Artistic Works and the Copyright Treaty of the World
Intellectual Property Organization. However, as article 10(1) clarifies, the provision is
intended to cover only those infringements that are committed ‘wilfully’ and ‘on a
commercial scale’.
Clearly, these offences do not encompass all possible cybercrimes. As the Explana-
tory Report to the CoE Convention states, ‘[t]he list of offences included represents a
minimum consensus not excluding extensions in domestic law’.40 By way of example,
the use of computers and computer systems to commit theft and extortion or to engage
in other harmful activities, such as cyberstalking, are not covered. One may therefore
wonder why only some of the crimes already criminalized at the domestic level, such
as forgery, fraud and child pornography, are included in the CoE Convention, but not
others.
38
For this debate, see Miriam F. Miquelson-Weismann, ‘The Convention on Cybercrime: A
harmonized implementation of international penal law: What prospects for procedural due
process?’(2005) 23 John Marshall J. of Computer & Information L. 329, 354.
39
Optional Protocol to the Convention of the Rights of the Child on the Sale of Children,
Child Prostitution and Child Pornography, 25 May 2000, 2171 UNTS 227 (entered into force 18
January 2002) (emphasis added).
40

/ Date: 24/3
Given that around 80 per cent of all cybercrime acts are committed through some
form of organized activity,41 another international instrument that can be relied upon to
some extent in the fight against cybercrime is the United Nations Convention against
Transnational Organized Crime from 2000 (Palermo Convention).42 This Convention
has been ratified almost universally, which makes it a potentially useful instrument to
coordinate the global fight against cybercrime. Most cybercrimes can be subsumed
under the definition of ‘transnational’ as defined in article 3(2) of the Convention,
according to which an offence is transnational when it is: (a) committed in more than
one State; (b) committed in one State but planned, prepared, directed or controlled in
another State; (c) committed in one State but involving an organized group engaging in
criminal activities in more than one State; or (d) committed in one State but has
substantial effects in another State. However, the Palermo Convention is only applic-
able to ‘serious crimes’, which are defined as ‘conduct constituting an offence
punishable by a maximum deprivation of liberty of at least four years or a more serious
penalty’ (art 2(b)) and which are committed for the purpose of obtaining a financial or
other material benefit (art 1(a)(i)); to the laundering of proceeds of a crime (art 6); and
to corruption (art 8). In other words, even though the Palermo Convention is completely
silent on cybercrime, certain serious forms of cybercriminal activities, such as
organized online fraud, are covered.43
3. THE INTERNATIONAL REGIME TO FIGHT CYBERCRIME

The international regime to fight cybercrime is equally dominated by the CoE
Convention which has been ratified by many countries in which the internet and the
cybereconomy have a central place. The Convention seeks to enhance cooperation
between member States. Among other things, States must be prepared to order and
obtain ‘the expeditious preservation of specified computer data’ (art 16) and to ensure
‘the expeditious disclosure … of traffic data’ (art 17). Stored computer data may be
searched and seized by the competent State authorities (art 19); traffic data may be
collected or recorded (art 20), and content data intercepted (art 21), either by the
authorities themselves or by compelling a service provider. These provisions are not
necessarily innovative when compared to existing international criminal law instru-
ments. However, the Convention clearly attempts to deal with the particular volatility of
computer data by adapting existing procedural law to the internet age, with the
41
Expert Group to Conduct a Comprehensive Study on Cybercrime, ‘Comprehensive study
of the problem of cybercrime and responses to it by Member States, the international community
and the private sector’ (UNODC/CCPCJ/EG.4/2013/2, Vienna, February 2013) para. 5.
42
United Nations Convention against Transnational Organized Crime, 15 November 2000,
2225 UNTS 209 (entered into force 29 September 2003).
43
The only reference to computers is made in the provision on training and technical
assistance, which requires States to initiate, develop or improve specific training programmes,
including ‘[m]ethods used in combating transnational organized crime committed through the
use of computers, telecommunications networks or other forms of modern technology’, ibid. art
29.1(h).

/ Date: 24/3
objective of allowing the competent authorities to proceed as rapidly as possible.44 It is

worth noting that, according to article 19, the powers to search and seize are limited to
the State’s respective territory, which means that any transboundary search or seizure
must follow the ordinary channels of mutual legal assistance.45
The powers and procedures referred to in articles 16–21 are subject to a provision on
‘conditions and safeguards’ (art 15), according to which States must ensure the
protection of human rights and liberties, for instance via judicial supervision. These
rights include those protected under international law, such as by the European
Convention on Human Rights (ECHR) and the International Covenant on Civil and
Political Rights. However, as the Explanatory Report notes, it is left to the ‘[n]ational
legislatures … to determine, in applying binding international obligations and estab-
lished domestic principles, which of the powers and procedures are sufficiently
intrusive in nature to require implementation of particular conditions and safeguards’.46
The Convention itself does not offer any specific procedural guarantees of due
process.47
Interestingly, the Convention goes beyond its provisions on substantive law and
requires all States to adopt measures to establish procedures for the purpose of criminal
investigations or proceedings not only for the offences contained in the Convention but
also for ‘other criminal offences committed by means of a computer system’ and ‘the
collection of evidence in electronic form of a criminal offence’ (art 14(2)b and c).
The CoE Convention also contains a number of provisions on mutual assistance and
extradition that follow the overarching principle according to which the parties ‘shall
co-operate with each other … to the widest extent possible for the purposes of
investigations or proceedings concerning criminal offences related to computer systems
and data, or for the collection of evidence in electronic form of a criminal offence’ (art
23). Again, the provisions are drafted with the fact in mind that computer data may
easily be deleted and is often stored for only short periods of time.48 In addition to the
possibility of relying on ‘expedited means of communication, including fax or e-mail’
(art 25), States parties must also designate a 24/7 point of contact to provide immediate
assistance and be able to proceed, for instance, with an expedited preservation or
disclosure of computer data (art 35). With respect to extradition, and similar to other
instruments dealing with transnational crime such as the Palermo Convention, the CoE
Convention contains an aut dedere aut judicare requirement, meaning that States must
either extradite or bring the case before their own national authorities according to the
principle (art 24(6)).
44
The Convention, therefore, emphasizes expeditiousness, for instance of the preservation
and disclosure of computer data. As the Explanatory Report notes, ‘[s]peed and, sometimes,
secrecy are often vital for the success of an investigation.’ Convention on Cybercrime,
Explanatory Report (n 25) para. 133.
45
Ibid. para. 195. The only exception is access to data that is publicly available or if the
consent of the person who has the lawful authority to disclose the data has been obtained.
Convention on Cybercrime (n 14) art 32.
46
47
For a critique of the lack of procedural guarantees, see Miquelson-Weismann (n 38) 341.
48
See Convention on Cybercrime, Explanatory Report (n 25) para. 256.

10 / Date: 24/3
Other instruments contain similar provisions with respect to extradition and mutual
legal assistance, including mechanisms for expedited assistance. While the draft
African Convention only touches on principles of international cooperation in a general
manner and encourages States parties to sign the Convention on mutual legal assistance
(art III-14), the League of Arab States Convention contains detailed provisions on
extradition and mutual assistance (arts 30–43). By way of example, States parties may
be requested to seize, secure or disclose data in their territory, including through
expedited means of communication, such as e-mail, and every State party is required to
establish a 24/7 contact point ‘to ensure the provision of prompt assistance’ (art 43).49
The League of Arab States Convention also resembles the CoE Convention with respect
to grounds for refusal of assistance. A State party may notably not respond to another
State’s request, for instance to preserve or disclose data, if ‘the request concerns an
offence which the requested Party considers a political offence’ or if ‘the requested
Party considers that execution of the request is likely to prejudice its sovereignty,
security, ordre public or other essential interests’.50 Although grounds for refusal
should, generally speaking, be ‘narrow and exercised with restraint’,51 it does not seem
that detailed reasons must be specified if requests for assistance are refused by invoking
one of these provisions.
In sum, the CoE Convention represents a traditional, decentralized criminal law
approach based on the territoriality principle of regulation and enforcement that seeks
to increase the capacity of States to deal with cybercrimes. As Susan W Brenner has
argued, cybercrime is treated in the Convention ‘as an internal threat which is to be
dealt with by the criminal justice system of a nation whose citizens have suffered
‘harm’ from a particular activity’.52 The very fact of criminalizing similar behaviour in
similar terms is in itself a great boost to transnational judicial cooperation, particularly
in the extradition domain where the dual criminality rule typically requires that an
offence exist in both the requesting and requested State.
4. THE PROBLEM OF JURISDICTION53

Crime is traditionally understood to be a largely territorial phenomenon, one in which
‘the perpetrator(s) and victim(s) are all physically present at a specific geographical
point when a crime is committed’.54 At first glance, cybercrime challenges that
49
For a discussion of institutional aspects and a few examples of ways in which such contact
points were established, see Council of Europe, ‘The effectiveness of international co-operation
against cybercrime: examples of good practice’, discussion paper prepared by Pedro Verdelho
(12 March 2008) 21–4 <http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/
documents/reports-presentations/567%20study4-Version7%20provisional%20_12%20March%
2008_.pdf> accessed 6 January 2014.
50
Convention on Cybercrime (n 14) arts 27(4), 29(5), 30(2); the corresponding provision in
the League of Arab States Convention can be found in art 35.
51
52
Brenner (n 37) 210.
53
For a general overview of jurisdiction in cyberspace, see Kohl (Ch 2 of this book).
54
Susan W Brenner, ‘Cybercrime jurisdiction’ (2006) 46 Crime, L. & Social Change 189.

11 / Date: 24/3
framework in a very radical way, almost to the point of making ‘geography irrel-
evant’.55 Cybercrimes are often transnational, even global in their concrete operation,
and not simply as a result of political fiat as in the case of major supranational crimes
(genocide, crimes against humanity or war crimes may, after all, be quite national in
character). However, there is also almost always a certain physicality even to
cybercrime. Criticizing a common overreliance on virtual metaphors in the scholarship,
for example, Orin S Kerr has argued that ‘virtual metaphors will obscure rather than
illuminate the dynamics of computer crime. … what matters is the physical reality of
the network, the actual bits and bytes, rather than the virtual world a user might
imagine’.56 At any rate, both prescriptive and adjudicative/enforcement issues arise that
at the very least complicate issues of jurisdiction.
At the prescriptive level, in the 1980s and 1990s, several countries, especially in
North America and Europe, started to adopt national legislation criminalizing certain
cybercrimes. Since websites can usually be accessed in every country, the content of
each website could be seen as having to comply with the national regulations of every
country from where it is accessible.57 The danger of overregulation, amplified in its
complexity by a still highly fragmented system based on national legislation, is
tangible. However, there is a strong correlation with the actual enforcement jurisdiction.
As Uta Kohl highlights, the:
fact that the existence of enforcement jurisdiction tends to be perceived as a prerequisite for
exercising adjudicative/legislative jurisdiction in respect of transnational criminal activity
means that the subjective territoriality principle, i.e. the country-of-origin approach, is far
more user-friendly for States. … the person responsible for the acts tends to be on the State’s
territory.58
In terms of adjudication and enforcement, even if bolstered with mutual legal assistance
treaties and extradition treaties, domestic laws are insufficient to establish jurisdiction
over many cybercrimes and deal effectively with jurisdictional conflicts, especially in
the case of cybercrimes of the latest generation. It is evident that the territoriality
principle, one of the principles on which national criminal jurisdiction is usually based,
is only of limited use in the context of cybercrime.59 There may be no single locus
delicti in the traditional sense; several offenders may act together yet from different
locations; experienced crackers can route their activities through portals in jurisdictions
without specific legislation; and digital evidence may be dispersed on servers located in
different jurisdictions.
55
Ibid.
56
Orin S Kerr, ‘Virtual crime, virtual deterrence: A skeptical view of self-help, architecture,
and civil liability’ (2005) 1 J. of L., Econ. & Pol’y. 197, 199–200. Kerr criticizes three proposals
associated with virtual metaphors: offensive self-help strategies or ‘cybervigilantism’, ‘architec-
ture regulation’, and civil liability for third-party computer operators.
57
For this debate, see Uta Kohl, Jurisdiction and the Internet (CUP 2007) 24–6. For the
argument that the rise of jurisdictional conflicts has been facilitated by technical developments,
especially those relating to the territorial restriction of websites, see ibid. 104.
58
Ibid. 106.
59
For this argument, see also Fausto Pocar, ‘New challenges for international rules against
cyber-crime’ (2004) 10 European J. on Criminal Policy and Research 27, 36.

12 / Date: 24/3
In most instances, however, the offenders, the victims and the harm caused are very
real. Basing jurisdiction on the principle of nationality and of objective territoriality,
according to which a State may exercise jurisdiction over a conduct having a
substantial effect in its territory, although the conduct occurred outside its territory,
allows States both to prosecute and to seek to protect their own nationals. This
approach is, for instance, adopted by the CoE Convention. While the provisions on
territorial jurisdiction are not very precise in this regard, with article 22(1)(a) only
requiring a State party to adopt measures allowing it to establish jurisdiction for
offences committed ‘in its territory’, the Explanatory Report specifies that an offence
committed ‘in its territory’ includes, for instance, the attack of a computer system in its
territory, even if the attack is launched from outside its territory.60
Should the State of origin and the State of destination both be able to exercise
jurisdiction? Conflicts are inevitable when the specific conduct in question is criminal-
ized in the former but not in the latter. These conflicts can be negative (no State claims
jurisdiction) or positive (multiple States do), both of which are problematic. The CoE
Convention deals with this dilemma to some extent by allowing States, under article
22(2), to opt out from the requirement to exercise jurisdiction over offences committed
by a national if the offence is punishable where it was committed.61 While integrating
the general principle of aut dedere aut judicare,62 the CoE Convention provides little
guidance to resolve jurisdictional conflicts and to avoid competition among law
enforcement authorities. It merely states that: ‘when more than one Party claims
jurisdiction … the Parties involved shall, where appropriate, consult with a view to
determining the most appropriate jurisdiction for prosecution’ (art 22(5)). These
consultations are not mandatory and, as the Explanatory Report specifies, may even be
declined if a State deems them to be an obstacle to its investigations.63
Compared to the CoE Convention, the EU Framework Decision is more specific with
respect to conflicts of jurisdiction. Relying above all on the territoriality and the
nationality principles, three options, in order of preference, are outlined to determine
which member State should prosecute: where the offence has been committed; whose
national has committed the offence; and where the offender has been found.64 The
League of Arab States Convention also establishes a clear order of priority. When
several States claim jurisdiction, the order is as follows: States whose security or
interests have been disrupted; then States in whose territory the offence was committed;
60
61
Convention on Cybercrime (n 14) art 22(1)(d). On negative and positive jurisdiction
conflicts, see De Hert, Gonzáles Fuster and Koops (n 19) 519; see also Susan W. Brenner and
Bert-Jaap Koops, ‘Approaches to cybercrime jurisdiction’ (2004) 4 J. of High Technology L. 1.
62
The provisions on extradition include the following clause:
If extradition for a criminal offence referred to in paragraph 1 of this article is refused solely
on the basis of the nationality of the person sought, or because the requested Party deems that
it has jurisdiction over the offence, the requested Party shall submit the case at the request of
the requesting Party to its competent authorities for the purpose of prosecution and shall
report the final outcome to the requesting Party in due course. Convention on Cybercrime
(n 14) art 24(6).
63
64
See also De Hert, Gonzáles Fuster and Koops (n 19) 519.

13 / Date: 24/3
and finally, the State of the nationality of the offender (art 30(3)). In practice, it appears
that States resolve jurisdictional conflicts on an ad hoc basis through formal and
informal consultations.65 As the UN Office on Drugs and Crimes concluded in 2013,
‘forms of territoriality-based and nationality-based jurisdiction are almost always able
to ensure a sufficient connection between cybercrime acts and at least one State’.66
5. CHALLENGES
Three areas seem to require specific attention in any attempt to deal with cybercrime:
the role of service providers, the impact on rights, and the possibility of non-criminal
preventive measures. First, regarding the regulation of the internet more generally, and
the prevention of, and fight against, cybercrime more specifically, establishing the
liability and responsibility of service providers, which are ‘effectively the gatekeepers
of data on the Internet’,67 may be particularly relevant. Moreover, law enforcement
authorities increasingly seek the cooperation of private companies, such as information
and service providers. Several States have established requirements to retain data for a
certain period and to disclose data following a formal request from law enforcement
authorities.68 The CoE Convention only deals with internet service providers in a few
procedure-related provisions, allowing, for instance, State authorities to compel service
providers to collect or record data.69 Several model legislative texts establish more
extensive responsibilities, for instance, of access and hosting providers, including
monitoring obligations.70
Second, the fight against cybercrime may have an impact on the human rights of
users of computers and the internet, perhaps especially when service providers are
enlisted in an enterprise of surveillance.71 Although cybercrime is a concern for the
public, the potential of cybercrime laws being interpreted by governments in ways that
allow them to better suppress dissent or control populations is high, in ways that are
very reminiscent of debates surrounding the repression of terrorism. The right to
privacy may be violated, as may freedom of expression unduly limited by content-
related restrictions.72 Concerns have been voiced that the CoE Convention was
65
UN Office on Drugs and Crime (n 16) 189.
66
Ibid.
67
Clough (n 1) 8.
68
UN Office on Drugs and Crime (n 16) 144–6.
69
Convention on Cybercrime (n 14) arts 20(1)b and 21(1)b.
70
E.g. the 2010 Model Legislative Texts on Cybercrime/e-Crimes and Electronic Evidence
elaborated by the International Telecommunication Union (ITU)/Caribbean Community
(CARICOM)/Caribbean Telecommunications Union (CTU) and the 2011 Cybersecurity Draft
Model Bill of the Common Market for Eastern and Southern Africa (COMESA).
71
See Fidler (Ch 5 of this book).
72
Joint Declaration on Freedom of Expression and the Internet by the UN Special
Rapporteur on Freedom of Opinion and Expression, the OSCE Representative on Freedom of the
Media, the OAS Special Rapporteur on Freedom of Expression and the ACHPR Special
Rapporteur on Freedom of Expression and Access to Information, <http://www.osce.org/fom/
78309> accessed 18 October 2013. The Joint Declaration states, for instance, that ‘[c]ontent

14 / Date: 24/3
established thanks to the work of a Committee of Experts with little access for civil
society organizations, especially those concerned with privacy. It should be recalled
that the Convention recognizes States’ quite broad powers to combat even those
cybercrimes that are not actually defined in it. Although the Preamble states that
signatories are ‘mindful of the need to ensure a proper balance between the interests of
law enforcement and respect for fundamental human rights’, it does not itself establish
guarantees to respect such rights, leaving it instead to the States parties to legislate on
proportionality and checks and balances according to already existing obligations under
human rights law. This means that no shared minimal standards with respect to due
process exist for all States parties to the CoE Convention. Most notably, the ECHR,
which may provide particularly useful guarantees in the context of the fight against
cybercrime, is only applicable to the European States which are parties to this
Convention; contrary to the Cybercrime Convention, the ECHR is not open to
non-States parties of the CoE.73 Moreover, there are no provisions in the Convention
outside the Preamble on the protection of personal data, a sensitive issue in light of
States’ extensive surveillance powers and the fact that judicial cooperation under the
Convention may lead to data being shared with States beyond those bound by the EU’s
own relatively protective standards. More generally, the fight against cybercrime has
created concerns that it may impair citizens’ ability and right to ‘seek, receive and
impart information’74 in a context where States may feel empowered to seize or
otherwise obtain computer data without warrants or adopt expansive libel laws when it
comes to the internet.75 However, combating cybercrime should arguably be subject to
particular regulation. Just as some forms of cybercrime, because of their novel
characteristics, demand specific legal responses, some of these responses may represent
a particular threat to human rights. In other words, the potentially far-reaching intrusion
into the lives of internet users, facilitated by automated surveillance and data storage,
ought to be an inherent aspect of any initiatives intended to fighting cybercrime.
Third, criminal law is obviously not the only avenue to combat cybercrime. A
document entitled ‘cybercrime report’ of a software security producer is clearly not
intended to promote criminal law responses to cybercrime but to make the online user
protect herself through technical means. Indeed, when confronted with – increasingly
filtering systems which are imposed by a government or commercial service provider and which
are not end-user controlled are a form of prior censorship and are not justifiable as a restriction
on freedom of expression’ (para. 3.b). For a general discussion of human rights and cyberspace,
see Ch 6 in this volume.
73
For this discussion, in particular with reference to the US and decisions of the Supreme
Court concluding that the ECHR and other international human rights instruments, such as the
International Covenant on Civil and Political Rights, do not create enforceable rights in the US,
see Miquelson-Weismann (n 38) 355–9.
74
This is the language adopted by the 1948 Universal Declaration of Human Rights in art
19.
75
This was, for instance, the case of the highly controversial 2012 Cybercrime Prevention
Act of the Philippines that extended criminal libel to the internet and provided for harsh prison
sentences; the Act has been temporarily suspended by the Supreme Court. For more information
on the 2012 Act, see Human Rights Watch, ‘Philippines: New “Cybercrime” Law Will Harm
Free Speech’ (28 September 2012) <http://www.hrw.org/news/2012/09/28/philippines-new-
cybercrime-law-will-harm-free-speech> accessed 6 January 2014.

15 / Date: 24/3
automated – cybercrimes, we almost instinctively look for a technical defence:

anti-virus programs, spam filters, firewalls, passwords, more secure online payment
systems. Preventive measures are no doubt important. Because of the typically
transboundary nature of cybercriminal activities, cybercrime prevention, such as
awareness-raising campaigns,76 should also go beyond national boundaries, in particu-
lar in order to respond to emerging threats. Educating users to make them vigilant and
take essential security precautions can eliminate many opportunities for cybercriminal
activities. Although many potential offenders will use more sophisticated tools to act or
find users located in places with a generally lower level of cybersecurity, the overall
crime rate is likely to drop. Moreover, the private sector, notably service providers and
software producers, plays an important role, which is why self-regulation, which may
be highly effective, and the sharing of best practices ought to be encouraged and
facilitated.77
Compared to this ready-to-use and easily adaptable digital armada and its more
immediate and tangible impact, attempts to strengthen the transnational legal frame-
work to combat cybercrime may look relatively removed from the site of crimes and ill
adapted to prevent them. Technical responses, however, only deal with the effects and
not with the underlying problem itself. In this sense, legal responses have the potential
to have a more profound impact on criminal behaviour. Investigating and prosecuting
cybercrimes in order to terminate a specific conduct, such as spamming, should thus
not be weighed against the effectiveness of technical avenues. Criminal law is
complementary to security measures78 and has an inherent, if not easily measurable,
deterrent effect.
6. CONCLUSION
It appears that all initiatives, whether at the national, regional or international level,
only react – with a significant delay – to rapidly evolving forms of cybercriminal
activities. It is, indeed, difficult to conceive how law could anticipate future threats, in
other words do more than react and respond. Cybercrime also reveals some of the
shortcomings of the traditional nation-State approach in the field of criminal law: the
monopoly of power has largely become an illusion. States will undoubtedly need to
develop more creative responses. Enhancing harmonization of substantive law and
transnational cooperation via instruments like the CoE Convention is certainly useful,
but several challenges remain, in addition to the Convention’s provisions being
susceptible to different interpretations by its States parties. More comprehensive
approaches that integrate a deeper understanding of the functioning of information
76
For examples of such campaigns organized by governments and the private sector, see UN
Office on Drugs and Crime (n 16) 234–6.
77
E.g. Joint Declaration on Freedom of Expression and the Internet (n 72), para. 1.f.
78
The CoE Explanatory Report recognizes that ‘[t]he most effective means of preventing
unauthorised access is, of course, the introduction and development of effective security
measures. However, a comprehensive response has to include also the threat and use of criminal
law measures’. Convention on Cybercrime, Explanatory Report (n 25) para. 45.

16 / Date: 24/3
technology may be required. In this sense, the emergence of entirely virtual worlds has
already created a renewed need for theorizing about criminal law. Is stealing a virtual
object in a virtual world a crime akin to theft?79 Is virtual child pornography the same
as the real thing? On the one hand, surely killing a virtual avatar is not the same thing
as murder, even though it may be portrayed as such in a game environment. Some have
argued for a relatively light intervention of the criminal law, leaving governance and
disciplining of virtual spaces to their organizers. On the other hand, economic and
social harms may occur as a result of actions occurring entirely in virtual spaces, not to
mention the way in which such spaces may serve to play out or experiment with
criminal behaviour in ways that may well spill over into the real world.
A key question is to what extent we can or should look beyond traditional criminal
law responses and whether cybercrime requires radically new approaches. Is inter-
national law, and the law more generally, ill-equipped to deal with cybercrime?
Additional options to strengthen existing and to propose new national and international
legal or other responses to cybercrime, as identified by a United Nations Office on
Drugs and Crime report in 201380 include the development of international model
provisions on the criminalization of cybercrimes, inter alia, to eliminate ‘safe havens’;
the development of a comprehensive multilateral instrument; and the strengthening of
cooperation in order to deliver enhanced technical assistance to combat cybercrime in
developing countries. Furthermore, suggestions such as the establishment of an
International Cybercrime Court or for the expansion of the competences of the
International Criminal Court over cybercrimes81 may be premature but have been
voiced strongly.
The principle of universality merits consideration in this context. Traditionally,
universal jurisdiction has been reserved for the arguably most serious crimes, including
genocide and crimes against humanity. No traditional jurisdictional link being required,
any State may exercise jurisdiction over such crimes, even if committed outside its
territory by a non-national against non-nationals. It seems unlikely that a consensus
regarding universal jurisdiction over cybercrime will develop anytime soon; most
cybercriminal activities do not ‘shock the consciousness of humanity’82 to the same
degree as the crimes under the jurisdiction of the International Criminal Court. It might
be conceivable, however, to imagine the application of the principle of universal
jurisdiction on a basis closer to its original application to crimes of piracy, as a result of
their occurring in areas that were beyond the jurisdiction of any State. Jurisdiction
would be limited to a restricted list of the most serious cybercriminal activities that are
79
Andrea Vanina Arias, ‘Life, liberty, and the pursuit of swords and armor: Regulating the
theft of virtual goods’ (2007) 57 Emory L J 1301; Brenner, ‘Fantasy Crime’ (n 11); Brian
Simpson, ‘What happens online stays online? Virtual punishment in the real world’ (2011) 20
Information & Communications Technology L. 3.
80
UN Office on Drugs and Crime (n 16).
81
Stein Schjolberg, ‘Recommendations for potential new global legal mechanisms against
global cyberattacks and other global cybercrime: An international criminal tribunal for cyber-
space (ICTC), A Paper for the EastWest Institute (EWI) Cybercrime Legal Working Group’
(2012) <http://www.cybercrimelaw.net/documents/ICTC.pdf> accessed 6 January 2014.
82
Rome Statute of the International Criminal Court, 17 July 1998, UN Doc A/CONF.183/9,
preamble.

17 / Date: 24/3
universally condemned, in which case the State assuming jurisdiction would not need
to establish a nexus according to the conventional criteria of territoriality or nationality.
However, the threshold is likely to be high; the mere fact that an activity is
deterritorialized in nature – as many cybercrimes are – cannot be considered an
automatic justification for any State asserting jurisdiction.
In sum, cybercrime has not yet altered the nature and modalities of international law,
with the current international legal responses rather following traditional approaches
that were already adopted in other areas of transboundary criminal law, such as human
trafficking or drug trafficking. The various multilateral initiatives are valuable, since
they lay the groundwork for greater cooperation between States. However, these
instruments certainly further the risk of creating regional clusters. Global cooperation,
beyond State or regional boundaries, and across the State/non-State divide, is needed to
deal with many forms of cybercrime.

18 / Date: 24/3

19 / Date: 24/3
PART III
CYBER ATTACKS AND THE

JUS AD BELLUM

1 / Date: 24/3

2 / Date: 24/3
10. The notion of cyber operations

Paul Ducheine*
1. INTRODUCTION
(a) Apples and Pears? No, Just (Different) Goals!
Various recent assessments have revealed that ‘digital espionage and cyber crime
remain the biggest threats to both government and the business community’.1 The
so-called Snowden files have shed light on the activities of governmental intelligence
agencies that would have remained unknown to most of us. It appears that intelligence
services and companies around the world conduct operations in and through cyber-
space.2 This is self-evident for public (or governmental) organisations, however, the
number of private enterprises digitally collecting and providing information is growing
steadily.3 Activities include social-media monitoring,4 digital investigation,5 and ordi-
nary marketing research. Most notably, large ICT-companies such as Google, AOL,
Microsoft and applications like Facebook, Whatsapp, Twitter and LinkedIn are also
collecting data for (future) business purposes.6 Google’s knowledge of search-queries
* The author is grateful for the comments delivered by Professor Terry Gill, Mark Roorda,
Willem van Poll and Jelle van Haaster.
1
National Cyber Security Centre, ‘Cyber Security Assessment Netherlands-4’ (CSAN-4,
2014) 7. This national assessment is confirmed by findings of others: Ernst & Young, Under
cyber attack – EY’s Global InformationSecurity Survey 2013 (Ernst & Young 2013); Stephen
Doherty and others, ‘Hidden Lynx – Professional Hackers for Hire’ (Symantec, 17 September
2013) <http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/
hidden_lynx.pdf> accessed 12 September 2014.
2
For the description of cyberspace used in this chapter, see Paul A L Ducheine and Jelle
van Haaster, ‘Fighting Power, Targeting and Cyber Operations’ in Proceedings of the 6th
International Conference on Cyber Conflict (2014) (CCDCOE 2014) 303–28, using a five-
layered model consisting of people, cyber-identities, cyber-objects, physical infrastructure
(objects) and geographical locations (of people and infrastructure).
3
For instance services provided by Information Security firms, see Mandiant’s Intelligence
Centre <www.mandiant.com/products/intelligence-center> accessed 12 September 2014, well
known for reporting on China’s alleged Advanced Persistent Threat or see the Dutch niche
company Fox-IT <www.fox-it.com/en> accessed 12 September 2014.
4
See inter alia <http://www.coosto.com/uk/> accessed 12 September 2014. Applications
are offered for: customer service, brand monitoring, campaign monitoring, crisis monitoring,
competitor monitoring and data research.
5
See <www.cyberinvestigationservices.com> accessed 12 September 2014, addressing
internet defamation, cyber harassment, hacking investigation, and cyber security.
6
Recently, a number of those companies advocated more restrictions on governmental
surveillance and reform of legislation in this respect. See <www.reformgovernmentsurveil-
lance.com> accessed 12 September 2014.
211
1 / Date: 7/5
enables it to know more details about individuals than these people know (or realize)
themselves.7 Since a number of these ICT companies are being observed by, or forced
to collaborate with, governmental intelligence agencies, this private (and economic)
information is likely also available for the latter.
Next to espionage and intelligence, the other substantial threat originates from a
group of actors that bears no public responsibility at all: criminals who use cyberspace
as a vector for their actions, as a target for their activity, as a line of communication, or
as a marketplace to sell their ‘products’. In order to counter this threat, stakeholders
varying from individuals to Internet Service Providers (ISPs), from anti-virus vendors
to governments, have taken a variety of countermeasures. These measures may be
preventive in nature by installing firewalls and anti-virus software, or by penalising
cyber crime by implementing (inter alia) the Budapest Cyber Crime Convention.8 In
addition, governments are preparing responses by drafting legislation enabling law
enforcement officials to ‘hack-back’, once designated forms of (cyber) crime have been
discovered.9
However, apart from espionage and crime, cyberspace is also used for a variety of
other purposes. According to David Sanger, the US and Israel produced and used the
famous Stuxnet virus against nuclear production facilities in Iran, delaying its nuclear
program and thereby ‘buying’ time and preventing (or postponing) a physical (military)
aka ‘kinetic’ operation against Iran’s nuclear program.10 This form of cyber sabotage or
‘cybotage’,11 was a complicated, multidimensional and costly operation against an
Industrial Control System (ICS) not connected to the Internet and therefore protected
by (inter alia) a so-called ‘air gap’. This, however, did not hamper the operation and
might become even more likely since researchers have now proved that acoustic signals
may also cross air gaps like these.12 Hence, cyber activities have had (and will have)
effects in the physical domain.
Cyberspace also features and supports warfare, war-related activities and (other)
military operations. In 2007 Syrian air defences did not notice foreign jets bombing a
7
John Lanchester provokingly argues that Google, by virtue of its data, ‘doesn’t just know
you’re gay before you tell your mum; it knows you’re gay before you do’, John Lanchester, ‘The
Snowden files: why the British public should be worried about GCHQ’ The Guardian (3 October
2013) <http://www.theguardian.com/world/2013/oct/03/edward-snowden-files-john-lanchester>
8
(entered into force 1 July 2004).
9
See inter alia Michiel van Blommestein, ‘“Hack back” law would let Dutch police install
spyware, eavesdrop on Skype’ (ZDNet, 3 May 2013) <http://www.zdnet.com/hack-back-law-
would-let-dutch-police-install-spyware-eavesdrop-on-skype-7000014867/> accessed 12 Septem-
ber 2014; and Peter Sommer, ‘Police powers to hack: current UK law’ (2012) 6 Computer and
Telecommunications L. Rev 165.
10
David Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of
American Power (Crown 2012) 188 ff.
11
John Arquilla, ‘Cyberwar is already upon us – But can it be controlled?’ Foreign Policy
(27 February 2012) <http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_
upon_us#sthash.OfFAFk4W.dpbs> accessed 1 March 2014.
12
Michael Hanspach and Michael Goetz, ‘On covert acoustical mesh networks in Air’
(2013) 8(11) J. of Communications 758.

2 / Date: 7/5
The notion of cyber operations 213
nuclear facility at al Kibar. Apparently, the air defences were manipulated from outside,
using cyberspace as an entrance and digital code as tooling.13 During the Second Gaza
War (2012), Israel Defence Force (IDF) and Hamas were battling in cyberspace, using
blogs and tweets as instruments in an information campaign.14 Sympathisers (or
victims) expressed their feelings and ideas as well.15 Characteristically for cyberspace,
geographical dislocation does not hamper groups and individuals from joining conflicts
(and other forms of social behaviour), thus confronting or supporting the warring
parties digitally.16 Hackers bearing the name Anonymous, launched their ‘#OpIsrael’
campaign, defacing and obstructing Israeli websites and e-services.17 Thus, Anonymous
and (h)activist groups alike have entered the realm of conflict,18 partially in pursuance
of their ‘corporate’ mission, but by launching virtual (i.e. cyber) operations, also
entering the domain of operations that are closely related to the physical military
conflict that is being fought by the warring factions as well.
Whichever source is behind these threats, irrespective of the motivation that is
driving such cyber activities, and regardless of where and against what or whom they
are conducted or directed, the common denominator of these forms of social behaviour,
seems – at first glance – to be a military and warlike one, as all of them are referred to
as ‘attacks’, the activities quite often labelled as ‘operations’, and the totality of
operations once and again is characterized as ‘cyber warfare’, as if the whole
phenomenon were militarized.
13
Peter Warren Singer and Allan Friedman, Cybersecurity and Cyberwar – What Everyone
Needs to Know (OUP 2014) 126–8.
14
Tweets from @IDFSpokesman (<https://twitter.com/IDFSpokesperson> accessed 12 Sep-
tember 2014) and IDF–Blog.com, e.g. <www.idfblog.com/wp-content/uploads/2012/11/
checklistinfographic.jpg> (accessed 1 March 2014). See also IDF communication on Hamas in
general (<www.idfblog.com/category/idf-news/terrorism-idf-news/hamas/> accessed 1 March
2014). Hamas operatives’ use of Twitter can be found on <twitter.com/AlqassamBrigade>
(accessed 12 September 2014), for instance with <https://twitter.com/AlqassamBrigade/status/
269186182225747968/photo/1/large> (accessed 2 January 2014), the account was suspended by
Twitter, see NN, ‘Twitter suspends English account of Hamas military wing’ (Al Arabiya News,
12 January 2014) <http://english.alarabiya.net/en/media/digital/2014/01/12/Twitter-suspends-
English-account-of-Hamas-s-military-wing-.html> accessed 15 March 2014.
15
For instance see Occupied Palestine, ‘#GazaUnderAttack | NOV 21, 2012 | LIVE BLOG’
(Occupied Palestine, 21 November 2012) <occupiedpalestine.wordpress.com/2012/11/18/
gazaunderattack-nov-18-2012-live-blog/> accessed 12 September 2014).
16
Garbiella Coleman, ‘Anonymous in context: The politics and power behind the mask’
(Paper No 3, International Governance Innovation, November 2013) <http://www.cigionline.org/
sites/default/files/no3_8.pdf> accessed 1 January 2014.
17
Anonymous, ‘#OpIsrael’ (Youtube, 17 November 2012) <http://www.youtube.com/
watch?v=q760tsz1Z7M> accessed 31 December 2013.
18
I.e. in the factual meaning, without necessarily (directly) participation in the hostilities.

3 / Date: 24/3
(b) The Military in Cyber?
However, despite the belligerent language often used,19 in reality, the portion of
military involvement in cyber activities seems fairly limited. This ought to be nuanced.
Even so, the observation may be true regarding cyber warfare proper, i.e. the conduct of
military cyber operations in the context of an armed conflict in the legal meaning.20
Yet, as cyber operations may not – and most times do not – qualify as cyber warfare
proper, other cyber operations below this threshold are characterized by military
involvement as well. Therefore, the military’s contribution to cyber operations is larger:
quantitatively and qualitatively.
First, the military portion may be larger in numbers (quantity), as some States have
provisions whereby the military are involved through non-military institutional arrange-
ments. Some of the military intelligence and security services operate under civil (i.e.
non-military) legislation and control. Some of the intelligence services have a dual role:
civil and military tasking alike. In addition, some States have a role for military police
forces within the law enforcement domain.
Secondly, although small in numbers, the military may play a crucial and inevitable
role in providing ‘cyber security’. Nowadays, governments increasingly rely on a
multidisciplinary or inter agency approaches to (modern) security threats as is clearly
visible in counter-terrorism and cyber-security policies, thus using the ‘whole of
government’ to face and address modern threats.
(c) Aim, Perspective and Structure
Suitable or not, the term cyber operations seems to become a common denominator for
activities in cyberspace, undertaken with the aim of achieving objectives in or through
this digital domain. The common denominator however, can be, and indeed is, used in
a great variety of situations, by a diversity of actors and, quite obviously, for various
reasons.
The aim of this chapter therefore, is to elaborate on this notion of ‘cyber operations’
as they seem to be used as a universal, a rather generic and non-specific term. As a
starting point, the definition offered by an international group of experts will be used
for this purpose. Cyber operations are defined as: ‘the employment of cyber capabilities
with the primary purpose of achieving objectives in or by the use of cyberspace’.21
The primary perspective will be that of the State. However, as demonstrated above,
since non-State entities have emerged in this domain as well, attention will also be paid
to the characteristics of (a number of) cyber operations conducted by non-State actors.
19
Kenneth Watkin, ‘The cyber road ahead: Merging lanes and legal challenges’ (2013) 89
Int’l. L. Studies 472, 503.
20
See, e.g. Terry D Gill & Paul A L Ducheine, ‘Anticipatory self-defense in cyber context’
in Yoram Dinstein and Fania Domb (eds.), Israel Yearbook on Human Rights (vol 43, Martinus
Nijhoff Publishers 2013).
21
Michael N Schmitt, ‘“Below the threshold” cyber operations: The countermeasures
response option and international law’ (2014) 54 (Forthcoming) Virginia J. of Int’l. L.
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2353898> accessed 13 November 2013.

4 / Date: 7/5
Although some non-State actors may have explicitly formulated a formal strategy as
States (normally) do, a number of them will only have some form of implied
rudimentary articulated ‘corporate goal or end’.22 Whether communicated explicitly or
not, and regardless of its legitimacy, State and non-State actors alike do tend to allocate
resources (means) and undertake activities (ways) in order to achieve those designated
goals or ends. In doing so, non-State actors (at least rational ones) and States both use
strategic objectives at the ‘corporate’ or ‘strategic’ level of their organization. These
strategic objectives are subsequently implemented at the operational level through the
allocation of means, and the definition of ways to employ the latter. These two
characteristics of organizations will be used to describe differences and similarities in
the various cyber operations.
First, for State and non-State entities alike, the differences in objectives at the
strategic level will be exposed (Section 2). Section 3 will then reveal similarities at the
operational level, being the ‘means and methods’ used to achieve these strategic
objectives.
Subsequently, the primary focus will be on State actors, displaying the distinct roles
of States by articulating five strategic paradigms used to characterize cyber activities,
their purposes and institutional frameworks (Section 4). Section 5 then operationalizes
cyber operations (in general) and military cyber operations in particular (Section 6) by
describing specific features and phases.
2. DIVERSITY IN STRATEGIC OBJECTIVES

As stated, States and non-State entities alike will be inspired or driven by implied or
publicly stated national or corporate strategy. Even when merely reacting to ‘events’,
State and non-State activities will be driven or guided by (some basic form of) strategic
notions. This is also true for activities in the digital domain. These strategic notions
may be ‘plain and simple’ for instance, economic profit, or complex, ranging from
enhancing cyber security – as (inter alia) crucial and critical public and private
infrastructure or services are reliant on ICT – to the sophisticated use of cyber
capabilities in the military domain.
Focussing on States, their primary aim will be to enhance (national) security and to
safeguard their (other vital) national interests. These vital interests may be stated in a
grand or national security strategy, or they may be implied in, or deduced from,
national (security) policies. To date, a number of States have explicitly articulated
22
On non-State actors’ strategies, e.g. Lawrence Freedman, Strategy – A History (OUP
2013) 474 ff.; and Peter R Neumann and Michael L Smith, ‘Strategic terrorism: the framework
and its fallacies’ in Thomas G Mahnken and Joseph A Maiolo (eds.), Strategic Studies – A
Reader (Routledge 2008) 342. Some non-State actors have explicitly stated ‘strategic objectives,
e.g. Hamas’ strategy as expressed in its Charter (The Covenant of the Islamic Resistance
Movement (1988) <http://avalon.law.yale.edu/20th_century/hamas.asp> accessed 17 March
2014); and The Syrian Electronic Army at Helmi Noman, ‘The emergence of open and
organized pro-government cyber attacks in the Middle East: The case of the Syrian electronic
army’ (Infowar Monitor, 30 May 2011) <http://www.infowar-monitor.net/2011/05/7349/>
accessed 12 September 2014.

5 / Date: 8/5
thematic national strategies focussing on cyber security issues.23 Other States may
derive their strategic aims from general national strategies. As cyberspace, or the digital
domain, is part of other domains, and other vital interests are increasingly interrelated
and dependent on ICT and digital networks, security in the digital domain (hence cyber
security) may be a part of other vital strategic interests, such as economic security and
physical security. However, as was demonstrated by the recent Dutch Diginotar case,
some parts of a State’s critical infrastructure can be purely digital in nature and
formerly not designated as such. Only after having (thus) emerged as vital to security
interests in general, governments are forced to reconsider the notion of ‘critical’
infrastructure, as was the case in the Netherlands.24
Looking at non-State actors, their strategic notion may differ from that of States.
Regarding legitimate commercial enterprises, their goal will be economic profit, as is
the case for Kaspersky, Norton, Symantec, Google, Facebook et al.25 Of particular
interest are commercial enterprises that appear to be supplying tools enabling others to
conduct cyber activities.26 Cyber activities are part of their business model, if not their
product.27
23
See for an overview of those States e.g.: OECD ‘Cybersecurity policy making at a
turning point: Analysing a new generation of national cybersecurity strategies for the internet
economy’ (OECD Digital Economy Papers, No. 211, OECD Publishing 2012) 66 ff.; CCD COE,
‘National Strategies & Policies’ (NATO Cooperative Cyber Defence Centre of Excellence, 2014)
<https://www.ccdcoe.org/328.html> accessed 1 January 2014; ENISA, ‘National cyber security
strategies – Setting the course for national efforts to strengthen security in cyberspace’ (May
2012) <https://wwwenisaeuropaeu/activities/Resilience-and-CIIP/national-cyber-security-strategies-
ncsss/cyber-security-strategies-paper> accessed 12 September 2014).
24
National Cyber Security Centre, ‘Dossier DigiNotar’ <www.ncsc.nl/english/services/
expertise-advice/knowledge-sharing/files%5B2%5D/dossier-diginotar.html> accessed 2 March
2014. On the impact of the case, see National Cyber Security Centre (n 1) 18: ‘For example IT,
telecommunications and electricity are fundamental for the functioning of many (other) vital
sectors and processes in society. Failure in any one of these sectors can result in damaging
effects in all sectors’.
25
For example:
Symantec’s mission is to make the world a safer place by protecting and managing
information so everyone is free to focus on achieving their goals. It’s a statement that ties our
business goals to a social purpose as we help people, businesses, and governments secure and
manage their information-driven world against more risks at more points, more completely
and efficiently than any other company. Steve Bennett, ‘CEO Letter’ (Symantec)
<www.symantec.com/corporate_responsibility/topic.jsp?id=ceo_letter> accessed 12 September
2014.
26
E.g. the US-based Palantir (<www.palantir.com>), the French company Vupen
(<www.vupen.com/english/>) or Israeli enterprise Terrogence (<www.terrogence.com> all
accessed 12 September 2014).
27
For example:
It is Fox-IT’s mission to make technical and innovative solutions that ensure a more secure
society. We do that through the development of advanced cybersecurity and cyberdefense
services and solutions for our clients around the world. We achieve this through a strong
focus on innovation and a tireless dedication to our clients, our values, and our integrity ()

6 / Date: 24/3
Non-profit organizations such as the TOR-project, Anonymous or CCC,28 as well as

thematic pressure groups such as Bits of Freedom, Privacy First or the Electronic
Frontier Foundation will pursue political and/or ideological goals.29 Their cyber
activities will be more focussed upon freedom of expression, free Internet, net
neutrality, privacy, etc. Cyber may be at the heart of their strategic values, or may offer
leverage as a vector or medium for their activities.
Ideology also seems to be the primary objective of non-State actors that have entered
battlefields and conflicts digitally: Hamas, Hezbollah, the Syrian Electronic Army, and
again, Anonymous cum suis. Apart from ideology, some of these actors may also have
other ambitions that may even resemble those of States: territorial or military. Recent
events have demonstrated that non-State actors, with or without the sponsoring of
affiliated States, have conducted numerous ‘cyber operations’ ranging from purely
ideological (Estonia 2007), in support of (or at least supportive to) military conflict
(Georgia, 2008; Ukraine, 2014), autonomous (Anonymous, 2012) or as part of military
conflict (Hezbollah, 2006; Hamas, 2012).30 In more than one respect, their operations
are quite similar to cyber operations conducted by States (through their organs), and as
such, these operations are as instrumental to corporate strategic aims, as they are for
States.
3. COMMON OPERATIONAL MEANS AND METHODS

Although the strategic objectives of the various actors conducting cyber operations may
differ, in general they use the same capabilities in terms of means and methods. This is
demonstrated by the shared dependency on knowledge and skills that is required to
conduct these activities. Thus, whether operating in governmental service (military and
civil), companies, pressure or activist groups, or in sheer isolation, all cyber operators
or ‘hackers’ – white, grey and black hats alike – require the same skills and expertise.
Apart from personnel, knowledge and skills as a prerequisite for cyber operations,
the ways and means, or in other words, the means and methods to achieve strategic
aims are comparable at the operational level as well. All cyber actors will require
comparable (if not the same) tooling, software and hardware, whether it is their intent
<www.fox-it.com/en/about-us/> accessed 12 September 2014; also ‘Hold Security provides the

best innovative services to meet your company’s needs’ Hold Security <www.holdsecurity.com>
accessed 12 September 2014).
28
On Anomynous, see e.g. Coleman (n 17). See also the German Chaos Computer Club
<http://www.ccc.de/en/> accessed 18 March 2014.
29
E.g. ‘Privacy First takes a professional and evidence-based approach to the various
issues. The preservation of liberty in the private sphere can be perfectly combined with rapidly
changing societal and technological developments.’ Privacy First <www.privacyfirst.eu/>
accessed 12 September 2014. ‘From the Internet to the iPod, technologies are transforming our
society and empowering us as speakers, citizens, creators, and consumers. When our freedoms in
the networked world come under attack, the Electronic Frontier Foundation (EFF) is the first line
of defense.’ ‘About’ (EFF) <https://www.eff.org/about> accessed 12 September 2014.
30
On 15–16 March 2014, apparently related to the Ukraine crisis, some of NATO
(affiliated) websites suffered from DDoS, allegedly generated by CyberBerkut.

7 / Date: 24/3
to prevent misuse of cyberspace, or because misuse is their very goal. Taking into
account that the aims of cyber-security companies (e.g. Symantec) and vendors (e.g.
Microsoft) on the one hand, and cyber criminals on the other hand will be opposite,
their ‘business-models’ or in other words, the operational ways to achieve goals, focus
on the same lines of software and code: where it is Symantec’s and Microsoft’s task to
discover and/or to fix vulnerabilities, it is the criminal’s intent to exploit these very
weaknesses.
One of the clearest demonstrations of commonalities at the operational level vis-à-vis
cyber means and methods is monitoring software (and hardware) that is used by
Computer Emergency Response Teams (CERTs), intelligence agencies, law enforce-
ment officials, military units, civilian cyber security companies, as well as organized
criminal groups or hacktivist groups.
Thus, despite strategic differences between States and (some) non-State actors, at the
operational (and tactical) level, there appears to be more similarity as all actors –
conceptually – rely on more or less the same basic requirements (personnel, knowledge
and skills) and means and methods, that is: capabilities and capacities (see Section 5).
With that twofold conclusion in mind, the next sections will take a State perspective as
a starting point in order to further differentiate between the varieties of cyber
operations.31
4. APPLICABLE CYBER PARADIGMS FOR STATES

Looking at cyber activities at the State level, a number of distinct paradigms are
applicable to describe cyber operations.32 These paradigms are demonstrated in national
cyber security strategies worldwide,33 as well as through the instrumental use of cyber
capabilities in furtherance of States’ (other vital) interests.34 These paradigms can be
depicted as parts of a continuum, a spectrum, or to put it differently, as part of a State’s
comprehensive efforts in cyberspace. The paradigms are complementary and over-
lapping.35
These paradigms represent one (or more) of the institutional frameworks enabling
governments (or public authorities) to conduct activities within democratic societies.
They thus offer a legal and social framework for (governmental) behaviour, that is, as
with all social interaction, subject to adjustments that are initiated or inspired by
changes in the security landscape (including ‘new’ threats), public opinion, inter-
national, societal and technological trends. As such, these frameworks reflect the
31
When and where required, special attention will be paid to non-State actors conducting
cyber operations, criminal activities excluded, although the analysis offered may fit their
activities as well.
32
See also Alexander Klimburg and Philipp Mirtl, ‘Cyberspace and governance – A primer’
(Working Paper 65, Austrian Institute for International Affairs, September 2012) 15 <http://
www.oiip.ac.at/fileadmin/Unterlagen/Dateien/Publikationen/Cyberspace_and_Governance_-_
Working_Paper_65_2.pdf> accessed 11 November 2013.
33
See OECD (n 23).
34
E.g. Stuxnet, see also Sanger (n 10).
35
Klimburg and Mirtl (n 32) 15, referring to these paradigms as ‘mandates’.

8 / Date: 7/5
Zeitgeist regarding topics that have reached the political agenda and require or enable
governmental action.36
To date, the issue of ‘cyber security’ has definitely reached the (international)
political and legislative agenda through the process of ‘securitization’, creating a
window of opportunity for amendments or implementation of these frameworks, and
have thus affected the paradigms.37
Two developments served as the driving forces behind today’s frameworks relevant
to cyber operations. First, the changed notion of security after the terrorist attacks of 11
September 2001 functioned as a catalyst for new (and far reaching) security demands
and arrangements. The second development is the increasing interconnectivity between
ICT-applications (including the so-called Internet of Things) and the dependency of
economic, societal and governmental processes on these applications, in other words:
the continuously emergent role of the digital domain, that is, of cyberspace. The latter
seems to have enabled activities that are (allegedly) necessary to effectively counter the
still-existing terrorist threat.38 Be that as it may, recent publications on the scale of
digital surveillance by States and commercial companies alike have brought the
dilemma of privacy versus security to the political agenda as well.39
The frameworks can be understood as the product of Zeitgeist, public opinion,
political attention, public demands, as well as (lack of) audacity and leadership. The
frameworks are tangible through (institutional and ad hoc) arrangements and govern-
mental organizations tasked with designated roles in cyberspace and cyber security.40
In democratic States adhering to the principle of the rule of law, these arrangements
and organizations, at least when exercising public authority (that may interfere with
civil liberties), will have a designated legal basis establishing the organizations and
arrangements in the very first place. In addition, these arrangements and organization
will have to execute their tasks and powers in accordance with legal regimes that are
applicable once these activities are conducted. The designated legal bases and legal
regimes are part of the legal framework that characterizes the various paradigms.
36
On the process of ‘securitization’ in the digital domain, e.g. Maarten Rothman and Theo
Brinkel, ‘Of snoops and pirates: Competing discourses of cybersecurity’ in Paul A Ducheine,
Frans Osinga and Joseph Soeters (eds.), Cyber Warfare: Critical Perspectives (TMC Asser Press
2012) 49.
37
This is the so-called garbage can explaining (bureaucratic and governmental) decision-
making processes.
38
Note that this threat is subject to debate itself. For instance by pointing out that there
have been few subsequent Al Qaida assaults after 9/11. Recently, The New York Times revealed
that the 2012 Benghazi attack on the US Embassy had no affiliation with Al Qaida. See David D
Kirkpatrick, ‘A deadly mix in Benghazi’ New York Times (28 December 2013) <http://
www.nytimes.com/projects/2013/benghazi/?smid=tw-share#/?chapt=0> accessed 12 September
2014.
39
For an overview of Edward Snowden’s revelations see ‘The NSA Files’, The Guardian
<www.theguardian.com/world/the-nsa-files> accessed 12 September 2014. For a critical note on
surveillance required to counter terrorism see TEDx Talks, ‘Living in a surveillance State
(Mikko Hyponen at TEDxBrussels, 1 November 2013)’ (YouTube, 1 November 2013) <http://
www.youtube.com/watch?v=lHj7jgQpnBM> accessed 2 January 2014.
40
Eric Luiijf and Jason Healey, ‘Organisational Structures and Considerations’ in Alexander
Klimburg (ed.), National Cyber Security Framework Manual (CCD COE 2012) 109–10.

9 / Date: 7/5
The rise of these frameworks and paradigms, is evident when analysing States’ cyber
security policies or strategies. Five paradigms and underlying frameworks can be
detected: internet governance and diplomacy, protection, law enforcement, (counter-)
intelligence,41 and military operations.42 They will be explored subsequently below.
Each of these paradigms provides a framework that represents public support, legal
bases, legal regimes, and institutional arrangements. More often than not, these frame-
works are used in a complementary manner. Taken together they enable cyber operations
throughout a wide and fluid spectrum, ranging from ‘the monitoring of governmental
networks by … CERTs, to active protection by shutting down sites once they are under
attack,’ followed by ‘criminal investigations into the source of the ‘attacks’ where criminal
activity was reasonably suspected’.43 These operations may be combined with ‘intelli-
gence operations to, inter alia, ascertain the nature of the threat posed and identify the
source of the threat, possibly resulting in a military response in situations which rise to the
level of a use of armed force by a foreign power or organized armed group, even resulting,
in exceptional cases, in participation in an armed conflict’.44
(a) Internet Governance and Diplomacy
Although this framework does not comprise actual cyber activities, Internet govern-
ance45 and diplomacy46 structure the paradigm applicable to national and international
efforts to shape and create governance in the digital domain.47 As cyberspace – unlike
physical domains – is characterized by a dominant role for non-State actors, both
private and non-governmental,48 the role of States is thus different compared to the
physical world, and to a certain extent rather limited,49 although not irrelevant.50 The
added value of States in this domain lies, inter alia, in the use of ‘classic’ instruments
such as bilateral or multilateral treaties,51 cooperation,52 as well as in their position in
41
Including counter-security.
42
See also Paul A Ducheine et al., ‘Towards a legal framework for military cyber
operations’ in Ducheine, Osinga and Soeters (n 36) 110.
43
As, for instance, in counter-terrorism, see ibid. 110.
44
See ibid.
45
For a definition of Internet governance see WSIS, ‘Tunis Agenda for the Information
Society (WSIS-05/TUNIS/DOC/6(Rev. 1)-E) (2005)’ (ITU 2005) para. 34 <http://www.itu.int/
wsis/docs2/tunis/off/6rev1.html> accessed 15 March 2014.
46
Heli Tiirmaa-Klaar, ‘Cyber diplomacy: Agenda, challenges and mission’ in Klimburg
(n 40).
47
Jovan Kurbalija, ‘E-diplomacy and diplomatic law in the internet era’ in Katharina
Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace International Law,
International Relations and Diplomacy (NATO CCD COE 2013).
48
Laura DeNardis, The Global War for Internet Governance (Yale University Press 2014) 1–2.
49
Luiijf and Healey (n 40) 127.
50
ICANN, ‘Who runs the internet?’ (2013) <http://www.icann.org/en/about/learning/
factsheets/governance-06feb13-en.pdf> accessed 14 March 2014; Ian Walden, ‘International
telecommunications law, the internet and the regulation of cyberspace’ in Ziolkowski (n 47).
51
E.g. Convention on Cybercrime (n 8).
52
E.g. NATO’s efforts through its cyber defence policy (NATO, ‘Chicago Summit Declar-
ation, Issued by the Heads of State and Government participating in the meeting of the North

10 / Date: 7/5
governmental and non-governmental bodies such as the EU,53 UN54 or ITU.55 It is fair
to say that State activities in the field of Internet governance are pro-active and
preventive in nature,56 and are part of States’ overall cyber security interests and
strategies.57
(b) Protection
The second paradigm for State activities in the cyber domain is related to the protection
of (critical) infrastructure.58 In part, this refers to ‘ordinary’ critical infrastructure such
as electricity or waterworks as far as this infrastructure is ‘controlled’ or processed
through cyberspace. Critical infrastructure protection (CIP) primarily refers to physical
protection against accidents, disasters, technical or human failure, and crime. Initially,
this was the domain of internal security. However, driven by terrorist assaults such as
9/11 (New York), Madrid and Bali, the notion of security has evolved and also
encompasses external and other security threats.
Cyber incidents in Estonia (2007) and the spread of the Stuxnet virus (2010) have
had their effect on CIP as well. Since many of the critical or vital services and
installations are controlled through, or depend on, cyberspace, security in the digital
domain is becoming ever more important.59 In addition, vulnerabilities in the digital
domain itself may be the focal point of (in)security issues, regardless of whether these
breaches had a human or technical trigger, or whether they are the result of accidental
or deliberate events. Serious cyber incidents may lead to major disturbances and
disruption of society.60
Protection as a paradigm refers to a range of State activities, varying from prevention
(legislation, imposing incentives for ‘hardening’, physical protection and technical
standards) to responding to security breaches. The establishment of CERTs is just one
of the examples. Looking at the nature of the critical infrastructure and that of
Atlantic Council in Chicago on 20 May 2012’ (Press Release (2012) 062, 20 May 2012)
<http://www.nato.int/cps/en/SID-8DB5C229-B80F4E08/natolive/official_texts_87593.htm?selected
Locale=en> accessed 15 December 2013).
53
E.g. Digital Agenda for Europe (COM(2010) 245 final/2 )’ (2010) <http://ec.europa.eu/
digital-agenda/digital-agenda-europe> accessed 11 December 2013.
54
E.g. UNGA, ‘The right to privacy in the digital age’ (19 December 2013) UN Doc
GA/11475.
55
ITU, ‘Global Cybersecurity Agenda’ (2007) <http://www.itu.int/osg/csd/cybersecurity/
gca/> accessed 15 February 2014. See e.g. WSIS (n 45).
56
Klimburg (n 40) 129.
57
E.g. ‘The Netherlands aims to develop a hub for expertise on international law and cyber
security’ (National Cyber Security Centre ‘National Cyber Security Strategy 2 – From awareness
to capability’ (25 October 2013) 10 <http://www.enisa.europa.eu/activities/Resilience-and-CIIP/
national-cyber-security-strategies-ncsss/NCSS2Engelseversie.pdf> accessed 15 March 2014).
58
Protection is thus one perspective in order to promote the wider notion of overarching
‘security’.
59
The Stuxnet virus was designed to infect a so-called Industrial Control System (ICS) that
was not connected with Internet.
60
On a critical note however, e.g. Sean Lawson, ‘Beyond cyber-doom: Cyber attack
scenarios and the evidence of history (reprint)’ in Ducheine and others (n 42) 277.

11 / Date: 7/5
cyberspace in particular, it is evident that public-private cooperation is a prerequisite

for States in order to ensure effective (implementation of) cyber security policy.
Of particular interest is the issue of ‘governance’ in protective perspective. Various
ideas, i.e. ‘notice and take down’, have been proposed and criticized, demonstrating the
delicate equilibrium in the public-private domain as these ideas require support from
essential private partners.61
Although some legal and legislative issues are covered by other paradigms (e.g. law
enforcement and military operations) it is fair to say that the role of protective powers
and countermeasures is not as sophisticated in cyberspace as they are in other domains.
To date, more than once, States have enacted legislation empowering private security
companies in the physical world to provide armed services.62 Security is thus – once
more – no longer the exclusive domain of State actors. As mentioned above, some
commercial enterprises are rather active in cyberspace as well. Internet service
providers (ISPs) and other digital services alike, play a pivotal role in this paradigm as
well. Where consumers and organizations (small and large) fail to secure their ICT
systems in an effective manner, these services are at the front of fighting spam,
malware or unauthorized intrusions.63
However, apart from the other arrangements relating to law-enforcement, intelligence
or military operations paradigm, State and private contractors usually lack powers to
actually execute cyber operations from a protective perspective. Interestingly, these
powers frequently have been made available in the realm of physical security, for
instance in the field of guarding military infrastructure.64 Paradoxically, Dutch military
guards may thwart an attack against physical military infrastructure, even with the use
of lethal force,65 whereas the Dutch Defence CERT is not empowered to use digital
force to repel or stop cyber attacks against MoDs digital infrastructure and data,
including networks. Until now, such defensive measures, or to put it alternatively, cyber
operations, would be the exclusive realm of other – additional – paradigms.
(c) Law Enforcement
Law enforcement is (thus) one of those alternative paradigms for States, providing for
preventive measures by penalizing cyber crime, repressive measures by empowering
law enforcement agencies to conduct investigations and so forth. The law enforcement
61
See e.g. ‘Notice and takedown policy’ (British Library) <http://www.bl.uk/aboutus/terms/
notice/> accessed 18 March 2014.
62
E.g. in the field of counter-piracy: see Bibi van Ginkel, Frans-Paul van der Putten and
Willem Molenaar, State or Private Protection against Maritime Piracy? A Dutch Perspective
(Clingendael Centre for International Relations 2013).
63
E.g. the ISP Code of Practice and the identification of compromised customer systems in
Australia: Australian Government Attorney-General’s Department ‘Cyber Security Strategy’
<http://www.ag.gov.au/RightsAndProtections/CyberSecurity/Pages/default.aspx> accessed 15
December 2013.
64
See Ducheine and others (n 42) 114–15. For an European overview of such powers see
Georg Nolte (ed.), European Military Law Systems (De Gruyter Verlag 2003).
65
Article 1 of the Act on the Use of Force by Guards of Military Objects (in: Staatsblad
2003, 134).

12 / Date: 7/5
paradigm ‘comprises a wide set of organisations’ at various levels, i.e. national and
international,66 local and national, and various governmental agencies and depart-
ments.67 To be effective, public-private partnership may be required, as well as
cooperation with national (and other) CERTs and public-private Information Sharing
and Analysis Centres, as well as intelligence and security services.
Apart from (harmonizing and) penalizing cyber crime, enforcement powers in the
digital domain require amendments as well. To date, even ‘classic’ crime investigations
heavily rely on digital investigative techniques, as physical pieces of evidence are
increasingly superseded by digital ones.68 When cyber crime is involved, additional
enforcement and investigative powers will be essential to enhance effective policing
and prosecuting.69 Thus, States are in the process of drafting additional legislation, e.g.
the Netherlands,70 the UK71 and others.72
As in any other domain, powers to execute cyber activities for law enforcement
purposes, will require public support, at least political support, resulting in legislation
providing the legal basis and the applicable legal rules or a code of conduct (i.e. legal
regimes). The legal framework is a common requirement derived not only from the
principles of democratic States, but also from obligations enshrined in international
human rights treaties or customary law.73
Apart from the delicate issues of balancing intrusive powers with human rights,
especially privacy and freedom of expression, the other main dispute concerns the
66
Tiirmaa-Klaar (n 46) 520.
67
Luiijf and Healey (n 40) 122, referring to ‘mandates’ instead of paradigms. See also
Kastner and Mégret (Ch 9 of this book).
68
For a plea to support amendments in this respect: ‘Breaking the backlog of digital
forensic evidence’ (Fox-IT) <www.fox-it.com/en/news/breaking-the-backlog-of-digital-forensic-
evidence/> accessed 15 September 2014.
69
Bert-Jaap Koops, ‘Cybercrime legislation in the Netherlands – Country report for the
18th International Congress on Comparative Law’ (session ‘Internet Crimes’, Washington DC,
25-31 July 2010) <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1633958> accessed 15
September 2014.
70
For the Netherlands: a preliminary draft of the proposal on Cyber Crime III was
published in the beginning of 2013, see Blommestein (n 9). The draft-proposal was due to be
presented to Parliament in the beginning of 2014. The draft (in Dutch) can be found at
<https://www.internetconsultatie.nl/computercriminaliteit/document/726> accessed 15 March
2014. The draft hasn’t been released yet (Spring 2015).
71
For the (rejected) UK amendment to the Regulation of Investigatory Powers Act (RIPA)
2000, see Home Office, Draft Communications Data Bill (Policy Paper, Cm 8359). For US
ideas: Dennis C. Blair and Jon M. Huntsman, ‘The IP Commission Report – The Commission
on the Theft of American Intellectual Property’ (The Commission on the Theft of American
Intellectual Property by The National Bureau of Asian Research, May 2013) <http://
www.ipcommission.org/report/IP_Commission_Report_052213.pdf> accessed 15 March 2014;
on the Cyber Intelligence Sharing and Protection Act (CISPA) see Mark Jaycox and Kurt
Opsahl, ‘CISPA is back: FAQ on what it is and why it’s still dangerous’ (EFF, 25 February
2011) <https://www.eff.org/cybersecurity-bill-faq> accessed 31 December 2013
72
The Explanatory Note (Dutch: ‘Memorie van Toelichting’) to the Dutch preliminary draft
proposal, refers to the situation in Belgium (Dutch: Wet inzake informatiecriminaliteit, Wet van
28 november 2000, Belgisch Staatsblad, 3 februari 2001, nr. 2909), France and Germany.
73
On human rights and cyberspace see Fidler (Ch 5 of this book).

13 / Date: 7/5
extra-territorial application of these law enforcement powers.74 Public international law

principles such as non-intervention and the sovereign rights of States will be major
points of reference in this respect.75
(d) Intelligence and Counter-intelligence
Apart from, and in addition to the law enforcement paradigm, States also rely on a
classic security paradigm called intelligence (and counter-intelligence), including
espionage76 and countering security threats through intelligence and security opera-
tions. Depending on institutional and constitutional arrangements, States have essen-
tially similar tasking for their intelligence and security services. Their primary function
is to gather and analyse information about threats directed against the State and its
population.77 This is based on, and is executed in accordance with applicable law and
political guidance. Collecting information in and through cyberspace is complementary
to the existing set of capabilities being used by these services.78
After the terrorist attacks of 2001, 2004 and 2005 (New York, Madrid, London),
legislation has been amended (or at least drafted and proposed) to (more) effectively
counter the terrorist threat.79 This legislation also includes powers (and regulations) to
gather information (or intelligence) through cyberspace, hence it includes cyber
operations.80 Amendments and supplements to existing legal bases for these powers and
activities, have been the result of a successful attempt to use the window of opportunity
after 9/11. However, as a result of the joint revelations of whistle-blowers, journalists
and activists, these powers and applicable regimes are now up for public scrutiny and
legal review.81 This public and political attention will be of influence to (future) cyber
74
E.g. the Dutch preliminary draft proposal refers – rather briefly – to this controversial
issue by stating ‘much will depend on the nature of the actual cyber enforcement activity [i.e.
hacking back] whether or not public international law will legitimize the conduct of the law
enforcement agencies’ [Translation PD].
75
On non-intervention, sovereignty and counter-measures short of force, see respectively
Terry D Gill, ‘Non-intervention in the cyber context’ in Ziolkowski (n 47); Benedikt Pirker,
‘Territorial sovereignty and integrity and the challenges of cyberspace’ in Ziolkowski (n 47);
Schmitt (n 21). See also Roscini (Ch 11 of this book).
76
77
Adian Wills, Guidebook Understanding Intelligence Oversight (DCAF 2011) 11 <http://
www.dcaf.ch/layout/set/print/content/view/full/36701> accessed 15 September 2014.
78
Klimburg (n 40) 124.
79
E.g., in the US, this involves the Patriot Act (2001), the Protect America Act (PAA) of
2007 and the FISA (Foreign Intelligence Surveillance Act) Amendment Act 2008 (FAA 2008),
see Joris van Hoboken, Axel Arnbak and Nico van Eijk, ‘Obscured by clouds or how to address
governmental access to cloud data from abroad’ (9 June 2013) 5 <http://www.ivir.nl/
publications/vanhoboken/obscured_by_clouds.pdf> accessed 2 January 2014.
80
See Tsagourias (Ch 1 of this book).
81
For an overview of the Snowden revelations, supported by the lawyer-journalist Glenn
Greenwald, Laura Poitras, and publications in the Guardian and Der Spiegel, see e.g. Coderman,
‘Recent Der Spiegel coverage about the NSA and GCHQ’ (Liberationtech, 2 January 2014)
<https://mailman.stanford.edu/pipermail/liberationtech/2014-January/012498.html> accessed 15
September 2014. For the US report on these issues: Richard A Clarke and others, ‘Liberty and

14 / Date: 24/3
operations and renew, inter alia, the debate regarding necessity, effectiveness, human
rights and so on.82
It is illustrative to examine the Dutch intelligence landscape in this respect. The
General Intelligence and Security Service (AIVD) and the Military Intelligence and
Security Service (MIVD) are authorized through the Intelligence and Security Services
Act 2002 (Wiv 2002) to intercept, store and search telecommunications, to gain access
to their content, and to ‘hack’ computer and/or computer based systems.83 Although
they are empowered to intercept traffic (i.e. non cable-bound telecommunications) en
masse, as well as to intercept designated (cable and non-cable bound) telecommunica-
tions, they lack the power to intercept cable-bound communications en bloc.84 To date
however, as the majority of our communication is enabled by cable-bound infrastruc-
ture, this additional power is highly appreciated by the services (and government). In a
recent report, an evaluating committee, confirmed these needs and proposed the
attribution of such (and additional supervisory) powers to relevant agencies.85 However,
as a result of the current public scrutiny of such operations, it will be far from certain
that these amendments will be enacted (in the near future).86
Although most tasks for intelligence services are defensive in nature, a pro-active
stance is also possible. Some States permit their intelligence services ‘to exploit the
information for other purposes, or directly intervene in order to prevent threats from
(re)occurring’.87 The earlier mentioned Stuxnet virus is probably one of the best-known
cases in this respect. Actions undertaken by intelligence services to counter cyber
threats – i.e. counter-intelligence and counter-measures – are in a furtherance of those
that can be found within the protective paradigm, or could be the start of a cyber
operation that fits within the military (covert) paradigm.
Apart from national legislation, intelligence gathering is the subject of international
legal attention as well.88 Although no prohibition of cyber activities per se of cyber
espionage exists in international law, it is clear the intelligence activities in or through
security in a changing world – Report and recommendations of The President’s Review Group
on Intelligence and Communications Technologies’ (12 December 2013) <http://www.
whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf> accessed 14 January
2014.
82
E.g. Dinah PoKempner, ‘Cyberspace and State obligations in the area of human rights’ in
83
Ministerie van Binnenlandse Zaken, ‘Interception of telecommunications by the
AIVD: rules and regulations’ (2013) <https://www.aivd.nl/english/publications-press/@3033/
interception/> accessed 30 December 2013.
84
Articles 24–27 Wiv 2002. See also Ducheine et al., (n 42) 114; and ibid.
85
CWM Dessens, ‘Evaluatie Wet op de inlichtingen- en veiligheidsdiensten 2002 – Naar
een nieuwe balans tussen bevoegdheden en waarborgen’ (2002) <https://www.aivd.nl/publish/
pages/2564/rapport_commissie-dessens_evaluatie_wiv_2002.pdf> accessed 31 December 2013.
86
In face of the opposition as expressed by i.e. Academics against Surveillance, ‘Academics
against Mass Surveillance’ (2013) <http://academicsagainstsurveillance.net/> accessed 31
December 2013.
87
Klimburg (n 40) 124, referring to Cabinet Office, ‘Cyber Security Strategy of the United
Kingdom. Safety, security and resilience in cyber space’ (Policy Paper, 25 November 2011)
<https://www.gov.uk/government/publications/cyber-security-strategy> accessed 1 January 2014.
88

15 / Date: 7/5
cyberspace (cyber operations) may affect various national jurisdictions in a number of

ways. In addition to the fact that the operations may qualify as criminal offences
according to domestic criminal codes, they may also involve violations of civil law,
international private law (intellectual property rights) and trade law.89 Moreover, public
international law may be implicated in a number of ways.90 First of all, diplomatic law
is of relevance here. But more importantly, some of the general principles of
international law, i.e. immunity, State sovereignty, non-intervention as well as the
prohibition on the use of force have an effect on the legal framework within this
paradigm.91 Compared to classic intelligence activities, the extraterritorial dimension,
and thus the international law ramifications are more pronounced as cyber infrastruc-
ture is situated in various jurisdictions and States.92
(e) Military Operations
The last – and in some respects the most extreme – paradigm for States is the one that
could be characterized as military operations.93 The paradigm (and military operations)
comprises: (a) warfare proper (the conduct of military operations within the framework
of armed conflict); and (b) ‘operations other than war’ including peace support (and
enforcement) operations related to conflict, but outside the framework of armed
conflict.94
Military cyber operations, quite often referred to as ‘cyber warfare’ in its generic
meaning, have been preliminary defined95 as the ‘employment of cyber capabilities
with the primary purpose of achieving [military] objectives in or by the use of
cyberspace’.96 These military objectives are translations of a State’s strategic objectives.
This definition is rather broad.
89
David P Fidler, ‘Economic cyber espionage and international law: Controversies involv-
ing government acquisition of trade secrets through cyber technologies’ (2013) 17 A.S.I.L.
Insights 1, 2. See generally on espionage and international law, Simon Chesterman, ‘The spy
who came in from the Cold War: Intelligence and international law’ (2006) 27 Michigan J. Int’l.
L. 1071. On Cyberspace and Intellectual Property Rights see Rahmatian (Ch 4 of this book).
90
Katharina Ziolkowski, ‘General principles of international law as applicable in cyber-
space’ in Ziolkowski (n 47) 169; Pirker (n 75) 202; Gill (n 76) 224; Katharina Ziolkowski,
‘Peacetime cyber espionage – New tendencies in public international law’ in Ziolkowski (n 47)
425.
91
See Roscini (Ch 11 of this book) and Focarelli (Ch 12 of this book).
92
See also Kohl (Ch 2 of this book).
93
For reasons of clarity and for the purpose of this contribution, the author refrained from
using ‘warfare’ in its more generic meaning: the art of conducting military operations (including
i.a. warfare proper).
94
For an illustrative summary of these operations, see Terry D. Gill and Dieter Fleck, The
Handbook of the International Law of Military Operations (OUP 2010).
95
See Cyberspace and General Principles of International Law (Part I of this book).
96
Michael N Schmitt (ed.) Tallinn Manual on the International Law Applicable to Cyber
Warfare: Prepared by the International Group of Experts at the Invitation of the NATO
Cooperative Cyber Defence Centre of Excellence (CUP 2013), 258, referring to this notion as
‘cyber warfare’.

16 / Date: 7/5
Others definitions are more specific, e.g. the Dutch Advisory Council on Inter-
national Affairs (AIV) and Advisory Committee on Issues of Public International Law,
in their joint advice to the Netherlands Government, meaning: ‘the conduct of military
operations to disrupt, mislead, modify or destroy an opponent’s computer systems or
networks by means of cyber capabilities’.97 This rather specific and enemy centric
definition refers to three key criteria:
+ the presence of a military operation aimed at achieving a political or military

advantage;
+ the causing of damage to the opponent’s [sic] cyber infrastructure; and
+ the use of cyber capabilities (since computer systems can also be destroyed using
kinetic capabilities).98
The UK-based Chatham House steers away from this enemy-centric definition and
applies a more liberal – at least from a legal and law of armed conflict point of view –
characterization, concluding that ‘cyber warfare [sic] can enable actors to achieve their
political and strategic goals without the need for armed conflict’.99
Taking note of contemporary military doctrine, the military – alongside economic
power, diplomatic power and information – are comprehensively used as one of the
instruments of State powers to achieve goals by influencing actors through the
application (or threat) of ‘fighting power’.100 Hence, the actors to be influenced could
be opponents or enemies, however, neutral actors will be encouraged to stay (at least)
neutral or even persuaded to partner with the military, whilst supportive actors will be
encouraged to remain supportive.101 The military is thus instrumental to the State’s
strategic interests and goals, providing for a number of strategic functions: anticipation,
prevention, deterrence, protection, intervention, stabilization, and normalization.102
97
Advisory Council on International Affairs and Advisory Committee on Issues of Public
International Law, ‘Cyber Warfare (report no. 77/22, 2011)’ 9 <www.aiv-advice.nl> accessed 31
December 2012, also using ‘cyber warfare’.
98
Ibid. 9.
99
Paul Cornish et al., ‘On cyber warfare’ (A Chatham House Report) 37 <http://www.
chathamhouse.org/sites/default/files/public/Research/International%20Security/r1110_cyberwar
fare.pdf> accessed 1 January 2012, preceded by a definition: ‘Cyber warfare can be a conflict
between States, but it could also involve non-State actors in various ways. In cyber warfare it is
extremely difficult to direct precise and proportionate force; the target could be military,
industrial or civilian or it could be a server room that hosts a wide variety of clients, with only
one among them the intended target’.
100
E.g. UK Ministry of Defence, ‘Joint Doctrine Publication 0-01 (JDP 0-01) (4th edn.)’
(November 2011) 4-1 <https://www.gov.uk/government/uploads/system/uploads/attachment_
data/file/33697/20111130jdp001_bdd_Ed4.pdf> accessed 17 March 2014.
101
E.g. Ducheine and van Haaster (n 2).
102
David Jordan et al., Understanding Modern Warfare (CUP 2008). E.g. Ministerie van
Defensie, ‘Netherlandse Defence Doctrine’ 37 <http://www.defensie.nl/binaries/defensie/
documenten/publicaties/2013/11/20/defence-doctrine-en/defensie-doctrine_en.pdf> accessed 12
September 2014. In a similar way: US Department of Defense, ‘Doctrine for the Armed Forces
of the United States (Joint Publication 1) (updated 25 March 2013, Joint Chiefs of Staff 2013),

17 / Date: 24/3
In conclusion, cyber operations are characterized by the employment of cyber

capabilities with the primary purpose of achieving military objectives by influencing
actors in or by the use of cyberspace.
The military operations paradigm in kinetic and cyber situations alike, provides an
institutional framework guaranteeing social legitimacy (public support),103 as well as
legal legitimacy or legality:104 a proper legal basis to launch operations,105 and
adherence to the applicable legal regimes for the conduct of operations.106 As in any
other military operation, an ‘adequate’ legal basis is required before it is decided upon
and undertaken.107 Legal regimes refers to those rules that are applicable once an
operation commences.108 One could think of the law of armed conflict (hereafter:
LOAC), human rights law, and military codes.109 In addition, although they do not
qualify as ‘law’ proper, operational and political guidelines governing the use of force,
known as Rules of Engagement (ROE), national caveats, or Tactical Directives et al are
considered to be part of the ‘legal regimes’. Both legal bases and legal regimes make
I–10 – I–11. UK Ministry of Defence (n 101) 1–8 – 1–11 – quoting Field Marshal Viscount
Alanbrooke – uses the term Military Strategy, being the:
art to derive from the [policy] aim a series of military objectives to be achieved: to assess
these objectives as to the military requirements they create, and the pre-conditions which the
achievement of each is likely to necessitate: to measure available and potential resources
against the requirements and to chart from this process a coherent pattern of priorities and a
rational course of action.
103
The UK and Dutch doctrines use ‘legitimacy’ as an overarching framework: UK Ministry
of Defence (n 100) 1–22, ‘Legitimacy encompasses the legal, moral, political, diplomatic and
ethical propriety of the conduct of military force’; and Ministerie van Defensie (n 102) 99,
‘Legitimacy has a legal and an ethical side. Legal legitimacy primarily requires a legal basis for
the mission. Secondly, legitimacy is based on the observance of rules that apply during the
mission’.
104
See Paul A Ducheine and Eric H. Pouw, ‘Legitimizing the use of force: Legal bases for
operation enduring freedom and ISAF’ in Jan van der Meulen et al. (eds.), Mission Uruzgan:
Collaborating in Multiple Coalitions for Afghanistan (Amsterdam University Press 2012) and
Paul A. L. Ducheine and Eric H. Pouw, ‘Controlling the use of force: Legal regimes’ in Jan van
der Meulen et al. (eds.), Mission Uruzgan: Collaborating in multiple coalitions for Afghanistan
(Amsterdam University Press 2012), both available on <http://www.uva.nl/binaries/content/
documents/personalpages/d/u/p.a.l.ducheine/nl/tabblad-twee/tabblad-twee/cpitem%5B8%5D/asset>
105
This is normally a prerogative of the Executive branch, see Sascha Hardt, Luc Verhey and
Wytze van der Woude (eds.), Parliaments and Military Missions (Europa Law Publishing 2012)
and Nolte (n 64).
106
Legal basis and legal regimes are covered by the denominator of ‘legality’: UK Ministry
of Defence (n 100) 1–22.
107
Ducheine and others (n 42) 112. See also Roscini (Ch 11 of this book); Focarelli (Ch 12
of this book).
108
Some LOAC rules even apply before operations are launched: e.g. regarding the
dissemination of LOAC and the employment of legal advisors.
109
See Arimatsu (Ch 15 of this book); Bannelier (Ch 16 of this book); Gill (Ch 17 of this
book).

18 / Date: 7/5
up the legal framework for military cyber operations, covering the whole spectrum of
(pro-)active, passive, offensive and defensive cyber operation.110
(f) Law Enforcement – Intelligence – Military Operations
Cyber activities within the law enforcement, intelligence and military operations
paradigm, apart from their unique legal and institutional framework share more than
just the mere existence of that framework. Moreover, in addition to the fact that these
three paradigms involve the explicit authorization for the use of governmental powers
that may interfere with the rights and liberties of citizens, in more than one respect,
these paradigms will use the common means and methods, the same vectors, some
standard form of phasing, and more or less the same type of personnel. These
similarities will be analysed in the subsequent section. As mentioned, the primary focus
will be on State activities.
5. OPERATIONALIZING CYBER OPERATIONS

As was evident from the description of the paradigms on the State level, the three of
them share similarities as they rely on common skills, knowledge, techniques and
tactics, capacities and capabilities, in other words in means and methods. Notwithstand-
ing the fact that law enforcement, intelligence and military operations are governed by
distinct frameworks and paradigms, thus serving different ends and objectives, a
common model to (describe and thus) operationalize cyber operations is available. This
descriptive six-phased model is useful in explaining the modus operandi of (a number
of) cyber operations.
Although the model itself may be helpful to understand cyber operations in general,
it remains crucial to realize that the designated paradigm is of influence for the
objectives of the operations defined, and thus for the effects that are to be achieved
through these operations.111 The model comprises six phases that – in full or in part –
may characterize and describe a typical cyber operation:112
110
Ducheine and others (n 42) 112.
111
To some extent, activities and actors that have not received detailed attention so far, e.g.
cyber crime/criminals or hactivism/hacktivists, ‘follow’ this model as well.
112
Various descriptions are used, e.g. Lech J. Janczewski and Andrew M. Colarik, Cyber
Warfare and Cyber Terrorism (Information Science Reference 2008) 121; Tom Olzak, ‘The five
phases of a successful network penetration’ (TechRepublic, 16 December 2008) <http://www.
techrepublic.com/blog/it-security/the-five-phases-of-a-successful-network-penetration/701/> ac-
cessed 17 March 2014, both using five; Jason Andress and Steve Winterfeld, Cyber Warfare:
Techniques, Tactics and Tools for Security Practitioners (Syngress 2011) 171, using nine (plus
one: obfuscating). Markus Maybaum, ‘Technical methods, techniques, tools and effects of cyber
operations’ in Ziolkowski (n 47) 103, uses seven (based on Irving Lachow, ‘Active cyber defence
– A framework for policymakers’ (Center for a New American Security Policy Brief , February
2013) <http://www.cnas.org/files/documents/publications/CNAS_ActiveCyberDefense_Lachow_
0.pdf> accessed 15 September 2014; This concept was originally presented in Eric M Hutchins,
Michael J Cloppert and Rohan M Amin, ‘Intelligence-Driven Computer Network Defense

19 / Date: 7/5
+ reconnaissance,
+ design,
+ intrusion,
+ action,
+ camouflage, and
+ exfiltration.
Subject to the particular purpose of the operation, one or more of the phases can be
expected. During an intelligence operation with the objective to scan the infrastructure
of other actors, an initial operation may be limited to scanning ports, thus the
operations will have one phase only: reconnaissance. With the information thus
gathered, a more targeted operation may be designed to gather additional information
on the hardware and software configuration of the actor’s ICT system, encompassing
all phases, with again an intelligence objective. Based on the collected information
(taken together with other sources) a supplementary law enforcement operation could
be started to gather criminal evidence, again going through all of the seven phases. In
addition, as a spin-off of the two operations, a designated military operation could be
drafted as well, again using one of more of the phases described.
It will be evident that these three examples will be governed by their respective
paradigmatic framework, including the legal frameworks. All three operations, will
require an objective (end), will need means (operators and tools), and will use methods
requiring a plan, an addressee (or ‘target’), techniques tactics and skills.113 For military
operations, these elements are not fully covered by military doctrine (yet). Without
going into details, these rather ‘novel’ operations are therefore briefly described
below.114
6. OPERATIONALIZING MILITARY CYBER OPERATIONS

The military instrument of power will be used to achieve strategic objectives (of
various kinds). Whether employed unilaterally or in a comprehensive manner together
with other instruments of power, allies and relevant stakeholder to address (for
instance) a conflict, the military plans and executes operations to influence other actors.
Obviously, these actors may be opposing forces, but more generically, these actors may
Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains’ (6th Annual
International Conference on Information Warfare and Security, Washington, March 17–18, 2011)
<http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-
Paper-Intel-Driven-Defense.pdf> accessed 15 September 2014. This discussion of the kill-
chain concept is also informed by MITRE Corporation, ‘Active defense strategy for cyber’
(July 2012); Charles Croom, ‘The cyber kill chain: A foundation for a new cyber security
strategy’ (2010) 6(4) High Frontier 52–6.
113
In general, this also holds true for cyber activities with a hacktivist or criminal purpose.
114
Using a model derived from: Paul A Ducheine and Jelle van Haaster, ‘Cyber-operaties en
militair vermogen’ (2013) 182 Militaire Spectator 368, 387, see also Ducheine and van Haaster
(n 2).

20 / Date: 7/5
also be friendly/supportive or neutral actors.115 The military instrument, or, as referred

to in doctrine, ‘fighting power’ comprises three components: conceptual, moral and
physical (see Figure 10.1).
Physical dimension
Objects
Effect Physical
Physical component
Persons
component
Conceptual Moral
component component Moral Conceptual
Psyche
component component
Cyber Effect
identity
Cyber
object
Virtual dimension
© van Haaster and Ducheine, 2014.
Figure 10.1 Fighting power in cyber operations

Through military operations, designed to achieve designated effects for strategic
objectives, other actors are affected by alterations in their sources of power, either
disruptively or constructively. Military operations – including cyber operations – will
be directed ‘against’ the fighting power of another actor in order to achieve these
effects. The addressees or ‘targets’ of these operations may be found in the physical
(personnel, tangible objects, materiel and infrastructure) or virtual dimension. The latter
comprises the psyche of personnel and information in general. By supporting actors
with training, equipment or information, the physical, moral and conceptual component
of their fighting power will increase, whereas attacking personnel, objects and
manipulating information will decrease the (coherence between the) components of
fighting power.
Characteristic for cyberspace are – apart from the physical layers containing
geographic locations, persons and tangible objects/materiel/infrastructure – two layers
representing virtual elements.116 First, the cyber persona layer contains cyber identities,
i.e. the virtual reflection of persons, e.g. e-mail addresses, Facebook-accounts, etc.
Secondly, the logical network layer contains what could be called cyber objects (as a
contrast to tangible objects in the physical dimension), e.g. applications (software or
code) and IP-addresses e.a. Although all physical layers (geography, physical infra-
structure and persons) can be affected (or targeted) as in any other operation, the
uniqueness of cyber operations lies in the fact that the virtual dimension (as in
115
For references, see Joint Doctrine Publications of various States, e.g. Ministerie van
Defensie (n 102); US Department of Defense (n 102); UK Ministry of Defence (n 100). For a
detailed analysis see Ducheine and van Haaster (n 2).
116
See Tsagourias (Ch 1 of this book).

21 / Date: 7/5
Information Operations) offers new opportunities to influence actors. By addressing (or

targeting) the cyber persona layer (i.e. cyber identities) and the logical network layer
(i.e. cyber objects), disruptive and constructive effects can be achieved through cyber
operations.
Conceptually, although thorny questions have arisen, which remain to be addressed,
the operational processes for physical or kinetic military operations and cyber opera-
tions are similar. This is also the case for the military process called ‘targeting’,117
through which objectives are stated, potential targets selected, the available means are
listed and evaluated with an eye to effectiveness and collateral consequences, the means
are designated and prepared, and the action is executed and evaluated.118
Evidently, this brief conceptual description of military cyber operations is not unique
for the military paradigm, as its operationalization can be used by analogy in other
operations as well. What remains exclusive, though, for military cyber operations, is the
paradigm and the (legal) framework that is authorizing and governing these activities.
Unlike other paradigms, the (strategic) objectives defined are the most far reaching (or
extreme) in its ends, means and effects.
7. CONCLUSION
This chapter set out to examine the phenomenon of cyber operations as a common
denominator for cyber activities and analysed differences in strategic or ‘corporate’
objectives (for States and non-States alike), the similarities in terms of means to
achieve those objects and the ways those means are employed on the operational level
(of States and non-State actors). Moreover, five distinct paradigms are used to shape
cyber activities on the State level. Three of those paradigms provide the legal basis for
governmental powers that may interfere with human rights and privileges: law
enforcement, intelligence and military operations. The latter paradigm represents the
most far-reaching framework for governmental action.
Having said that, it is noteworthy to add that cyberspace and its actors are influenced
by military jargon. Notwithstanding the idiom used – think of attacks, targeting,
cyberwar – the majority of cyber activities are of a non-military nature. However, it
appears that the main actors in cyberspace are intelligence agencies (governmental) or
enterprises (corporate), and criminals (varying from individual to organized crime), and
that the main objectives of cyber operations are sabotage, espionage, subversion,119 and
crime!
117
William H Boothby, The Law of Targeting (OUP 2012) 378 ff.
118
E.g. Robert Fanelli and Gregory Conti, ‘A methodology for cyber operations targeting
and control of collateral damage in the context of lawful armed conflict’ in Christian Czosseck,
Rain Ottis and Katharina Ziolkowski (eds.), Proceedings of the 4th (2012) International
Confrence on Cyber Conflict (CCD COE 2012) <http://www.ccdcoe.org/publications/2012
proceedings/5_5_Fanelli&Conti_AMethodologyForCyberOperationsTargeting.pdf> accessed on
12 September 2014.
119
See National Cyber Security Centre (n 1) and Thomas Rid, ‘Cyber war will not take
place’ (2012) 35 J. of Strategic Studies 5.

22 / Date: 7/5
11. Cyber operations as a use of force

Marco Roscini *
1. INTRODUCTION
Article 2(4) of the UN Charter famously provides that ‘[a]ll Members [of the United
Nations] shall refrain in their international relations from the threat or use of
force against the territorial integrity or political independence of any state, or in any
other manner inconsistent with the Purposes of the United Nations’. This provision is
generally considered to reflect customary international law and, at least with
regard to its core, also jus cogens.1 It is generally accepted that the fact that Article
2(4) was adopted well before the Information Age does not necessarily prevent
its application to cyber operations.2 States and international organizations that
have affirmed the applicability of the existing rules on the use of force in the
cyber context include Australia,3 Hungary,4 China,5 Cuba,6 the European
* This chapter is based on and updates considerations developed in the author’s book Cyber
Operations and the Use of Force in International Law (OUP 2014) 44–67, and takes into
account events and law as of March 2014.
1
The customary nature of art 2(4) has been recognized by the International Court of
Justice (ICJ) in Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US)
(Merits, Judgment) [1986] ICJ Rep. 1986 [Nicaragua Case] paras 187–90. See also Legal
consequences of the construction of a wall in the occupied Palestinian territory (Advisory
Opinion) [2004] ICJ Rep. 2005 para. 87. Several authors have argued that only the core
prohibition contained in art 2(4), that of aggression, is a peremptory norm of general
international law (Roberto Ago, Addendum to the Eighth Report on State Responsibility (1980)
II/1 Yearbook of the ILC 44; Rein Müllerson, ‘Jus ad bellum: Plus Ça Change (Le Monde) Plus
C’Est la Même Chose (Le Droit)?’ (2002) 7 J. Conflict & Sec. L. 149, 169; Natalino Ronzitti,
Diritto internazionale dei conflitti armati (4th edn., Giappichelli 2011) 33.
2
The US Department of Defense defines ‘cyberspace operations’ as ‘[t]he employment of
cyberspace capabilities where the primary purpose is to achieve objectives in or through
cyberspace’ (US Department of Defense, Dictionary of Military and Associated Terms (Joint
Publication 1–02, 8 November 2010, as Amended Through 15 March 2014) 64 <http://www.
dtic.mil/doctrine/new_pubs/jp1_02.pdf> accessed 15 March 2014).
3
UNGA ‘Developments in the field of information and telecommunications in the context
of international security’ (15 July 2011) UN Doc A/66/152 6.
4
‘Welcome speech by János Martonyi, Minister of Foreign Affairs of Hungary’ (Budapest
Conference on Cyberspace, Opening Session, 4 October 2012) <www.cyberbudapest2012.hu/
welcome-speech-by-janos-martonyi-hungarian-minister-of-foreign-affairs> accessed 15 March
2014.
5
Li Zhang, ‘A Chinese perspective on cyber war’ (2012) 94 I.R.R.C. 801, 804.
6
UN Doc A/57/166/Add.1, 29 August 2002, 3.
233
1 / Date: 7/5
Union,7 Iran,8 Italy,9 Mali,10 the Netherlands,11 Qatar,12 the Russian Federation,13 the
UK,14 and the United States.15 On the basis of the views submitted by UN member
States, the 2013 Report of the Group of Governmental Experts set up by the UN
General Assembly to examine threats in cyberspace also found that ‘[i]nternational
law, and in particular the Charter of the United Nations, is applicable and is essential
to maintaining peace and stability and promoting an open, secure, peaceful and
accessible ICT [Information and Communications Technologies] environment’.16
For Article 2(4) and its customary counterpart to apply to cyber operations, however,
three conditions must be met: 1) the cyber operation needs to be attributed to a State:
conduct by private individuals or armed groups does not fall within the scope of the
provision, not even when it results in damage comparable to that caused by States;
2) the cyber operation must amount to either a ‘threat’ or a ‘use of force’; 3) the threat
or use of force must be exercised in the conduct of ‘international relations’. As to the
first condition, the problems concerning the identification of the origin and the
attribution of cyber operations to States are well-known and are probably the main
obstacle to the application of Article 2(4) in the cyber context. They are however
7
Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace
(JOIN(2013) 1 final, 7 February 2013) 15–16 <http://ec.europa.eu/information_society/
newsroom/cf//document.cfm?doc_id=1667> accessed 15 March 2014. See also ‘Speech by EU
High Representative Catherine Ashton on Cyber security: an open, free and secure Internet’
(SPEECH/12/685, Budapest, 4 October 2012) 3 <http://europa.eu/rapid/press-release_SPEECH-
12-685_en.htm> accessed 15 March 2014.
8
Alireza Miryousefi and Hossein Gharibi, ‘View from Iran: World needs rules on
cyberattacks’ (The Christian Science Monitor, 14 February 2013) <www.csmonitor.com/
Commentary/Opinion/2013/0214/View-from-Iran-World-needs-rules-on-cyberattacks-video> ac-
cessed 15 March 2014.
9
Governo Italiano, La posizione italiana sui principi fondamentali di Internet (17
September 2012) 5 <www.governo.it/backoffice/allegati/69257-8014.pdf> accessed 15 March
2014.
10
UNGA, ‘Developments in the field of information and telecommunications in the context
of international security (Addendum)’ (9 September 2009) UN Doc A/64/129/Add.1 7.
11
Government of Netherlands, ‘Dutch Government Response to the AIV/CAVV Report on
Cyber Warfare’ 5–6 <www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/
2012/04/26/cavv-advies-nr-22-bijlage-regeringsreactie-en/cavv-advies-22-bijlage-regeringsreactie-
en.pdf> accessed 15 March 2014.
12
UNGA ‘Developments in the field of information and telecommunications in the context
of international security’ (20 July 2010) UN Doc A/65/154 9–10.
13
Russian Federation, Conceptual Views on the Activities of the Armed Forces of the
Russian Federation in the Information Space (unofficial translation by CCDCOE, 9 September
2000) 6 <www.ccdcoe.org/strategies/Russian_Federation_unofficial_translation.pdf> accessed 15
March 2014.
14
UNGA 65/154 (n 12) 15.
15
See e.g. Harold Koh, ‘International law in cyberspace’ (Speech at the USCYBERCOM
Inter-Agency Legal Conference, 18 September 2012) in Carrie Lyn D. Guymon (ed.), Digest of
United States Practice in International Law (United States Department of State 2012) 593,
594–595, <www.state.gov/documents/organization/211955.pdf> accessed 15 March 2014.
16
UNGA ‘Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security’ (24 June 2013) UN Doc
A/68/98 8.

2 / Date: 7/5
Cyber operations as a use of force 235
beyond the scope of this chapter, which will assume that a cyber operation has been
conclusively attributed to a State.17 The reference to ‘international relations’ in Article
2(4) entails that the cyber operations must not only be by a State, but also against
another State: a State, therefore, is not prohibited by this provision to threaten or resort
to cyber operations against non-State actors within its territory, not even when the
operations amount to a threat or a use of force.18 Finally, for Article 2(4) to apply, the
cyber operation must qualify either as a threat or as a use of force. This chapter will
focus only on the latter: as, in its 1996 Advisory Opinion on the legality of the threat or
use of nuclear weapons, the International Court of Justice (ICJ) linked the legality of
threats, be they explicit or implied in certain conduct, to the legality of the use of force
in the same circumstances,19 the considerations developed below in relation to cyber
operations as a use of force also apply, mutatis mutandis, to those amounting to threats
of the use of force.20
The determination of the threshold above which a cyber operation amounts to a use
of force has proved to be a very contentious issue. The present chapter will address this
problem and will first establish what is meant by ‘armed’ force and whether cyber
operations can qualify as such. It will then distinguish between cyber attacks and cyber
exploitation and, within the former, between cyber attacks that cause, or are reasonably
likely to cause, physical damage to persons or property, those that incapacitate
infrastructures without physically damaging them, and other cyber attacks and cyber-
related conduct. The overall purpose is to identify which of the above types of cyber
activities may qualify as a use of force and are therefore prohibited by Article 2(4) of
the UN Charter.
2. CYBER OPERATIONS AS ARMED FORCE

As Article 2(4) of the UN Charter only prohibits the threat and the use of ‘armed’ force
and not other forms of coercion,21 the question is whether cyber operations can qualify
as such. ‘Armed force’ is not identified on the basis of the authors of the forceful
action, i.e. the armed forces, as otherwise States would easily avoid the application of
the prohibition by outsourcing such actions to intelligence agencies or private contrac-
tors. In fact, incidents involving the armed forces but not the use of weaponry, like the
violation of airspace or territorial waters by military aircraft or ships, are usually
17
On the identification and attribution problems, see Roscini (*) 33–40; Nicholas
Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’ (2012) 17 J. Conflict &
Sec. L. 229, 233–43.
18
The situation would be different if the non-State actors were located on and operated
from the territory of another State.
19
Legality of the threat or use of nuclear weapons (Advisory Opinion) [1996] ICJ Rep.
1996 [Nuclear weapons] para. 47. This conclusion was reaffirmed in the Guyana and Suriname
Arbitral Award, 17 September 2007, 47 (2008) International Legal Materials 166, 229–30,
para. 439.
20
Specifically on cyber operations and threats of force, see Roscini (*) 67–9.
21
Ibid. 45–6.

3 / Date: 24/3
treated as violations of sovereignty, but not as a use of force under Article 2(4).22 The
presence of a coercive intention is also per se not sufficient to identify armed force.
Indeed, ‘armed force’ is nothing other than an extreme form of intervention that, like
economic and political coercion, is characterized by the intention of the coercing State
to compel the victim State into doing or not doing something through a ‘dictatorial
interference’ in its internal or external affairs.23 Both the use of force and the broader
notion of intervention, then, imply a coercive intention, and what differentiates the two
must be found elsewhere.
Whether or not cyber operations fall within the scope of Article 2(4) depends
ultimately on which of the three main analytic approaches to understanding the nature
of a use of armed force is accepted. The instrument-based approach focuses on the
means used to commit an act, i.e. weapons, and has been traditionally employed to
distinguish armed force from economic and political coercion. This approach has been
criticized for being centred on instruments defined by their physical characteristics: as
such – it has been claimed – it is ill-suited to be extended to digital codes and would
lead to the conclusion that cyber operations can never be a use of force under Article
2(4), even when they result in physical damage.24 The target-based approach argues
that cyber operations reach the threshold of the use of armed force when they are
conducted against a national critical infrastructure (NCI), whatever their effects on such
infrastructure or the nature of the operation might be.25 This approach, however, is
over-inclusive in that it would also qualify as a use of force those cyber operations that
only cause inconvenience or merely aim to collect information as long as they target a
NCI. Another problem with this view – it has been argued – is that there is no generally
accepted definition of ‘NCI’.26
The approach that has received most support is based on the effects of the action:
unlike other forms of coercion, armed force has direct destructive effects on property
and persons.27 Therefore, any cyber operation that causes, or is reasonably likely to
22
Oliver Dörr, ‘Use of force, prohibition of’ in Rüdiger Wolfrum (ed.), Max Planck
Encyclopedia of Public International Law (2nd edn., OUP 2012), vol X, 607, 611.
23
Hersch Lauterpacht, International Law and Human Rights (Stevens & Sons Ltd 1950)
167. As the ICJ emphasized, ‘[t]he element of coercion, which defines, and indeed forms the
very essence of, prohibited intervention, is particularly obvious in the case of an intervention
which uses force’ directly or indirectly (Nicaragua Case (n 1), para. 205). On the principle of
non-intervention, see section 3.C of this chapter.
24
Stephanie Gosnell Handler, ‘The new cyber face of battle: Developing a legal approach to
accommodate emerging trends in warfare’ (2012) 48 Stan. J. Int’l. L. 209, 226–227; Matthew C.
Waxman, ‘Self-defensive force against cyber attacks: Legal, strategic and political dimensions’
(2013) 89 Int’l. L. Studies 109, 111.
25
Walter G Sharp, Cyberspace and the Use of Force (Aegis Research Corp 1999) 129–32.
See similarly Christopher C. Joyner and Catherine Lotrionte, ‘Information warfare as inter-
national coercion: Elements of a legal framework’ (2011) 12 E.J.I.L. 825, 855, who argue that
stealing or compromising sensitive military information could also qualify as an armed attack
(and a fortiori a use of force) ‘even though no immediate loss of life or destruction results’.
26
For a discussion of the different definitions of NCI, see Roscini (*) 55–8.
27
See e.g. Russell Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited interven-
tions?’ (2012) 17 J. Conflict & Sec. L. 211, 212; Heather H Dinniss, Cyber Warfare and the
Laws of War (CUP 2012) 74.

4 / Date: 24/3
cause, the damaging consequences normally produced by kinetic weapons would be a

use of armed force.28 This view, however, does not take into account that the
dependency of modern societies on computers, computer systems and networks has
made it possible to incapacitate physical infrastructures without destroying them.
Another problem with this approach is that directness is not necessarily an inherent
characteristic of the use of armed force: the UN General Assembly’s Declaration on the
Definition of Aggression, for instance, qualifies as an ‘act of aggression’, i.e. ‘the most
serious and dangerous form of the illegal use of force’,29 not only bombings and
invasions, but also actions which do not necessarily entail direct destructive effects,
such as the violation of a stationing agreement, a naval blockade, and allowing the use
of the territory by other States for the purpose of perpetrating aggression.30 In the
Nicaragua judgment, the ICJ also qualified the arming and training of armed groups –
not directly destructive actions – as a use of force.31
It is submitted, therefore, that it is preferable to identify ‘armed’ force by reference to
the instruments used. This is consistent with the ordinary meaning of the expression:32
according to Black’s Law Dictionary, ‘armed’ means ‘[e]quipped with a weapon’ or
‘[i]nvolving the use of a weapon’.33 Unlike mere intervention, armed force entails the
contemporary presence of two elements: the use of weapons and an intention to
coerce.34 As a consequence, a limited use of weapons by a State that is not directed at
exercising coercion on another State, as in the case of police measures at sea,
interception of trespassing aircraft or international abductions, does not fall under the
scope of Article 2(4), but may be a violation of other norms, such as the duty to respect
another State’s sovereignty.35 Similarly, economic measures that cause starvation
among the population are not a use of armed force in spite of their severe humanitarian
consequences and of their coercive intention, because they do not entail the use of
28
Dinstein has, for instance, argued that ‘what counts is not the specific type of ordnance,
but the end product of its delivery to a selected objective’ (Yoram Dinstein, ‘Computer network
attacks and self-defense’ (2002) 76 Int’l. L. Studies 99, 103). Silver also opines that ‘physical
injury or property damage must arise as a direct and foreseeable consequence of the CNA
[Computer Network Attack] and must resemble the injury or damage associated with what, at
the time, are generally recognized as military weapons’ (Daniel B. Silver, ‘Computer network
attack as a use of force under Article 2(4) of the United Nations Charter’ (2002) 76 Int’l. L.
Studies 73, 92–3).
29
Definition of Aggression, GA Res 3314 (XXIX), 14 December 1974, Preamble.
30
Ibid. art 3(c), (e), and (f).
31
Nicaragua Case (n 1) para. 228.
32
According to art 31(1) of the 1969 Vienna Convention on the Law of Treaties, ‘[a] treaty
shall be interpreted in good faith in accordance with the ordinary meaning to be given to the
terms of the treaty in their context and in the light of its object and purpose’ (UNTS, vol 1115,
331 ff.)
33
Bryan A. Garner (ed.), Black’s Law Dictionary (9th edn., Thomson-West 2009), 123.
34
As has been observed, ‘[t]he essential feature which characterizes the prohibition of the
use of force is … not the intrusion into the sovereign realm of another State, nor is it even the
element of coercion as such, but only an intrusion or coercion accompanied by the special
features of military weaponry and its actual use’ (Dörr (n 22) 611).
35
See Olivier Corten, The Law Against War. The Prohibition on the Use of Force in
Contemporary International Law (Hart 2010) 66–7.

5 / Date: 1/4
weapons: economic measures may be enforced with the use of weapons, but are not
weapons themselves, as implied in Article 41 of the UN Charter.36
Although there is no binding definition of ‘weapon’ either in jus ad bellum or jus in
bello instruments, Black’s Law Dictionary defines it as ‘[a]n instrument used or
designed to be used to injure or kill someone’.37 The ICRC Study on Customary
International Humanitarian Law defines weapons as ‘means to commit acts of violence
against human or material enemy forces’.38 Rule 1(ff) of the HPCR Manual on
International Law Applicable to Air and Missile Warfare (the ‘HPCR Manual’) also
attaches one main characteristic to a weapon: the capability to cause either injury/death
of persons or damage/destruction of objects.39 Similarly, a leading commentator has
defined weapons as including ‘any arms … munitions … and other devices, com-
ponents or mechanisms intended to destroy, disable or injure enemy personnel, matériel
or property’.40 The minimum common denominator of the above definitions is the
violent consequences produced by the instrument. Weapons, therefore, are identified by
their effects, not by the mechanisms through which they produce destruction or
damage.41 If this is correct, armed force prohibited by Article 2(4) could be defined as
the form of intervention by a State to exercise coercion on another State that involves
the use of instruments (weapons) capable of producing violent consequences. At a
closer look, then, the debate between the supporters of the instrument-based and
effects-based approaches to establish whether cyber operations are a use of armed force
loses much of its significance, as the two approaches should be combined: it is the
instrument used that defines armed force, but the instrument is identified by its
(violent) consequences. The focus on instrumentality explains why the ICJ qualified
arming and training of armed groups as a use of force:42 although not directly
destructive, those activities are strictly related to weapons, as they aim at enabling
someone to use them.
If, then, a use of armed force under Article 2(4) requires weapons, the next step in
the analysis is to establish whether malware can qualify as such. In its Advisory
Opinion on the legality of the threat or use of nuclear weapons, the ICJ made clear that
Articles 2(4), 51 and 42 of the UN Charter ‘do not refer to specific weapons. They
apply to any use of force, regardless of the weapons employed’.43 There is then no
reason why the weapons covered by these provisions should necessarily have explosive
effects or be created for offensive purposes only: the use of certain dual-use non-kinetic
36
Art 41 of the UN Charter includes the ‘complete or partial interruption of economic
relations’ in the list of ‘measures not involving the use of armed force’.
37
Garner (n 33) 1730.
38
Jean-Marie Henckaerts & Louise Doswald-Beck, Customary International Humanitarian
Law (CUP 2005) vol I, rule 6.
39
Program on Humanitarian Policy and Conflict Research [HPCR], Manual on Inter-
national Law Applicable to Air and Missile Warfare (CUP 2013) 49.
40
Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed
Conflict (2nd edn., CUP 2010) 1.
41
Katharina Ziolkowski, ‘Computer network operations and the law of armed conflict’
(2010) 49 Military Law & Law of War Rev. 47, 69.
42
43
Nuclear weapons (n 19) para. 39.

6 / Date: 24/3
weapons, such as biological or chemical agents, against a State would undoubtedly be

treated by the victim State as a use of force in the sense of Article 2(4). According to
Brownlie, this is so because chemical and biological weapons are commonly referred to
as forms of ‘warfare’ and because they can be used to destroy life and property:44 both
arguments would suit at least some malware as well. In particular, several States have
included cyber technologies in their military doctrines, refer to cyberspace as to a fifth
domain of warfare and have set up military units with specific cyber expertise.45 The
Russian Foreign Minister warned that the destructive effects of information weapons
‘may be comparable to that of weapons of mass destruction’.46 Belarus made the same
analogy.47 Kazakhstan observed that ‘information technology advances may be misused
as information weapons during armed conflicts’.48 Cuba also remarked that ‘[i]nfor-
mation and telecommunication systems can be turned into weapons when they are
designed and/or used to damage the infrastructure of a State, and as a result, can put at
risk international peace and security’.49 Spain recalled the ‘[u]se of the Internet as a
weapon, i.e., its use as a means to launch attacks against critical infrastructure
information systems or the infrastructure of the Internet itself’.50 The US Air Force
includes cyber capabilities in its legal review of weapons under Article 36 of Additional
Protocol I51 and the US Joint Vision 2020 expressly refers to the employ of non-kinetic
weapons in the area of information operations.52 Finally, the UK National Security
Strategy emphasizes that ‘activity in cyberspace’ is ‘a military weapon for use by states
and possibly others’.53
44
Ian Brownlie, International Law and the Use of Force by States (Clarendon Press 1963)
362.
45
See the examples mentioned in Roscini (*) 3–4, 9–10.
46
Letter dated 23 September 1998 from the Permanent Representative of the Russian
Federation to the United Nations addressed to the Secretary-General, UN Doc A/C.1/53/3, 30
September 1998, 2, <www.un.org/ga/search/view_doc.asp?symbol=A/C.1/53/3&Lang=E>
47
of international security’ (10 August 1999) UN Doc A/54/213 3.
48
of international security’ (8 July 2009) UN Doc A/64/129 5.
49
UNGA A/66/152/Add.1 (n 3) 2.
50
UNGA A/64/129/Add. 1 (n 10) 10.
51
United States Department of Air Force, ‘Air Force Instruction 51–402’ (27 July 2011)
<www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB424/docs/Cyber-053.pdf> accessed 15 March
2014. Art 36 of Additional Protocol I provides that:
[i]n the study, development, acquisition or adoption of a new weapon, means or method of
warfare, a High Contracting Party is under an obligation to determine whether its employ-
ment would, in some or all circumstances, be prohibited by this Protocol or by any other rule
of international law applicable to the High Contracting Party (text in UNTS, vol 1125, 3ff).
52
Joint Chiefs of Staff, ‘Joint Vision 2020 – America’s Military: Preparing for Tomorrow’
(June 2000) 23, <www.fs.fed.us/fire/doctrine/genesis_and_evolution/source_materials/joint_
vision_2020.pdf> accessed 15 March 2014.
53
Prime Minister, ‘A Strong Britain in an Age of Uncertainty: The National Security
Strategy’ (Cm 7953, 2010) 29 <www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/

7 / Date: 7/5
All the above supports the view that ‘cyber … must be looked upon as a new means
of warfare – in other words, a weapon: no less and no more than other weapons’.54 The
Commentary to the HPCR Manual confirms that ‘[m]eans of warfare include non-
kinetic systems, such as those used in EW [electronic warfare] and CNAs [Computer
Network Attacks]. The means would include the computer and computer code used to
execute the attack, together with all associated equipment’.55 The Commentary further
specifies that death, injury, damage, or destruction ‘need not result from physical
impact … since the force used does not need to be kinetic. In particular, CNA
hardware, software and codes are weapons that can cause such effects through
transmission of data streams’.56 Like missiles, cyber weapons include a delivery
system, a navigation system and a payload.57 The delivery system could go from
e-mails to malicious links in websites, hacking, counterfeit hardware and software.
System vulnerabilities are the main navigation systems that provide entry points for the
payload by enabling unauthorized access to the system. The payload is the component
that causes harm: if the code, however sophisticated, is designed solely for the purpose
of infiltrating a computer and exfiltrating information, it would not be a ‘weapon’ in the
sense highlighted above, as it is neither intended to nor capable of causing violent
consequences.58
3. THE APPLICATION OF ARTICLE 2(4) OF THE UN CHARTER

TO DIFFERENT TYPES OF CYBER OPERATIONS
When a cyber operation conducted by a State against another employs a weapon and is
accompanied by a coercive intent, then, it potentially amounts to a use of armed force
under Article 2(4) of the UN Charter. Not all cyber operations,59 however, entail the use
of a ‘weapon’, which distinguishes cyber exploitation from cyber attacks. Cyber
exploitation refers to unauthorized access to computers, computer systems or networks,
in order to collect information, but without affecting the functionality of the accessed
system or corrupting, amending or deleting the data resident therein. As has been
observed, ‘[t]he primary technical difference between cyber attack and cyberexploitation
is in the nature of the payload to be executed – a cyber attack payload is destructive
@dg/@en/documents/digitalasset/dg_191639.pdf?CID=PDF&PLA=furl&CRE=nationalsecurity
strategy> accessed 15 March 2014.
54
Yoram Dinstein, ‘Cyber war and international law: Concluding remarks at the 2012
Naval War College International Law Conference’ (2013) 89 Int’l. L. Studies 276, 280. Schmitt
also notes that ‘[w]ith the advent of CNA, today the computer is no less a weapon than an F-16
armed with precision weapons’ (Michael N Schmitt, ‘Computer network attack: The normative
software’ (2001) 4 Ybk of Int’l. Humanitarian L. 53, 56).
55
HPCR Manual (n 39) 31.
56
Ibid. 49.
57
Fred Schreier, ‘On cyberwarfare’, (DCAF Horizon 2015 Working Paper no 7, 2012)
66–67 <www.dcaf.ch/Publications/On-Cyberwarfare> accessed 15 March 2014.
58
Thomas Rid and Peter McBurney, ‘Cyber-weapons’ (2012) 157(1) RUSI J 6, 11.
59
See Ducheine (Ch 10 of this book).

8 / Date: 24/3
whereas a cyberexploitation payload acquires information nondestructively’.60 Although

they are often labelled in the press as ‘cyber attacks’, cyber exploitation operations are
different as they focus on intelligence collection, surveillance and reconnaissance rather
than on system disruption and may be preliminary to a cyber attack (whether amounting
to a use of force or not) that they aim to enable, for instance by mapping the architecture
of the network or operating system to be attacked or by identifying previously unknown
vulnerabilities. Stealing security data or intellectual property from governments and
corporations may also be an aim in itself and is a major threat to national security and
commerce.61
Cyber exploitation may violate the sovereignty of a State when it entails an
unauthorized intrusion into cyber infrastructure located on its territory,62 but ontolog-
ically can never amount to a use of armed force in the sense of Article 2(4) of the UN
Charter, as it does not involve the use of weapons, i.e. cyber capabilities with a payload
designed to produce violent consequences.63 In contrast, cyber attacks are those cyber
operations, whether in offence or in defence, aimed at altering, deleting, corrupting or
denying access to computer data or software for the purposes of: (a) propaganda or
deception; and/or (b) partly or totally disrupting the functioning of the targeted
computer, computer system or network, and related computer-operated physical infra-
structure (if any); and/or (c) producing physical damage extrinsic to the computer,
computer system or network. A cyber attack can therefore go from relatively innocuous
psychological operations, such as website defacement, to acts that cause havoc in
military campaigns by generating misinformation, or acts resulting in major disruption
of services and loss of property and lives. A ‘cyber attack’ may be a use of force under
Article 2(4) of the UN Charter, an ‘armed attack’ in the sense of Article 51 for
self-defence purposes64, or an ‘attack’ under Article 49(1) of Protocol I Additional to
the 1949 Geneva Conventions on the Protection of Victims of War, but care should be
taken not to see these expressions as coterminous.65 In particular, cyber attacks can
60
Herbert S. Lin, ‘Offensive cyber operations and the use of force’ (2010) 4 Journal of
National Security Law & Policy 63, 64.
61
As has been noted, ‘the cyber context changes the scale and consequences of theft and
espionage to a degree that can result in harm to the country at least as severe as a physical
attack’ (Jack Goldsmith, ‘How cyber changes the laws of war’ (2013) 24 EJIL 129, 133). As a
consequence of the cyber intrusions allegedly originating from China, the US Government
adopted a new strategy to combat intellectual property theft (White House ‘Administration
Strategy on Mitigating the Theft of U.S. Trade Secrets’ (February 2013) <www.whitehouse.gov//
sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf>
accessed 15 March 2014).
62
Wolff Heintschel von Heinegg, ‘Territorial sovereignty and neutrality in cyberspace’
(2013) 89 Int’l. L. Studies 129.
63
For a critical analysis of views that qualify ‘cyber espionage’ as a use of force, see
Katharina Ziolkowski, ‘Peacetime cyber espionage – New tendencies in public international law’
in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace. Inter-
national Law, International Relations and Diplomacy (CCDCOE 2013) 425, 451–7. On cyber
espionage, see also Buchan (Ch 8 of this book).
64
On cyberattacks and self-defence see Focarelli (Ch 12 of this book).
65
On cyber attacks as ‘armed attack’ under art 51 of the UN Charter and as ‘attack’ under
the law of armed conflict see Roscini (*) 70–77, 178–82.

9 / Date: 7/5
potentially fall under the scope of the prohibition contained in Article 2(4) when they
entail the use of cyber tools capable of producing certain harmful consequences. The
different sets of consequences deriving from a cyber attack will be examined in the
following sub-sections in order to determine when they amount to a use of force.
(a) Cyber Attacks Causing, or Reasonably Likely to Cause, Physical Damage to

Property, Loss of Life, or Injury of Persons
There is general agreement that, if a cyber attack employs capabilities that cause, or are
reasonably likely to cause, physical damage to property, loss of life or injury of persons
in a manner equivalent to kinetic attacks through the alteration, deletion or corruption
of software or data, it would fall under the prohibition contained in Article 2(4) of the
UN Charter. Rule 11 of the Tallinn Manual on the International Law Applicable to
Cyber Warfare (the ‘Tallinn Manual’), for instance, provides that ‘[a] cyber operation
constitutes a use of force when its scale and effects are comparable to non-cyber
operations rising to the level of a use of force’.66 In his speech at the US Cyber
Command (CYBERCOM), the then US Department of State’s Legal Advisor, Harold
Koh, also argued that ‘if the physical consequences of a cyber attack work the kind of
physical damage that dropping a bomb or firing a missile would, that cyber attack
should equally be considered a use of force’.67 Koh cites, as examples of cyber
operations amounting to a use of force, ‘(1) operations that trigger a nuclear plant
meltdown; (2) operations that open a dam above a populated area causing destruction;
or (3) operations that disable air traffic control resulting in airplane crashes’.68 It should
be noted that physical damage to property, loss of life and injury of persons are only
secondary or tertiary effects of a cyber attack resulting from the corruption, alteration
or deletion of data or software.69 This is, however, not necessarily a problem for the
application of the jus ad bellum rules: in the Nicaragua judgment, the ICJ expressly
66
Warfare (CUP 2013) [Tallinn Manual] Rule 11. The Manual, that aims to identify how the lex
lata applies to cyber operations above the level of the use of force, was prepared by a group of
experts at the invitation of NATO’s Cooperative Cyber Defence Centre of Excellence (CCD-
COE) but does not reflect NATO doctrine or the official position of any State or organization.
67
Koh (n 15) 595.
68
Ibid.
69
The primary effects are those on the attacked computer, computer system or network, i.e.
the deletion, corruption, or alteration of data or software, or system disruption through a
Distributed Denial of Service (DDoS) attack or other cyber attacks. As Waxman notes, ‘modern
society’s heavy reliance on interconnected information systems means that the indirect and
secondary effects of cyber-attacks may be much more consequential than the direct and
immediate ones’ (Matthew C Waxman, ‘Cyber attacks and the use of force: Back to the future of
Article 2(4)’ (2011) 36 Yale J. of Int’l. L. 421, 445). On the multiple effects of cyber attacks, see
William A Owens, Kenneth W Dam, and Herbert S Lin, Technology, Policy, Law, and Ethics
Regarding U.S. Acquisition and Use of Cyberattack Capabilities (The National Academies Press
2009) 80. See also Pia Palojärvi, A Battle in Bits and Bytes: Computer Network Attacks and the
Law of Armed Conflict (Erik Castrén Institute of International Law 2009) 32; William H
Boothby, ‘Methods and means of cyber warfare’ (2013) 89 Int’l. L. Studies 387, 390.

10 / Date: 24/3
recognized that intervention that uses armed force may occur either directly or
indirectly.70
No cyber attack has so far been reported to have caused injuries or deaths of persons.
If one excludes the almost legendary case of the explosion of a Soviet gas pipeline in
Siberia in June 1982, apparently caused by a logic bomb inserted in the computer-
control system by the Central Intelligence Agency (CIA),71 the first known use of
malicious software designed to produce material damage to physical property by
attacking the Supervisory Control and Data Acquisition (SCADA) system of a NCI is
Stuxnet. Using four unknown vulnerabilities, Stuxnet was allegedly designed to force a
change in the gas centrifuges’ rotor speed at the Natanz uranium enrichment plant in
Iran, inducing excessive vibrations or distortions that would eventually damage the
centrifuges.72 As a result, the International Atomic Energy Agency (IAEA) reported
that Iran stopped feeding uranium into thousands of centrifuges at Natanz, a claim
denied by the Iranian authorities.73
One could ask whether there is a minimum threshold of gravity that the destructive
consequences of a cyber attack need to reach in order to be a violation of Article 2(4)
and not only of the principle of non-intervention. Koh, for instance, appears to
distinguish between injury/death of persons on the one hand and damage to property on
the other when he argues that it is ‘[c]yber activities that proximately result in death,
injury or significant destruction’ that would be considered a use of force:74 in his view,
then, while any death or injury would turn a cyber operation into a use of force, only
destruction that is significant enough would qualify. Beyond the cyber context, Corten
maintains that ‘there is a threshold below which the use of force in international
relations, while it may be contrary to certain rules of international law, cannot violate
article 2(4)’:75 examples are international abductions, extraterritorial enforcement
measures, international police operations, hot pursuit and police measures at sea, and
the interception and neutralization of aircraft entering a State’s airspace without
authorization. Similarly, in its 2009 Report, the Independent International Fact-Finding
Commission on the Conflict in Georgia found that ‘[t]he prohibition of the use of force
covers all physical force which surpasses a minimum threshold of intensity’ and that
‘[o]nly very small incidents lie below this threshold, for instance the targeted killing of
single individuals, forcible abductions of individual persons, or the interception of a
70
Nicaragua Case (n 1) para. 205. See Dinniss (n 27) 66.
71
Thomas Rid, Cyber War Will Not Take Place (Hurst & Co 2013) 4.
72
David Albright, Paul Brannan and Christina Walrond, ‘Did Stuxnet Take Out 1,000
Centrifuges at the Natanz Enrichment Plant?’ (ISIS Report, 22 December 2010) 6 <http://isis-
online.org/uploads/isis-reports/documents/stuxnet_FEP_22Dec2010.pdf> accessed 15 March
2014.
73
William J. Broad, ‘Report suggests problems with Iran’s nuclear effort’, The New York
Times (23 November 2010) <www.nytimes.com/2010/11/24/world/middleeast/24nuke.html>
accessed 15 March 2014. On the legality of Stuxnet and other cyber operations against Iran, see
Marco Roscini, ‘Cyber operations as nuclear counterproliferation measures’ (2014) 19 J.
Conflict & Sec. L. 133–57.
74
Koh (n 15) 595 (emphasis added). It should, however, be recalled that, according to the
US position reflected in Koh’s speech, there is no distinction between ‘use of force’ and ‘armed
attack’.
75
Corten (n 35) 55.

11 / Date: 7/5
single aircraft’.76 There seems to be some cautious support for this view in the 1998
ICJ’s Fisheries Jurisdiction Judgment: while Spain argued that the forcible measures
against the Estai amounted to a violation of Article 2(4), the Court found that ‘the use
of force authorized by the Canadian legislation and regulations falls within the ambit of
what is commonly understood as enforcement of conservation and management
measures’ and that ‘[b]oarding, inspection, arrest and minimum use of force for those
purposes are all contained within the concept of enforcement of conservation and
management measures according to a “natural and reasonable” interpretation of this
concept’.77
There is nothing, however, in the wording of Article 2(4) suggesting that uses of
force should be distinguished according to their gravity: as Ago notes, Article 2(4)
prohibits ‘any kind of conduct involving any assault whatsoever on the territorial
sovereignty of another State, irrespective of its magnitude, duration or purposes’.78
Whether or not a ‘minimum use of force’ is a violation of Article 2(4) must ultimately
depend on the circumstances of each case: what can be said is that the more invasive
and damaging the use of (cyber) weapons, the more the affected State will be inclined
to treat it as a use of force.
Whether data can be equated to physical property for the purposes of Article 2(4), so
that their deletion, alteration or corruption qualify per se as a use of force even when
they do not also result in physical damage to property, loss of life, bodily injury, or
malfunction of infrastructures, is a hotly debated question. In August 2012, for
instance, a virus destroyed the data of about 30,000 company computers of Saudi
Aramco, the world’s largest oil producer. The deleted data were replaced with a burning
American flag.79 John Murphy notes that ‘[i]f one views data as a form of property,
indeed a very important form or property, in the modern world, a mass loss of data
could constitute an armed attack’ (and therefore, a fortiori, a use of force).80 There is
no indication, however, that States are willing to interpret Article 2(4) so broadly: as a
commentator has argued, the mere destruction of data, even when of considerable
importance, is not a use of force, as its ‘effects cannot be equated to the effects usually
caused or intended by conventional or BC [biological and chemical] weapons,
76
Independent Fact-Finding Mission on the Conflict in Georgia, ‘Report of the Independent
Fact-Finding Mission on the Conflict in Georgia’ (vol II, September 2009) 242 <www.ceiig.ch/
Report.html> accessed 15 March 2014.
77
Fisheries Jurisdiction (Spain v Canada) (Judgment) [1998] ICJ Rep 1998 para. 84
(emphasis added). See similarly the Report of the Commission of Inquiry (Denmark–United
Kingdom) on the Red Crusader incident, 23 March 1962 [1967] 35 Int’l. L. Rep. 485 ff.
78
Ago (n 1) 41. Similarly, Melzer argues that art 2(4) prohibits all uses of force, regardless
of their magnitude and duration (Nils Melzer, Cyberwarfare and International Law (UNIDIR
2011) 8 <www.isn.ethz.ch/Digital-Library/Publications/Detail/?lng=en&id=134218> accessed 15
March 2014).
79
‘Saudi Aramco says cyber attack targeted kingdom’s economy’, Al Arabiya News (9
December 2012) <www.alarabiya.net/articles/2012/12/09/254162.html> accessed 15 March
2014. Oil production, however, remained uninterrupted.
80
John F. Murphy, ‘Cyber war and international law: Does the international legal process
constitute a threat to U.S. vital interests?’ (2013) 89 Int’l. L. Studies 309, 325.

12 / Date: 24/3
especially not to the physical destruction of the objects’.81 If not of Article 2(4), cyber
attacks deleting, modifying or corrupting data without consequences in the analogue
world may however be a violation of the principle of non-intervention, as will be seen
later.82
(b) Cyber Attacks Severely Disrupting the Functioning of Infrastructures
If cyber attacks employing capabilities that cause or are reasonably likely to cause
material damage to property or persons can be equated to kinetic attacks, there is
disagreement on whether disruptive cyber operations, i.e. those aimed at rendering
ineffective or unusable infrastructures without physically damaging them,83 also
amount to a violation of Article 2(4) of the UN Charter.84
It is this chapter’s contention that disruptive cyber operations also fall under the
scope of Article 2(4) if the disruption caused is significant enough to affect State
security, or, to use the words of the 2012 US Presidential Policy Directive 20, ‘national
security, public safety, national economic security, the safe and reliable functioning of
“critical infrastructure,” and the availability of “key resources”’.85 This is certainly the
case of cyber operations that severely disrupt defence-related NCIs.86 The 1999 US
Department of Defense’s Assessment of International Legal Issues in Information
Operations, for instance, argues that ‘corrupting the data in a nation’s computerized
systems for managing its military fuel, spare parts, transportation, troop mobilization,
or medical supplies’, therefore seriously interfering ‘with its ability to conduct military
operations’, might be treated as a use of force.87 If a cyber operation seriously
disrupting defence functions is considered a use of force, this conclusion must also be
correct for a cyber operation that aims at taking control of networked weapons and
weapon systems of another State, such as missiles, satellites and drones.88
81
Katharina Ziolkowski, ‘General principles of international law as applicable in cyber-
space’, in Ziolkowski (n 63) 135, 174.
82
See below, sec 3(c).
83
The language is borrowed from the definition of ‘neutralize’ contained in US Department
of Defense’s Dictionary of Military and Associated Terms (n 2) 187.
84
The Tallinn Manual’s (n 66) rules largely neglect disruptive cyber operations because of
lack of consensus among the Group of Experts with regard to their nature and legality.
85
‘US Presidential Policy Directive/PPD–20’ (October 2012) 3 <www.theguardian.com/
world/interactive/2013/jun/07/obama-cyber-directive-full-text> accessed on 15 March 2014.
86
Ziolkowski (n 41) 73–4; Tsagourias (n 17) 232.
87
US Department of Defense ‘An Assessment of International Legal Issues in Information
Operations’ (May 1999) 18 <www.au.af.mil/au/awc/awcgate/dod-io-legal/dod-io-legal.pdf>
88
A computer virus has for instance been reported to have infected US drones’ cockpits
(‘US drones infected by key logging virus’ Aljazeera (8 October 2011) <www.aljazeera.com/
news/americas/2011/10/201110816388104988.html> accessed 15 March 2014). The virus appar-
ently originated in China and had the purpose of collecting unmanned aerial vehicle (UAV) data.
It was inserted in the military’s network through compromised PDF files (Robert Johnson, ‘New
evidence suggests China’s hacking into US drones using Adobe Reader and Internet Explorer’

13 / Date: 7/5
Cyber attacks that severely disrupt other NCIs such as emergency and rescue
services, energy, public health, transportation, food and water supply will in most cases
also result, or will be likely to result, in some physical damage to property or persons.
In particular, prolonged electricity shortage due to a cyber attack disrupting the national
grid is likely to have severe negative repercussions on other NCIs and on virtually all
sectors of society. But even when no physical consequences arise, as in the case of
cyber attacks against the banking and finance, government and communications
sectors, ‘a flexible interpretation [of Article 2(4)] according to the evolution of
weaponry and the logic behind this provision does not prevent a broadening of its
prohibition in order to incorporate new uses of force’.89 Indeed, as has been observed,
‘[i]f law is to remain effective over time, it must be responsive to context’ and ‘[t]his
axiom is no less true in cyberspace than in the kinetic environment’.90 The concept of
dynamic, or evolutive, interpretation, which is also implied in Article 31(3)(b) of the
Vienna Convention on the Law of Treaties,91 has been employed by the ICJ on several
occasions. In the Judgment on the Dispute Regarding Navigational and Related Rights
(Costa Rica v Nicaragua), for instance, the ICJ found that ‘where the parties have used
generic terms in a treaty … [they] must be presumed, as a general rule, to have
intended those terms to have an evolving meaning’.92 The Court gave the example of
‘commerce’,93 but the same reasoning could be applied to ‘force’. It is interesting, for
instance, that Panama noted that misuse of information and telecommunication systems
is a ‘new form of violence’, thus highlighting that violent effects are not limited to
physical damage.94 The increasing dependency of States on computer systems and
Business Insider (22 December 2011) <www.businessinsider.com/chinas-hacking-into-us-drones-

using-adobe-reader-and-internet-explorer-2011-12> accessed 15 March 2014). Chinese hackers
are also suspected to have interfered with US satellites used for earth observation (Charles
Arthur, ‘Chinese hackers suspected of interfering with US satellites’ The Guardian (27 October
2001) <www.guardian.co.uk/technology/2011/oct/27/chinese-hacking-us-satellites-suspected>
accessed 15 March 2014).
89
Antonio Segura-Serrano, ‘Internet regulation and the role of international law’ (2006) 10
Max Planck Ybk of UN L. 191, 224–5.
90
Michael Schmitt, ‘The law of cyber warfare: Quo vadis?’ (2014) 25 Stan. L. & Pol’y. Rev.
269, 272.
91
According to art 31(3)(b) of the Vienna Convention, treaties shall be interpreted taking
into account, inter alia, ‘any subsequent practice in the application of the treaty which
establishes the agreement of the parties regarding its interpretation’. Such practice includes
‘documents, arrangements, and actions that express a specific understanding of the treaty’
(Matthias Herdegen, ‘Interpretation in international law’ in Wolfrum (ed.), Max Planck Encyclo-
pedia (n 22), vol VI, 260, 263). See also Rudolf Bernhardt, ‘Evolutive treaty interpretation,
especially of the European Convention on Human Rights’ German Ybk of Int’l. L. 42 (1999), 11,
15.
92
Dispute Regarding Navigational and Related Rights (Costa Rica v Nicaragua) (Judg-
ment) [2009] ICJ Rep. 2009 para. 66. See also Legal Consequences for States of the Continued
Presence of South Africa in Namibia (South West Africa) notwithstanding Security Council
Resolution 276 (1970) (Advisory Opinion) [1971] ICJ Rep. 1971 para. 53, where the Court
found that ‘an international instrument has to be interpreted and applied within the framework of
the entire legal system prevailing at the time of the interpretation’.
93
Dispute Regarding Navigational and Related Rights (ibid) para. 70.
94
UN Doc A/57/166/Add.1, 29 August 2002, 5.

14 / Date: 24/3
networks to provide critical services for the society as well as the increasing severity
and sophistication of cyber attacks should thus be taken into account when interpreting
Article 2(4). As a report suggests, focusing only on destructive consequences on
individuals and property is reductive in the cyber context, as ‘modern society depends
on the existence and proper functioning of an extensive infrastructure that itself is
increasingly controlled by information technology’: therefore, ‘[a]ctions that signifi-
cantly interfere with the functionality of that infrastructure can reasonably be regarded
as uses of force, whether or not they cause immediate physical damage’.95 Melzer
concurs and remarks how the kinetic equivalence doctrine, that considers as a use of
force only those cyber operations that cause material damage comparable to kinetic
weapons, is too restrictive.96 Similarly, Tsagourias emphasizes that ‘a cyber attack on
critical State infrastructure which paralyses or massively disrupts the apparatus of the
State should be equated to an armed attack, even if it does not cause any immediate
human injury or material damage’.97 Indeed, the limits of the doctrine of kinetic
equivalence become evident if one considers that, under this doctrine, a cyber attack
that shuts down the national grid or the stock exchange for a prolonged time would not
be a use of armed force, while the physical destruction of one server in theory would.
An ‘interpretive reorientation’98 of Article 2(4) that also includes in the scope of the
provision cyber attacks causing serious disruption of essential services without destroy-
ing infrastructures would also reflect the trend in modern warfare to favour incapacita-
tion to destruction. For instance, in the 1999 Operation Allied Force against Yugoslavia,
NATO targeted switching stations instead of generation stations to enable fast repair
after the conflict and used carbon-graphite filaments in such a way as to cause only
temporary incapacitation of electricity.99 The Rules of Engagement distributed to the
US Military Forces in Operation Iraqi Freedom also provided that attacks at the enemy
infrastructure, lines of communication and economic objects should be aimed at
disabling and disrupting them, avoiding destruction whenever possible.100 Like non-
lethal weapons, cyber warfare should be understood in this context.101
95
Owens, Dam & Lin (n 69) 254. Similarly, Brown and Poellet argue that:
[a]lthough no actual kinetic event may occur, the reliance of modern societies on electricity
for health care, communications, and the delivery of essential services makes it clear this
would qualify as a kinetic-like effect and would therefore constitute a military attack if the
disruption were for a significant period of time.
(Gary Brown & Keira Poellet, ‘The customary international law of cyberspace’ (2012) 6(3)
Strategic Studies Quarterly 126, 137.)
96
Melzer (n 78) 14.
97
Tsagourias (n 17) 231.
98
Waxman (n 69) 437.
99
Dominik Steiger, ‘Civilian objects’ in Wolfrum (ed.), Max Planck Encyclopedia (n 22)
vol II, 185, 187.
100
Human Rights Watch, ‘Off target. The conduct of the war and civilian casualties in Iraq’
(2003) 138–9, <www.hrw.org/reports/2003/usa1203/usa1203.pdf> accessed 15 March 2014.
101
NATO has defined non-lethal weapons as ‘weapons which are explicitly designed and
developed to incapacitate or repel personnel, with a low probability of fatality or permanent
injury, or to disable equipment, with minimal undesired damage or impact on the environment’

15 / Date: 24/3
Although it is not the only decisive factor as the supporters of the target-based
approach suggest, the critical character of the targeted infrastructure is an important
element to consider in order to establish when a disruptive cyber operation amounts to
a use of force under Article 2(4), in particular as an indication of the severity of its
effects on a State. It is especially helpful to exclude that the operation is a use of force:
if the targeted infrastructure is not a NCI, it is highly unlikely that the consequent
disruption will affect a State’s essential functions and its internal public order. A cyber
attack on a NCI, however, is not necessarily always a use of force, for instance when it
disables it only for a very limited time or with limited effects.
Some States have expressly qualified the disruption of certain infrastructures, in
particular those related to the economy, as a use of force. Mali has for instance claimed
that ‘[t]he use of an information weapon could be interpreted as an act of aggression if
the victim State has reasons to believe that the attack was carried out by the armed
forces of another State and was aimed at disrupting … economic capacity, or violating
the State’s sovereignty over a particular territory’.102 A Russian senior military officer
has reportedly declared that ‘the use of Information Warfare against Russia or its armed
forces will categorically not be considered a non-military phase of a conflict whether
there were casualties or not’.103 The US Department of Defense’s Assessment of
International Legal Issues in Information Operations refers to a nation’s air traffic
control system, its banking and financial system, and public utilities and dams as
examples of targets that, if shut down by a coordinated computer network attack, might
entitle the victim state to self-defence.104 The 2011 Department of Defense’s Cyber-
space Policy Report maintains that the US reserves the right to use ‘all necessary
means’ against ‘hostile acts’, including ‘significant cyber attacks’, directed not only
against the US Government or military but also the economy.105 The US Presidential
Policy Directive 20 identifies the following ‘significant consequences’ of cyber
operations that require presidential approval: ‘[l]oss of life, significant responsive
actions against the United States, significant damage to property, serious adverse U.S.
foreign policy consequences, or serious economic impact on the United States’.106
Finally, when submitting its views on information security to the UN Secretary-
General, the US has argued that ‘under some circumstances, a disruptive activity in
cyberspace could constitute an armed attack’ (and therefore a use of force).107
(‘NATO Policy on Non-Lethal Weapons’ (Press Statement, 13 October 1999) <www.nato.int/

docu/pr/1999/p991013e.htm> accessed 15 March 2014).
102
UNGA A/64/129/Add. 1 (n 10) 8.
103
Quote from the speech of a senior Russian military officer, cited in Vida M. Antolin-
Jenkins, ‘Defining the parameters of cyberwar operations: Looking for law in all the wrong
places?’ (2005) 51 Naval L. Rev. 132, 166.
104
US Department of Defense (n 87) 18.
105
US Department of Defense, ‘Cyberspace Policy Report. A Report to Congress Pursuant
to the National Defense Authorization Act for Fiscal Year 2011’ (Section 934, November 2011)
4 <www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%
20Report_For%20webpage.pdf> accessed 15 March 2014.
106
US Presidential Policy Directive (n 85) 3.
107
UNGA A/66/152/Add.1 (n 3) 18 (emphasis added).

16 / Date: 24/3
An objection that is often raised is that a cyber attack that shuts down economic
targets such as the stock exchange and disrupts financial markets amounts to economic
coercion and not to armed force.108 This is not correct, for two reasons. First,
economic coercion does not have a specific target, while the cyber attack would be
undertaken against an identifiable infrastructure. Secondly, while economic coercion,
such as an oil embargo, employs the economy as a means of pressure, in a cyber attack
that incapacitates the financial market or cripples a State’s banking system the economy
is rather the target, while the means employed is malware. Therefore, if the stock
exchange or other financial institutions were to be bombed kinetically and the markets
disrupted as a consequence, this would certainly be considered a use of armed force,
and not economic coercion, even though the economic consequences of the action
would probably outweigh the physical damage to the buildings: one cannot see why the
same conclusion should not apply when the stock exchange, instead of being bombed,
is shut down for an extended period of time by a virus in its computer system.109 Such
scenario would arguably be seen as having more in common with a surgical kinetic
attack than with the 1973 Organization of the Petroleum Exporting Countries (OPEC)’s
oil embargo. If, however, the disruption caused is not severe, ‘the cyber attack may be
less likely to be regarded as a use of force than a kinetic attack with the same
(temporary) economic effect, simply because the lack of physical destruction would
reduce the scale of the damage caused’.110
It should be stressed again that, if all cyber attacks that employ capabilities resulting
in damage to physical property or persons are a use of force, those without physical
consequences fall under the scope of Article 2(4) only when they go beyond mere
inconvenience and cause significant disruption of essential services by rendering
ineffective or unusable critical infrastructure.111 It is only in these cases that the effects
of disruption can be equated to those of destruction caused by traditional armed force.
A week-long cyber attack that shuts down the national grid, and thus leaves millions of
people without electricity, cripples the financial market and the transport system, and
prevents government communications is likely to be treated as a use of force, whether
or not physical damage ensues.112 On the other hand, a cyber attack that shuts down a
university network is not a use of force, even if it causes prolonged and severe service
disruption, because the services affected are not critical. The 2014 DDoS attacks that
targeted Ukraine’s mobile communication networks during the confrontation with the
Russian Federation over Crimea also did not fall under the scope of Article 2(4) even if
it had been demonstrated that they were attributable to Russia, as they caused neither
108
See e.g. Elizabeth Wilmshurst, ‘The Chatham House Principles of international law on
the use of force in self-defence’ (2006) 55 I.C.L.Q. 963, 965.
109
Brown & Poellet (n 95) 138; Lin (n 60) 74.
110
Lin ibid. 74.
111
Antolin-Jenkins (n 103) 172; Ziolkowski (n 41) 74–5.
112
The scenario is inspired by the ‘Cyber ShockWave’ simulation staged by the Bipartisan
Policy Center (Ellen Nakashima, ‘War game reveals U.S. lacks cyber-crisis skills’ The
Washington Post (17 February 2010) <http://articles.washingtonpost.com/2010-02-17/news/
36782381_1_cyber-attack-cyber-coordinator-cyber-shockwave> accessed 15 March 2014).

17 / Date: 24/3
material damage nor significant disruption of essential services.113 A different conclu-

sion may perhaps be reached with regard to the much more severe DDoS attacks
against Estonia in 2007.114
Those worried that, by qualifying seriously disruptive cyber operations as a use of
force, the risk of inter-State conflicts will increase should be reassured: indeed, a use of
force, in itself, is not sufficient to entitle the victim State to react in self-defence, unless
it is serious enough to amount to an ‘armed attack’.115 Apart from the stigma attached
to it, then, the only consequence of qualifying seriously disruptive cyber operations as
a use of force is that they could not be undertaken in countermeasure, which certainly
is a welcome result, considering the severe negative impact that they might have on the
public order of today’s digitally reliant societies.116
(c) Other Cyber Attacks
Cyber attacks not resulting, or not reasonably likely to result, in material damage to
property, loss of life or injury of persons, or severe disruption of essential services are
not a use of force and are therefore not a violation of Article 2(4) of the UN Charter:
when attributed to a State, however, they can amount to a violation of the principle of
non-intervention in the internal affairs of another State.117 Intervention is ‘the manifes-
tation of a policy of force’.118 What characterizes intervention and differentiates it from
a mere violation of sovereignty is the element of coercion: a State exercises abusive
pressure on another State in order to coerce it, through certain means, to do or not to do
something ‘on matters in which each State is permitted, by the principle of State
sovereignty, to decide freely’, such as ‘the choice of a political, economic, social and
cultural system, and the formulation of foreign policy’.119 What distinguishes interven-
tion from a violation of Article 2(4) is that it can occur ‘with or without armed
force’.120
113
Dave Lee, ‘Russia and Ukraine in cyber “Stand-Off”’, BBC News (5 March 2014)
<http://www.bbc.co.uk/news/technology-26447200> accessed 15 March 2014. DDoS attacks aim
to inundate the target system with excessive calls, messages, enquiries or requests in order to
overload it and force its shut down.
114
For the facts, see Eneken Tikk, Kadri Kaska & Liis Vihul, International Cyber Incidents.
Legal Considerations (CCDCOE 2010) 18 ff <www.ccdcoe.org/publications/books/legal
considerations.pdf> accessed 15 March 2014.
115
116
Art 50(1)(a) of the ILC Articles on the Responsibility of States for Internationally
Wrongful Acts, Ybk of the ILC, 2001, vol II, Part Two, 30.
117
See Commentary to Rule 10 of the Tallinn Manual (n 66) 44.
118
Corfu Channel (United Kingdom v Albania) (Merits, Judgment) [1949] ICJ Rep 1949 35.
119
Nicaragua Case (n 1) para 205. According to the ICJ, ‘[i]ntervention is wrongful when it
uses methods of coercion in regard to such choices, which must remain free ones. The element
of coercion… defines, and indeed forms the very essence of, prohibited intervention’ (ibid). See
Maziar Jamnejad and Michael Wood, ‘The principle of non-intervention’ (2009) 22 L.J.I.L.
345–81.
120

18 / Date: 24/3
According to the ICJ, the principle of non-intervention is ‘part and parcel of

customary international law’.121 Even though it is not expressly mentioned in the UN
Charter, the principle has been incorporated in a plethora of international agree-
ments.122 Paragraph 1 of the 1965 UN General Assembly Declaration on the Inadmis-
sibility of Intervention in the Domestic Affairs of States and the Protection of their
Independence and Sovereignty also condemns ‘armed intervention and all other forms
of interference or attempted threats against the personality of the State or against its
political, economic and cultural elements’, while paragraph 2 proclaims that ‘[n]o State
may use or encourage the use of economic, political or any other type of measures to
coerce another State in order to obtain from it the subordination of the exercise of its
sovereign rights or to secure from it advantages of any kind’: the language is broad
enough to include cyber attacks below the level of the use of force.123 In its third
principle, the 1970 Declaration on Friendly Relations condemns all forms of interven-
tion using analogous language.124 The 1976 Declaration on Non-interference can also
be extended to cyber operations where it condemns ‘all forms of overt, subtle and
highly sophisticated techniques of coercion, subversion and defamation aimed at
disrupting the political, social or economic order of other States or destabilizing the
Governments seeking to free their economies from external control or manipulation’.125
Several of the situations described in the subsequent 1981 General Assembly Declar-
ation on the Inadmissibility of Intervention and Interference in the Internal Affairs of
States would also perfectly fit certain cyber operations.126 In particular, the Declaration
recalls
[t]he right of States and peoples to have free access to information and to develop fully,
without interference, their system of information and mass media and to use their information
media in order to promote their political, social, economic and cultural interests and
aspirations, based, inter alia, on the relevant articles of the Universal Declaration of Human
Rights and the principles of the new international information order (para 2(I)(c)).
A 1989 bilateral treaty between the US and the Soviet Union on the prevention of
dangerous military activities also prohibits ‘interfering with command and control
networks in a manner which could cause harm to personnel or damage to equipment of
the armed forces of the other Party’.127 Article I(9) of the treaty, in particular, defines
121
Ibid. para. 202.
122
See e.g. art 8 of the 1933 Convention on the Rights and Duties of States; art 19 of the
Organization of American States’ Charter; art 4 of the African Union’s Constitutive Act; art
2(2)(e) of the Charter of the Association of Southeast Asian Nations; art 2 of the Charter of the
Shanghai Cooperation Organization; art 2(4) of the Charter of the Organisation of the Islamic
Conference.
123
UNGA Res 2131 (XX) (21 December 1965) (emphasis added).
124
Declaration on Friendly Relations, UNGA Res 2625 (XXV) (24 October 1970). See also
Principle VI of the Helsinki Final Act of the Conference on Security and Co-operation in Europe
(CSCE), 1 August 1975, (1975) 14 International Legal Materials 1293, 1294–5.
125
UNGA Res 31/91 (14 December 1976) para 4.
126
UNGA Res 36/103 (9 December 1981).
127
Art II(1)(d) of the Agreement on the Prevention of Dangerous Military Activities (1989)
28 International Legal Materials, 877 ff. The treaty is still in force.

19 / Date: 24/3
‘[i]nterference with command and control networks’ as ‘actions that hamper, interrupt
or limit the operation of the signals and information transmission means and systems
providing for the control of personnel and equipment of the armed forces of a Party’.
There is no difficulty, then, in qualifying disruptive cyber attacks short of the use of
force as unlawful interventions when they are used ‘to coerce another State in order to
obtain from it the subordination of the exercise of its sovereign rights and to secure
from it advantages of any kind’.128 Indeed, in the twentieth century the notion of
‘intervention’ was broadened as a consequence of the increased cooperation among
States allowing more subtle ways of interference than the use of force:129 a further
broadening of the notion to include cyber attacks is now necessitated by the
interconnectivity of networks and the reliance of modern societies on information
systems.130
Not only may cyber attacks that cause low-level disruption be unlawful interventions,
but also those that deface websites in order to foment civil strife in a State or the
sending of thousands of e-mails to voters in order to influence the outcome of political
elections in another State.131 In September 2012, for instance, Azerbaijan denounced
cyber attacks conducted by a so-called ‘Armenian Cyber Army’ under the ‘direction
and control’ of Armenia that were ‘aimed at glorifying terrorists and insulting their
victims, as well as at advocating, promoting and inciting ethnically and religiously
motivated hatred, discrimination and violence’.132 As has been observed, if a broadcast
‘is deliberately false and intended to produce dissent or encourage insurgents, the
non-intervention principle is likely to be breached’.133 Hostile propaganda and defama-
tion are condemned in the above mentioned 1976 Declaration on Non-interference and
1981 Declaration on Non-intervention.134
(d) Conduct Related to Cyber Attacks
It has been seen that, according to the ICJ, it is not only the direct use of weapons by
a State against another State that amounts to a use of force, but also enabling someone
else to use those weapons: the arming and training of armed groups, therefore, is a
violation of Article 2(4), even though not an armed attack.135 If this view is extended to
the cyber context, one must conclude that the supply of malware by a State to an armed
128
Declaration on Friendly Relations (n 124) third principle.
129
Philip Kunig, ‘Intervention, Prohibition of’ in Wolfrum (ed.), Max Planck Encyclopedia
(n 22) vol VI, 289, 290.
130
Of course, cyber operations that amount to a use of force are, a fortiori, an intervention.
131
Tallinn Manual (n 66) 45. The UN General Assembly has condemned external interfer-
ence in electoral processes in several resolutions: see e.g. UNGA Res 60/164 (2 March 2006).
132
Letter dated 6 September 2012 from the Chargé d’affaires a.i. of the Permanent Mission
of Azerbaijan to the United Nations addressed to the Secretary-General (7 September 2012) UN
Doc A/66/897–S/2012/687 1.
133
Jamnejad & Wood (n 119) 374.
134
Para 2(II)(j) of the Declaration on Non-intervention, for instance, prohibits ‘[t]he duty of
a State to abstain from any defamatory campaign, vilification or hostile propaganda for the
purpose of intervening or interfering in the internal affairs of other States’.
135

20 / Date: 24/3
group acting against another State and the training of such group to conduct cyber
attacks are also a use of force.136 This is the opinion of the Group of Experts that
drafted the Tallinn Manual.137 This conclusion, however, is correct only when the
supply of malware and the training enable the group to conduct cyber attacks
amounting to a use of force, and not other types of cyber operations below that
threshold.
Similarly, if one transposes Article 3(f) of the Definition of Aggression in the cyber
context, a State that knowingly allows another State to use its cyber infrastructure in
order to launch a cyber attack amounting to an act of aggression against a third State
would commit an act of aggression itself, and therefore would breach the prohibition of
the use of force.138 It appears, for instance, that North Korea’s cyber warfare Unit 121
is at least partially stationed in China due to the limited internet connections in North
Korea, although the involvement of the Chinese Government is unclear.139 Article 3(f),
however, would only potentially apply to situations where the cyber operation in
question amounts to an act of aggression, not to any use of force and even less to cyber
operations below that threshold, such as cyber exploitation.
On the other hand, according to the ICJ, the ‘mere supply of funds’ to armed groups
does not amount to a use of force, although it ‘undoubtedly’ qualifies as unlawful
intervention.140 A State that finances the cyber operations of an armed group against
another State, therefore, may breach the principle of non-intervention in the internal
affairs of that State, but not Article 2(4).141
4. CONCLUSIONS
The provisions on the use of force contained in the UN Charter apply to cyber
operations even though the rules were adopted well before the advent of cyber
technologies: the lack of ad hoc provisions does not mean that cyber operations may be
conducted by States against other States without restrictions. This chapter has argued
that a cyber operation is a use of armed force when it entails the use of a ‘weapon’
accompanied by a coercive intention. This occurs not only in the case of cyber attacks
designed to cause physical damage to property, loss of life or injury of persons, but also
of cyber attacks employing capabilities that render ineffective or unusable critical
infrastructures so to cause significant disruption of essential services, even when they
136
An example is the alleged cyber training of members of the Syrian dissidents by the US
State Department (Jay Newton-Small, ‘Inside America’s secret training of Syria’s digital army’,
Time (13 June 2012) <http://swampland.time.com/2012/06/13/inside-americas-secret-training-of-
syrias-digital-army> accessed 15 March 2014).
137
138
Art 3(f) of the Definition of Aggression includes among the acts of aggression: ‘[t]he
action of a State in allowing its territory, which it has placed at the disposal of another State, to
be used by that other State for perpetrating an act of aggression against a third State’.
139
Richard A. Clarke & Robert K. Knake, Cyber War. The Next Threat to National Security
and What To Do About It (Harper Collins 2010) 27–8.
140
141
Schmitt (n 90) 280.

21 / Date: 24/3
do not materially damage those infrastructures. Indeed, the increasing digitalization of

today’s societies has made it possible to cause considerable harm to States through
non-destructive means: physical infrastructures can be incapacitated by affecting their
operating systems, with consequent disruption of services but without the need to
destroy them. An evolutive interpretation of Article 2(4) should take this into account.
As to cyber attacks conducted by States but falling below the level of the use of
force, ie those that do not result in material damage to property, loss of life or bodily
injury, or severe disruption of essential services, they may be a violation of the
principle of non-intervention in the internal affairs of other States if they are ‘the
manifestation of a policy of force’,142 i.e. if they are accompanied by an intention to
coerce the target State to do or not to do something ‘on matters in which each State is
permitted, by the principle of State sovereignty, to decide freely’.143 On the other hand,
cyber exploitation in order to exfiltrate information may be a violation of the
sovereignty of the targeted State when it entails an unauthorized intrusion into the
cyber infrastructure located on its territory, but not intervention and even less a use of
force, as it lacks the coercive element and does not involve the use of a destructive
payload capable of resulting in physical damage to property, loss of life, injury of
persons, or malfunction of infrastructure.
142
Corfu Channel (n 118) 35.
143

22 / Date: 24/3
12. Self-defence in cyberspace

Carlo Focarelli
1. INTRODUCTION
Self-defence is permitted under Article 51 UN Charter and customary international law,
as the ICJ stated in the Nicaragua Case.1 Article 51 reads:
Nothing in the present Charter shall impair the inherent right of individual or collective
self-defence if an armed attack occurs against a Member of the United Nations, until the
Security Council has taken measures necessary to maintain international peace and security.
Measures taken by Members in the exercise of this right of self-defence shall be immediately
reported to the Security Council and shall not in any way affect the authority and
responsibility of the Security Council under the present Charter to take at any time such
action as it deems necessary in order to maintain or restore international peace and security.2
In the system of the Charter the right of self-defence basically allows a State, either
individually or collectively, to respond militarily to an armed attack until the UN
Security Council takes measures necessary to maintain international peace and security.
Self-defence thus clearly constitutes an exception to the general prohibition on the
threat and use of force set out in Article 2(4) UN Charter.
The question as to whether the international law rule on self-defence applies to cyber
attacks is much debated. No explicit international law rules exist specifically applicable
to self-defence in cyberspace and the law of self-defence predates the advent of cyber
operations. A treaty on cyber operations is unlikely in the foreseeable future, one of the
reasons being that the most vulnerable States are at the same time those most capable
of conducting cyber attacks.3 A treaty for cyber disarmament has been proposed by the
Russian Federation, but opposed by the United States4 and fiercely resisted by the
private commercial cyber sector at the 2012 World Conference on International
1
Case concerning Military and Paramilitary Activities in and against Nicaragua (Nicara-
gua v. United States) (Merits) (Judgment of 27 June 1986) [1986] ICJ Rep. 14 para. 176.
2
On Article 51 see Bruno Simma et al. (eds)., The Charter of the United Nations: A
Commentary (OUP 2013).
3
Michael Schmitt, ‘Cyber operations and the jus ad bellum revisited’ (2011) 56 Villanova
L. Rev. 569, 604.
4
John Markoff and Andrew E Kramer, ‘US and Russia differ on a Treaty for Cyberspace’,
New York Times (27 June 2009) <http://www.nytimes.com/2009/06/28/world/28cyber.html?page
wanted=all> accessed 30 November 2013. It has been observed that the US plans to use the
Internet for offensive purposes, as it is believed it has done with Stuxnet (see section 3 below):
cf. Mary E O’Connell, ‘Cyber security without cyber war’ (2012) 17 J. Conflict & Sec. L. 187,
206.
255
1 / Date: 7/5
Telecommunications.5 As a result the question translates into asking whether and to

what extent the rules applying to physical (or ‘kinetic’) armed attacks also apply to
cyber attacks.
While this chapter is confined to self-defence, there are at least two connections
between the use of force in cyberspace discussed in the previous chapter and armed
attacks analysed here worth considering: first, there can be no cyber armed attack
justifying self-defence when such an attack does not amount to a ‘use of force’ in the
first place; secondly, a cyber counter-attack in self-defence may exceed the limitations
imposed by law to the right of self-defence and become an unlawful ‘use of force’.
Finally, some terminological observations are in order before addressing the issue of
self-defence in cyberspace. The term ‘cyber’, coming from ‘cybernetics’, is usually
linked with ‘space’. The idea of ‘cyberspace’, associated with McLuhan’s image of the
‘global village’ and William Gibson’s state of ‘consensual hallucination’,6 is found in
the well-known ‘Declaration of the Independence of Cyberspace’ made by John Barlow
in 1995, defining cyberspace as a space which ‘does not lie within [States’] borders’
and ‘a world that is both everywhere and nowhere’.7 It has been noted, however, that
cyberspace is not a space at all.8 Cyberspace is ‘no more than the interconnection of
electronic pathways’,9 a technology of inter-connection between people who are
located in the physical world, under the authority of one or more States, this
interconnection being possible by a physical infrastructure which is predominantly
made up of trans-ocean fibre optic cables and, to a small extent, of satellites.10
5
See Meyer (Ch 13 of this book); David Gross & Ethan Lucarelli, ‘The 2012 World
Conference on International Telecommunications: Another brewing storm over potential UN
regulation of the internet’ (Who’s Who Legal, 30 April 2012) <http://www.whoswholegal.com/
news/features/article/29378/the-2012-world-conference-international-telecommunications-brewing-
storm-potential-un-regulationinternet> accessed 30 November 2013; David Meyer, ‘ITU chief
claims Dubai meeting “Success”, despite collapse of talks’ (ZDnet, 14 December 2012)
<http://www.zdnet.com/itu-chief-claims-dubai-meeting-success-despite-collapse-of-talks-70000
08808> accessed 30 November 2013.
6
Marshall McLuhan, Understanding Media: The Extensions of Man (Gingko Press 1964)
6; W. Gibson, Neuromancer (Ace Books 1984) 69.
7
<https://projects.eff.org/~barlow/Declaration-Final.html> accessed 30 November 2013.
8
Mark Graham, ‘Time machines and virtual portals: The spatialities of the digital divide’
(2011) 11 Progress in Development Studies 215–217 <http://pdj.sagepub.com/content/11/3/
211.full.pdf+html> accessed 30 November 2013; Mark Graham, ‘Cyberspace’ (ZeroGeography,
3 November 2011) <http://www.zerogeography.net/2011/11/cyberspace.html> accessed 30
November 2013.
9
US Supreme Court, Reno v. American Civil Liberties Union, 521 U.S. 844, 889–90
(1997). According to the US Department of Defense cyberspace is ‘a global domain within the
information environment consisting of the interdependent network of information technology
infrastructures, including the Internet, telecommunications networks, computer systems, and
embedded processors and controllers’ (US Department of Defence, ‘Quadrennial Roles and
Missions Review Report’ (January 2009) <www.defense.gov/news/jan2009/qrmfinalreport_
v26jan.pdf> accessed 30 November 2013).
10
See PriMetrica, ‘The Submarine Cable Map’ <http://www.submarinecablemap.com>

2 / Date: 25/3
Self-defence in cyberspace 257
2. TOPICALITY OF CYBER SECURITY

States are increasingly going on line and their critical national infrastructure is more
and more controlled by networked computer systems, especially in technologically
advanced societies. In doing so, States seek to gain a comparative advantage and be
more competitive but this makes them increasingly vulnerable and they must ‘patrol’
cyberspace to prevent cyber threats and to respond timely and effectively to such
threats. States appear to be willing to use cyberspace, accept its risks but at the same
time militarize cyberspace in order to respond to cyber threats. A few data taken from
recent international practice may illustrate the topicality of cyber security today.
According to the International Telecommunication Union (ITU) ‘by end 2013…
there will be an estimated 2.7 billion people using the Internet worldwide’.11 In 2011
there were 403 million unique variants of malware, compared to 286 million in 2010
and nearly 5,000 new vulnerabilities were discovered in 2011.12 Since 2007 ITU has
been working on its Global Cyber-security Agenda and in 2011 it entered into an
agreement with the International Multilateral Partnership Against Cyber Threats
(IMPACT), an international public-private initiative dedicated to enhancing the global
community’s capacity to prevent, defend and respond to cyber threats. The 2011 ITU
‘National Cybersecurity Strategy Guide’ presented a ‘National Cybersecurity Strategy
Model’ together with, inter alia, an overview of legal, technical and procedural
measures.13
Since 2001 up to December 2012 the UN General Assembly has adopted a number
of resolutions noting that ‘the dissemination and use of information technologies and
means affect the interests of the entire international community’. At the same time, the
General Assembly warned that ‘these technologies and means can potentially be used
for purposes that are inconsistent with the objectives of maintaining international
stability and security and may adversely affect the integrity of the infrastructure of
States to the detriment of their security in both civil and military fields’.14
NATO expressly referred to cyber security in its 2010 Strategic Concept. It noted that
it will ‘develop further its ability to prevent, detect, defend against and recover from
11
ITU, ‘Measuring the Information Society 2013’ (Report, Executive Summary, ITU 2013)
1 <http://www.itu.int/dms_pub/itu-d/opb/ind/D-IND-ICTOI-2013-SUM-PDF-E.pdf> accessed 30
November 2013.
12
Symantec, ‘Symantec report finds that more than a third of global targeted attacks are
aimed against small businesses’ (10 July 2012) <http://www.symantec.com/about/news/release/
article.jsp?prid=20120710_01> accessed 30 November 2013.
13
See ITU, ‘ITU National Cybersecurity Strategy Guide’ (2011) <http://www.itu.int/ITU-
D/cyb/cybersecurity/docs/ITUNationalCybersecurityStrategyGuide.pdf> accessed 30 November
2013.
14
UNGA Res 56/19, ‘Developments in the field of information and telecommunications in
the context of international security’ (7 January 2002). See subsequently UNGA Res 58/32
(December 2003); UNGA Res 59/61 (3 December 2004); UNGA Res 60/45 (8 December 2005);
UNGA Res 61/54 (6 December 2006); UNGA Res 62/17 (5 December 2007); UNGA Res 63/37
(2 December 2008); UNGA Res 64/25 (2 December 2009); UNGA Res 65/41 (8 December
2010); UNGA Res 66/24 (2 December 2011); UNGA Res 67/27 (3 December 2012). On the role
of the UN see Henderson (Ch 22 of this book).

3 / Date: 7/5
cyber-attacks’.15 Every year, since 2008, a high-level NATO Cyber Conference has
been organized in Tallinn (Estonia) by the NATO Cooperative Cyber Defence Centre of
Excellence (CCDCOE),16 the latest Conference (at the time of writing) having been
held in June 2013.17 The Centre has drafted, inter alia, a ‘Manual on the International
Law Applicable to Cyber Warfare’, published in 2013.18 The 2012 Chicago Summit
Declaration reiterated the commitment of Member States to ‘develop further our ability
to prevent, detect, defend against, and recover from cyber attacks’.19
Since 2008 many States, in addition to the European Union, have developed National
Strategies and Policies concerning cybersecurity.20 An increasing number of States are
also establishing intelligence or military cyber units and commands to address cyber
threats.21 For example, in 2004 the European Network and Information Security
Agency (ENISA) was established as a body devoted to achieving a high and effective
level of network and information security within the EU.22 In the US, in January 2008
US President George W. Bush launched the ‘Comprehensive National Cybersecurity
Initiative’ (CNCI)23. In 2010 the US Department of Defense established CyberCom-
mand, as a sub-unit of Strategic Command, with a view to being prepared ‘to respond
to hostile acts in cyberspace’ and, accordingly, to reserving ‘the right, under the laws of
armed conflict, to respond to serious cyber-attacks, with a proportional and justified
military response, at the time and place of its choosing.24 In May 2011 US President
Obama stated that ‘the United States will respond to hostile acts in cyberspace’ since
15
‘Active Engagement, Modern Defence: Strategic Concept for the Defence and Security of
the Members of the North Atlantic Treaty Organization Adopted by Heads of State and
Government at the NATO Summit in Lisbon (19-20 November 2010) para. 19 <http://
www.nato.int/nato_static/assets/pdf/pdf_publications/20120214_strategic-concept-2010-eng.pdf>
accessed 30 November 2013.
16
NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) <http://ccdcoe.org>
17
CyCon 2013 (5th International Conference on Cyber Conflict) 4-7 June 2013, proceed-
ings at <http://ccdcoe.org/429.html> accessed 30 November 2013.
18
Warfare (CUP 2013) available online at <https://www.ccdcoe.org/249.html> accessed 30
November 2013.
19
Chicago Summit Declaration issued by the Heads of State and Government participating
in the meeting of the North Atlantic Council in Chicago (20 May 2012) para. 49 <http://
www.nato.int/cps/en/natolive/official_texts_87593.htm#cyber> accessed 30 November 2013. On
NATO and cyberspace see Ziolkowski (Ch 20 of this book).
20
See Wessel (Ch 19 of this book); ITU, ‘Strategies for Cybersecurity and Critical
Information Infrastructure Protection (CIIP)’ (ITU) <http://www.itu.int/ITU-D/cyb/cybersecurity/
strategies.html> accessed 3 September 2014.
21
E.g. US Cyber Command (USCYBERCOM).
22
ENISA was set up by Regulation (EC) No 460/2004 of the European Parliament and of
the Council on 10 March 2004.
23
National Security Council, The Comprehensive National Cybersecurity Initiative (2009)
<http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative>
24
William Lynn, ‘Announcement of the Department of Defense Cyberspace Strategy at the
National Defense University’ (U.S. Department of Defense, 14 July 2011) <http://www.
defense.gov/speeches/speech.aspx?speechid=1593> accessed 30 November 2013.

4 / Date: 8/5
‘[a]ll states possess an inherent right to self-defense’, thus reserving ‘the right to use all
necessary means – diplomatic, informational, military, and economic – as appropriate
and consistent with applicable international law’.25 The same year the Obama Admin-
istration concluded that ‘[t]hreats to cyberspace pose one of the most serious economic
and national security challenges of the 21st Century for the United States and our
allies’.26 In 2012 the Secretary of the US Department of Homeland Security (DHS)
called for cyber-security intelligence information sharing with private sector companies
as critical infrastructure providers (such as gas companies, water suppliers, etc.) ‘which
are at constant risk of cyber-attack’.27 A similar concern has also been raised within
NATO.28
3. KEY CASES THUS FAR

While cyber attacks, broadly defined, are very frequent (and routinely reported, for
example, by Symantec and McAfee, two respected anti-virus companies29), very few
cyber attacks have made headlines thus far as ‘attacks on states’ and have been cited in
military security discussions. A few words on some well-known cases recently occurred
(concerning Estonia in 2007, Syria in 2007, Georgia in 2008, and Iran in 2010) may be
useful for present purposes.
In April 2007 Estonia, one of the most wired societies in Europe at the time and a
pioneer in the development of ‘e-government’, was paralyzed by a cyber attack for a
few weeks.30 The attack was clearly prompted by the Estonians’ relocation of the
Soviet World War II memorial. Many critical infrastructures, including the banking
system, several government services and much of the media, broke down. The attack
consisted of a simultaneous huge number of information requests which overloaded and
blocked the entire system (so called ‘Distributed denial of service’ (DDoS)). Estonian
authorities referred the case to NATO adumbrating the notion that NATO should have
25
White House, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness
in a Networked World’ (Washington, May 2011) <http://info.publicintelligence.net/WH-
InternationalCyberspace.pdf> accessed 30 November 2013.
26
White House, ‘Cyberspace Policy Review: Assuring a trusted and resilient information
and communications infrastructure’ (Washington, 2009), <http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf> accessed 30 November 2013.
27
Eric B. Parizo, ‘Napolitano calls for cybersecurity intelligence information sharing’
(TechTarget, 10 September 2012) <http://searchsecurity.techtarget.com/news/2240162981/
Napolitano-calls-for-cybersecurity-intelligence-information-sharing> accessed 30 November
2013.
28
See NATO, ‘Working with the private sector to deter cyber attacks’ (10 November 2011)
<http://www.nato.int/cps/en/natolive/news_80764.htm4> accessed 30 November 2013.
29
See e.g. McAfee, ‘McAfee labs threats report: Third Quarter 2013’ <http://www.
mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf> accessed 3 September 2014;
Symantec, ‘Symantec 2013 Internet Security Threats Report’ <http://www.symantec.com/
security_response/publications/threatreport.jsp> accessed 3 September 2014.
30
See e.g. Mark Landler & John Markoff, ‘Digital fears emerge after data siege in Estonia’,
New York Times (29 May 2007) <http://www.nytimes.com/2007/05/29/technology/29estonia.
html?pagewanted=all&_r=0> accessed 30 November 2013.

5 / Date: 25/3
reacted as a matter of Article 5 of the North Atlantic Treaty.31 NATO, however, rejected
the claim. A NATO official simply said that: ‘This is an operational security issue,
something we’re taking very seriously’. Mr Jaak Aaviksoo, the Estonian Defence
Minister who had raised the matter with NATO, acknowledged that: ‘At present, NATO
does not define cyber-attacks as a clear military action. This means that the provisions
of Article V of the North Atlantic Treaty, or, in other words collective self-defence, will
not automatically be extended to the attacked country’, adding that, ‘Not a single
NATO defence minister would define a cyber-attack as a clear military action at
present’.32 The Russian Federation was suspected of being behind the attack, but it
denied any involvement and there is no conclusive evidence suggesting that it was
actually involved.33
In September 2007, Israel supposedly disabled the Syrian networked air defence
system when its air force penetrated the Syrian air space and bombed a suspected
nuclear site without being engaged or even detected.34
In August 2008, a number of cyber attacks hit Georgia immediately before and
during the Russian occupation of Ossetia. This prevented the Georgian authorities from
keeping information flowing to the national and international media. The Russian
Federation was immediately suspected, but in this case too there is no conclusive
evidence of its actual involvement.35 As is apparent, in both the Syrian case and in the
Georgian case, unlike the Estonian case, cyber attacks preceded and/or accompanied a
conventional attack.
31
Article 5 NATO reads:
The Parties agree that an armed attack against one or more of them in Europe or North
America shall be considered an attack against them all and consequently they agree that, if
such an armed attack occurs, each of them, in exercise of the right of individual or collective
self-defence recognised by Article 51 of the Charter of the United Nations, will assist the
Party or Parties so attacked by taking forthwith, individually and in concert with the other
Parties, such action as it deems necessary, including the use of armed force, to restore and
maintain the security of the North Atlantic area. Any such armed attack and all measures
taken as a result thereof shall immediately be reported to the Security Council. Such
measures shall be terminated when the Security Council has taken the measures necessary to
restore and maintain international peace and security.
32
Ian Traynor, ‘Russia accused of unleashing cyberwar to disable Estonia’, Guardian
(Brussels, 17 May 2007 <http://www.guardian.co.uk/world/2007/may/17/topstories3. russia>
33
Joshua Davis, ‘Hackers take down the most wired country in Europe’, Wired Magazine
(21 August 2007), <http://www.wired.com/politics/security/magazine/15-09/ff_estonia?current
Page=all> accessed 3 September 2014.
34
Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National
Security and What To Do about It (Harper Collins 2010) 1–8.
35
Jon Swaine, ‘Georgia: Russia “conducting cyber war”’, The Telegraph (11 August 2008)
<http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-
cyber-war.html> accessed 2 September 2014; Lesley Swanson, ‘The era of cyber warfare:
Applying international humanitarian law to the 2008 Russian-Georgian Conflict’ (2010) 32
Loyola Los Angeles Int’l. & Comparative L. J. 303; Eneken Tikk et al., Cyber Attacks Against
Georgia: Legal Lessons Identified (CCDCOE 2008) <http://www.carlisle.army.mil/DIME/
documents/Georgia%201%200.pdf> accessed 30 November 2013.

6 / Date: 7/5
Finally, in June 2010 a malware (i.e. a malicious software, a ‘worm’ in this case)
called ‘Stuxnet’ hit approximately 1,000 centrifuges at Iran’s Natanz nuclear enrich-
ment facility, in addition to thousands of other computers elsewhere in the world.
Stuxnet targeted industrial control systems, known as programmable logic controllers
(PLCs), made by Siemens. In this case, Israel and the US were suspected of the
attack,36 but, once again, without any conclusive evidence (although recently there have
been revelations confirming this allegation). Iran also accused the German engineering
firm Siemens of helping Israel and the US launch Stuxnet by providing information
about a Siemens-designed control system (SCADA) used in Iran’s nuclear sites.37
Neither the US and Israel have denied computer experts’ claims that they were behind
the development of Stuxnet. In October 2011, Stuxnet’s successor, Duqu, came to light.
It uses a zero-day exploit to install spyware that records keystrokes and other system
information.38 In the Iranian case the cyber attack, like in the Estonian case, was not
accompanied by a conventional attack; however, unlike in the Estonian case, it was
caused by a malware rather than by a DDoS.
These cases have been differently assessed in legal terms in the literature. For
example, Lucas argues for the justifiability of the Syrian, Georgian, and Stuxnet cases
and the unjustifiability of the Estonian case in the light of the just war doctrine.39
O’Connell denies that all such attacks amounted to the equivalent of an Article 51
‘armed attack’.40 Buchan argues that while Stuxnet did cause damage capable of
establishing a violation of Article 2(4) UN Charter, the Estonia case was one of a
violation of the principle of non-intervention.41 According to Tsagourias neither the
36
William J. Broad, John Markoff & David E Sanger, ‘Israeli test on worm called crucial in
Iran nuclear delay’, New York Times (15 January 2011) <http://www.nytimes.com/2011/01/16/
world/middleeast/16stuxnet.html?pagewanted=all> accessed 30 November 2013; Johnatan
Fildes, ‘Stuxnet work “Targeted high-value Iranian assets”’, BBC News (23 September 2010)
<http://www.bbc.co.uk/news/technology-11388018> accessed 30 November 2013; James Hider,
‘Computer virus used to sabotage Iran’s nuclear plan “built by US and Israel”’, The Australian
(17 January 2011) <http://www.theaustralian.com.au/news/world/computer-virus-used-to-
sabotage-irans-nuclear-plans-built-by-us-and-israel/story-e6frg6so-1225989304785> accessed 30
November 2013.
37
Saeed K. Dehghan, ‘Iran accuses Siemens of helping launch Stuxnet cyber-attack’, The
Guardian (17 April 2011) <http://www.guardian.co.uk/world/2011/apr/17/iran-siemens-stuxnet-
cyber-attack?INTCMP=SRCH> accessed 30 November 2013.
38
Symantec (n 12).
39
George R. Lucas, ‘Permissible preventive cyberwar: Restricting cyber conflict to justified
military targets’ in Luciano Floridi and Mariarosaria Taddeo (eds.), Philosophy of Engineering
and Technology (UNESCO Conference on Ethics and Cyber Warfare, University of Hertford-
shire, 1 July 2011); Randall R. Dupert, ‘The Ethics of cyberwarfare’ (2010) 9 J. of Military
Ethics 384.
40
O’Connell (n 4) 201–2.
41
Russell Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited interventions’
(2012) 17 J. Conflict & Sec. L. 211, 225–6.

7 / Date: 25/3
Estonian nor the Georgian case fell within the definition of armed attack for
self-defence purposes since the disruption they caused was contained and manage-
able.42
4. PREVAILING APPROACHES TO CYBER THREATS IN LEGAL

DOCTRINE
The key issue in the cyber attack debate is about whether cyber security should be
ensured by militarizing cyberspace and being prepared to respond kinetically if
necessary or by relying on ‘civil’ law enforcement measures. Most commentators on
the international law applicable to cyber war scenarios are in fact experts on the use of
force and often closely tied to the military.
It is first to be noted that a number of commentators argue that international law has
(or should have) no role at all in cyber security because it would leave the military
‘unable to fight, or even to plan for, a war in cyberspace’.43 Others find it difficult to
apply the existing rules of international law concerning the use of force by way of
analogy to cyber operations and argue for an ‘updated’ looser interpretation of such
rules so as to apply in the cyber context, often resuming an approach furthered during
the Cold War in relation to nuclear deterrence.44 Still others reply that the better
analogy is with the law enforcement paradigm managed by civil authorities applying to
maritime piracy or to chemicals used as weapons.45
The typical general approach adopted in the international law literature with regard
to major cyber threats is whether jus ad bellum applies,46 or whether and to what extent
42
Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’ (2012)
17 J. Conflict & Sec. L. 229, 232.
43
Stewart A. Baker & Charles J. Dunlap, ‘What is the role of lawyers in cyberwarfare?’,
ABA Journal (1 May 2012) <http://www.abajournal.com/magazine/article/what_is_the_role_of_
lawyers_in_cyberwarfare> accessed 20 June 2012; Stewart A Baker, ‘Denial of service, against
cyberwar with arcane rules and regulations’ Foreign Policy (30 September 2011) <http://
www.foreignpolicy.com/articles/2011/09/30/denial_of_service?hidecomments> accessed 30
November 2013.
44
Matthew C. Waxman, ‘Cyber-attacks and the use of force: Back to the future of Article
2(4)’ (2011) 36 Yale J. of Int’l. L. 421. See previously Mike McConnell, ‘To win the cyber-war,
look to the Cold War’, Washington Post (8 February 2010) B 1 <http://www.washington
post.com/wp-dyn/content/article/2010/02/25/AR2010022502493.html> accessed 30 November
2013; Mike McConnell, ‘How to win the cyber war we are losing’, Washington Post (28
February 2010) <http://www.washingtonpost.com/wp-dyn/content/article/2010/02/25/AR201002
2502493.html> accessed 30 November 2013.
45
Noah Schachtman & Peter Singer, ‘The wrong war: The insistence on applying Cold War
metaphors to cybersecurity is misplaced and counterproductive’ (Brookings, 15 August 2011)
<http://www.brookings.edu/articles/2011/0815_cybersecurity_singer_shachtman.aspx> accessed
30 November 2013; Ryan Singel, ‘White House Cyber Czar: “There is no cyberwar”’, Wired
Magazine (4 March 2010) <http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar>
46
E.g. Marco Roscini, ‘World wide warfare: Jus ad bellum and the use of cyber force’
(2010) 14 Max Planck Ybk. of UN L. 85–130; Schmitt (n 3).

8 / Date: 25/3
jus in bello applies,47 with some authors covering both fields.48 Some scholars
endeavour to stretch existing rules to cyber attacks by assuming that new treaties are
unlikely and perhaps undesirable; while others call for new rules, given the un-
precedented nature of cyber weapons. Most studies come from US scholars49 and often
analogize international law so as to apply it to cyber warfare,50 with few exceptions.51
Most studies accept that cyber attacks may amount to an unlawful ‘use of force’
prohibited by international law as well as to an ‘armed attack’ justifying (conventional
or ‘kinetic’) self-defence and to ‘armed conflict’ capable of triggering the application of
international humanitarian law in cases where substantial damage and destruction are
caused. While many accept that the effects should be ‘comparable’ to those of
conventional attacks and, in particular, should hit ‘critical infrastructure’, different
views have been taken with respect to the threshold which justifies a military response.
Finally, most studies merely hint at the key issues of identification of the attacker and
of legal attribution of the attack to a State.52 The difference if any between ‘cyber
crime’, ‘cyber terrorism’ and ‘cyber war’ remains blurred. Methodology is also rarely
addressed.53
5. CYBER ATTACKS AS ‘ARMED ATTACKS’ UNDER ARTICLE 51

UN CHARTER AND GENERAL INTERNATIONAL LAW
Article 51 mentions ‘the inherent right of individual or collective self-defence if an
armed attack occurs’. The right of self-defence consists of using armed force
47
Michael Schmitt, ‘Wired warfare, computer network attack and jus in bello’ (2002)
I.R.R.C 365; Knut Dörmann, ‘Applicability of the Additional Protocols to computer network
attacks: An ICRC approach’ in Karin Byström (ed.), International Expert Conference on
Computer Network Attacks and the Applicability of International Humanitarian Law: Proceed-
ing of the Conference (Stockholm: Swedish National Defence College, 17–19 September 2004);
Jenny Döge, ‘Cyber warfare: Challenges for the applicability of the traditional laws of war
regime’ (2010) 48 Archiv des Völkerrechts 486; Michael Schmitt, ‘Cyber operations and the jus
in bello: key issues’ (2011) 41 Israel Ybk on Human Rights 113. See also Part IV of this book.
48
E.g. Michael Schmitt, ‘Computer network attack and the use of force in international
law: Thoughts on a normative framework’ (1999) 37 Colum. J. Transnat’l. L. 885–937; Heather
H. Dinniss, Cyber Warfare and the Laws of War (Cambridge: CUP 2012); Marco Roscini, Cyber
Operations and the Use of Force in International Law (Oxford: OUP, 2014).
49
For a recent, interesting statement by the US Department of State’s the Legal Advisor on
the US position concerning the role of international law in cyberspace, see Harold H. Koh,
‘International Law in Cyberspace’ (U.S. Department of State, USCYBERCOM Inter-Agency
Legal Conference, 18 September 2012) <http://www.state.gov/s/l/releases/remarks/197924.htm>
accessed 25 February 2014.
50
Scott J. Shackelford, ‘From nuclear war to net war: Analogizing cyber attacks in
international law’ (2008) 27 Berkeley J. of Int’l. L. 191–251.
51
O’Connell (n 4) 209, arguing that ‘it is time … to turn to cyber disarmament and a focus
on peaceful protection of the Internet’ against the growing emphasis in the literature on
militarising cyber security.
52
For a succinct discussion on identification and attribution, see Roscini (n 46), 96–102.
53
Dinniss (n 48).

9 / Date: 7/5
unilaterally ‘if an armed attack occurs’. For a response to possibly qualify as

self-defence, armed force has to be used both by the attacker and by the victim of the
attack.
(a) Attacks in Cyberspace
The term ‘cyber attack’ is perhaps the most commonly used today to describe attacks in
cyberspace, but others are often found in the literature, notably ‘cyber network attack’
(CNA). According to the definition of the US Department of Defense, routinely
accepted as authoritative, a ‘Cyber Network Attack’, is: ‘[a]ctions taken through the use
of computer networks to disrupt, deny, degrade, or destroy information resident in
computers and computer networks, or the computers and networks themselves’.54
NATO adopts this definition, adding that: ‘[a] computer network attack is a type of
cyber attack’.55 What amounts to an ‘attack’ in cyberspace is in fact a complex issue for
a variety of reasons.56
First, not every hostile cyber act is an ‘attack’ for the purposes of justifying a per se
unlawful reaction, let alone a kinetic counter-attack. For example, a DDoS attack is the
result of a huge number of apparently ‘ordinary’ requests for information.57 It is the
number and the intent of the master computer rather than the one of the controlled
computers that make such requests ‘hostile’. The question about how ‘good’ and ‘bad’
requests can rapidly be distinguished is very difficult and generally requires infor-
mation from private-sector Internet Service Providers (ISPs) on their traffic, which is
usually confidential.
Secondly, there is a variety of potentially relevant cyber attacks that produce very
different effects, such as DDoS attacks (as occurred in Estonia and Georgia), malware
(as occurred in Iran), so-called ‘backdoors’ or ‘trapdoors’ (i.e. undocumented ways of
gaining access to a program, online service or an entire computer system for future
intrusion), etc. Unlike conventional and nuclear weapons, cyber attacks may have very
54
US Department of Defense, ‘Dictionary of Military and Associated Terms’ (Joint
Publication 1-02, 8 November 2010, as amended through 15 November 2013) <http://
www.dtic.mil/doctrine/new_pubs/jp1_02.pdf> accessed 30 November 2013.
55
NATO Standardization Agency, ‘NATO Glossary of Terms and Definitions’ (AAP-6,
2013) 2-C-11 <nsa.nato.int/nsa/zPublic/ap/aap6/AAP-6.pdf> accessed 30 November 2013.
56
The term ‘cyber attack’ (CA) is perhaps the most commonly used, but others are often
found in the literature, in particular Cyber Network Attack (CNA). In the past, Information
Warfare (IW) was also used. Other terms, referring to particular operations in the Net, include
Information Operation (IO), Cyber Network Exploitation (CNE) and Cyber Network Operation
(CNO). See Roscini (n 46) 91–3; Garry D. Brown and Owen W. Tullos, ‘On the spectrum of
cyberspace operations’, Small Wars J. (11 December 2012) <http://smallwarsjournal.com/print/
13595> accessed 30 November 2013. For sake of brevity I will refer to ‘cyber attack’ hereinafter.
For a general overview, see Michael Schmitt, ‘“Attack” as a term of art in international law: The
cyber operations context’ in Christian Czosseck, Rain Ottis & Katharina Ziolkowski (eds.),
Proceedings of the 4th International Conference on Cyber Conflict (CCDCOE 2012) 283–93,
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2184833> accessed 30 November 2013.
57
Hakem Beitollahi & Geert Deconinck, ‘A dependable architecture to mitigate distributed
denial of service attacks on network-based control systems’ (2012) 4 Int’l. J. of Critical
Infrastructure Protection (2012) 107–23.

10 / Date: 25/3
diverse effects, which may or may not cause destruction, so they cannot be treated as a
single homogenous category. For example, a DDoS attack may hit only one single State
(as occurred in Estonia), whereas a malware may propagate thorough the global net (as
occurred with Stuxnet).
Finally, the difference between a ‘cyber attack’ amounting to an ‘armed attack’
(which could possibly justify a military response in self-defence) and ‘cyber crime’58
(which would be treated as an ordinary crime falling within the criminal jurisdiction of
one or more states) is often unclear.
(b) ‘Use of Force’ as Part of an ‘Armed Attack’
Under Article 51 UN Charter in order for self-defence to be permitted an ‘armed

attack’ must have occurred. An ‘armed attack’ for the purposes of Article 51 is a form
of ‘use of force’59 under Article 2(4) UN Charter in the first place. Many writers, by
adopting a combination of the ‘effect-based’ (or ‘equivalence-based’) and the ‘target-
based’ approaches and dismissing the ‘instrument-based’ approach, have maintained
that a cyber attack can constitute a ‘use of force’ under Article 2(4). It is suggested that
what matters is not the ‘instrument’ used (i.e. the weapon) but rather the effects
produced (which have to be approximately equivalent to those produced by conven-
tional weapons)60 or, for some, the (military or sensitive) target.61 The term ‘force’ in
Article 2(4) means armed force and by ‘armed force’ is meant, as the ICJ pointed out
in the 1996 Nuclear Weapons Opinion, ‘any use of force, regardless of the weapons
employed’,62 supposedly including not only nuclear weapons but also other ‘dual-use’
weapons such as chemical and biological weapons.63 Although not being ‘armed’ in the
traditional sense, cyber attacks may thus amount to a ‘use of force’ under Article 2(4).
As such, when amounting to ‘aggression’ they could even constitute a crime against
peace and eventually fall within the jurisdiction of the ICC.64
(c) ‘Armed Attack’ for Self-defence Purposes
However, not any ‘use of force’ is an armed attack for self-defence purposes.65 Under
Article 51 only an ‘armed attack’ justifies self-defence,66 but the term ‘armed attack’ is
58
See Kastner & Mégret (Ch 9 of this book).
59
See Roscini (Ch 11 of this book).
60
See e.g. Yoram Dinstein, ‘Computer network attacks and self-defense’ (2001) 76 Int’l. L.
Stud. 99, 103.
61
Christopher Joyner & Catherine Lotrionte, ‘Information warfare as international co-
ercion: Elements of a legal framework’ (2001) 12 E.J.I.L. (2001) 825, 855.
62
Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep.
226, para. 39.
63
Roscini (n 46) 106.
64
Ibid. 111–13.
65
Waxman (n 44) 421.
66
Oil Platforms (Islamic Republic of Iran v United States) (Judgment of 6 November 2003)
[2003] ICJ Rep. 161 para. 51.

11 / Date: 7/5
not defined by Article 51 or any other treaty rule.67 While the term was probably
considered ‘self-evident’ in 1945,68 in the Nicaragua case the ICJ noted that ‘there
appears now to be general agreement on the nature of the acts which can be treated as
constituting armed attacks’.69 Famously, the Court has distinguished ‘the most grave
forms of the use of force from other less grave forms’,70 holding that there are
‘measures which do not constitute an armed attack but may nevertheless involve a use
of force’. In the Court’s view the supply of weapons and logistical support to rebels or
‘a mere frontier incident’ do not qualify as armed attacks under Article 51, although
they are unlawful uses of force under Article 2(4).71 In any event self-defence is
permitted only when the armed attack exhibit certain ‘scale and effects’.72 By such
standard, a cyber attack will constitute an ‘armed attack’ under Article 51 if its scale
and effects meet the threshold corresponding to the ‘most grave’ forms of the ‘use of
force’.73 The Institut de Droit International endorsed this view in its Santiago
Resolution of 2007 on self-defence.74
67
Nicaragua Case (Merits) (n 1) para. 176 (‘a definition of the “armed attack” which, if
found to exist, authorizes the exercise of the “inherent right” of self-defence, is not provided in
the Charter, and is not part of treaty law’).
68
Ian Brownlie, International Law and the Use of Force by States (Clarendon Press 1963)
278.
69
Nicaragua Case (Merits) (n 1) para. 195.
70
Ibid. paras 191, 210; Oil Platforms (n 66) paras 161, 186–187.
71
72
Ibid. paras 191 and 195. For a comment on the terms ‘scale’ and ‘effects’ see Avra
Constantinou, The Right of Self-Defence under Customary International Law and Article 51 of
the UN Charter (Sakkoulas 2000) 63–4.
73
The Legal Advisor U.S. Department of State, Koh (n 49) has recently stated in the
specific context of cyber attacks that:
the United States has for a long time taken the position that the inherent right of self-defense
potentially applies against any illegal use of force. In our view, there is no threshold for a use
of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that
is not to say that any illegal use of force triggers the right to use any and all force in response
– such responses must still be necessary and of course proportionate.
However, the position of one state is irrelevant to general international law: see e.g. the 2006
Jones judgment by the UK House of Lords [2006] UKHL 26, para. 22 (‘one swallow does not
make a rule of international law’ per Lord Bingham of Cornhill), and the 2012 Jurisdictional
Immunities of the State judgment by the ICJ ([2012] ICJ Rep. 99 paras 83 and 88, both
criticizing the (only) Italian jurisprudence favouring a ‘humanitarian exception’ to the jurisdic-
tional immunity of foreign states accused of serious violations of human rights.
74
Institut de Droit International, ‘Present Problems of the Use of Armed Force in
International Law. A. Self-defence’ (10A Resolution, Session de Santiago, 27 October 2007)
para. 5 http://www.idi-iil.org/idiE/resolutionsE/2007_san_02_en.pdf.
An armed attack triggering the right of self-defence must be of a certain degree of gravity.
Acts involving the use of force of lesser intensity may give rise to countermeasures in
conformity with international law. In case of an attack of lesser intensity the target State may
also take strictly necessary police measures to repel the attack. It is understood that the
Security Council may take [effective measures necessary to maintain or restore international
peace and security].

12 / Date: 25/3
While the term ‘use of force’ in Article 2(4) is generally meant to include non-kinetic
action, the term ‘armed’ in Article 51 may be understood as to imply the use of
weapons. However, as hinted earlier, in the 1996 Nuclear Weapons Advisory Opinion
the ICJ stated that Article 2(4), Article 51 and Article 42 UN Charter ‘do not refer to
specific weapons’ and hence ‘apply to any use of force, regardless of the weapons
employed’. According to the Court ‘[t]he Charter neither expressly prohibits, nor
permits, the use of any specific weapon, including nuclear weapons’.75
The question then arises as to when a cyber attack amounts to an ‘armed attack’ and
justifies self-defence. Cyber attacks conducted as part of an overall ‘classic’ military
kinetic operation, such as attacks against enemy command and control or air defence
systems, are subject to the international law rules (concerning the recourse to force and
international humanitarian law) applicable to kinetic armed attacks.76 As for standalone
cyber attacks, many commentators agree that here again the effect- and target-based
approaches to the interpretation of Article 51 should be adopted, although setting the
bar higher: a cyber attack is held to amount to an ‘armed attack’ when it causes death
or injury to persons or damage to property similar in scale and effects to kinetic
attacks,77 which may easily occur when the ‘critical infrastructure’ of the State (or other
political entity such as the EU) is hit,78 such as the shutdown of computers controlling
waterworks and dams leading to the flooding of inhabited areas.79 Rule 13 of the
Tallinn Manual adopts this approach.80 Other kinds of attacks may not reach the
threshold. It has been suggested, for example, that the mere destruction or damage of
data, standing alone, would not suffice since, otherwise, the vast majority of cyber
attacks would qualify as armed attacks and justify self-defence.81 Moreover, an
intention-based approach seems to have only a secondary relevance, what counts being
objective effects, even on a third State which is not the intended target of the attack.82
In Oil Platforms the ICJ specified that an armed attack has to be carried out ‘with the
specific intention of harming’, although it is unclear whether the Court meant a general
requirement for self-defence or merely referred to the instant case. Since cyber attacks
may well hit third States, the Court’s position seems to imply that States other than the
intended target State may not respond in self-defence.83
Whether customary international law, in addition to Article 51 UN Charter, permits
self-defence against cyber attacks is controversial. The question arises because inter-
national customary law still applies ‘separately from international treaty law’.84 Some
75
See Legality of the Threat or Use of Nuclear Weapons (n 62).
76
Schmitt (n 3) 588.
77
For a number of hypothetical examples, see ibid; Dinstein (n 60).
78
For the view that ‘a cyber attack on critical state infrastructure which paralyses or
massively disrupts the apparatus of the State should be equated to an armed attack, even if it
does not cause any immediate human injury or material damage’ see Tsagourias (n 42) 231.
79
Dinstein (n 60) 105; Yoram Dinstein, War, Aggression and Self-Defence (5th edn, CUP
2011) 212 para. 559.
80
Schmitt (n 18) rule 13.
81
Schmitt (n 3) 589.
82
Ibid. 590.
83
Oil Platforms (n 66) para. 64.
84

13 / Date: 7/5
scholars have answered the questions negatively.85 Others have countered that even in
the absence of actual practice usus is made up also of ‘verbal acts’ and ‘is more a
qualitative than a quantitative criterion’, and in any event several States and, to use the
ICJ’s language’,86 ‘specially affected’ non-State entities (for example NATO) have
taken a stance in favour of the right to self-defence against cyber attacks and triggered
a process, which is ongoing, which may lead ‘in the forthcoming years’ to the
formation of a customary rule.87 The issue is, however, of little practical relevance
since virtually all States are parties to the UN Charter and, as a specific consequence in
relation to self-defence, it is difficult to imagine a real ‘gap’ between Article 51 and
customary international law. A reaction by a non-State entity not being a party to the
UN Charter, such as NATO, would very likely be seen as a reaction of its Member
States in the form of collective self-defence under Article 5 of the NATO Treaty.88
(d) ‘Critical Infrastructure’ Targeted by Cyber Attacks89
The notion of ‘critical infrastructure’ is relatively novel and difficult to define.90 It has
to do, inter alia, with ‘national security’ but not any threat to the national security of a
State justifies a response in self-defence and the notion of ‘national security’ itself is
unclear.91 Moreover, the notion of ‘critical infrastructure’ varies in time and space. It
also depends on the very process of State informationalization since what was not seen
as ‘critical’ in the past or under other circumstances may become ‘critical’ as a result of
the State informationalization process itself.92 To complicate matters, in most States
critical infrastructures are often owned by the private sector.93
Broadly speaking, critical infrastructure is defined as the assets that are essential for
the functioning of a society and economy, notably for the supply of essential services.
85
See e.g. Schmitt (n 48) 921 (‘Neither practice, nor opinio juris, is in evidence’);
Shackelford (n 50) 219 (‘it is yet impossible as a matter of customary international law to argue
that IW is illegal, especially given that state practice routinely shows otherwise’).
86
North Sea Continental Shelf (Federal Republic of Germany v Denmark and Federal
Republic of Germany v Netherlands) (Merits) (Judgment of 20 February 1969) [1969] ICJ Rep
4 para. 73.
87
Roscini (n 46) 123–30.
88
See (n 31).
89
See also Roscini (Ch 11 of this book).
90
Eric T. Jensen, ‘Computer attacks on critical national infrastructure: A use of force
invoking the right to self-defense’ (2002) 38 Stanford J. of Int’l. L. 207.
91
Theodore Christakis, ‘L’Etat avant le droit? L’exception de “sécurité nationale” en droit
international’ (2008) 112 R.G.D.I.P. 5, 8–16.
92
UNGA Res 58/199 (23 December 2003) UN Doc A/RES/58/199 recognizes that ‘each
country will determine its own critical information infrastructures’ defined as ‘such as those used
for, inter alia, the generation, transmission and distribution of energy, air and maritime transport,
banking and financial services, e-commerce, water supply, food distribution and public health –
and the critical information infrastructures that increasingly interconnect and affect their
operations’; see also UNGA Res 64/211 (21 December 2009) on the ‘Creation of a global
culture of cybersecurity and taking stock of national efforts to protect critical information
infrastructures’.
93
Roscini (n 46) 118.

14 / Date: 25/3
It refers to such infrastructures as power plants, water systems, dams, gas pipelines,
chemical plants and reactors, transports (airlines, ferries, railways, highways, etc,),
energy networks for production, transport and distribution (such as gas pipelines, gas
storage facilities, electric trunks, electric transformers, energy generation plants and
fuel distribution), financial and bank networks, water and food distribution, ICT
networks such as Internet (both its physical and virtual infrastructure), radio, TV
networks, cabled broadcast and satellite communications, the health system, govern-
ment and military networks and emergency networks.
For example, EU Council Directive 2008/114/EC of 8 December 200894 establishes a
procedure for the identification and designation of European critical infrastructures
(‘ECIs’) and a common approach to the assessment of the need to improve their
protection (Art 1), defines ‘critical infrastructure’ as ‘an asset, system or part thereof
located in Member States which is essential for the maintenance of vital societal
functions, health, safety, security, economic or social well-being of people, and the
disruption or destruction of which would have a significant impact in a Member State
as a result of the failure to maintain those functions’ (Art 2(a)). This definition has
recently been reiterated in Directive 2013/40/EU of the European Parliament and of the
Council of 12 August 2013 on attacks against information systems.95
The US ‘Patriot Act of 2001’ defined critical infrastructure as those ‘systems and
assets, whether physical or virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating impact on security,
national economic security, national public health or safety, or any combination of
those matters’.96 It has been suggested that a cyber attack against a State’s military
assets and capability amounts to an armed attack for self-defence purposes97 and that:
cyber attacks on the controlling information technology for a nation’s infrastructure that had
a significant impact on the functioning of that infrastructure (whether or not it caused
immediate large-scale death or destruction of property)would be an armed attack for Article
51 purposes, just as would a kinetic attack that somehow managed to shut down the system
without such immediate secondary effects.98
94
Council Directive 2008/114/EC of 8 December 2008 on the identification and designa-
tion of European critical infrastructures and the assessment of the need to improve their
protection [2008] OJ L 345/75).
95
Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013
on attacks against information systems and replacing Council Framework Decision 2005/222/
JHA [2013] OJ L 218/8.
96
Section 1016 (e) of Public Law 107-56 of 26 October 2001, ‘The Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001’ commonly known as the ‘USA Patriot Act’ <http://epic.org/privacy/
terrorism/hr3162.pdf> accessed 30 November 2013.
97
Herbert S. Lin, Kenneth W. Dam & William A. Owens (eds.), Technology, Policy, Law
and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies
Press 2009) 245 (‘cyber attacks that compromise the ability of units of the DOD to perform the
DOD’s mission might well be regarded as an armed attack, and indeed STRATCOM has the
authority to conduct response actions to neutralize such threats’).
98
Ibid. 254.

15 / Date: 25/3
Others have replied that much depends on the effects of the attack and the military
character of the target is hardly relevant;99 moreover, although this may be the case in
State practice, it is not law as it stands.100 The same definition has been used by
Executive Order No 13636 of 12 February 2013, ‘Improving Critical Infrastructure
Cybersecurity’.101
Unsurprisingly NATO has also considered its own ‘contribution to meet security
challenges to critical infrastructure’, assuming that ‘[t]he impact of attacks against
critical infrastructure can be devastating to the livelihoods of modern societies’ and
‘[t]he increasing reliance on complex and networked technology and access to global
markets make our societies highly vulnerable to disruptions’.102
6. ANTICIPATORY SELF-DEFENCE103
Is anticipatory self-defence permitted against a mere threat of cyber attack or against an
attack which does not reach the threshold of an ‘armed attack’? The question is highly
debated and the ICJ abstained from pronouncing on it in the Nicaragua Case.104 In
Armed Activities in Congo the Court opined that ‘Article 51 of the Charter may justify
a use of force in self-defence only within the strict confines there laid down’ and ‘does
not allow the use of force by a State to protect perceived security interests beyond these
parameters’.105 A few States accept that anticipatory self-defence is permitted, arguing
that technological advances in weapons make anticipatory self-defence a matter of
necessity, whatever the language of Article 51. Most States, however, seem to take the
opposite stand, believing that a broad notion of anticipatory self-defence based on
remote attacks shades off into a justification of aggression, which is unquestionably
prohibited. In its 2007 Resolution on self-defence the Institut de Droit International
99
Schmitt (n 3) 589.
100
Ibid. 604.
101
White House, ‘Improving Critical Infrastructure Cybersecurity’ (Executive Order No
13636 of 12 February 2013) <http://www.whitehouse.gov/the-press-office/2013/02/12/executive-
order-improving-critical-infrastructure-cybersecurity> accessed 25 February 2014.
102
See NATO Emerging Security Challenges Division ‘The World in 2020 – Can NATO
Protect Us? The Challenges to Critical Infrastructure’ (Conference Report 10 December 2012,
Brussels) <http://natolibguides.info/ld.php?content_id=1675627> accessed 3 September 2014.
103
The terminology on self-defence against ‘threats’ rather than (ongoing or already
occurred) attacks is anything but univocal. Different terms are often used and even identical
terms may have different meanings in different authors and in international practice depending,
inter alia, on the nature, level or imminence of the threat. In this chapter the term ‘anticipatory
self-defence’ is used as an umbrella term whereas other terms, such as ‘pre-emptive’ ‘preventive’
and ‘interceptive’ self-defence, will be referred to below with the meanings attached to them by
specific authors or in specific contexts.
104
Nicaragua Case (Merits) (n 1) para. 194 (‘reliance is placed by the Parties only on the
right of self-defence in the case of an armed attack which has already occurred, and the issue of
the lawfulness of a response to the imminent threat of armed attack has not been raised.
Accordingly the Court expresses no view on that issue’).
105
Armed Activities on the Territory of the Democratic Republic of the Congo v Uganda
(Judgment) [2005] ICJ Rep. 168 paras 143 and 148.

16 / Date: 25/3
stated that: ‘The right of self-defence arises for the target State in case of an actual or
manifestly imminent armed attack’, there being ‘no basis in international law for the
doctrines of “preventive” self-defence in the absence of an actual or manifestly
imminent armed attack’.106 The Institut thus seems to accept anticipatory self-defence
in case it is necessary to face a ‘manifestly imminent’ – hence, impliedly, not merely
hypothetical or remote – armed attack. This is a reasonable position and is shared by
the UN legal doctrine,107 although the Non-Aligned Movement (NAM) appears firmly
against any form of anticipatory self-defence.108
Article 51, when read literally, seems to require that an attack is underway. As is well
known, the literature is divided. Some argue that self-defence is permitted faced with
an ‘imminent’ threat, relying on US Secretary of State Webster’s famous statement of
1841 in Caroline, which was affirmed by the Nuremberg Tribunal,109 whereby the
necessity for self-defence must be ‘instant, overwhelming, leaving no choice of means,
and no moment of deliberation’.110 Others argue that Article 51 prohibits anticipatory
self-defence.111 Still others have introduced a middle-path notion of ‘interceptive’
self-defence, i.e. a reaction to an attack already launched and about to strike the target
even if the target has not yet been hit.112 The 2002 ‘Bush Doctrine’, reaffirmed by the
US in its ‘2006 National Security Strategy’, admitted anticipatory self-defence in very
broad terms, i.e. even when the threat is not imminent but possible or merely
prospective and linked it with the military reaction to the ‘war on terror’.113 The 2010
National Security Strategy by US President Obama does not mention pre-emption
although it does not reject it either and reserves the right of the US to act unilaterally
if necessary.114
In the 1996 Nuclear Weapons Advisory Opinion the ICJ, noting ‘the fundamental
right of every State to survival, and thus its right to resort to self-defence, in accordance
106
Institut de Droit International (n 74) paras 3 and 6.
107
For example, in its 2004 ‘a more secure world: Our shared responsibility’ Report the
UN-mandated High-Level Panel on Threats, Challenges and Change distinguished between
lawful ‘pre-emptive’ self-defence when the attack is imminent, and unlawful (unless authorized
by the Security Council) ‘preventive’ self-defence when the alleged attack is too remote (UN
Doc A/59/565 paras 188–192). This opinion has apparently been endorsed by the UN
Secretary-General in his ‘In larger freedom: Towards development, security and human rights
forall’ (Report, 21 March 2005) UN Doc A/59/2005 para. 124.
108
UNGA, ‘NAM Comments on the High-level Panel Report’ (28 February 2005) UN Doc
A/59/PV, 43 <http://www.un.int/malaysia/NAM/Positionpaper280205.doc> accessed 25 Febru-
ary 2014.
109
Trial of the Major War Criminals (Judgment) [1946] (1947) 41 A.J.I.L. 172, 205.
110
John B. Moore, A Digest of International Law (Government Printing Office 1906) vol 2,
409–10.
111
E.g. according to Christine D. Gray, International Law and the Use of Force (3rd edn.,
OUP 2008) 165 and 213 (‘[t]here is very little international support for this [Bush] doctrine of
pre-emptive self-defence’).
112
Dinstein (n 79) 203–5.
113
See Christine D. Gray, ‘The Bush doctrine revisited: The 2006 National Security Strategy
of the USA’ (2006) 5 Chinese J. of Int’l. L. 555.
114
White House, ‘National Security Strategy’ (May 2010) <http://www.whitehouse.gov/
sites/default/files/rss_viewer/national_security_strategy.pdf> accessed 3 September 2014.

17 / Date: 25/3
with Article 51 of the Charter, when its survival is at stake’, observed that ‘it cannot
reach a definitive conclusion as to the legality or illegality of the use of nuclear
weapons by a State in an extreme circumstance of self-defence, in which its very
survival would be at stake’.115 It is a fact, however, that Article 51 refers to the
condition that ‘an armed attack occurs’ and it is the provision thus formulated that
binds Member States. The term ‘inherent’, far from indicating that Article 51 resumed
the pre-Charter rule on permissibility of anticipatory self-defence,116 simply seems to
take note that self-defence reflects the universal principle vim vi repellere licet. In the
1981 Osirak incident, many States condemned anticipatory self-defence,117 and they
have eventually continued to do so on other occasions. In the 2004 report A More
Secure World the UN-mandated High-Level Panel distinguished between lawful ‘pre-
emptive’ self-defence when the attack is imminent, and unlawful (unless authorized by
the Security Council) ‘preventive’ self-defence when the alleged attack is too remote,118
an opinion which has apparently been endorsed by the UN Secretary-General119 but
opposed by the Non-Aligned Movement (NAM).120
Article 51 and its expression ‘if an armed attack occurs’ remain, even under the
terms of the ICJ Nuclear Weapon Opinion, the basic parameter. On balance, it seems
that the international community does not accept anticipatory self-defence as a general
rule, but could see it as a justification on a case-by-case basis. The general rule is thus
that anticipatory self-defence is prohibited and that its permissibility depends on the
reaction of the international community as a whole in each case. Any attempt to
articulate the law further goes too far. Thus understood, anticipatory self-defence is not
permitted under Article 51, which has to be read literally, and rather overlaps with the
State of necessity in general international law as a justification for an otherwise
unlawful use of force.121 Not surprisingly preventive self-defence was permitted and
closely linked to self-preservation in the nineteenth century when recourse to force in
general was, unlike today, permitted. It may be condoned ex post by the international
community on a case-by-case basis if the threat to the State proves well-founded on the
basis of the knowledge and inferences which can be drawn at the moment of
115
Legality of the Threat or Use of Nuclear Weapons (n 62) para. 97.
116
D W. Bowett, Self-Defense in International Law (Praeger 1958) 188–92. Against this
view see Brownlie (n 68) 428–36.
117
UN Doc SCOR, 36th year, 2280th-2283rd, 2286th and 2288th meetings, and UNSC Res
487 (1981) (19 June 1981) adopted unanimously, condemning the attack.
118
UNGA, ‘Note by the Secretary-General’ (2 December 2004, A more secure world: Our
shared responsibility, Report of the High-Level Panel on Threats, Challenges and Change) UN
Doc A/59/565 paras 188–192.
119
UNSG, ‘In Larger Freedom (n 107) para 124.
120
‘Comments of the Non-Aligned Movement on the observations and recommendations
contained in the Report of the High-Level Panel on Threats, Challenges and Change’ (28
February 2005) UN Doc A/59/PV 14–15 <http://www.un.int/malaysia/NAM/Positionpaper
280205.doc> accessed 30 November 2013.
121
Cf. Article 25 UN ‘Draft Articles on Responsibility of States for Internationally Wrongful
Acts, with Commentaries’ (2001) GAOR 56th Session Supp. 10, 43. For some further
observations on the point see Carlo Focarelli, International Law as Social Construct: The
Struggle for Global Justice (OUP 2012) 367–8.

18 / Date: 7/5
deliberation. In any event, Article 51 applies and justifies ‘interceptive’ self-defence,122

while military intervention against a ‘threat to peace’ authorized by the UN Security
Council, when this is permitted, is justified under Chapter VII.
Concerning the threats of cyber attack, the Caroline criteria are thought by some to
be still valid and to apply.123 It has been suggested that anticipatory self-defence is ‘a
reasonable accommodation’ to present circumstances permitted when an ‘overtly
hostile intent’ to launch a cyber attack exists together with a decision to attack and the
planned attack is likely to generate armed attack consequences.124 In particular,
anticipatory self-defence is permitted if the prospective attack: (a) is part of an overall
operation culminating in armed attack; (b) is an irrevocable step in an imminent and
probably unavoidable attack; and (c) the response is a last resort measure to effectively
counter the attack.125 This position sounds sensible on the one hand, but, on the other
and at the same time, quite artificial. It is sensible because, given the speed of
electronic operations and their possible immediate devastating effects, only anticipatory
self-defence makes sense and leaves the attacked State an effective possibility of
defending itself. But it is also artificial, or purely speculative, because cyber attacks are
extremely difficult to trace even after their occurrence and it is difficult to see how the
target State may take action without hitting arbitrarily the supposed potential source of
attack.
7. CONDITIONS CONCOMITANT TO THE EXERCISE OF

SELF-DEFENCE
Self-defence has to be carried out by complying with necessity and proportionality, as
the ICJ stated in the Nicaragua Case126 and in Oil Platforms,127 Rule 14 of the Tallinn
Manual affirms such requirements.128 The threshold may suffer from some alteration as
a result of the unique features of cyber attacks.
Necessity requires that no other reasonable option is available other than force (such
as non-forcible measures or cyber defences) to effectively repel the attack, or to deter a
threat of (an imminent) attack if anticipatory self-defence is accepted. For example, if
passive cyber defences are sufficient to repel an ongoing attack (or to deter a
prospective attack) forceful measures are not necessary.129 This implies that States have
an obligation to put in place passive or active cyber defences (not amounting to a
prohibited use of force130) in order to block electronically cyber attacks and thus prove
122
See Dinstein (n 79).
123
Schmitt (n 48), 932–3.
124
Schmitt (n 3) 592–3.
125
Schmitt (n 48) 932–3.
126
127
Oil Platforms (n 66) paras 161, 183, 196–198.
128
129
In principle ‘passive’ cyber defences such as firewalls and antivirus software, which
merely block attacks are internationally lawful acts, although they may amount to a violation of
an international law rule other than that prohibiting the use of force.
130
Schmitt (n 3) 586.

19 / Date: 25/3
that such defences are insufficient to attain the aim of self-defence. For example, the
2020 NATO report states that ‘Over time, NATO should plan to mount a fully adequate
array of cyber defence capabilities, including passive and active elements’.131 It is
worth noting that necessity applies to both kinetic and cyber counter-attacks in
self-defence. In particular, cyber self-defence causing harm similar to kinetic (forceful)
self-defence is permitted only when lesser cyber counter-attacks reasonably capable of
repelling the attack (or deterring an imminent attack if anticipatory defence is accepted)
are unavailable.
Proportionality requires that, once force is deemed to be necessary, the amount of
force used does not exceed what is sufficient to repel or, if anticipatory self-defence is
accepted, to deter the threat of attack. A few States and some commentators have relied
on the ‘accumulation of events’ or ‘pin prick’ doctrine of armed attack so as to justify
an otherwise disproportionate response. In the Nicaragua Case the ICJ seems not to
dismiss this doctrine,132 but avoided explicitly discussing the point in subsequent cases
either.133 It is worth noting that, just like necessity, proportionality applies to both
kinetic and cyber counter-attacks in self-defence. Cyber self-defence causing harm
similar to kinetic (forceful) self-defence is thus permitted only when a smaller amount
of force is insufficient to repel the attack (or to deter an imminent attack). Of course,
cyber self-defence may prove inherently inadequate so that recourse to kinetic
self-defence is not only necessary but also proportionate, provided it is scaled to the
purpose of repelling or, if anticipatory self-defence is accepted, deterring the threat of
attack. It is often believed that a response in kind is inherently proportionate but this
depends on the notion of proportion accepted: e.g., if proportion refers to the harm
suffered it may well be that the same action causes very different levels of harm in
different states.134 As a result proportionality applies also to reactions in kind. The
131
NATO Emerging Security Challenges Division (n 102) 45.
132
133
Gray (n 113) 155–6; Dinstein (n 79) 206–7 and 255.
134
See e.g. Dapo Akande & Thomas Liefländer, ‘Clarifying necessity, imminence, and
proportionality in the law of self-defense’ (2013) 107 A.J.I.L. 563, 566–8, distinguishing three
conceptions of proportionality ‘each ha[ving] different implications’ (no more force than
necessary, commensurability with the attack or the threatened attack, damage inflicted propor-
tionate to the pursued objective). It is worth noting that similar problems exist with non-forcible
countermeasures. In the 1978 Air Services Award the Arbitral Tribunal articulated the condition
of proportionality by observing that countermeasures must have ‘some degree of equivalence
with the alleged breach’ this being ‘a well-known rule’ which both Parties had recognized and
invoked in the instant case; however, in the Tribunal’s view, ‘judging the “proportionality” of
countermeasures is not an easy task and can at best be accomplished by approximation’ taking
into account ‘not only the injuries suffered by the companies concerned but also the importance
of the questions of principle arising from the alleged breach’ (cf. Case concerning the Air
Service Agreement of 27 March 1946 between the United States and France (Award) [1978] 18
Reports of International Arbitral Awards 417 para. 83). What was meant by ‘questions of
principle’ is unclear; still, the Tribunal’s view was unquestionably that damages alone were
inadequate for an accurate assessment of proportionality. See further on this Focarelli (n 121)
351–2.

20 / Date: 25/3
application of the ‘accumulation of events’ to cyber operations is rather contro-

versial.135
Immediacy seems more a necessity than a requirement in a cyber context, where
speed is key. It is commonly accepted that immediacy has to be understood flexibly.
This applies a fortiori in a cyber context when considering that it may take a long time
to trace the attack back to its originator or for damage to occur after the attack. Rule 15
of the Tallinn Manual sets out such a requirement.136
8. COLLECTIVE SELF-DEFENCE
Article 51 permits collective self-defence in addition to individual self-defence, i.e.
armed action against an armed attack by a State other than the attacked State. The
possibility of collective self-defence may be stipulated in a military alliance treaty, as is
the case with Article 5 of the NATO Treaty,137 or more generally in bilateral and
multilateral mutual assistance treaties. However, as the 2020 NATO report pointed out,
‘there may well be doubts about whether an unconventional danger – such as a cyber
attack or evidence that terrorists are planning a strike – triggers the collective defence
mechanisms of Article 5’.138 And yet ‘the risk of a large-scale attack on NATO’s
command and control systems or energy grids could readily warrant consultations
under Article 4 and could possibly lead to collective defence measures under Article
5’.139 Rule 16 of the Tallinn Manual adopts this approach.140
Self-defence in general, including collective self-defence, may be resorted to
unilaterally, without any authorization of the Security Council, although it must cease if
and when the Council takes action. However, it is permitted only – in addition to the
requirements of necessity, proportionality and immediacy – on the basis of a request by
(and hence with and within the consent of) the attacked State, as the ICJ specified in
the Nicaragua Case141 and in Oil Platforms.142 In other words, it is not for third States
to determine whether another State has been the victim of an armed attack. Should the
response not conform to such a requirement, the counter-attack by a third State is an
unlawful use of force.
Cyber attacks may easily spread through networks and it may be difficult to identify
the ‘attacked’ State which has the right to consent to a counter-attack. Many States may
well be considered attacked and entitled to react in individual self-defence. It is also
necessary that all Member States of a mutual assistance treaty agree on considering a
certain cyber attack as an attack justifying collective reaction. Moreover, treaty
135
Roscini (n 46) 120.
136
137
See (n 31).
138
‘NATO 2020: Assured Security, Dynamic Engagement. Analysis and Recommendations
of the Group of Experts on a New Strategic Concept for NATO’ (17 May 2010) 20
<www.nato.int/strategic-concept/expertsreport.pdf> accessed 30 November 2013.
139
Ibid. 45.
140
141
142
Oil Platforms (n 66) para. 188.

21 / Date: 7/5
provisions on collective self-defence generally entitle all Member States to react but do
not provide an obligation to do so and it is therefore reasonable to expect that they take
part in the collective response only when it fits with their national interest. For instance,
in the case of Estonia NATO Member States were very slow to agree on responding in
self-defence.143
9. SELF-DEFENCE AGAINST NON-STATE ACTORS

The question whether non-State actors may carry out an ‘armed attack’ under Article 51
is heatedly debated.144 Self-defence has been traditionally understood as a State
reaction against another State. The ICJ seems to have endorsed the view that
self-defence is an inter-State measure,145 although some of its judges have argued for
the admissibility of ‘self-defence against non-State actors’.146 However, Article 2(4)
specifies that the ‘use of force’ prohibited has to come from a State and an ‘armed
attack’ under Article 51 is a per se prohibited ‘use of force’ in the first place. Unlawful
acts by private individuals or groups in principle fall within the criminal law of the
territorial State and the international law rules concerning the allocation of criminal
jurisdiction, criminal mutual assistance (including extradition) and, in extreme cases,
national and international prosecution of international crimes according to the ‘law-
enforcement’ paradigm. It is in principle for the State to prevent transnational crime
and to punish perpetrators.
However, certain States in the territory of which harm was caused by criminal acts
committed by private individuals or groups (rebels or alleged terrorists) from another
State have invoked self-defence even in cases where such criminal acts were not
attributable to this latter State. On the occasion of the War on Afghanistan in 2001 most
States, the UN Security Council and other international organizations apparently
endorsed the view that self-defence was permitted against Afghanistan regardless of the
attacks suffered being performed on behalf of the State of Afghanistan. In relation to
the Israeli-Lebanese War in 2006 most States apparently accepted Israel’s contention
that self-defence against Hezbollah was permitted, at least when the territorial State
(like Lebanon in that case) proves unable to prevent the attacks and even asks for
assistance from the international community, although many States and commentators
pointed out that the reaction was out of proportion to the extent that Israel targeted
Beirut and Lebanese areas other than those from which the attack had been
143
Schmitt (n 3) 598.
144
Noam Lubell, Extraterritorial Use of Force against Non-state Actors (OUP, 2010);
Theresa Reinold, ‘State weakness, irregular warfare, and the right to self-defense post-9/11’
(2011) 105 A.J.I.L. 244.
145
Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory
(Advisory Opinion) [2004] ICJ Rep. 136 para. 139; Armed Activities on the Territory of the
Democratic Republic of the Congo v Uganda (n 105) para. 160.
146
Legal Consequences of the Construction of a Wall (n 145) para. 139.

22 / Date: 25/3
launched.147 There is in legal doctrine some support for self-defence against non-State
actors accompanied by a trend by its advocates to regard its critics (as well as the ICJ’s
jurisprudence on the matter) as ‘conservative’.148 Another similar trend consists in
admitting self-defence against non-State actors as a corollary of the responsibility to
protect doctrine specifically understood as a ‘duty to prevent’.149 In its 2007 Resolution
on self-defence the Institut de Droit International stated that ‘Article 51 of the Charter
as supplemented by customary international law applies as a matter of principle’ and
provided only ‘some preliminary responses to the complex problems’ arising out of the
matter, concluding that ‘The State from which the armed attack by non-State actors is
launched has the obligation to cooperate with the target State’.150
The debate raged when in Resolution 1368 (2001) and in Resolution 1373 (2001) the
UN Security Council affirmed the inherent right to self-defence without specifying
whether the source of the armed attack had to be a State, apparently suggesting that the
attribution requirement and the concomitant acceptance of the concept of a ‘private’
armed attack could be abandoned.151 There are clear signs of possible abuse and likely
divergence of views among States. For example, according to the Russian Federation,
Resolution 1373 (2001) also covers Chechen rebels and justifies self-defence against
States (such as Georgia) from the territory of which they launch their attacks.152 Not
surprisingly, the Russian appeal to the doctrine of self-defence against non-State actors
was immediately opposed by one of its stronger advocates, the US, each, of course,
147
Cf UN Doc S/PV.5489 of 14 July 2006 and S/PV.5492 of 20 July 2006. See Gray (n 111)
241–4; more generally, see Jörg Kammerhofer, ‘The armed activities case and non-state actors in
self-defence law’ (2007) 20 L.J.I.L. 89.
148
Reinold (n 144) 245, 260, 262 and 285.
149
Lee Feinstein & Anne-Marie Slaughter, ‘A duty to prevent’ (2004) 83 Foreign Affairs
136. See generally Carlo Focarelli, ‘Ahead to the past? Responsibility to protect and the global
system’ (2012) 1 Gro. J. Int’l. L. 1 <grojil.org/0-focarelli.pdf> accessed 30 November 2013.
C. Focarelli, Responsibility to Protect in the Global System, in Peter Hilpold (ed.), Responsibility
to Protect (R2P): A New Paradigm of International Law? (Leiden and Boston: Brill/Nijhoff,
2015), pp. 417–438.
150
Institut de Droit International (n 74) para. 10.
151
See e.g. Thomas M Franck, ‘Terrorism and the right of self-defense’ (2001) 95 A.J.I.L.
839, 840; Christopher Greenwood, ‘International law and the pre-emptive use of force:
Afghanistan, Al-Qaida, and Iraq’ (2003) 4 San Diego Int’l. L. J. 7, 17.
152
The Russian Federation accused Georgia of failure to comply with UNSC Res 1373 (28
September 2001) UN Doc S/RES/1373, pointing out that such failure justified self-defence under
art 51 UN Charter. According to Russia:
If the Georgian leadership is unable to establish a security zone in the area of the
Georgian-Russian border, continues to ignore UNSC Res 1373 (28 September 2001) and does
not put an end to the bandit sorties and attacks on adjoining areas in the Russian Federation,
we reserve the right to act in accordance with Article 51 of the Charter of the United Nations.
Cf. Statement by Russian Federation President Vladimir Putin, ‘Annex to Letter dated 11
September 2002 from the Permanent Representative of the Russian Federation to the United
Nations Addressed to the Secretary-General’ UN Doc S/2002/1012, 2–3.

23 / Date: 7/5
being concerned with their own private ‘enemies’.153 In fact, cross-border military
incursions against alleged terrorists operating in neighbouring States are generally
condemned assuming that the crimes committed by the targeted individuals and groups
fall within the law enforcement paradigm and do not justify self-defence against the
territorial State. For example, a Colombian raid against the FARC in the territory of
Ecuador, in 2008, was condemned in the OAS Permanent Council by Resolution 930
(2008).154 Furthermore, the definition of the crime of aggression adopted at the 2010
Review Conference of the ICC Statute of Kampala does not mention the harbouring of
irregular forces. It only includes, by mirroring UN General Assembly Resolution 3314
(XXIX) of 14 December 1974 and in line with the ICJ Nicaragua Case Judgment, the
active sending of armed bands by, or on behalf of, a State to carry out acts of armed
force against another State.155
Furthermore, attribution is very relevant here. In theory, a ‘non-State’ actor is by
definition an entity which acts privately with no connection at all with a State.156
However, ‘sponsorship’ by a State is frequently invoked as a characteristic of
‘self-defence against non-State actors’. On attribution, and more precisely on ‘control’
as an attribution criterion, it is well known that the ICJ and the ILC on the one hand,
and the ICYT on the other, has taken different views albeit in different legal
contexts.157 Attribution may actually take several different forms and degrees of State
involvement, such as tolerance, causality, complicity, etc.158 This ambiguity tends to
153
Steven L. Myers, ‘Echoing Bush, Putin asks U.N. to back Georgia attack’, New York
Times (12 September 2002) A9; ‘US warns Russia over Georgia strike’ BBC News (13
September 2002) <http://news.bbc.co.uk/2/hi/world/europe/2254959.stm> accessed 30 Novem-
ber 2013.
154
OAS Permanent Council Res. 930 of 6 March 2008 <http://www.oas.org/consejo/
resolutions/res930.asp> accessed 30 November 2013.
155
ICC Res RC/Res 6 (11 June 2010) annex I, art 8bis (1) and (2) <http://www.icc-cpi.int/
iccdocs/asp_docs/Resolutions/RC-Res.6-ENG.pdf>. See also Kai Ambos, ‘The crime of aggres-
sion after Kampala’ (2011) 53 German Ybk of Int’l. L. 463; Stefan Barriga and Leena Grover, ‘A
historic breakthrough on the crime of aggression’ (2011) 105 A.J.I.L. 517.
156
On attribution in cyber self-defence see Tsagourias (n 42) 233–43; for the international
evidentiary standard to be applied, see O’Connell (n 4) 202.
157
Prosecutor v. Dusko Tadić (Appeal Judgment of 15 July 1999) [1999] No ICTY-94-1-A
paras 99–145; Nicaragua Case (Merits) (n 1) para. 115; Application of the Convention on the
Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and
Montenegro) (Judgment) [2007] ICJ Rep 43 paras 403–407.
158
The question about the criteria for attributing acts of non-state actors to a state in a
state-orientated interpretation of self-defence have been developed, inter alia, by Elizabeth
Wilmshurst, ‘The Chatham House Principles of International Law on the use of force in
self-defence’ (2006) 55 I.C.L.Q. 963–72; Daniel Bethlehem, ‘Self-defense against an imminent
or actual armed attack by nonstate actors’ (2012) 106 A.J.I.L. 769. In our view these suggestions
are no doubt interesting intellectual exercises but of little relevance (if not occasionally in fact
campaigning for the stronger states) when it comes to establishing existing law. For some
sharable critical comments, see Michael J Glennon, ‘Law, power, and principles’ (2013) 107
A.J.I.L. 378 (‘Bethlehem’s proposed principles … substitute the opinio juris of the powerful for
the practice of all’); ME O’Connell, ‘Dangerous departures’ (2013) 107 A.J.I.L. 380 (‘Bethlehem
offers to rewrite the rules, legalizing practices that today are violations of international law’);
Gabor Rona and Raha Wala, ‘No thank you to a radical rewrite of the jus ad bellum’ (2013) 107

24 / Date: 7/5
make the issue overlap with that of self-defence against a failure of the State to prevent
cross-border harmful action by private individuals or groups allegedly amounting to an
‘armed attack’ for self-defence purposes.159
There is no doubt that the duty of prevention of private cross-border harmful action
is established in general international law. As famously held in the 1941 Trail Smelter
Award ‘under the principles of international law … no State has the right to use or
permit the use of its territory in such a manner as to cause injury … in or to the
territory of another or the properties or persons therein’.160 Similar dicta had already
been made, in relation to the utilization of international watercourses, by an Arbitral
Tribunal in the 1928 Island of Palmas Award161 and by the PCIJ in the 1929 Oder River
Commission Judgment.162 The principle was later restated by the ICJ in general terms
in the 1949 Corfu Channel Judgment in terms of ‘every State’s obligation not to allow
knowingly its territory to be used for acts contrary to the rights of other States’,163 and,
specifically referring to environmental protection, in the 1996 Nuclear Weapons
Advisory Opinion,164 in the 1997 Gabčíkovo-Nagymaros Judgment,165 and in the 2010
Pulp Mills Judgment,166 as well as in Article 3 of the 1992 Biodiversity Convention.167
The principle has been recently thoroughly analysed by the ILC special rapporteur on
natural disasters.168 Briefly, a State’s failure to prevent private actors on its territory
from causing damage in the territory of another State constitutes an internationally
A.J.I.L. 387 (‘Bethlehem’s proposed principles … would reverse more than a century of
humanitarian and human rights progress’); Dire Tladi, ‘The nonconsenting innocent state: The
problem with Bethlehem’s principle 12’ (2013) 107 A.J.I.L. 570, 576 (Bethlehem’s ‘principle 12
[admitting in certain circumstances the armed reaction against a state without its consent] is
based on an erroneous assessment of customary international law and state practice and on an
acontextual interpretation of Article 51’).
159
Roscini (n 46) 102.
160
Trail Smelter Case (United States v Canada) (Award) [1941] United Nations Reports of
International Arbitral Awards (2006) 1905, 1965 <http://legal.un.org/riaa/cases/vol_III/1905-
1982.pdf> accessed 30 November 2013.
161
Island of Palmas Case (Netherlands v United States) (Award) [1928] United Nations
Reports of International Arbitral Awards (2006) 829, 839 <http://legal.un.org/riaa/cases/vol_II/
829-871.pdf> accessed 30 November 2013.
162
Territorial Jurisdiction of the International Commission of the River Oder (Judgment)
[1929] PCIJ Ser. A. No. 23 27.
163
Corfu Channel (United Kingdom v Albania) (Merits) (Judgment) [1949] ICJ Rep 4 22.
164
Legality of the Threat or Use of Nuclear Weapons (n 62) para. 29, ruling that the
principle ‘is now part of the corpus of international law relating to the environment’.
165
Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) [1997] ICJ Rep 7 paras
53 and 140.
166
Case concerning Pulp Mills on the River Uruguay (Argentina v Uruguay) (Judgment)
[2010] ICJ Rep. 2010 para. 101, holding that ‘the principle of prevention, as a customary rule,
has its origins in the due diligence that is required of a State in its territory’ and reiterating what
the Court had already stated in the 2006 Order (Case concerning Pulp Mills on the River
Uruguay (Argentina v Uruguay) (Provisional Measures Order) [2006] ICJ Rep. para. 72.
167
Convention on Biological Diversity (concluded 5 June 1992, entered into force 29
December 1993) 1760 UNTS 79.
168
See Carlo Focarelli, ‘Duty to protect in cases of natural disasters’ in Rüdiger Wolfrum
(ed.), Max Planck Encyclopaedia of Public International Law (OUP 2013).

25 / Date: 7/5
unlawful act. Non-forcible countermeasures are thus permitted. The point is whether
such a failure amounts to an ‘armed attack’ under Article 51, assuming that it would be
so if directly carried out by (or if attributable to) a State, or in any case if it constitutes
an international unlawful act of the State justifying self-defence.169
Self-defence against a State’s failure to prevent private trans-border harm is distinct
from self-defence against non-State actors as generally understood. The former is
directed against a State’s unlawful act, deriving from its failure to prevent private
individuals and groups from causing cross-border harm through an action that if carried
out by a State would amount to an ‘armed attack’ for self-defence purposes; while the
latter appears as directed against the allegedly responsible individuals and groups as a
response to their action and regardless of any attribution of their conduct to the State
from the territory of which harm has been caused.
It has been argued that in the cyber context States would be willing to apply the
same standard as in the terrorism context.170 One might contend that in cyberspace the
need for self-defence against non-State actors, however theorized, is particularly
compelling. But if this view is accepted then what is talked about is an autonomous
rule applying in cyberspace, a rule which, however, has little if any basis in existing
international law and is thus only promoted, since the data and practice available
concerning physical space are contentious at best. In UN General Assembly Resolution
55/63 of 4 December 2000 States are called upon to ‘ensure that their laws and practice
eliminate safe havens for those who criminally misuse information technologies’, with
no reference to self-defence or means other than those falling within the law
enforcement paradigm.171 It is a fact that ‘substitutive’ or ‘extra-territorial’ law
enforcement by other States is rooted in an imperial global order with the stronger
States (never the weaker ones for obvious reasons) operating as the ‘international
police’, inevitably to further their particular interests, along the lines (or abusing) of the
‘just war’ doctrine.172
It is thus difficult to accept that an armed reaction, whether called ‘self-defence’ or
otherwise, is permitted against a State’s lack of due diligence173 in preventing cyber
attacks from within its jurisdiction. This is not to imply, of course, that failure to
prevent is not internationally unlawful, nor that peaceful remedies against it (such as
countermeasures) are also prohibited. Even more difficult is to accept that an armed
reaction against a State as a whole is permitted insofar as this is the only way to hit
those private individuals who have launched an attack. Some links between the State –
provided that there is a ‘State’ – and the individuals who have launched the attack have
to exist. In other words, the whole debate should focus on the criteria of attribution
actually adopted in international practice, which may well be different in different
contexts, rather than on self-defence against ‘pure’ non-State actors.
169
See Mahmoud Hmoud, ‘Are new principles really needed? The potential of the
established distinction between responsibility for attacks by nonstate actors and the law of
self-defense’ (2013) 107 A.J.I.L. 576, 577–8.
170
Schmitt (n 3) 598–603.
171
UNGA Res 55/63 (4 December 2000) para. 1, on ‘Combating the criminal misuse of
information technologies’.
172
Focarelli (n 121) 358–62.
173
See Antonopoulos (Ch 3 of this book).

26 / Date: 7/5
10. SOME SCEPTICISM BY WAY OF CONCLUSION

It is almost a commonplace today in the literature to conceive of cyber attacks, under
certain circumstances, as ‘use of force’, ‘armed attack’ and/or ‘armed conflict’.174 This
approach is aimed at identifying an appropriate legal framework and, typically, at
justifying or ‘legitimizing’ cyber and kinetic actions or reactions of various kinds while
prohibiting others. Cyber space is imagined as a battle space similar to physical space
in which hostilities can be conducted similarly to acts performed in physical space. An
effect-based interpretative approach is often preferred to others in order to conclude
that certain cyber operations are ‘equivalent’ to kinetic operations, for either ‘use of
force’ or ‘armed attack’ or ‘armed conflict’ purposes, and are therefore subject to the
same legal regime. Some hopefully healthy scepticism on this narrative is not out of
place.
Analogies and speculative conjectures abundantly feed the debate to the point of
sounding often artificial. Internet has little to do with ‘space’, however this is
defined,175 and shares no analogy with kinetic activities carried out in physical space,
although its use may produce grave consequences in the physical world. No doubt
crimes may be committed through cyber operations, even amounting to international
crimes, but in an inter-State (rather than imperial) global world, crimes fall in principle
within the State law-enforcement paradigm. This is, for example, the approach to cyber
attacks recently adopted by Directive 2013/40/EU of the European Parliament and of
the Council of 12 August 2013 on attacks against information systems.176 The obvious
objections to this argument are that criminal prosecution by one or another State and
existing treaties may prove inadequate while the consequences of a cyber attack may be
highly destructive.177 Moreover, faced with a devastating cyber attack the UN Security
Council may not be willing or may not reach the consensus to take measures under
Chapter VII of the Charter.178
The counter-objection is that analogical reasoning in use of force contexts are quite
perilous. The appeal to existing international law on the use of force may disguise,
given the high uncertainty of the analogised rules deemed to be applied, the willingness
of a few strong States to free ride ‘legitimately’ with no really constraining rules. The
very basic concepts relied on to trigger the applicability of the international law on the
174
For a valuable exception, see O’Connell (n 4).
175
See (n 8).
176
See Directive 2013/40/EU of the European Parliament and of the Council (n 95).
177
Tikk and others (n 35) 29.
178
There seems to be little doubt that the Security Council may use its discretion and
determine that a certain cyber attack amounts to a ‘threat to the peace’ or even to an ‘act of
aggression’ or a ‘breach of the peace’ according to art 39 UN Charter, and take ‘enforcement
measures’ (peaceful sanctions or military response) against the ‘source’ of the cyber attack,
whether a state or a non-state actor. The Council may presumably also take ‘cyber sanctions’ or
impose a ‘cyber blockade’ and it may arguably authorize the use of kinetic force, although art 42
reads ‘by air, sea, or land forces’ which literally would exclude cyber attacks. See Marco Benatar
and Kristof Gombeer, ‘Cyber sanctions: Exploring a blind spot in the current legal debate’ in 4th
European Society of International Law Research Forum (Estonia, 27–28 May 2011) <http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=1989786> accessed 30 November 2013.

27 / Date: 7/5
use of force (‘use of force’, ‘armed attack’ and ‘armed conflict’) do not coincide even
where they are defined by one and the same word. For example, the term ‘attack’ refers
to a particular category of military operations under Article 49(1) of the 1977
Additional Protocol I to the 1949 Geneva Conventions, whereby ‘attacks’ are ‘acts of
violence against the adversary, whether in offence or in defence’, which has a different
legal meaning from the same word used in Article 51 UN Charter. The notions of ‘use
of force’, ‘armed attack’ and ‘armed conflict’ and their different meanings in different
legal settings, together with their inferred ‘equivalents’ in cyber space, make ‘upstream’
the whole picture quite aleatory despite the possible soundness of ‘downstream’
deductions made to identify the rules applicable to one or another hypothetical
scenario. The analogy instrument is here questionable in itself; the parameters of the
analogies made are uncertain even in their kinetic context; and the effect-based test
concerning the notion of ‘armed attack’ may in fact lead to several very different
conclusions depending on the circumstances. It seems that only a case-by-case
assessment of the overall perception by the international community as a whole can
reasonably be expected. Besides, the more likely scenario is an armed response in
kinetic terms to a cyber attack attributed to private individuals or groups, although very
difficult if not impossible to attribute to a State, and here again the rules analogised are
themselves very open to doubt even in their original conventional scenario.
The way forward seems to be the negotiation and creation of ad hoc international
institutions and rules for the Internet. It has been suggested that cyber attacks can
properly be viewed as violations of the non-intervention principle; as such, they would
not justify self-defence but, as international unlawful acts, alternative non-forcible
responses or coercive measures, possibly defensive, such as countermeasures or
measures adopted or authorized by the UN Security Council.179 The regulation of the
Internet is no doubt highly problematic and involves a huge variety of complex issues,
including the corporate private sector as well as States and non-State actors concerned
with online censorship. At the same time some regulation is clearly necessary,
hopefully one in line with international human rights standards. Efforts should be
redoubled to raise global awareness of the scale and effects of crimes committed in the
Internet, especially against critical infrastructure, so as to take appropriate coordinated
steps in preventing and punishing them just as has been done in respect of other very
serious transnational crimes, including international crimes. No ‘global policeman’ can
really and effectively patrol the Net.
Clearly, there is an underlying logic of escalation in cyberwar. The more a State
resorts to cyberspace to get more competitive and stronger vis-à-vis other relevant
actors, the more it becomes vulnerable to cyber attacks, the more it will feel in danger
and be inclined to ‘equate’ cyber attacks to kinetic attacks so as to ‘legitimately’
respond militarily. Most importantly, even assuming that States will exceptionally apply
the existing rules on self-defence described above, they have to meet the necessity
requirement concerning their continuing obligation to implement passive and active
(short of prohibited ‘force’) electronic defences prior to the alleged cyber attack and be
179
O’Connell (n 4) 199 and 202–6; Buchan (n 41) 221–7; Roscini (n 46) 110–11.

28 / Date: 7/5
as far as possible in a position to avoid kinetic force to defend themselves from cyber
operations.180
What is then the ‘cyber use of force’ debate hugely developed in recent years for? In
addition to trying hypothetically to identify reasonable rules, the key purpose so far is
twofold: deterring possible attacks and promoting the rules which could possibly
govern major cyber attacks at the moment when they occur so as to have at that very
moment the international community ‘prepared’ to share the view that the attack is
indeed ‘equivalent’ to a kinetic attack which justifies a kinetic response. By dissemin-
ating the opinion that the law is the one found in most official statements and
publications, their authors and sponsors are being contributing to the belief that this ‘is’
the law. This institutional and doctrinal campaign may prove successful and shape the
law in the future, perhaps and hopefully for the better, although this is different and
should be kept distinct from the law as it stands.181
180
On reducing vulnerability see Jeffrey S. Katz, ‘Smart grid security and architectural
thinking’ (White Paper, IBM) <http://www.ibm.com/smarterplanet/global/files/us__en_us__
energy__smartgridsecurity_and_architecturalthinking_katz.pdf> accessed 30 November 2013.
181
For a socio-constructivist approach to international law along these lines, see Focarelli
(n 121).

29 / Date: 7/5
13. Some thoughts on cyber deterrence and public

international law*
Eric Myjer
1. THE PROBLEM: INTRODUCTION

When it became clear that the Obama Administration was developing specific internal
rules on the use of cyber weapons and drones, the New York Times reported on
February 3 2013,1 that a secret legal review on the use of cyber weapons concluded that
the US President has the broad power to order a pre-emptive strike ‘if the US detects
credible evidence of a major digital attack looming from abroad’. The article said that
in the next few weeks the US Administration would approve the first rules on how the
military ‘can defend, or retaliate against a major cyber-attack’. There was reference to
intelligence agencies carrying out searches of ‘faraway computer networks’ for ‘signs
of potential attacks on the US’. Furthermore, it was said ‘international law allows any
country to defend itself from threats, and the US has applied that concept to conduct
pre-emptive attacks’. It was reported that cyber weapons were so powerful that ‘like
nuclear weapons- they should only be unleashed on the direct orders of the president
(the commander in chief)’. Not surprisingly, one of the subheadings (captions) is
‘Cyber weaponry is perhaps the most complex arms race’. This impression that there is
something like an arms race going on is supported by the fact that the US is acquiring
an offensive cyber capacity, as appears from the leaked ‘Presidential Decision Directive
signed by President Obama in 2012,2 but also that a State like South Korea3 is
developing such an offensive cyber capacity. According to a report by the EastWest
Institute, at present more than a dozen States are pursuing offensive cyber capabilities.
It concludes that there is a militarization of cyberspace ‘which drives the urgent need to
* The author would like to thank Jonathan Herbach and Karel Wellens for their comments
on a draft of this chapter.
1
David E. Sanger and Thom Shanker, ‘Broad powers seen for Obama in cyberstrikes’, New
York Times (3 February 2013) <http://www.nytimes.com/2013/02/04/us/broad-powers-seen-for-
obama-in-cyberstrikes.html?pagewanted=all> accessed 2 October 2014. See also (2013) 18(1) J.
Conflict & Sec. L. 1–4.
2
See International New York Times, 7 April 2014. See also ‘Presidential Policy Directive
PPD-20’ (U.S. Cyber Operations Policy, 2012) <fas.org/irp/offdocs/ppd/ppd-20.pdf> accessed 2
October 2014; Glen Greenwald and Ewan MacAskill, ‘Obama orders US to draw up overseas
target list for cyber-attacks’, The Guardian (7 June 2013) <http://www.theguardian.com/world/
2013/jun/07/obama-china-targets-cyber-overseas> accessed 2 October 2014.
3
Zachary Keck, ‘South Korea seeks cyber weapons to target North Korea’s nukes’, The
Diplomat (21 February 2014) <http://seclists.org/isn/2014/Feb/43> assessed 4 June 2014.
284
1 / Date: 15/5
Some thoughts on cyber deterrence and public international law 285
shield civilian critical infrastructure from peacetime cyber incidents, whether by

accident or design’.4
Critical infrastructures5 are under a constant threat of digital attacks. These attacks
may be conducted by States, or by non-State actors, merely to destabilize economic
relations, to steal information, but also for terrorist purposes. It is, however, also
possible that these attacks take place for military reasons, possibly in support of a
military attack with conventional means. An example of a combined strike was
Operation Orchard, which was the bombing raid by Israel on a nuclear reactor site at
Dayr ez-Zor in North Syria in 2007, whereby the Israeli military combined electronic
warfare with precision strikes.6 ‘It appears that the Israeli Air Force prepared for the
main attack by taking out a single Syrian radar site at Tall al-Abuad close to the
Turkish border’.7 The other possibility would be, at least in theory, that a State (or
non-State actor) would have the capability for a full-blown paralyzing attack against
another State by making use of its cyber capability.
Cyber weapons, like drones, for obvious reasons challenge the conflict and security
lawyer, for many fundamental questions arise. For instance, what is the legal basis for
a government hacking into ‘faraway computer networks’? Is it just part of an open
competition between the technologically most advanced States, or is it a variation on
intelligence gathering by national technical means (NTMs) as in the past? When do
these activities cross the threshold of threat or use of force? Can cyber operations ever
be the equivalent to use of force? And when and how are States allowed to react?
And does it make a difference whether it is a State or a non-State actor that is
threatening? Pre-emptive and preventive military action was the cornerstone of The US
National Security Strategy, as presented by the Bush administration in September
2002.8 Is this still the current US Security Strategy? Has there been a change in the
general opinion among public international lawyers that there is no legal basis for a
pre-emptive or preventive strike but only for self-defence against an armed attack
(article 51 UN Charter),9 or when there is an imminent attack, or as Yoram Dinstein
puts it, interceptive self-defence?10 More in general, how are the self-defence criteria
under the UN Charter, such as armed attack, proportionality and necessity, to be
applied? Have new rules of customary law in this realm been developed? But most
importantly do we have to conclude that a cyber-deterrent strategy11 is being developed,
either via self-defence or via retaliation? The mere mention of a possible preventive US
4
Bruce W. McConnell and Greg Austin, ‘A measure of restraint in cyberspace, reducing
risk to civilian nuclear assets’ (East West Institute, 2014) 10.
5
See section 2 below.
6
Thomas Rid, Cyber War Will Not Take Place (OUP 2013) 42.
7
Ibid.
8
‘The National Security Strategy of the United States of America’ (September 2002)
<www.state.gov/documents/organization/63562.pdf> accessed 2 October 2014.
9
See for instance ‘Pre-Emptive action’, Report by the Netherlands Government’s Advisory
Council on International Affairs (AIV) and the Advisory Committee on Issues of Public
International Law (CAVV), No. 36, AIV/No 15, CAVV, July 2004 <http://www.cavv-advies.nl/
Publications> accessed 2 October 2014.
10
Yoram Dinstein, War, Aggression and Self-Defence (5th edn, CUP 2001) 203–4.
11
‘Editorial’ (2013) 1 J. Conflict & Sec. L.

2 / Date: 25/3
reaction with extremely powerful cyber weapons against the possibility of a cyber threat
brings back memories of the early deterrence discussions with regard to nuclear
weapons.12 This chapter looks at the question of whether what we see is indeed a
cyber-deterrent strategy and whether a parallel can be drawn between the deterrent
strategies in the nuclear realm and such a strategy with regard to a possible cyber-attack by
States in cyberspace and projected generic (preventive) replies by States to such threats.
Furthermore, the chapter will deal with the question of whether such a cyber deterrent is
allowed under public international law. This focus on cyber deterrence is a State actor
approach which therefore largely leaves out how to deal with non-State actors, and in
that sense only deals with part of the problem of possible offensive cyber operations.
Although it concerns the question of deterrence and cyber-security in general, I will
finally also look at the question of what we can learn from this discussion with regard
to cyber-security of nuclear assets like nuclear power plants. Does it inform us on
particular ways to improve nuclear security?
Before focusing on deterrence as such, the next section will briefly discuss the issue
of cyber-security of critical structures, especially with regard to such nuclear assets.13
2. SECURITY AGAINST CYBER THREATS

(a) General
There are many ways in which the security of States could be threatened. On the one
hand the military security14 of a State could be endangered, which refers to security
from interference by military means. The security of a State could for instance be
threatened solely by military kinetic means or it could be done by a combination of
military and cyber means, whereby for instance a cyber operation is aimed at disrupting
the control by radars prior to a military attack on military targets. These security threats
fall within the traditional realm of (collective) self-defence.
Of a different order would be a cyber attack conducted solely on civilian critical
(information) infrastructures that are crucial to the operation of the State and whereby
cyber attacks could range from annoying disruptions of systems, to chaos and
enormous damage comparable to damage caused by an armed attack. This is about
cyber-security, meaning security from interference by cyber means. In both these
instances the central question is how to prevent such interference by either a military
attack or by a comparable cyber operation, a cyber attack for short. And what should be
done to prevent such an attack, or in the case of an actual attack? It will be clear that
12
On the broader use of an information advantage already in 1996 see Joseph S. Nye and
William A. Owens, ‘America’s information edge’ (1996) 75(2) Foreign Affairs 20–36, 20 for
instance, where they remark: ‘This information advantage can help deter or defeat traditional
military threats at relatively low cost.’
13
McConnell & Austin (n 4).
14
On the concept of military security and the ban on the use of force see Eric P.J. Myjer,
‘The law of arms control, military security and the issues: An introduction’ in Eric P.J. Myjer
(ed.). Issues of Arms Control Law and the Chemical Weapons Convention (Martinus Nijhoff
Publishers 2001) 2–4.

3 / Date: 7/5
there is a blurring of the lines between these two instances especially since the effects
of such cyber attacks could be comparable to those of an armed attack. After a general
discussion this contribution will, in concluding, also look at cyber security of critical
infrastructures of civil nuclear assets.
(b) Cybersecurity of Critical Infrastructures: The Objects and the Risks
Security in the cyber domain is a problem. Critical infrastructures are continuously

being hacked by outsiders that either attempt to interrupt these information structures,
or intend to inflict permanent damage.15 It thereby concerns cyber attacks on these
structures.
The term critical infrastructure16 is defined in this chapter in the same way as by the
European Commission, namely referring to those physical and information technology
facilities, networks, services and assets which, if disrupted or destroyed, would have a
serious impact on the health, safety, security or economic well-being of citizens or the
effective functioning of governments.
Critical infrastructure includes services related to:
+ energy installations and networks;

+ communications and information technology;
+ finance (banking, securities and investment);
+ health care;
+ food;
+ water (dams, storage, treatment and networks);
+ transport (airports, ports, intermodal facilities, railway and mass transit networks
and traffic control systems);
+ production, storage and transport of dangerous goods (e.g. chemical, biological,
radiological and nuclear materials);
+ government (e.g. critical services, facilities, information networks, assets and key
national sites and monuments).17
15
Barron-Lopez reports that ‘of the roughly 200 cases of hacking attacks the cybersecurity
team at the Department of Homeland Security handled in 2013, more than 40 percent were in
the energy sector’, which showed the energy sector to be the most vulnerable of the critical
infrastructures to attacks. Laura Barron-Lopez, ‘Cyber threats put energy sector on red alert’,
The Hill (12 June 2014) <http://thehill.com/policy/technology/209116-cyber-threats-put-energy-
sector-on-red-alert> accessed 2 October 2014.
16
See also Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’
(2012) 17(2) J. Conflict & Sec. L. 231, where the author refers to attacks on critical state
infrastructure. With regard to a definition thereof in his view ‘most definitions agree that certain
services such as security, food, water, transportation, banking and finance, health and energy,
governmental and public services constitute critical infrastructure’. See James C. Mulvenon et.
al., ‘Addressing cyber instability’ (Cyber Conflict Studies Association 2012) 339–63.
17
Commission (EC), ‘Critical Infrastructure Protection in the fight against terrorism’
(communication) COM(2004) 702 final, 20 October 2004.

4 / Date: 25/3
Critical Information Infrastructure (CII) refers to the information systems, networks

and data that support the safe or reliable operation of critical infrastructure.18 The
critical information infrastructures interconnect and affect their operations.19
Attacks on any of the critical infrastructures could lead to enormous damage. In
particular interference via cyber attacks on production, storage and transport of
dangerous goods (e.g. chemical, biological, radiological and nuclear materials) is
extremely worrisome since it might lead to effects comparable to those of weapons of
mass destruction. If one takes the example of radiological and nuclear materials the
dangers that flow from the release of these materials in the environment are enormous,
as illustrated by the case of the March 2011 Fukushima20 incident in Japan. The
Stuxnet21 cyber attack against Iran’s nuclear enrichment program at Natanz shows that
interfering with civilian nuclear assets is not a mere theoretical possibility, but has in
fact occurred leading to approximately 1,000 centrifuges spinning out of control.22
Even though it is assumed that the Natanz facility merely is one of the steps in the
production of nuclear weapons by Iran, it demonstrates the vulnerability of nuclear-
related facilities in general to cyber operations.
It is therefore vital to protect such infrastructures from outside interference to prevent
possible large-scale damage to people and the environment. In other words, by reducing
the risk to civilian nuclear assets nuclear security will be improved. Compare in this
context the Digital Agenda for Europe adopted by the European Commission.23
One particular element of the critical infrastructure that needs to be protected and
bears close resemblance to the more ‘classic’ area of military security, and arms control
is the case of a nuclear power plant. There is a dual use dimension to this particular
information infrastructure, for a cyber attack resulting in interference with, or damage
to, a nuclear power plant could turn it via the effects thereof into a (small-scale) nuclear
weapon. In its report A Measure of Restraint in Cyberspace24 the EastWest Institute
presents in no uncertain terms the urgency of acting to protect critical information
18
McConnell & Austin (n 4) 10.
19
UNGA Res 58/199 (30 January 2004) UN Doc A/RES/58/199 on the Creation of a global
culture of cybersecurity and the protection of critical information infrastructures defines the
relationship between critical infrastructures and the critical information infrastructures as
follows: ‘Noting the increasing links among most countries’ critical infrastructures – such as
those used for, inter alia, the generation, transmission and distribution of energy, air and
maritime transport, banking and financial services, e-commerce, water supply, food distribution
and public health – and the critical information infrastructures that increasingly interconnect and
affect their operations’.
20
See for instance ‘Fukushima accident’, World Nuclear Association (16 September 2014)
<http://www.world-nuclear.org/info/safety-and-security/safety-of-plants/fukushima-accident/>
accessed 2 October 2014.
21
See for instance Rid (n 6) 43–5; McConnell & Austin (n 4) 10–11; Russell Buchan,
‘Cyber attacks: Unlawful uses of force or prohibited interventions?’ (2012) 17(2) J. Conflict &
Sec. L. 219–21.
22
McConnell & Austin ibid. See also Rid ibid. 43–6.
23
Commission (EC) ‘A Digital Agenda for Europe’ (Communication) COM(2010)245 final,
19 May 2010.
24
McConnell & Austin (n 4).

5 / Date: 25/3
infrastructures and in particular to reduce the risks to civilian nuclear assets.25 The
report warns of the militarization of cyberspace which ‘drives the urgent need to shield
civilian critical infrastructure from peacetime cyber incidents, whether by accident or
design’26 and underscores the necessity for international agreements.
In what way could for instance the protection of a nuclear power plant be realized?
Protection could of course be improved by making sure that such critical infrastructures
are detached from the general cyber network (system) and has a standalone, solely
facility related cyber network. The report of the EastWest Institute mentions that a
practical beginning may be ‘to quarantine selected critical information infrastructure
(CII) from cyber attacks during peacetime as a measure of restraint’.27
With regard to the protection in peacetime of critical infrastructures, which are of a
civilian nature, it needs to be stressed that in considering its protection in this
contribution we will look at it from the perspective of deterrence and defence, which
both concern ius ad bellum rules. Of course more generally a State’s ‘classic’
deterrence and defence by military means is always aimed at the preservation of a
peacetime situation. With regard to cyber operations that may be threatening critical
infrastructures, however, another focus could have been to focus on the internet as
primarily belonging to the sphere of economic and communications activity where, as
quite rightly argued by Mary Ellen O’Connell, ‘civil law enforcement officials, have
primary jurisdiction’.28 This, however, is not the perspective taken in this chapter,
which is driven by the debate on creeping militarization of cyberspace.29 The Cyber
Conflict Studies Association (CCSA) refers to this approach as the ‘warfare approach’,
which is characterized by a militarized outlook on cyber conflict’.30 Interesting in this
respect is where Thomas Rid, remarks that ‘[w]hat has been militarized is the debate
about cyberspace’.31
The approach taken in this chapter does not mean that all the premises associated
with those32 who draw Cold War parallels with regard to cyber security are automatic-
ally accepted. An important point to take into consideration is Rid’s argument that
cyberspace is not a fifth domain of warfare for it ‘is not a separate domain of military
25
See also the Report of Working Group 2 –Managing Cyber Threat- to the Nuclear
Industry Summit 2014, which was held prior to the 2014 Nuclear Security Summit in The Hague
<https://www.nis2014.org/uploadedfiles/nis2014-wg2report_mct_final.pdf> (accessed 24 April
2015).
26
McConnell & Austin (n 4) 10.
27
Ibid.
28
Mary E. O’Connell, ‘Cyber security without cyber war’ (2012) 17(2) J. Conflict & Sec. L.
188.
29
See Introduction.
30
Mulvenon et. al. (n 16) 290. Other approaches discussed in their report are the technical
approach, the criminal approach and emerging approaches like public health, environmental and
irregular warfare (283– onwards).
31
‘[I]f militarizing cyberspace means establishing robust cyber defences, than cyberspace
has not been militarized. What has been militarized is the debate about cyberspace’. Rid (n 6)
174.
32
On participants in the cyber debate who make comparisons with the Cold War and nuclear
weapons, see ibid. 170.

6 / Date: 7/5
activity’,33 which led him to conclude that ‘the debate on national security and defence
would be well served if debating war was cut back to the time tested four domains’.34
One of the questions under consideration in this chapter is how do defensive and
offensive cyber operations fit in, like those mentioned earlier as in the case of the US,35
when considering the protection of critical (information) infrastructures? More specific-
ally could they be regarded as part of a cyber-deterrent strategy, and is such a deterrent
strategy allowed for under public international law?
3. PROTECTION VIA DETERRENCE: THE CONCEPT OF

DETERRENCE AND ITS CENTRAL ELEMENTS36
What deterrence basically comes down to is making clear to any potential opponent
that if you dare to attack me you may expect, at a minimum, a reply in kind, that will
be devastating to your potential. It may also include the message that even if attacked
my capacity to make such a reply will be preserved by a guaranteed second strike, so
a first strike will not give an advantage. Deterrence in international relations therefore
is about deterring a potential aggressor by projecting the reply that will follow in case
of an attack. It is about preventing an attack by making known to any possible
aggressor such a substantial reply that it will forsake such an attack. Morgan refers to
‘threats to inflict unacceptable harm on the attacker’. In his words this can be done by
‘a stout defense’ or ‘through retaliation’.37 When it concerns the projection of a
33
Ibid. 166.
34
Ibid. The four domains refer to land, sea, air and space.
35
See sources mentioned in (n 2).
36
See on deterrence in general Eric P.J. Myjer, Militaire Veiligheid door Afschrikking,
verdediging en het geweldverbod in het Handvest van de Verenigde Naties Military Security via
Deterrence, Defence and the ban on the use of force in the United Nations Charter (in Dutch)
(Kluwer 1980).
37
In international politics:
deterrence refers to efforts to avoid being deliberately attacked by using threats to inflict
unacceptable harm on the attacker in response. The threatened harm can be inflicted by a
stout defense, frustrating the attack or making it too costly to continue, or by turning its
success into a pyrrhic victory. Or it can be inflicted through retaliation. (And through a
combination of the two).
Patrick M Morgan, ‘Applicability of traditional deterrence concepts and theory to the cyber
realm’ in National Research Council ‘Proceedings of a Workshop on Deterring Cyberattacks:
Informing Strategies and Developing Options for U.S. Policy’ (The National Academies Press
2010) 55. See also his early theoretical study on deterrence: Patrick M. Morgan, Deterrence a
Conceptual Analysis, Sage Library of Social Research, Volume 40, 1977. Libicky chooses to
equate deterrence with retaliation and not also with defence. See Martin C. Libicky, Cyber-
deterence and Cyberwar (RAND Corporation 2009) 7:
If deterrence is anything that dissuades an attack, it is usually said to have two components:
deterrence by denial (the ability to frustrate the attacks) and deterrence by punishment (the
threat of retaliation). For purposes of concision, the use of deterrence in this work refers to
deterrence by punishment. This is not to deny that defense has no role to play – indeed, the
argument here is that it does play the greater role and rightfully so. Our discussion of

7 / Date: 15/5
credible defence in case of attack nothing is wrong, for each State is entitled to defend
itself both under conventional law ex Article 51 UN Charter and under customary law.
An example of this is the recent statement by the Secretary General of NATO, who, in
the context of the Ukraine political standoff, remarked, ‘Today, we will show our
steadfast commitment to NATO’s collective defence. Defence starts with deterrence.’38
He went on, ‘So we will take the necessary steps to make it clear to the world that no
threat against NATO Allies will succeed.’ This case of deterrence via the projection of
defence is about self-defence and is therefore not a forbidden threat to use force ex
Article 2(4) UN Charter, although the distinction sometimes may be rather subtle. Of
course this self-defence needs to answer to principles like necessity, proportionality and
immediacy. A totally different case, however, is threatening retaliation by the projection
of a blatant use of force, meaning use of force breaching these principles. Deterrence
via retaliation, however, is highly questionable from the point of view of public
international law. This, however, did not prevent the nuclear weapon States from
adopting such a strategy. Even since the end of the Cold War this nuclear-deterrence
strategy has been maintained and is still being applied.39 The projected reply in case of
an attack by nuclear means is through retaliation by nuclear means.
Given the fact that next to a defensive cyber capacity at present also a so-called
offensive cyber capacity is being developed,40 the question is whether this might lead to
a similar deterrent strategy in the cyber area, namely a cyber deterrence, that would not
only deter with the projection of a credible defensive capability and a credible will to
apply it in case of an attack (which is not possible in the case of nuclear deterrence, as
will be explained) but also via the projection of retaliation via offensive means? To start
with: Would it be possible to retaliate against a particular (specific) cyber aggressor?
Could the attacker be identified quickly and without any reasonable doubt? And, more
generally, would it be a viable and acceptable strategy? And if so would it be allowed
for under public international law, or is it a forbidden threat with regard to the use of
force?
Before attempting to answer these questions, the next section will first give a short
description of how nuclear deterrence developed with its projection of massive
devastation via retaliation with offensive means, which ultimately leads to Mutual
Assured Destruction (MAD).
deterrence (by punishment) asks whether it should be added to defense (deterrence by

denial). Also, […] deterrence by denial and deterrence by punishment are synergistic with
one another in some ways. Nevertheless, from this point on, deterrence refers to deterrence
by punishment; the rest is defense.
See for a different approach to cyber deterrence Eric T Jensen, ‘Cyber deterrence’ (2012) 26
Emory Int’l. L. Rev. 773–824.
38
‘Today, we will show our steadfast commitment to NATO’s collective defence. Defence
starts with deterrence. So we will take the necessary steps to make it clear to the world that no
threat against NATO Allies will succeed.’ ‘Statement by NATO Secretary General Anders Fogh
Rasmussen at the start of the NATO Foreign Affaires Meeting’ (NATO, 1 April 2014).
39
Interestingly before the Russian usurpation of the Crimea few policy makers in the West
were willing to face this fact.
40
See (n 2). Also see McConnell & Austin (n 4) 10: ‘More than a dozen states are now
pursuing offensive cyber capabilities’.

8 / Date: 7/5
4. NUCLEAR DETERRENCE
Deterring a potential aggressor by showing a credible capacity for defence or retaliation
and a credible will to apply it in case of an attack as a strategy has existed for a very
long time. Given that defence against nuclear weapons is not possible, nuclear
deterrence with retaliation as its core element started when, after World War II the US
was still the sole possessor of nuclear weapons.
It later became known as the strategy of massive retaliation, in which the US
strategic retaliatory capacity was central. Its prime aim was to deter Soviet aggression.
This strategy originated, to a large extent, from budgetary constraints that made it
difficult to build up US conventional forces to outweigh what were assumed to be the
superior Soviet conventional forces. In his famous speech in January 1954 to the
Council on Foreign Relations the US Foreign Minister, John Foster Dulles, presented
the strategy of deterrence and the role of nuclear weapons. A crucial element in his
so-called massive retaliation speech was where he remarked: ‘The way to deter
aggression is for the free community to be willing and able to respond vigorously at
places and with means of its own choosing.’41 It was, in other words, about organizing
maximum security at minimal costs. Central to this strategy is deterrence via retaliation
not via defence. This strategy is also important because it can be regarded as the first
systematic theory of deterrence in the age of the Cold War.42
Although the Dulles speech took place four years after the first explosion of a Soviet
atom bomb, and a few months after that of a thermo-nuclear weapon, it would still take
some time before the possibility that the Soviet Union could answer with similar means
was taken into consideration. That, however, changed after it became apparent that the
Soviet Union had also developed the capability to deliver nuclear weapons in reply.
This introduced the so-called balance of terror that would, in the end, lead via the
concept of mutual deterrence to that of mutually assured destruction, which still forms
part of present-day security strategy with regard to nuclear weapons, in which
deterrence plays a predominant role. Two elements were crucial in this strategy. The
first is that a nuclear attack would have devastating consequences against which a
proportional defence would be impossible. This made it essential to threaten with
retaliation in kind in case of a nuclear attack (a so-called first strike). For this to be a
credible threat in reply it was essential that such retaliation in a second strike was
possible. This second strike potential was realized via the so called Triad, a combin-
ation of nuclear weapons on submarines, airplanes and on land-based missiles, whereby
an attacker would never be able to make a first strike whereby the full nuclear
inventory of the opponent would be annihilated (destroyed). Next to that a ‘watertight’
defensive shield against incoming missiles was technically not possible, although in the
early 1980s research into this possibility was given a boost under Ronald Reagan with
41
John F. Dulles, ‘The evolution of Foreign Policy’ (1954) 30 Department of State Bulletin.
See Bernard Brodie, Strategy in the Missile Age (Princeton University Press 1971) 241. See also
three months later John F. Dulles, ‘Policy for Security and Peace’ (1945) 32 Foreign Affairs
353–64.
42
Alexander L. George and Richard Smoke, Deterrence in American Foreign Policy, Theory
and Practice, (Columbia University Press 1974) 25. See also Myjer (n 36) 49.

9 / Date: 7/5
the Strategic Defense Initiative, or so called ‘Star Wars’ strategy. This led to accepting
mutual vulnerability of which the ABM (anti-ballistic missile) treaty43 was an expres-
sion.
At least at the strategic level this doctrine still operates and answers the basic idea of
deterrence, namely deterring a potential aggressor by mirroring the nuclear reply that
will follow in case of an attack. Given a guaranteed second strike capability of nuclear
weapons with the opposing parties this led to a mutual-deterrence strategy with the risk
in case the deterrence failed of MAD of both nuclear power blocks. This is what this
strategy generally is referred to. Interestingly this survived the Cold War and is still the
current strategy with regard to the nuclear weapons.44 This is still the case in spite of
the fact that in 2002 under George W Bush the US withdrew from the ABM Treaty, in
order to be able to further develop and eventually install missile shields, thereby
bringing into question the US’s willingness to accept the premise of the nuclear-
deterrent strategy, namely to remain vulnerable to a possible nuclear attack. Since to
this day no effective nuclear shield has been developed, there is still this mutual
vulnerability. What is different, however, is that nowadays there are more nuclear
weapons and nuclear weapons States than in the 1950s, with India, Pakistan, Israel and
North Korea now also nuclear weapon States.
On the question of whether this strategy is in conformity with public international
law the International Court of Justice (ICJ) gave its ambivalent advisory opinion (see
below).
5. NUCLEAR DETERRENCE AND PUBLIC INTERNATIONAL

LAW: THE NUCLEAR WEAPONS CASE
The only time the ICJ addressed the concept of deterrence was when it was raised in
the Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) (1996).45 In
it the Court, however, decided not to pronounce on it:
43
Treaty between the United States of America and the Union of Soviet Socialist Republics
on the Limitation of Ant-Ballistic Missile Systems (26 May 1972).
44
Whether there still is a situation of MAD or whether the US is developing nuclear
primacy was raised by Keir A. Lieber and Daryl G. Press, ‘The rise of U.S. nuclear primacy’
(2006) 85(2) Foreign Affairs and further developed in Keir A. Lieber and Daryl G. Press, ‘The
end of MAD? The nuclear dimension of U.S. primacy’ (2006) 30(4) Int’l. Sec. 7–44. The Essay
in Foreign Affairs led to a response by a number of authors denying the Lieber and Press thesis
and stressing that there still is a MAD situation. See Peter C. Flory, ‘Nuclear exchange: Does
Washington really have (or want) nuclear primacy? (2006) 85(5) Foreign Affairs.
45
Legality of the threat or use of nuclear weapons (Advisory opinion) [1996] ICJ Rep. 1996
229. Deterrence is also referred to either directly, or indirectly, in the context of the proceedings
instituted on 24 April 2014 by the Republic of the Marshall Islands against the United Kingdom
of Great Britain and Northern Ireland, against the Islamic Republic of Pakistan and against the
Republic of India, re ‘obligation to pursue in good faith and conclude negotiations leading to
nuclear disarmament’. See the respective applications with the ICJ.

10 / Date: 7/5
67. The Court does not intend to pronounce here upon the practice known as the ‘policy of
deterrence’. It notes that it is a fact that a number of States adhered to that practice during the
greater part of the Cold War and continue to adhere to it […]46
The argument about deterrence was raised in the context of the question whether there
existed a rule of customary international law prohibiting the threat or use of nuclear
weapons as such. According to the ICJ on the one hand States:
which hold the view that the use of nuclear weapons is illegal have endeavoured to
demonstrate the existence of a customary rule prohibiting this use. They refer to a consistent
practice of non-utilization of nuclear weapons by States since 1945 and they would see in
that practice the expression of an opinio iuris on the part of those who possess such
weapons.47
On the other hand, there were some States:
which assert the legality of the threat and use of nuclear weapons in certain circumstances,
invoked the doctrine and practice of deterrence in support of their argument. They recall that
they have always, in concert with certain other States, reserved the right to use those weapons
in the exercise of the right to self-defence against an armed attack threatening their vital
interests. In their view, if nuclear weapons have not been used since 1945, it is not on account
of an existing or nascent custom but merely because circumstances that might justify their
use have fortunately not arisen.48
Against the background of these arguments the ICJ decided not to pronounce on the
‘policy of deterrence’.
It notes that it is a fact that a number of States adhered to that practice during the greater part
of the Cold War and continue to adhere to it. Furthermore, the Members of the international
community are profoundly divided on the matter of whether non-recourse to nuclear weapons
over the past fifty years constitutes the expression of an opinio iuris. Under these
circumstances the Court does not consider itself able to find that there is such opinio iuris.49
The Court, however, made clear that both the rules of ius ad bellum and of ius in bello
(the humanitarian law of armed conflict) with customary law principles like proportion-
ality and necessity also apply.
Nevertheless the Court considers that it does not have sufficient elements to enable it to
conclude with certainty that the use of nuclear weapons would necessarily be at variance with
the principles and rules of law applicable in armed conflict in any circumstance.50
Also the ‘fundamental right of every state to survival, and thus its right to resort to
self-defence, in accordance with Article 51 of the Charter, when its survival is at
46
Ibid. para. 67.
47
Ibid. para. 65.
48
Ibid. para. 66 [emphasis added].
49
Ibid. para. 67.
50
Ibid. para. 95.

11 / Date: 25/3
stake’,51 was taken into consideration, as was the fact that it could not ignore ‘the
practice referred to as “policy of deterrence”’.52 The Court then concluded, by seven
votes to seven with the President’s deciding vote, what widely is referred to as a
non-liquet,53 that it is ‘led to observe that it cannot reach a definitive conclusion as to
the legality or illegality of the use of nuclear weapons by a State in an extreme
circumstance of self-defence, in which its very survival would be at stake’.54 Given that
deterrence is about projecting the reply in case of attack, with this conclusion regarding
the use of nuclear weapons in self-defence also no definitive conclusion can be drawn
whether the projection of this ‘self defence by nuclear weapons’ is legitimate
self-defence or a forbidden threat to use force ex Article 2(4) UN Charter. In other
words it leaves open the question regarding the legitimacy of nuclear deterrence.
6. CYBER DETERRENCE
This section looks at the question whether a cyber-deterrent strategy comparable to the
nuclear-deterrent strategy is possible. The reason to make such a comparison is because
of some apparently common characteristics of the way the US announced its nuclear-
deterrent strategy and its cyber strategy, namely the prevention of threats of vital
interests via the projection of indiscriminate offensive nuclear means against nuclear
attacks or via offensive cyber means in the case of a cyber attack.
The reason for trying to assess whether in cyberspace one is also witnessing the
development of a strategy of deterrence, however, is not that cyber attacks that occur
can be one-on-one compared with attacks by nuclear weapons. The consequences of
cyber attacks will have to be measured individually.
When looking at some of the central elements of nuclear deterrence the conclusion is
clear that cyber deterrence (deterring cyber attacks with cyber means) by projection of
a cyber threat comparable to the threat under nuclear deterrence is – at present –
technically not possible.
The crucial difference between nuclear deterrence and cyber deterrence is that the
deterrent threat in the former case is retaliation, and in the latter case might be either
defence or retaliation. This is the case in spite of the suggestion by the ICJ in the
Nuclear Weapons case that this might be qualified as a defensive option in cases where
the survival of a State is at stake.55
51
Ibid. para 96.
52
Ibid.
53
See on this for instance I. Dekker and W. Werner, ‘The completeness of international law
and Hamlet’s dilemma’ (1999) 68(3) Nordic J. of Int’l. L. 225.
54
Legality of the threat or use of nuclear weapons (n 45) para. 97. See also the lengthy
dissenting opinion of Judge Weermantry, and in particular on deterrence (VII- pp. 76–9), where
he discusses in particular the concept of deterrence.
55
Ibid. decision E:
It follows from the above-mentioned requirements that the threat or use of nuclear weapons
would generally be contrary to the rules of international law applicable in armed conflict, and
in particular the principles and rules of humanitarian law;

12 / Date: 25/3
In its report Addressing Cyber Instability the CCSA56 looked into the question to
what extent nuclear deterrence and cyber deterrence can be compared. It goes back to
the basics of the strategies on deterrence of theorists like Thomas Shelling or Jerome
Kahn, although the latter author is not explicitly referred to. It concludes that ‘the
current strategic cyber environment is structurally unstable, marked by an inability to
establish credible deterrence [and strong incentives to strike pre-emptively]’.57 To a
great extent the system of nuclear deterrence on the other hand is transparent in that it
is known what the effect of nuclear weapons can be, that it is known who the nuclear
weapon States are, and that the nuclear capacity of these States is known and that these
States and relevant sites, are being monitored via National Technical Means, like
satellites. And given the triad of nuclear launch possibilities, it is generally accepted
that a guaranteed second strike exists. In that sense nuclear deterrence answers
deterrence as formulated by the US Strategic Command:
Deterrence [seeks to] convince adversaries not to take actions that threaten U.S. vital interests
by means of decisive influence over their decision-making. Decisive influence is achieved by
credible threatening to deny benefits and/or impose costs, while encouraging restraint by
convincing the actor that restraint will result in an acceptable outcome.58
When applying some of these criteria to the technical possibility of a convincing

cyber-deterrent threat, either via retaliation or via defence, some uncertainties stand
out.59 To start with it is not clear who the potential adversaries are. They may be States,
or they may be non-State actors, and given the broad availability of cyber means, they
may be innumerable. And in case of a cyber attack it may be very difficult, if not
impossible, to attribute60 the attack and therefore impose the projected costs. And how
to know for sure that it is a case of a cyber attack and not a mere case of (economic)
espionage? Also the cyber network may be unstable, because the same cyber network
that is under attack may need to be used for the execution of the retaliatory or defensive
cyber deterrent threat and the system itself might not be able to transmit the reply.61
And if the deterrent threat of applying a so-called (retaliatory) offensive cyber capacity
would be executed might this not lead to total destruction, for instance, as a result of
However, in view of the current state of international law, and of the elements of fact at its
disposal, the Court cannot conclude definitively whether the threat or use of nuclear weapons
would be lawful or unlawful in an extreme circumstance of self-defence, in which the very
survival of a State would be at stake.
(seven votes to seven, by the President’s casting vote).
56
Mulvenon et. al. (n 16).
57
Ibid. 31.
58
U.S. Department of Defense, ‘Deterrence Operations: Joint Operating Concept’ (Version
2.0 December 2006) <http://www.dtic.mil/futurejointwarfare/concepts/do_joc_v20.doc> ac-
cessed 2 October 2014, as quoted in ‘Reprinted Letter Report from the Committee on Deterring
Cyberattacks’ in National Research Council (n 37) 350.
59
See more details in National Research Council (n 37) 350–9.
60
On the difficulties of attribution see Tsagourias (n 16) 233–onwards; Rid (n 6) 139–62.
61
This may not affect the passive defence of the information structures, but at least the
active defence. This would put a ‘premium’ on a first strike, or even be an incentive to use
kinetic force in reply.

13 / Date: 25/3
completely infecting cyberspace?62 Might it then not ‘blow up in the face’ of the State
reacting with a retaliatory strike since it is the same cyberspace that attacker and
attacked are making use of? If so, it would be a form of cyber retaliation comparable to
retaliation by nuclear weapons and its all-encompassing consequences. And, given that
the system might break down, can a guaranteed second strike capability be projected?
That nuclear deterrence and cyber deterrence are different in character was also made
clear in a report from the Committee on Deterring Cyberattacks
[…] But it is an entirely open question whether cyber deterrence is a viable strategy.
Although nuclear weapons and cyber weapons share one key characteristic (the superiority of
offence over defence), they differ in many other key characteristics, […] What the discussion
below [in the report] will suggest is that nuclear deterrence and cyber deterrence do raise
many of the same questions, but that the answers to these questions are quite different in the
cyber context than in the nuclear context.]63
The conclusion therefore appears clear that a convincing strategy of cyber deterrence
with the projection of a convincing retaliatory cyber threat, at present at least, is not
possible.
However, deterrence is not solely realized via the projection of a retaliatory strike. It
could also be realized via the projection of, in terms of Morgan, a robust64 self-defence
of both a passive and an active nature. In the discussion referred to in the Introduction,
that the US is acquiring an offensive cyber capacity, the suggestion is that such means
are exclusively of an offensive character. Although of course it concerns questions of
specific cyber technology, there also appears to be an element of semantics. For when
a so-called offensive cyber capacity would be used as a means of cyber deterrence via
the threat of retaliation it would not work for reasons discussed above. However, could
not the same cyber technology be used for both offensive and defensive purposes?
In other words, when one considers the application of a restricted use of this
so-called offensive cyber capacity, like the application of traditional military means,
which could both be used offensively or defensively, the logical question appears to be
whether it is possible to make a similar distinction between the way a digital capacity
is used (applied), namely either offensively or defensively, or is an offensive digital
capacity by definition different in character from a defensive digital capacity? If the
former is the case, then it would come down to the way cyber power is being applied
and not what label has been attached to the specific cyber capacity. Would it in that
case not be better to speak of a cyber capacity that can be applied either offensively or
defensively? The different categories that one finds in the leaked Presidential Policy
Directive / PPD-20 of October 201265 in that respect are intriguing for besides Network
62
This follows from the very interconnectivity of cyberspace, which is one of its great
assets, but at the same time also constitutes its greatest vulnerability.
63
U.S. Department of Defense (n 56); Libicky (n 37) iii: ‘Thus, deterrence and warfighting
tenets established in other media do not necessarily translate reliably into cyberspace.’ See also
Ch III, Why Cyberdeterrence is Different, 39–74.
64
I regard this qualification indicating a serious and optimal self-defence, taking into
consideration the applicable principles of public international law.
65
Presidential Policy Directive PPD-20 (n 2); Greenwald & MacAskill (n 2).

14 / Date: 7/5
Defense,66 it refers to Defensive Cyber Effects Operations (DCEO)67 and to Offensive

Cyber Effects Operations.68 Both categories are intended to produce effects outside US
Government networks. The defensive operation does so ‘for the purpose of defending
or protecting against imminent threats or on-going attacks or malicious cyber activity
against U.S. national interest from inside or outside cyberspace’. The offensive
operations appear not to be related to the defensive operation’s purpose, but seem to be
open ended since it merely refers to ‘to enable or produce effects outside United States
Government networks’.
Deterrence by the projection of a defence that can convincingly deny a potential
attacker (any) benefits either actively or passively therefore appears a more viable
deterrent strategy. Although a number of the same uncertainties, as discussed above,
with regard to the technical possibility of a reply to a cyber attack apply, such a
restricted approach aimed at an optimal defence appears more realistic and therefore
more convincing. On the balance between defence and offense in the context of cyber
attacks Rid comes down on the defence side: ‘Cyber attack, proponents of the
offense-dominance school argue, increases the attacker’s opportunities and the amount
of damage to be done while decreasing the risks (sending special code is easier than
sending Special Forces).’69 However, Rid convincingly makes the case that in adding
up a number of arguments ‘it appears that cyberspace does not favour the offense, but
actually has advantages for the defence in stock’.70 Furthermore, deterrence by the
projection of defence appears to answer to a State’s inherent right to self-defence in
case of an armed attack and therefore would be in accordance with public international
law. The compatibility of cyber deterrence with public international law is looked at in
the next section.
66
‘Programs, activities, and the use of tools necessary to facilitate them … Network defense
does not involve or require accessing or conducting activities on computers, networks, or
information or communications systems without authorization from the owners or exceeding
access authorized by the owners’. Presidential Policy Directive PPD-20 (n 2) 2.
67
Defensive Cyber Effects Operations (DCEO): Operations en related programmes or activities

– other than network defence or cyber collection –conducted by or on behalf of the US
Government, in or through cyberspace, that are intended to enable or produce cyber effects
outside US Government networks for the purpose of defending or protecting against
imminent threats or ongoing attacks or malicious cyber activity against US national interests
from inside or outside cyberspace.
ibid. 3 [emphasis added].
68
‘Offensive Cyber Effects Operations: Operations and related programmes or activities –
other than network defense, cyber collection, or DCEO – conducted by or on behalf of the US
Government, in or through cyberspace, that are intended to enable or produce cyber effects
outside the US Government networks;’ ibid. 3 [emphasis added].
69
Rid (n 6).
70
Ibid. 167–9.

15 / Date: 25/3
7. CYBER DETERRENCE AND PUBLIC INTERNATIONAL LAW

Cyber deterrence with the threat of a retaliatory use of force could in most cases not be
attacker-specific and would not answer the demands of public international law since
the projected threat in case of an attack is a use of force that by definition would
neglect the applicable criteria of proportionality and necessity. Also such strategy
would not take into account the distinction between use of force and an armed attack,
as well as the further self-defence criteria and the law of armed conflict criteria.
Nuclear deterrence cannot be taken as a precedent for that is a special case, where the
ICJ has apparently taken the political realities (‘practices’) into consideration. Nuclear
deterrence is about deterring via a threat of a retaliatory strike, which would lead to
MAD. Such a strategy in fact comes down to self-destruction and not to actual
self-defence. Nuclear deterrence works as long as there is no nuclear attack. The
assumption thereby is that no nuclear exchange has taken place as yet because of the
deterrent threat, but this cannot be proven. Careful reading of the ICJ advisory opinion
provides all the arguments why from a legal point of view this strategy is highly
questionable, but that it is embedded in political reality. The political reality is that
nuclear deterrence is central to the superpowers’ strategy, whereby the mere possession
of large quantities of nuclear weapons already contributes to nuclear deterrence and
nuclear weapons so far have not been used (excepting Hiroshima and Nagasaki). This
led the ICJ to the conclusion that use of nuclear weapons might be legal when used as
a measure of last resort in cases where the survival of that State would be at stake.
(This conclusion in itself has strengthened nuclear deterrent strategy!). Although the
ICJ did not formulate the political reality argument in those terms this is what its
advisory opinion comes down to.
Although a cyber attack is different from a kinetic attack, it may still amount to a use
of force that is forbidden. The rules of the UN Charter relating to the threat and use of
force ‘apply to any use of force, regardless of the weapons employed’ as the ICJ
pronounced in the Nuclear Weapons case.71 In his excellent report on Cyber Operations
in International Law72 Michael Schmitt convincingly explains how cyber operations
may fall under force as meant in Article 2(4) UN Charter. When then does a cyber
operation become such use of force given that for instance economic and political
coercion, which are of a non-kinetic nature are no such uses of force? In that sense
according to the Tallinn Manual: ‘A cyber operation constitutes a use of force when its
scale and effects are comparable to non-cyber operations rising to the level of a use of
force.’73 For Schmitt ‘the threshold for use of force therefore lies somewhere along the
71
Legality of the threat or use of nuclear weapons (n 45) para. 39. On the use of force in
cyberspace see Roscini (Ch 11 of this book).
72
Michael Schmitt, ‘Cyber operations in international law: The use of force, collective
security, self-defence, and armed conflicts’ in National Research Council (n 37) 153–60.
73
Michael Schmitt (ed.), Tallinn Manual on The International Law Applicable to Cyber
Warfare (CUP 2013) (Tallinn Manual) Rule 11 (definition of use of force).The Tallinn Manual,
which is the result of a lengthy research project by a group of international experts, at this
moment can be regarded as the most authoritative publication on issues of cyber war and public
international law. See also Michael Schmitt, ‘International law in cyberspace: The Koh speech
and Tallinn Manual juxtaposed’ (2012) 54 Harvard Int’l. L. J. 13–37.

16 / Date: 25/3
continuum between economic and political coercion on the one hand and acts which
cause physical harm on the other’.74 Earlier Schmitt identified seven factors that are
likely to be taken into account when assessing whether a cyber operation could be seen
as a use of force, namely: severity; immediacy; directness; invasiveness; measurability;
presumptive legitimacy; and responsibility.75 But even if a cyber operation can be
classified as a clear instance of use of force this leaves us to consider two issues,
namely that Article 2(4) UN Charter not only forbids the use of force, but also the
threat to use force. The other issue is that there is gap between Article 2(4) and Article
51 UN Charter since not all use of force would allow for forceful protective measures
in self-defence, but only use of force that amounts to an armed attack.
The point of departure therefore is that under public international law both the threat
and use of force in international relations are forbidden, and that the only exceptions to
this rule are use of force in self-defence or a mandate to use force by the Security
Council under Chapter VII in case of a threat to the peace, breach of the peace or act
of aggression. Self-defence may only take place in case of an armed attack, as
described in Article 51 Charter. These are the familiar rules in case of a traditional
military (kinetic) armed attack and the possibility of a legitimate military reply. But
how then to determine whether a cyber attack amounts (comes down) to the equivalent
of an armed attack?
According to the Tallinn Manual a cyber operation can be equated with use of force
when its scale and effects are comparable.76 In order to identify cyber operations that
could be described as uses of force (primarily based on Schmitt’s criteria (factors)) the
Tallinn Manual mentions the following as factors that could be taken into consider-
ation: severity, immediacy, directness, invasiveness, State involvement, presumptive
legality measurability of effects and military character.77 Use of force, however, is not
identical to an armed attack. This distinction between use of force in Article 2(4) and
armed attack in Article 51 is apparent from the Charter. It means that in order to be
able to act in self-defence the cyber operation in scale and effects needs to be equal to
an armed attack.
In order to establish that a cyber operation would not only be a forbidden use of
force ex Article 2(4) UN Charter but would amount to an armed attack as meant in
Article 51 UN Charter it would be necessary to not only apply Schmitt’s seven criteria,
but also to decide that the consequence of the application of a cyber operation would be
equal to a ‘traditional’ armed attack. In this Schmitt takes a consequence based
approach. ‘Applying the consequence based approach, armed attack must also be
understood in terms of the effects typically associated with the terms ‘armed’. The
essence of an ‘armed’ operation is the causation, or risk thereof, of death of or injury to
persons or damage to or destruction of property and other tangible objects’,78 like
74
Schmitt (n 72) 155.
75
Ibid. 155–6.
76
Tallinn Manual (n 73) 47. On cyber attacks and self-defence see Focarelli (Ch 12 of this
book).
77
Tallinn Manual ibid. rule 11, paras 9 and 10.
78
Schmitt (n 72) 163.

17 / Date: 25/3
critical infrastructures.79 When the conclusion is that the cyber operation amounts to an
armed attack as meant in Article 51 UN Charter use of force self-defence is allowed
for. With Schmitt, I am of the opinion that such use of force in self-defence could
involve both cyber means as well as kinetic means.80 This use of force would need to
be in accordance with the principles of necessity, proportionality81 and immediacy;82
also the Security Council would need to be informed. Projecting the intention to make
use of this right to self-defence in case of a cyber attack amounting to an armed attack
would be a lawful threat to use force as the ICJ made clear in the Nuclear Weapons
Case: […] if it is to be lawful, the declared readiness of a State to use force must be a
use of force that is in conformity with the Charter’.83 This could be seen as deterrence
via self-defence.
With the conclusion that a cyber attack may amount to an armed attack against
which self-defence is allowed for, which may involve both cyber means and kinetic
means, from the perspective of deterrence this logically would lead to a more refined
model, whereby the deterrent threat of defence (denying of the gains sought by the
cyber attacker) could be done either by cyber means, by a combination of cyber and
kinetic means, or even solely by kinetic means. Opting for such a more comprehensive
deterrence mode risks leading to a definitive militarization of cyberspace. It could, for
instance, be the option for a State that does not have advanced cyber means at its
disposal, but is strong in traditional military (kinetic) hardware.
Furthermore there is the much-debated84 question, whether a State has to wait with
its self-defence until the armed attack of Article 51 UN Charter has materialized, or
whether it may also defend itself in case of an imminent attack. Such imminent armed
attack would, in my opinion, have to be one that is under way, in other words, an
irreversible attack. This position is close to that taken by Dinstein who refers to
interceptive self-defence.85 Where the concept of imminence in the traditional debate
79
See also Tsagourias (n 16) 231.
80
Schmitt (n 72) 167.
81
‘The submission of the exercise of the right to self-defence to the conditions of necessity
and proportionality is a rule of customary international law.’ As the Court stated in the case
concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United
States of America) [1986] ICJ Rep. 1986 para. 176: ‘there is a specific rule whereby self-defence
would warrant only measures which are proportional to the armed attack and necessary to
respond to it, a rule well established in customary international law’. ‘This dual condition
applies equally to art 51 of the UN Charter, whatever the means of force employed’: Legality of
the threat or use of nuclear weapons (n 45) para. 41. See also Judith Gardam, Necessity,
Proportionality and the Use of Force by States (CUP 2004).
82
This is a different criterion than the immediacy principle of Schmitt. Here it refers to the
reaction time and the length of the self-defence operation. Compare also Dinstein (n 10) 233–4.
Schmitt formulates an immediacy principle as one of the principles to decide whether a cyber
operation amounted to a use of force, namely ‘The sooner consequences manifest, the less
opportunity States have to seek peaceful accommodation of a dispute or to otherwise forestall
their harmful effects. Therefore, States harbour a greater concern about immediate consequences
than those which are delayed or build slowly over time’: Schmitt (n 72) 156.
83
Legality of the Threat or Use of Nuclear Weapons (n 45) para. 47.
84
See Dinstein (n 10) 203–onwards.
85
Ibid.

18 / Date: 7/5
on the use of force has already led to much debate because of its inherent complexities,
with regard to the cyber domain it appears even more complex. Also the Tallinn
Manual takes imminence as its criterion for the right to use force in self-defence.86
What then amounts to imminence is a complicated matter. The majority of the
international group of experts that authored the Tallinn Manual rejected an approach
that ‘requires that the armed attack be about to be launched, thereby imposing a
temporal limitation on anticipatory actions’.87 Instead they opted for an approach
whereby ‘it may act anticipatorily only during the last window of opportunity to defend
itself against an attack that is forthcoming’.88 This is a complicated analysis to make
especially with regard to cyber operations that may take place at high speed. The
Tallinn Manual therefore concludes: ‘(T)he lawfulness of any defensive response will
be determined by the reasonableness of the victim-State’s assessment of the situ-
ation.’89 However laudable this may sound, it suggests a transparency that in case a
State has made a wrong judgement that State would always be liable. In most cases,
however, this would be highly unlikely given the character of digital traffic, and the
problems of attribution. And who then could make a final and authoritative determin-
ation of the reasonableness of the assessment after the fact? Given that it concerns
self-defence ex Article 51 that would lead us automatically to the Security Council. But
it seems highly unlikely that it will be able to make such a determination since it will
always involve either a P5 State, or a client State. This interpretation of imminence
therefore risks crossing over into pre-emptive or preventive self-defence,90 which
rightly could be interpreted by another State at which it is directed as an armed cyber
attack, in short offensive use of force which allows for self-defence. This is an
extremely dangerous and circular situation that should be prevented. The criterion of
imminence in cyber defence operations therefore needs to be clarified.
Finally, some observations can be made regarding critical infrastructures in general,
and in particular the production, storage and transport of dangerous goods (e.g.
chemical, biological, radiological and nuclear materials) or energy installations and
networks like those of nuclear power plants. Critical (information) infrastructures as
discussed earlier in Section 2(b) above are clear civilian objects, with civilian workers.
Under the principle of distinction, which is a core principle of humanitarian law, the
civilian population and civilian objects may not be the object of an attack. In the
86
‘The right to use force in self-defence arises if a cyber armed attack occurs or is
imminent. It is further subject to a requirement of immediacy’: Tallinn Manual, rule 15, (n 73)
60.
87
Ibid. 61(4).
88
Ibid.
89
Ibid. 62(6).
90
This would be contrary the position taken in the Tallinn Manual (n 73) 62, where it rejects
preventive strikes: ‘preventive strikes, that is, those against a prospective attacker who lacks
either the means or intent to carry out an armed attack, do not qualify as lawful anticipatory
self-defence’. See also Schmitt, ‘International Law in Cyberspace (n 73) 23–4, where he remarks
‘that the devil is in the detail’ and then discusses positions taken by the Tallinn Manual experts
on anticipatory self-defence. He, however, does not get into the question how in practice to make
the distinction between a situation where anticipatory self-defence is allowed and preventive
self-defence is not. (Furthermore he also discusses the non-state actor’s operations.)

19 / Date: 25/3
already much-quoted advisory opinion of the ICJ this was stressed in no uncertain
terms.91 That targeting a nuclear power plant, or a critical infrastructure concerning the
production, storage or transport of dangerous goods like chemical, biological, radio-
logical and nuclear materials, may result in similar destruction as when used as a
military means does not make any difference. The rule is clear civilian objects should
not be targeted, neither in offence nor in defence.92
8. CONCLUSION
Having discussed these elements central to the question under discussion, namely
whether a cyber deterrence comparable to nuclear deterrence is possible, and if so,
whether it would be in accordance with public international law, a few observations can
be made. These conclusions concern a State actor approach and therefore largely leave
out how to deal with non-State actors, and in that sense it only deals with part of the
problem of possible offensive cyber operations.
Deterrence in terms of Morgan93 can be realized either via the projection of
‘retaliation’ or of a ‘stout defence’. In both these cases the deterrent threat is realized
by making clear that in case of a cyber attack that amounts to an armed attack there
will be a reply.
It is clear that a cyber-deterrent strategy comparable to a nuclear-strategy, with an
all-out retaliatory strike in case of an (imminent) attack, at present is not possible for
the reasons discussed above, such as not knowing who the opponent is or who to
attribute the attack to. Deterrence by the threat of retaliation in case of an attack would,
furthermore, be contrary to public international law, and some of its essential (basic)
principles. Retaliation points to a possible unlimited use of force that is intended to
harm a potential attacker. It amounts to a threat of force, which is forbidden under
Article 2(4) UN Charter and is different from self-defence since it would be aimed at
punishment and would not be based on necessity and proportionality as central
customary law criteria for self-defence. Therefore an effective cyber-deterrence strategy
via retaliation is not only technically not viable, but even if so, the projection of
retaliation would amount to a forbidden threat of force. Such cyber deterrence by
threatening to retaliate, if it could be done convincingly at all, which at present is not
the case, could not be compared to nuclear deterrence for the simple reason that nuclear
deterrence should be viewed as a category of its own, vested in the political reality of
international relations, and apparently viewed as being ‘above the law’, public
international law, as is clear from the ICJ’s advisory opinion on the use of nuclear
91
‘The cardinal principles contained in the texts constituting the fabric of humanitarian law
are the following. The first is aimed at the protection of the civilian population and civilian
objects and establishes the distinction between combatants and non-combatants; States must
never make civilians the object of attack and must consequently never use weapons that are
incapable of distinguishing between civilian and military targets’. Legality of the threat or use of
nuclear weapons (n 45) para. 78. See Yoram Dinstein, ‘The principle of distinction and cyber
war in international armed conflicts’ (2012) 17(2) J. Conflict & Sec. L. 265–6.
92
Ibid. 264.
93
Morgan (n 37) 55.

20 / Date: 7/5
weapons. This is not different by projecting a cyber-deterrent threat in defence at the

nuclear power plant of a potential opponent, thereby turning it into a nuclear weapon of
sorts, because it would be contrary to the ius in bello principle of distinction for it
concerns a civilian object.
Deterrence by the presentation of a convincing threat to realize both an optimal
passive and active defence however would be possible. Such projection of an optimal
self-defence in case of a cyber attack amounting to an armed attack, is in conformity
with public international law, for it only makes clear that a State will definitely make
use of its right to self-defence under Article 51 UN Charter if attacked. In other words,
such deterrent threat of force by a State in fact comes down to forewarning any
potential attacker that it will make use of its legitimate right to self-defence, which is
one of the two exceptions to the general prohibition of the use of force.
Therefore, cyber deterrence via the projection of defence is allowed for. States
should, as such, focus on the technical and doctrinal aspects of deterrence via the
projection of a credible defence via all possible passive and active cyber defence means
at their disposal, thereby taking into account rules and principles of public international
law. Such a strategy would need to be transparent for the more it convinces as a
realistic strategy, the better it will prevent from being attacked, which is the essence of
deterrence. With regard to critical information structures this requires applying all
possible passive and active defence measures, which includes constant monitoring.
Such a transparent strategy will furthermore contribute to the defence against attacks by
non-State actors. As such, it may also have a deterrent effect.

21 / Date: 25/3
PART IV
CYBERWAR AND THE JUS

IN BELLO

1 / Date: 25/3

2 / Date: 25/3
14. Distinctive ethical challenges of cyberweapons*

Neil C. Rowe
1. INTRODUCTION
Governments have been aggressively pursuing development of cyberweapons in recent
years, most notably the United States,1 China, and Russia. Cyberweapons are a new
kind of weapon.2 As with all new weapons, decisions should be made about how
ethical it is to employ them in various situations. We will focus here on their use by
militaries; so far there has been little threat from nongovernmental groups such as
terrorist organizations, though some businesses have expressed interest in using them
against their foreign competition. There is much debate about how well the current
laws of warfare3 apply to cyberweapons.4 First however we need to identify the ethical
issues involved since they guide lawmaking. Key ethical issues with cyberweapons
arise in their implementation, targeting, and damage recovery. The discussion has
evolved quickly since our earlier survey.5
To limit the size of this chapter, we will focus on characteristics of cyberweapons
that significantly differ from those than conventional weapons. Much also has been
written about the ethics of conventional warfare,6 and much of that can be applied to
cyberweapons.7 But the special characteristics of cyberweapons raise some new ethical
* This work was supported by the U.S. National Science Foundation under grant 1318126
of the Secure and Trustworthy Cyberspace Program. The views expressed are those of the author
and do not represent those of the U.S. Government.
1
Tom Gjelten, ‘First strike: US cyber warriors seize the offensive’ (January/February 2013)
World Affairs Journal <www.worldaffairsjournal.org/article/first-strike-us-cyber-warriors-seize-
the-offensive> accessed 8 November 2013, 201.
2
Sanjay Goel, ‘Cyberwarfare: connecting the dots in cyber intelligence’ (2011) 54 (8)
Communications of the ACM 132–40.
3
ICRC (International Committee of the Red Cross), ‘International humanitarian law –
treaties and documents’ <www.icrc.org/icl.nsf> accessed 1 December 2007.
4
Robert Belk and Matthew Noyes, ‘On the use of offensive cyber capabilities: A policy
analysis on offensive US cyber policy’ (March 2012) <http://belfercenter.ksg.harvard.edu/
experts/2633/robert_belk.html> accessed 8 November 2013. See also Gill (Ch 17 of this book),
Bannelier-Christakis (Ch 16 of this book) and Arimatsu (Ch 15 of this book).
5
Neil C. Rowe, ‘The ethics of cyberweapons in warfare’ (2010) 1 (1) Int’l. J. of
Technoethics. 20–31.
6
Michael Walzer, Just and Unjust Wars: A Moral Argument with Historical Illustrations
(Basic Books 2006); S. Lee, Ethics and War: An Introduction (Cambridge, UK: Cambridge
University Press, 2012).
7
Edward T. Barrett, ‘Warfare in a new domain: the ethics of military cyber-operations’
(2013) 12(1) J. of Military Ethics 4–17.
307
1 / Date: 25/3
problems, especially in the conduct of warfare (jus in bellum).8 We shall follow here a
negative utilitarian approach to ethics in which we try to assess the negative cost to
societies of various policies with cyberweapons and try to recommend policies that
result in the least negative cost on average. Negative utilitarianism is appropriate here
because the benefits of cyberattacks are not especially diverse, being confined to
disabling adversary computer systems, networks, and what they control.
The Stuxnet cyberattack on Iran9 provides an example of a problematic cyberattack.
Some have lauded this as an example of ‘clean’ cyberwarfare since it appeared to have
a narrow target and achieved some tactical success against it. The target appears to have
been software for industrial-control machines for Iranian centrifuges used for process-
ing uranium, and the attacks appeared to cause destruction of at least some of the
centrifuges. But to achieve this success, many machines had to be infected with the
malicious code (‘malware’) with the hope of eventually transferring their infection to
the target machines. This mode of infection was like a virus, and the attack code spread
to millions of machines, so the attack involved widespread (albeit small) product
tampering. Because the propagation methods were unreliable, multiple redundant
methods were used. Once the attack was recognized, the new propagation and attack
methods were analyzed and reports were published. This enabled criminal attackers to
exploit these new attacks for their own purposes10. So there was direct collateral
damage from the propagation of the attack (small damage to many machines adding
up) as well as from the criminal applications of the methods.
This case suggests we should be skeptical of claims that cyberweapons are precise
weapons that do not cause significant or lasting collateral damage.11 This should not be
a surprise because precision is often difficult for new weapons. Consider for instance
air targeting with drones in Pakistan12 for which ‘very few’ of the attacks (though it
varies with the estimator) were on militants, and similar results could likely have been
better obtained without violence through judicial proceedings. The problem is that there
are just too many possible errors in targeting when the attacker is not near the target
and does not understand the culture. We suspect cyberattacks will be similarly errant, as
they appear similarly low-risk to a remote perpetrator.
8
Herbert S. Lin, Kenneth W. Dam & William A. Owens (eds.), Technology, Policy, Law,
and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies
Press 2009).
9
Michael J. Gross, ‘A declaration of cyber-war’, Vanity Fair (April 2011) <www.
vanityfair.com/culture/features/2011/04/stuxnet-201104> accessed 12 May 2012. See also Gill
(Ch 17 of this book) and Bannelier-Christakis (Ch 16 of this book).
10
Dan Kaplan, ‘New malware appears carrying Stuxnet code’, SC Magazine (18 October
2011) <www.scmagazine.com/new-malware-appears-carrying-stuxnet-code/article/214707>
11
Please see Gill (Ch 17 of this book).
12
Stanford Law School International Human Rights and Conflict Resolution Clinic and New
York University School of Law Global Justice Clinic, ‘Living under Drones: Death, Injury, and
Trauma to Civilians from U.S. Drone Practices in Pakistan’ (September 2012) <http://
www.livingunderdrones.org/report/> accessed 1 September 2014.

2 / Date: 1/4
Distinctive ethical challenges of cyberweapons 309
2. DEFINING CYBERWEAPONS
Cyberweapons are weapons that primarily use software to achieve their effects. They
are usually in the form of modified programs to control computers and devices. Usually
these modifications are for the purpose of sabotage, to prevent a victim from using their
computer systems or certain aspects of those systems. A cyberweapon might prevent a
missile defense system from functioning properly so that it will be destroyed by a
missile. A cyberweapon could also delete key data or programs from a computer
system so that it cannot do its tasks, or it could block network access so a system
cannot communicate with others. Usually cyberweapons do not actively create false
data, as that it more difficult to do. So sabotage is usually the goal.
The use of cyberweapons is a special case of a cyberattack. Cyberattacks are any
methods that attempt to subvert computer software for some gain to the perpetrator.
Most cyberattacks today are by criminals and support financial fraud. But they are also
important today to intelligence agencies as a way to automate their collection of
difficult-to-obtain or secret information. The U.S. has been subjected to extensive such
intelligence gathering recently. But these are not cyberweapons because they do not try
to disable systems. Thus they fall within the range of intelligence gathering in the laws
of war, and do not justify counterattack in response.
Military commanders want control of their weapons, so many cyberweapons are
designed to be controlled remotely over the Internet using the techniques of ‘botnets’
where the attacker’s machine sends orders to victim machines to direct their espionage
or sabotage.13 It is reported that the U.S. and China are eagerly pursuing this
approach.14 If a target is not attached to the Internet, timing mechanisms or specifica-
tions of trigger events can be used to control it.15
Software techniques proposed (and occasionally used) for cyberweapons are similar
to those used for criminal cyberattacks.16 These usually involve impersonation to gain
unauthorized access using flaws in the software of computers, followed by installing
malicious software on those computers. However, the ultimate goals of cybercriminals
are different. They mostly want to steal rather than sabotage, and high priorities for
them are stealing bankcard numbers and other personal information and sending spam
(unsolicited email), both good ways to earn quick money. Criminals are becoming
increasingly professional in probing well-known software for flaws and developing
attack methods, and their discoveries are just what cyberweapons developers need.
Some have argued that cyberweapons are ‘nonlethal’ and thus raise few ethical
questions. Mortality is not the only ethics metric in warfare, as people can be
unethically harmed without being killed, an issue we will discuss further here.
However, allegedly ‘nonlethal’ weapons can definitely kill people, as for instance as
13
Christopher Elisan, Malware, Rootkits, and Botnets: A Beginner’s Guide (McGraw-Hill
Osborne 2012).
14
Gjelten (n 1).
15
Randall Dipert, ‘Other-than-Internet (OTI) cyberwarfare: challenges for ethics, law, and
policy’ (2013) 12 (1) J. of Mil. Ethics 34–53.
16
Cameron H. Malin, .James M Aquilina & Eoghan Casey, Malware Forensics Field
Guide for Windows Systems: Digital Forensics Field Guides (Syngress 2012).

3 / Date: 25/3
crowd-control foam from which people can suffocate, since nearly any method of
human control can be lethal in unexpected circumstances. Cyberweapons can kill
directly as when they interfere with operations at hospitals or in industry (Iran alleges
that Stuxnet caused an explosion of a centrifuge that killed a worker). Cyberweapons,
like other weapons, can also kill indirectly in many ways by damaging the infrastruc-
ture of a society. For instance, it has been estimated that the damage to Iraqi society by
the U.S. invasion resulted in a 654,000 additional deaths 2003-2006 of which 92
percent were due to violence,17 plus another estimated 300,000 deaths through 2011
due to damage to the Iraqi infrastructure.18 We need to evaluate cyberweapons with
most of the same standards as other weapons to see how harmful they are. Actually,
they have a number of analogies to biological weapons in their dissemination methods
and their difficulty of control,19 and biological weapons are prohibited by several
treaties.
3. PECULIARITIES OF CYBERWEAPONS
We can enumerate several key differences between cyberweapons and most traditional
weapons:
+ Cyberweapons do not require physical proximity of the attacker to the victim,

since attacks can be accomplished over the Internet, or else planted well in the
advance of the attack (as ‘Trojan horses’) and triggered when the attacker is long
gone. Thus they are analogous to long-range guided missiles. Thus they raise
some of the same ethical concerns about the ability of the attacker to remotely
confirm their victim before attacking.
+ Cyberweapons are easy to conceal, even easier than biological weapons, since
they are just abstract patterns of bits. They can also operate very quickly and then
destroy all evidence of their presence. This means disarmament of cyberweapons
is very difficult, though some methods can help.20
+ Cyberattacks can be very difficult to attribute to the attacking country. That is
because if attacks are launched across the Internet, it is difficult to trace attacks
backward in the enormous traffic of the Internet; and if attacks are launched from
Trojan horses already inside software, it is difficult to tell from examining them
who is responsible for putting them there. This means that a pure cyberwar not
17
Gilbert Burnham et.al., ‘Mortality after the 2003 invasion of Iraq: a cross-sectional cluster
sample’ (2006) 368 (9545) The Lancet 1421–8.
18
Amy Hagopian et. al., ‘Mortality in Iraq associated with the 2003-2011 war and
occupation: findings from a national cluster sample survey by the University Collaborative Iraq
Mortality Study’ (2013) 10 (10) PLoS Medicine <www.plosmedicine.org/article /info%3Adoi%
2F10.1371%2Fjournal.pmed.1001533> accessed 9 November 2013.
19
Rowe (n 5).
20
Neil Rowe et. al., ‘Challenges in monitoring cyberarms compliance’ in Panayotis
Yannakogeorgos and Adam Lowther (eds.) Conflict and Cooperation in Cyberspace: The
Challenge to National Security in Cyberspace (Taylor and Francis 2013) 81–100.

4 / Date: 25/3
accompanied by traditional attacks is virtually impossible to justify in cyberspace

according to the standards of proof required by the law of war.
+ Cyberweapons require flaws in their victim or they do not work at all. That is
because computer systems and networks normally have many defenses against
sabotage. The situation is quite different from a bullet or a bomb which only
exploits the binding force of the atoms in its target, which is consistent over the
same material no matter what the setting.
+ Cyberweapons have considerably more variety than conventional munitions. Guns
and bombs have a single purpose of violating the physical integrity of objects and
beings and rendering them inoperative by means of projectiles and explosions.
Cyberweapons can sabotage operations of computer systems in many different
ways, some quite subtle.
+ Cyberweapons technology is very similar to cyberespionage technology. That is
because to do both, you must gain and maintain administrator access to a victim
computer system or device. Sabotage of computer systems is usually easy once
you have done that, so escalation from cyberespionage to cyberattack is tempting
for aggressors. The major countries of the world are engaging in an increasing
amount of cyberespionage.21
+ Cyberweapons tend to have unexpected consequences. That is because computer
systems depend on billions of component instructions working consistently every
time they are used, and just one error can upset the whole chain of instructions
unless unusual precautions are taken such as adding redundant functionality.
Similarly, when computers and devices interact over a network, failure of just one
may cause failure of others since there is so much interdependence of systems
today.
+ Cyberweapons have no legitimate uses, unlike guns and explosives. (A possible
exception is ‘red teaming’, or deliberately attacking a system to find its flaws, but
this is too blunt to be a very helpful tool for diagnosis.) Thus finding cyber-
weapons is prima facie evidence of offensive intent.
These features have many ethical implications. In this chapter we will focus on those
which we consider the most important: justifying a cyberattack in cyberwar, the
product tampering required for cyberweapons, the unreliability of cyberweapons, the
difficulty of recovering from the damage of cyberweapons, and the ease of collateral
damage with cyberweapons. These relate to the classic ethical issues in the conduct of
war of having adequate justification for an attack, proportionality22 of the attack to the
provocation, discrimination23 of combatants from noncombatants, and ability to assign
responsibility for conduct.24
21
Adam Segal, ‘The code not taken: China, the United States, and the future of espionage’
(2013) 69 (5) Bulletin of Atomic Scientists 38–45.
22
See also Gill (Ch 17 of this book).
23
See Bannelier-Christakis (Ch 16 of this book).
24
Alexander Moseley, ‘Just War Theory’ (Internet Encyclopedia of Philosophy) <www.iep.
utm.edu/justwar> accessed 14 March 2014.

5 / Date: 25/3
4. JUSTIFYING A CYBERATTACK
Many of the ethical principles about starting traditional warfare (jus ad bellum) apply
to cyberwarfare.25 A nation must be attacked first, suffer serious harm, and have no
other feasible alternatives before it can consider cyberwarfare. But there is a special
problem of the greater difficulty of attribution of a cyberattack compared to conven-
tional attacks. Traditional land, water, and air warfare involve large military entities that
have a clear direction of origin which makes it clear who is attacking whom. This is
less true of cyberwarfare. The malware used will likely have no obvious signs of origin,
and its implantation on victim computer systems may not be recorded; and if the
Internet was used to deliver it, its backtracing will be ambiguous. There are some ways
to prove attribution if the attacking country’s computer systems can be accessed, but
that can be very difficult. To be sure, a country may have suspicions about who
attacked it, but the world community needs legal-quality evidence to endorse a
response following the laws of war. Thus it is very difficult to ethically justify
counterattack in response to a pure cyberattack when applying the ethical principle of
responsibility.
However, it certainly makes sense that a traditional military attack could justify a
cyber-counterattack. Indeed, cyberattack methods could be an important force multi-
plier for military commanders, allowing them to achieve the same results with fewer
forces and with possibly less harm to both sides.26 It also makes sense to combine the
cyber-counterattacks with traditional counterattacks since there are important targets
not in cyberspace. However, achieving less harm with cyberattacks than traditional
attacks is not automatic, and each case needs to be evaluated carefully according to the
criteria we discuss below.
5. PRODUCT TAMPERING AND PERFIDY

Another key ethical problem with cyberweapons is that setting them up usually needs
to subvert existing software and data to achieve effects, a form of product tampering.27
This is a violation of the ethical principle of discrimination of noncombatants from
combatants since nearly all software is neutral and does not serve military purposes any
more than civilian purposes; tampering with the tools like software used by noncom-
batants is ethically similar to hurting noncombatants directly. Nearly all countries have
laws against product tampering as it can cause widespread harm including death. In the
U.S. for instance, the Federal Anti-Tampering Law (USC Title 18 Chapter 65,
‘Malicious Mischief’) defines several categories including ‘whoever, with intent to
cause serious injury to the business of any persons, taints any consumer product or
25
Barrett (n 7). See also Roscini (Ch 11 of this book) and Focarelli (Ch 12 of this book).
26
Dorothy Denning & Bradley Strawser, ‘Moral cyber weapons: the duty to employ
cyberattacks’ in Luciano Floridi and Mariarosaria Taddeo (eds.), The Ethics of Information
Warfare (Springer 2014).
27
Neil C. Rowe, ‘Cyber perfidy’ in Fritz Allhoff, Nicholas G. Evans & Adam Henschke
(eds.), The Routledge Handbook of War and Ethics (Routledge 2013) 394–404.

6 / Date: 7/5
renders materially false or misleading the labeling of, or container for, a consumer
product’. This has a penalty of up three years in prison; tampering that causes bodily
harm receives up to twenty years. These laws apply to software under the classification
of ‘device’ where malicious modification renders misleading the labeling of the
software. Users of software are generally required to sign end-user license agreements
that prohibit tampering with it.
The reason that product tampering is virtually essential to cyberweapons is that
computer systems and digital devices are generally very reliable and strongly resistant
to attempts to subvert them for unanticipated purposes. Attacking a computer system
directly by sending it malicious instructions will usually be ignored. Flooding it with
too much data rarely works because most computer systems limit the rate at which they
accept information or requests. So an attacker must almost always impersonate a
legitimate user of a computer or digital device to perpetrate a cyberattack on it. Usually
the goal is to subvert and impersonate the operating system, the software that controls
the entire computer. Particular targets are the security kernel of the operating system,
the file management system, the update manager, the networking software, and the
electronic mail system. All these are civilian artifacts almost entirely implemented by
civilians, and there are very few alternatives due to the near-monopolies by a few
companies. Making them military targets is similar to poisoning a well that a
community must use.
Unfortunately, that is perfidy if done during war. Perfidy is impersonation of civilians
by military forces, and is prohibited by the laws of war because failing to do so would
result in far higher civilian casualties. Guns, bombs, and missiles do not need to
impersonate people to work, so cyberweapons are fundamentally different. Thus
virtually any cyberweapon installation or use appears to be unethical on the perfidy
criterion.
There are alternatives to perfidy in cyberweapons. Denial-of-service attacks involv-
ing flooding of a victim with information may not require perfidy. Perfidy is also
unnecessary for defense against attacks. Since botnets are the preferred method of
controlling cyberweapons, all the defender need do is interfere with the communica-
tions of the botnet to prevent an attack from being launched; they do not need to get
onto the attacker’s system to stop the attack. Interference can be accomplished by
packet filtering. Even if the attacker encrypts their communications, the sources and
destinations of their packets cannot be encrypted if they are to reach their targets, and
the sizes and signatures of their packets provide clues to recognize them.
One objection to this notion of cyber perfidy is that cyberweapons do not involve as
much threat to human life as perfidy with people would. We disputed this nonlethality
claim above. But the Geneva Conventions do not require a death threat to civilians in
its definition of perfidy; more general harm such as threats of injury and capture are
also included. Just-war theory does permit ‘dual-use’ weapons that harm civilians as
well as military targets when the military benefit is high, but attacking almost-
exclusively civilian targets is considered unethical. Cyberwarfare is questionable
ethically on that basis.

7 / Date: 7/5
It has been argued28 that cyberweapons should be ethically superior to traditional

weapons because of their relative nonlethality, and thus their perfidy could be excused.
Yes, if you could get the effect of a kinetic attack by a cyberweapon, it could be
preferable. However, the unreliability of cyberweapons discussed in the next section
means that a cyberweapon is less likely to be effective and that trades off with its
nonlethality. Cyberweapons also tend to cause plenty of collateral damage as we
discuss later. Human life has a finite value, usually assessed by economists as a few
million dollars, and cyberattacks can cause millions of dollars in collateral damage. So
a nonlethal cyberweapon may be worse than a weapon that kills.
6. THE UNRELIABILITY OF CYBERWEAPONS

Another key problem with cyberweapons is that they must exploit flaws in human
artifacts, generally flaws in software. That means that some well-defended targets are
unattackable no matter what their strategic importance, and other targets may or may
not be attackable based on chance: the chance that the flaw has been found, the chance
that a fix for the flaw has been found, the chance that the fix has been disseminated,
and the chance that the target has installed the fix. Control of the cyberweapon may
also be unreliable, since it may depend on Internet connections that are untested until
conflict breach out or are deliberately broken once a conflict begins. This means that
cyberweapons are generally unreliable. They can be more reliable if the victim
standardizes their software and hardware too much, as the U.S. military tends to do, but
even then many surprise responses can foil an attack. Routine maintenance on software
can install new versions, reorganization of a network can give new configurations, or
the target may engage in deliberate deception. Reliability of attacks can also be
improved by using novel attack methods for which fixes are unlikely to be known, as
with Stuxnet, but those require expensive research to find, and may not be within the
capabilities of all but a few countries.
Unreliability risks both the ethical principles of discrimination of noncombatants29
and proportionality30 of attacks to the provocation. Cyberweapons will also be
unreliable due to errors in targeting, as was mentioned earlier in analogy to air targeting
with bombs and missiles, raising issue of discrimination of noncombatants. Errors
occur with air targeting when intelligence is outdated, as with the U.S. bombing of the
Chinese embassy in Belgrade in 1999, or when people or buildings are misidentified, as
with bombing of a Red Cross warehouse in Afghanistan in 2001.31 Cyberspace
provides additional opportunities for mistakes in targeting because the range of
operations is large, camouflage is easy, and large changes in the target can be made
quickly. The Red Cross warehouse was bombed even though it had a large red cross on
its roof because the bombing pilots flew too high to see it. There will likely be even
28
Strawser & Denning (n 26).
29
See Bannelier-Christakis (Ch 16 of this book).
30
See Gill (Ch 17 of this book).
31
Alex J. Bellamy, Just Wars: From Cicero to Iraq (CUP 2006).

8 / Date: 7/5
more problems with identifying the context of a target in cyberspace and meta-
phorically seeing a ‘red cross’.
The unreliability of cyberweapons encourages commanders to use massive and
multifaceted cyberattacks to ensure a desired effect. For instance, Stuxnet used at least
five different novel propagation methods. Overkill tends to result in unnecessary
damage when the attacker underestimates the chances of success, and unnecessary
damage requires more work to repair. Underestimation of effects will be frequent with
cyberweapons because the conditional probabilities of one weapon succeeding when
another succeeds are not independent but positively correlated in unpredictable ways,
since there can be hidden common underlying vulnerabilities that both weapons can
exploit. Thus overkill can easily happen with cyberweapons and can violate the
principle of proportionality in the laws of war.
Another reliability problem is that automated or semi-automated cyberweapons may
not be stoppable after termination of hostilities, a violation of the laws of war regarding
armistices (which derive from the ethical principle of responsibility for warfare).
Cyberweapons not controlled from the Internet, as by a timer, would be examples. But
even for botnet-controlled cyberattacks, once a victim recognizes they are under attack,
they would likely terminate running processes and close network ports; such activity
could very well break the Internet connection being used to control the attack and
prevent it from being stopped. This suggests that an ethical cyberattacker must either
use self-limiting attacks, such as attacks that destroy a set of data and then stop, or use
mechanisms of control that are highly resistant to victim manipulation such as
unsuspected timing channels for conveying commands. (Timing channels convey
information in the time delay between external events such as the appearance of a
packet from a particular address.)
Unreliability also has strategic implications. There is not much deterrence value in
advertising the possession of a cache of cyberweapons, since many of them will not
work, and advertising enables potential victims to better defend themselves since they
can start hardening their defenses and filtering out traffic from the threatening country.
This means a country would get the same deterrence effect whether or not it has
cyberweapons – so there is no point getting them unless intending to use them soon.
But that means cyberweapons are only good for unprovoked attacks, a violation of the
laws of war. Another issue is that unreliable weapons are poor choices in a conflict
since there are many reliable weapons that better ensure proportionate and discrimin-
atory responses. It thus could be unethical for a commander to use a cyberweapon.
The U.S. thinks it has an answer to the unreliability of cyberweapons: It will launch
massive cyberweapons campaigns. This is consistent with U.S. policy to stage massive
traditional attacks, as in Iraq in 2003 to create ‘shock and awe’ (alias terror). It is then
hoping that the victim country cannot respond with counter-cyberattacks on a similar
scale. But the U.S. military does not have the resources it once did due to the declining
U.S. economy in the face of foreign competition. It can no longer rely on enormous
shows of force to advance its national interests. Of course, software vendors promise
the U.S. military all kinds of capabilities. Cyberweapons are a very appealing product
for software vendors to sell to the U.S. government – software that is rarely used, can
be made to look good in artificial test conditions, and will likely fail in real conflict
long after the vendor has been paid.

9 / Date: 25/3
7. REPAIRING THE DAMAGE OF CYBERATTACKS

A major ethical problem with cyberweapons is repairing their damage after the end of
hostilities (jus post bellum), something that can be a serious challenge. This risks the
ethical principle of proportionality32 of attacks in a different way. It can be hard to find
the damage of a cyberweapon since it is not visible to the naked eye. So indiscriminate
cyberweapons could be even worse than land mines, which are only concealed before
the attack. Even when damage is clear, its cause may be difficult to track down.
Software and systems are interconnected, and what may appear to be a flaw in one may
actually be a flaw in another. Thus using some kinds of cyberweapons may be
sentencing the victim to years of damage repair. This is particularly true for less-
developed victim countries without much technical infrastructure.
The usual approach to damage repair from criminal cyberattacks is to try to restore
the damaged systems from backup data. This can be done for cyberwar attacks too, but
there are possible obstacles that are even more likely with cyberwar attacks. Backup
restoration will not work if the attack code remains in the hardware, firmware, or in the
boot code (such as BIOS). Restoring will also generally take a long time since usually
an entire operating system should be restored to remove all possible sources of
reinfection. Furthermore, attacks can hide in data as well, and the data may need to be
restored from backup too. Not all systems make adequate backups, since taking
backups is a tedious and little-rewarded task, and they may be incomplete, faulty, or
even entirely missing, and then most of the damage of a cyberweapon could be
permanent. In addition, cyberattacks can also cause permanent damage in the form of
opportunities missed while the system was under attack.
Another problem is that new damage from a cyberweapon may continue long after
hostilities have ceased if it used automatic propagation. The Stuxnet attacks continue to
circulate today; though their volume has been reduced by antivirus software, not
everyone has antivirus software nor has it configured correctly. So even if a system is
restored from backup to a clean copy, it may be reinfected if not all the propagation
methods have been discovered and countermeasures applied. Since cyberweapons will
tend to use novel methods of attack, knowing all the right countermeasures may be a
challenge.
For these reasons an ethical cyberattacker should try to facilitate damage repair after
the cessation of hostilities. Several things can be done. First, an ethical cyberattacker
should acknowledge their attack after hostilities because the attacker knows what they
attacked and how, and can provide the best guidance as to what to repair. This is a form
of the ethical principle of responsibility for conduct in warfare. Acknowledgement can
be done by announcement, but it is better to prove it by attaching cryptographic
signatures to the attack, so false claims of responsibility can be prevented. In fact, it
may be desirable for a country to take responsibility for an attack at the time of the
attack to obtain political leverage. The overly close connection of cyberespionage to
cyberwarfare makes this difficult for intelligence agencies to accept, since espionage
tries to avoid attribution, but warfare is fundamentally different from espionage and
32
See Gill (Ch 17 of this book).

10 / Date: 7/5
subject to considerably more international agreements.33 Second, at the cessation of

hostilities an ethical cyberattacker should provide information to the victim about
exactly what was attacked so the damage can be found, perhaps in the form of lists of
sites and software on those sites. The issue is similar to that of keeping records of
where land mines have been emplaced. Third, an ethical cyberattacker should use
attack methods that are easy to repair. That means avoiding autonomous propagation
methods as much as possible, and employing attack methods that are easily revers-
ible34. An example is encryption of key data by an attacker using a key that only the
attacker knows; then the attacker can decrypt the data at the cessation of hostilities and
exactly restore what was there before, since encryption preserves information.
8. COLLATERAL DAMAGE
Perhaps the most serious ethical problem with cyberweapons is their potential for
collateral damage to civilians. This can violate the ethical principle of discrimination of
noncombatants.
Cyberattack methods have been employed so extensively against civilians by
criminals that an important question is how well cyberattacks in cyberwar can be
focused on exclusively military targets. The definition of a civilian is increasingly
unclear in modern warfare,35 and increasing rates of collateral damage in modern
warfare are apparent.36 The U.S. has claimed for many of its drone strikes in Pakistan
that any military-age males killed must be combatants, so we will undoubtedly hear a
similar argument from any aggressor about the victims of their cyberattacks during
cyberwarfare. But we can generally identify civilians as people with not contributing
substantially to warfare by their activities or products.
(a) Types of Cyberattack Collateral Damage
Cyberattacks involve manipulation of programs and data and there are many ways to do
this. Ideally, a cyberattack should modify a single target program or file on a computer
system, something critical to warfighting. We call these type-0 cyberattacks. This is
consistent with the standard goal of warfare to interfere with a victim’s ability to wage
war, which is a more ethical goal than just damaging a victim by the notion of
proportionality. Consider the software for a missile-defense system as in the Israeli
quasi-cyberattack on Syria in 2007;37 an intelligence operative could put a copy of
software for missile defense on a victim’s system that, unlike a correct copy, will
33
34
Rowe (n 20).
35
Pauline Kaurin, ‘When less is more: expanding the combatant/noncombatant distinction’
in Harry Van Der Linden, John W. Lango & Michael W. Brough (eds.) Rethinking The Just War
Tradition (SUNY Press 2007). See also Bannelier-Christakis (Ch 16 of this book).
36
Thomas W. Smith, ‘The new law of war: Legitimizing hi-tech and infrastructural violence’
(2002) 46 Int’l. Stud. Q. 355–374.
37
Richard Clarke & Robert Knake, Cyber War: The Next Threat to National Security and
What To Do About It (HarperCollins 2010).

11 / Date: 7/5
malfunction in critical situations. Unfortunately, it is very difficult to do this, as

software critical to victim’s ability to wage war will be highly protected. Certainly a
potential victim should calculate hash values such as the 160-bit SHA-1 values on their
critical software and periodically check that the values on the software they run are the
same as the values on the software they installed. So type-0 cyberattacks are usually
infeasible.
A cyberattack could modify data on which the target depends, particularly data
whose contents vary over users and installations. If this reaches civilians, we can call
this type-1 collateral damage. An example would be what is known as a ‘configuration
file’ that defines the operating parameters for some software. But many modifications
of configuration files will not disable software, and those that do will usually reveal
their presence by causing failure in more than the targeted conditions.
A more effective kind of cyberattack is to induce a user to download a copy of
Trojaned (modified) software or data from some repository such as an update site. If
civilians also download it, we call this type-2 collateral damage. If downloading from
the repository is concealed from the victim, as when files from a USB thumb drive are
automatically transferred to a computer in which they are inserted, we call this type-3
collateral damage. This appears to have been a key mechanism in propagating the
Stuxnet attack.38 Collateral damage of type-3 attacks can be worse than type-2 attacks
because tracing the source of the malware is harder, making the damage more difficult
to diagnose and repair.
Finally, attacks can spread to a victim from viruses and worms that commandeer
parts of legitimate programs to enable their spreading. We call these type-4 collateral
damage since there are often inadequate controls within the virus or worm on how the
attack spreads and a good number of targets are hit randomly. Type-4 attacks are too
much blunt instruments to be appropriate for most cyberwarfare.
(b) Direct Collateral Damage
The traditional meaning of collateral damage is direct damage to a civilian entity by

errors in targeting. Judged on this criterion alone, Stuxnet did well, as it looked for
certain specialized process-control operating systems before attempting sabotage,
though it did try to propagate itself to other network sites using type-4 methods. It has
been argued39 that this inspection of its environment can be carried further by a
cyberweapon to check the address of the site it is on, the kind of software the site is
running, the kinds of network protocols it is running, the kind of files on the systems,
the kinds of encoding used for transmissions, and so on, to be even more sure what
system it is on before doing damage.
38
United States Cyber Consequences Unit, ‘Overview by the US-CCU of the Cyber
Campaign against Georgia in August of 2008: US-CCU Special Report’ (August 2009)
<www.usccu.org> accessed November 2, 2009.
39
David Raymond et. al., ‘A control measure framework to limit collateral damage and
propagation of cyber weapons’ in Karlis Podins, Jan Stinissen & Markus Maybaum (eds.), 2013
5th International Conference on Cyber Conflict (NATO CCD COE Publications 2013).

12 / Date: 25/3
This sounds encouraging at limiting the collateral damage of cyberweapons, but this
is illusory. The information that a cyberweapon can extract about its environment will
often be technical information that does not reveal the true nature of a potential target.
Just knowing the Internet (IP) address cannot confirm it is a military target, since even
if it is in a block of addresses owned by the military, it could be a military hospital, a
public-relations office, or a housing complex. Rarely is an explicit statement of purpose
attached to a computer system and visible from inside it. And any potential target
should take pains to ensure its range of critical military addresses is kept secret, so it
will be hard to get useful address information. Furthermore, a potential target may also
distribute false address information, may deliberately create decoys to encourage
attacks on the wrong targets, or may camouflage the right targets, as those are standard
military tactics. Or a criminal may spoof a military site to gain leverage. Cyber-
sabotage could be preceded by a long period of espionage to thoroughly confirm the
identity of a machine before attacking it, but the more espionage done, the more likely
it will be discovered, and the less likely an attack will be effective.
Just knowing what software is on a system is similarly ambiguous. How can it be
proven that a particular software product is used by military organizations? This would
require extensive intelligence to confirm, and the whole appeal of cyberweapons is in
not having to visit the target. Military organizations generally use a considerable
amount of civilian software because it is cheaper than the alternatives. Even if there are
distinctive features of the cyber-environment of a military organization, identically-
named or similarly-named software or data entities could be confused. This is
analogous to the mistargeting of drone strikes when civilians have similar names to
insurgents. A site may also be judged a military target on the grounds of its behavior or
its associations with known military sites, neither of which sufficiently justify the use
of deadly force as per the principle of discrimination.
We should note the unfortunate trend in modern warfare to reclassify civilian targets
as military. Electrical grids are increasingly considered military objectives40. This
created a good deal of collateral damage to civilians in Iraq in 2003-2004 since many
utilities such as communications, water systems, and refrigeration depended on the
electrical grid; in fact, civilians depend more on the electrical grid than militaries do
since militaries have better backups like generators and batteries. Disabling the grid in
Iraq did quickly achieve military results, but it took much time to restore infrastructure
and there was much unnecessary civilian suffering. We should expect to see even more
civilian targeting with cyberweapons since cyberweapons appear more benign.
Denial-of-service attacks on Internet sites involve damage to availability of a network
service for a period of time but where no product tampering need be done. The
cyberattacks on Georgia in 2008 were predominantly denial-of-service attacks against
civilians41. Collateral damage can still occur with them because denial of service is a
rather crude weapon, and it will slow down not just the direct targets but also any sites
trying to connect to the targets, and some of these could be civilian. And again, it may
be difficult to correctly identify a civilian site.
40
Smith (n 36).
41
United States Cyber Consequences Unit (n 38).

13 / Date: 8/5
(c) Costs of Recovering From Direct Damage of a Cyberweapon
Let us now consider the costs of collateral damage of cyberweapons so we can apply
utilitarian ethics. One category is the direct cost of repair. Recovering from a
cyberattack requires removal of malware-infected files and running malicious pro-
cesses, but this is not often simple, as we discussed above in the section on repair, and
the cost can vary considerably with the system. Restoring an operating system requires
some time, though not all human-supervised, and the people doing it need a certain
level of technical knowledge. If there are backups, some tedious labor will be needed to
find them and restore them. Typically the restoration also destroys the data on the
systems, which will cost additional effort to restore if it can be restored. The people
doing this work need a certain level of technical knowledge, so the overall cost should
be several thousand U.S. dollars per system. However, if there are no backups for some
or all of the files, the cost of permanent data loss can be considerably more. A lack of
backups, in fact, could be a good reason to target a system in cyberwar.
Alternatively, the responder to the attack can try to ‘patch’ (repair) just the programs
and data having unauthorized modifications. Sites such as cert.org provide guidance on
how to do such patches for specific types of attacks with specific indicators. But these
are unlikely to be useful against cyberwar attacks as the attacks are likely to be novel
and resistant to known patch methods. A country that follows a patching strategy will
be subjected to years of repair activities.
(d) Costs of Attack Propagation
Cyberspace is highly interconnected, and an attack that is designed to propagate itself

could easily spread from a military system to civilian systems, a kind of damage not
considered by most analysts. Stuxnet needed to propagate onto many civilian machines
to have a chance of reaching its few targets since it could not access them directly.
Even when the propagation does not affect the functionality the target system, it can
hurt it by burdening the operating system with added processes and files. Those
additions may be flagged by anomaly-based malware detection mechanisms, and may
require time-consuming administrator inspection well out of proportion to their size. An
ethical cyberattacker should design the attacks to remove themselves from stepping-
stone sites after their goals have been accomplished, much in the way that the police
should not linger on private property in pursuit of a criminal transiting the property, but
this was not done with Stuxnet. Propagation of damage to civilian systems is made
easier by the fact that militaries use much of the same software as civilians such as the
Windows operating system, Internet Explorer and Mozilla browsers, Adobe Acrobat,
and Google. These provide a steady stream of discovered vulnerabilities that attackers
can exploit. Thus it is not difficult for an attack disabling a military site to disable a
civilian site that it reaches by mistake.
If we assume that the average network node has K connections, and if we assume
that the chance of propagating the attack to a new node is p, then we should expect
from a single attack p*K infections from immediate neighbors, and pMKM infections in
neighbors with M degrees of separation. If pK<1, the number of total infections will be
calculated by a geometric series whose sum is 1/(1–pK), so we can multiply this by the

14 / Date: 25/3
cost of a single cleanup to get the overall cost of an attack. But if pK>1 the propagation
is unbounded, and that was apparently true of Stuxnet. If malware can be analyzed
carefully, its propagation methods may be identified, and its damage might be more
easily traced. This is very time-consuming and may not succeed. To avoid tracing, if an
attack is detected on one computer of a local-area network, the rest of the network
usually receives repair or restoration too. This multiplies the cost of an individual
system repair by the size of the network, which can considerably increase costs.
Countermeasures are eventually found for attacks, and the propagation rate should
decrease over time. However, many computer systems and devices never get any
countermeasures, due to lack of funds, carelessness, or previous cyberattack, and so
there are always a residuum of machines willing and able to spread even an old
cyberattack. This means that propagation of attacks can continue a long time.
If the attack came in over the Internet, it can be politically important to identify the
country that is responsible for the attack. Tracing across the Internet can be difficult
because routing information is generally short-lived and attackers will go to great
lengths to conceal their origins by using proxy servers, spoofed servers, and long
chains of control. But the increasing international cooperation on sharing routing
information can be helpful, and intelligence data comparing attack code to that on
likely sources of the attacks can be helpful in clinching a case against a country. This
kind of investigation requires significant effort, however.
(e) Costs of Attack analysis and Development of Mitigation Measures
Another important source of collateral damage not often considered is the effort to
understand the cyberattack. This includes analyzing the attack, finding methods to
repair its damage, finding ways to strengthen defenses against it, extracting signatures
of the attack for use by anti-malware software, and publishing and discussing the
findings. It may also include attribution of the source of the attack to enable better
countermeasures. All these steps are considered standard practice for novel attack
methods,42 and cyberweapons will almost invariably use novel methods to increase
their chances of success. As with Stuxnet, methods of cyberattack against military
systems will often be usable against civilian systems, so some degree of reporting and
analysis of military cyberattacks is ethically imperative. And it needs to be done
quickly, since once an attack has occurred its techniques are disseminated quickly and
can be used in copycat attacks.
Cyberweapons will likely incur higher costs for analysis than criminal cyberattacks.
That is because they have the resources of nation-States for their development. Thus
they will be more likely to be novel, will be better tested, will be more likely
obfuscated to make analysis difficult, and will require more work to find counter-
measures. Hence even if cyberattacks on military targets do not propagate much to
civilian systems, they may incur significant cost to civilians.
Will some military victims try to conceal attacks, thereby depriving the world
community of useful intelligence about the attack methods? It is unlikely because most
42
TechRepublic, ‘Flaw finders go their own way’ (26 January 2005) <http://www.
techrepublic.com/article/flaw-finders-go-their-own-way/> accessed 1 September 2014.

15 / Date: 7/5
victims will be weaker than their attackers (else they would be less likely to be
attacked) and often want all the international help they can get. Even if the attack is on
a secret facility whose details the victim does not want to reveal, often the attacked
software is civilian, and can be fully revealed without violating secrecy. In addition, an
attack on a secret facility may still be detected elsewhere by its collateral damage, as
with Stuxnet.
Much work on analyzing attacks, determining countermeasures, extracting signa-
tures, and disseminating reports about them is done by civilian infrastructure today
since civilians are bearing the brunt of cyberattacks. This kind of work needs to be
done highly trained professionals, so it can be expensive. Initial clues are provided by
observations of odd behavior reported on bulletin boards and blogs such as Bugtraq (at
www.securityfocus.com) and those of software vendors for their user communities.
Discussion on those sites tries to narrow down the circumstances of the behavior and
attribute it to particular features of the software. Professionals at Mitre study these
discussions and decide whether it represents new vulnerability (which is usually due to
a software bug); if so, they give it a CVE number at cve.mitre.org which represents the
vulnerability’s de facto label in subsequent discussions. Security professionals then try
to plan remediation efforts; usually the responsibility is that of the software vendor, but
in the case of serious problems, governments may also be involved. Remediation
usually requires testing by the vendor to find a complete set of fixes. The fixes usually
involve changing the original vulnerable software or its configuration parameters. If the
vulnerability is serious enough, it is posted along with details including signatures for
identifying it and proposed remediation measures at sites such as www.kb.cert.org (the
US-CERT Vulnerability Notes Database) and web.nvd.nist.org, which represent de
facto official recognition.
Attempting to attribute an attack to a particular country or group entails additional
costs. If malware came in over the Internet, log files for the intervening computers can
be inspected for evidence. There will need to be some distinctive features of the
malware for this to work, and malware tries hard to conceal itself, so the success rate in
tracing it will be low. Cyberwar malware will almost certainly be encrypted to
eliminate the possibility of recognizing signatures in its contents, though matching its
occurrences can still be done to trace its path across the Internet. If malware was
installed surreptitiously without coming through the Internet, tracing possible instal-
lation times can be done, and analysis of the text of the malware may suggest
distinctive national or personal code-writing styles. But all this takes a good deal of
time. A thousand hours of the time of trained personnel would be a reasonable guess,
for a total cost of US $100,000.
It thus costs at least $100,000 for the world to analyze and find countermeasures for
a new attack method. Stuxnet was sufficiently novel that considerably more effort was
expended in its analysis, so $1,000,000 is a better figure for it. If Stuxnet were
primarily an Israeli operation, as it appears to be, Israel should be paying this cost to
the professionals around the world for its perpetration of the attacks, since no state of
war exists between Israel and the countries of nearly all those professionals; in fact,
much initial analysis of Stuxnet was done in Russia, so Israel owes Russia a significant
sum. This sort of widespread collateral damage has no counterpart with bombs and
missiles.

16 / Date: 25/3
Analysis of a vulnerability or attack is essential to finding remediation. Posting

information about the vulnerability or attack is essential to enable people to defend
against it, and the more openness of the information exchange, the more quickly
thorough remediation measures will be found. But this openness has a price: it
facilitates new attacks using the same methods. Once criminals know where the
vulnerability is and roughly what it involves, it greatly simplifies their search for how
to exploit it. The consensus of the information-security community today is that
openness is more important than preventing new attacks in the short term, and only a
few vendors disagree with that. Once vulnerability information is posted, remediation
methods usually follow quickly. But not all systems are updated quickly, and
cyberattackers have a window of opportunity ranging from a few days to a few weeks
for systems that are lagging in updates. Millions of dollars worth of theft can occur in
this time period.
Damage can also be caused by countermeasures themselves. Worldwide damage to
DNS services due to China’s efforts to prevent its citizens from going to certain Web
sites has been identified.43 This kind of collateral damage can occur after attacks when
victim States attempt to block network services that led to the attack.
(f) Psychological Damage
Cyberweapons are well suited for inducing mistrust of a victim in their military
systems since attack machinery can be well hidden. When a victim is attacked or
discovers a weapon, they may suspect that other weapons are concealed. Some of the
damage of a cyberattack by a cyberweapon can then be psychological, and this can be
an effective deterrent against the victim going to war.44 Interestingly, this damage can
occur even before going to war, as for instance when many countries overestimate U.S.
cyber capabilities. But the damage is greatest when cyberweapons have actually been
demonstrated on a victim in a convincing manner. This damage can extend well beyond
military systems because an effective cyberattack will likely be reported by the victim
to gain international sympathy, and this reporting will reduce the confidence of
civilians in their digital infrastructure. People may start to blame every problem with
their computers and devices on malware. While from a military effectiveness standpoint
this provides a multiplier on the effect of a weapon, it is bad from a collateral damage
standpoint because the psychological damage may be unpredictable. Militaries prefer
predictable weapons.
Psychological collateral damage is particularly difficult to measure because it may
have little relationship to the actual damage. Overwhelming damage to a country’s
military can have dramatic political consequences, as seen in Argentina after the
Falklands war. Or civilians may just interpret the damage as the military’s own problem
with little impact on themselves. If a country continues to live in fear for a long time
after a cyberattack, this could have profound consequences for people in that country.
43
Sparks et. al., ‘The collateral damage of Internet censorship by DNS injection’ (2012) 42
(3) ACM SIGCOMM Computer Communications Rev. 22–7.
44
Martin C. Libicki, ‘Cyberwar as a confidence game’ (2011) 5 (1) Strat. Stud. Q. 132–46.

17 / Date: 25/3
The Stuxnet attacks led Iran to retaliate by attacking U.S. targets to very little effect,45
wasting resources that could have better spent elsewhere in Iran. The terrorist attacks
on the U.S. in September 2001 induced an overreaction that has done little good for the
U.S. in light of the few terrorist threats it has had subsequently.46 Cyberweapons, with
their mysterious modes of operation and concealed effects, are even better at inducing
fear in a populace. Cyberweapons with broad psychological damage, such as
unnecessarily powerful cyberweapons that shut down cyberspace for weeks, could be
unethical regardless of their targets.
(g) Summing up Collateral Damage
Many of the costs we have mentioned above can be measured, so we can often apply
utilitarian ethics. Let us take Stuxnet as an example. We conservatively estimate that
10,000,000 machines were infected worldwide by the multiple propagation mechan-
isms. Even though these infections did not sabotage most of the machines, it was not
obvious at first that this was true, so quick detection and removal on each machine was
important. The detection and removal were bundled with handling other threats, and
their amortized time cost was probably around a second of a user’s time, hence their
cost was around 10,000,000 * $100 per hour/3600 seconds = $277,000. The cost of
discovery and mitigation of Stuxnet was at least $1 million as discussed above.
Attempts at attribution probably cost around $100,000 since there was not much
concern about it for this attack. The reuse of the attack methods by criminals probably
resulted in 10,000 incidents worldwide having varying costs but probably averaging at
least $100 per incident for $1,000,000 total. The psychological cost to Iran was at least
$500,000 just from the cost of the wasted attacks on the U.S. Thus the total collateral
damage of Stuxnet was at least $2.9 million. This needs to be compared to the numeric
benefit of Stuxnet, a delay of a few months in Iran’s nuclear development, something
difficult but not impossible to estimate.
Thus the cost of a cyberattack that does not kill anyone could easily reach millions of
U.S. dollars. One much-cited study47 assigns a value to a U.S. human life at $4.7
million based on economic impact, and the U.S. Government has assigned values
ranging from $6 million to $9 million recently.48 Since this value has a large economic
component, it will be less where per capita income is less. The international standard
for insurance purposes is $50,000 per future year of human life,49 which would give a
value of $2 million for an average adult. This value should be decreasing on an
45
Siobhan Gorman & Danny Yadron, ‘Banks seek U.S. help on Iran cyberattacks’ Wall
Street Journal (16 January 2013) <http://online.wsj.com/news/articles/SB100014241278
87324734904578244302923178548> accessed 1 September 2014.
46
Paul R. Kimmel and Chris E. Stout, (eds.), Collateral Damage: The Psychological
Consequences of America’s War on Terrorism (Praeger, 2006).
47
W. Kip Viscusi, ‘The value of life: estimates of risk by occupation and industry’ (2004) 42
(1) Economic Inquiry 29–48.
48
Binyamin Appelbaum, ‘As U.S. agencies put more value on a life, businesses fret’, The
New York Times (16 February 2011).
49
Kathleen Kingbury, ‘The value of a human life: $129,000’, Time (May 20, 2008)
<content.time.com/time/health/ article/0,8599,1808049,00.html> accessed 23 November 2013.

18 / Date: 25/3
increasingly overpopulated planet since additional humans are increasingly redundant.

Thus the damage of Stuxnet was similar to that of killing a person even if we do not
believe Iranian claims that it killed someone. Thus the harm of a less well-planned
cyberattack could be greater than the cost of traditional military operations to achieve
the same goals.
9. CONCLUSIONS
Cyberweapons are yet another step in the institutionalization of cowardice. With them
the attacker is even more remote from their victim than with extrajudicial executions by
drones in Pakistan today. This means further opportunities for errors and misjudgments
in targeting, and further opportunities for collateral and persistent damage. This is
consistent with the argument that modern high-technology warfare will and must
increasingly target civilians.50 Worse, much of the damage will be hidden or dissemin-
ated across networks, so aggressors will not get adequate feedback about what they
have done, and victims may find it difficult to remove the damage after the end of
hostilities. Cyberweapons also embody some serious ethical problems on their own
beyond collateral damage, since they are so close to cyberespionage in methods that it
is very tempting to use them for small provocations,. They also usually demand cyber
perfidy, and their dependence on software flaws makes them unreliable and inviting of
overkill.
Thus a civilized country needs to think carefully before embarking on cyberwarfare.
It is becoming increasingly important to resolve cyberconflicts without the violence of
cyberattacks, as reducing violence is a desirable goal in cyberspace just as for other
forms of warfare.51 Because of this host of ethical challenges associated with
cyberweapons, their use should be discouraged, and international agreements should be
sought to restrict their use, much in the manner of nuclear, chemical, and biological
weapons.
50
Smith (n 36).
51
D.J. Christie et. al., ‘Peace psychology for a peaceful world’ (2008) 63 (6) American
Psychologist 540–52.

19 / Date: 7/5
15. Classifying cyber warfare

Louise Arimatsu
The prospect of cyber warfare has brought to the fore a number of distinct legal
questions that merit further scrutiny. Although existing law is capable of meeting most
of the challenges thrown up by this new domain, it would be unwise to underestimate
the difficulties that cyber is likely to present, not least in respect of determining the
existence of an armed conflict and its classification. As with all law, international
humanitarian law is constituted on a number of assumptions, two of which are pertinent
to classification: the existence of the territorial border and knowledge as to the identity
of the adversary. The cyber domain’s apparent disavowal of the border, forces us to
re-engage with questions that remain contested pertaining to the spatial reach of the law
given its ostensible fidelity to the geographical border. However, in practice, it is
probably the challenge associated with correctly identifying the actor who is respons-
ible for the cyber-attack in question that will prove more problematic. This is because
the type of armed conflict or its ‘classification’ is contingent on knowing the identity of
the adversary and only then can a determination be made as to what rules apply in the
circumstance. What is more, the anonymity that cyber affords has the potential to
deprive us of judgment as to whether international humanitarian law even applies to the
particular situation of violence since the relevant test for operationalizing the law is
contingent on knowledge as to the adversary’s identity.
The history of and reasons for why States insist on classifying armed conflict as a
matter of law has been examined elsewhere and will therefore not be retraced in this
chapter.1 For present purposes, what matters is that international humanitarian law
recognizes two types of armed conflict: international, or those waged between two or
more States; and non-international, which include both those fought between the armed
forces of the State and an organized non-State armed group or between such groups.2
As noted, identifying the character of the conflict is necessary because different rules
apply depending on the type of armed conflict in existence.3 Insofar as the codified law
1
Michael Schmitt, ‘Classification of cyber conflict’ (2012) 17(2) J. Conflict & Sec. L. 245;
Louise Arimatsu, ‘Territory, boundaries and the law of armed conflict’ (2009) 12 Ybk. of Int’l.
Humanitarian L. 157.
2
ICRC, ‘How is the term “Armed Conflict” defined in international humanitarian law?’
(Opinion Paper, March 2008) <http://www.icrc.org/eng/resources/documents/article/other/armed-
conflict-article-170308.htm> accessed 8 December 2013.
3
On classification generally, see Sylvain Vité, ‘Typology of armed conflicts in international
humanitarian law: Legal concepts and actual situations’ (2009) 91 I.R.R.C 69; Elizabeth
Wilmshurst (ed.), International Law and the Classification of Conflicts (OUP 2012); ‘Classifi-
cation of conflicts: Syria, Yemen and Libya’ Chatham House Report (2014, forthcoming).
326
1 / Date: 25/3
Classifying cyber warfare 327
is concerned, ‘the differences are vast’.4 This is so not only in regard to the content but
also the sheer volume of rules. The principle treaties governing international armed
conflicts include the 1949 Geneva Conventions, Additional Protocol I of 1977 and the
Regulations annexed to the Fourth Hague Convention of 1907. By contrast, the treaty
rules applicable to non-international armed conflicts are limited to Common Article 3
of the 1949 Geneva Conventions and Additional Protocol II of 1977. That said, the
legal chasm that once distinguished international armed conflict from non-international
armed conflict no longer holds true today. Since the mid-1990s States have embraced
the extension of many of the rules applicable in international armed conflict to
non-international armed conflict. In part this is evidenced by the extension of a number
of weapons treaties to non-international armed conflict; but it has been the evolution of
customary international law that has been game-changing.5 Consequently, there is now
broad agreement that as far as the rules pertaining to the conduct of hostilities are
concerned, the type of conflict being fought matters little. However, the rules diverge
significantly in regard to status. More specifically in the case of international armed
conflict, combatants are entitled to combat immunity and other supplementary rights
principally in the context of detention as set forth in treaty and customary international
law. In contrast, the concept of combat immunity is not known in non-international
armed conflict. Since it is unlikely that States will ever agree to a complete abolition of
the distinction, classifying the conflict – or identifying the type of conflict to which the
particular situation of violence amounts – will remain a critical issue for the
foreseeable future.
It is often suggested that recent wars, from those in the Balkans to the conflict with
Al-Qaeda, have disrupted the clear distinction between the two types of conflict,
making classification even more difficult.6 But even a cursory review of history seems
to cast doubt on this view. What has changed is not how wars are fought but the extent
to which wars are now seen through the prism of the law. And in seeing war through
4
Dapo Akande, ‘Classification of Armed Conflicts: Relevant Legal Concepts’ in Wilmshurst
(n 3).
5
In the case of Prosecutor v. Tadić, the ICTY held:
It cannot be denied that customary rules have developed to govern internal strife. These rules
… cover such areas as protection of civilians from hostilities, in particular from indiscrimin-
ate attacks, protection of civilian objects, in particular cultural property, protection of all
those who do not (or no longer) take active part in hostilities, as well as prohibition of means
of warfare proscribed in international armed conflicts and ban of certain methods of
conducting hostilities.
Prosecutor v. Dusko Tadić (Appeals Chamber Decision on Defence Motion for Interlocutory
Appeal on Jurisdiction) (2 October 1995) IT-94-1-AR72 para. 127 [hereinafter Tadić Appeals
Chamber Decision]. See also Jean-Marie Henckaerts & Louise Doswald-Beck, Customary
International Humanitarian Law Study (CUP 2005).
6
Some commentators have suggested that these conflicts have given rise to a new category
of ‘transnational armed conflict’. For example, see Geoffrey S. Corn, ‘Hamdan, Lebanon, and
the regulation of armed conflict: The need to recognize a hybrid category of armed conflict’
(2006) 40 Vand. J. Trans. L. 295; Geoffrey S. Corn and Eric T. Jensen, ‘Untying the Gordian
Knot: A proposal for determining applicability of the laws of war to the war on terror’ (2008) 81
Temple L. Rev. 787; Geoffrey S Corn, ‘Making the case for conflict bifurcation in Afghanistan’
(2009) 85 Int’l. L. Studies 181.

2 / Date: 25/3
one lens, we have unwittingly exposed the shortcomings of the codified law. Hence, the
challenge before us is to remain steadfast to the aims and objectives of this body of law
as we think about how it applies to the cyber domain.
Cyber operations may pose a novel set of questions in respect of how international
humanitarian law rules apply but the resort to cyber means or methods per se by the
parties will have no bearing on the classification of the conflict. This chapter is
therefore concerned exclusively with situations in which there is no pre-existing armed
conflict and the only operations being conducted are through cyber means. Two
overarching questions are addressed. Can cyber operations unaccompanied by the use
of conventional weapons trigger an armed conflict? If so, under what circumstances?
1. INTERNATIONAL ARMED CONFLICT7

An international armed conflict, as set forth in common Article 2 to the Geneva
Conventions, comprises ‘all cases of declared war or of any other armed conflict which
may arise between two or more of the High Contracting Parties, even if the state of war
is not recognized by one of them’.8 Extrapolating from this, the ICTY’s succinct
statement that an international armed conflict exists ‘whenever there is a resort to
armed force between States’ is now accepted as customary international law.9 Notwith-
standing agreement that, as a matter of fact, such a conflict arises when there is: i) the
use of armed force; ii) by a State against another State, an understanding of precisely
how these criteria might apply in the context of the cyber domain is still in its
embryonic stage.10
(a) The Use of Armed Force
Our conception of what constitutes ‘armed force’ has always assumed the assertion of
physical force in one shape or another principally through the use of conventional
7
For States Party to Additional Protocol I, wars of national liberation or ‘armed conflicts in
which peoples are fighting against colonial domination, alien occupation, or racist regimes in the
exercise of their right of self-determination’ are to be considered international armed conflicts;
Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the
Protection of Victims of International Armed Conflicts (8 June 1977) 1125 UNTS 3 art 1(4). The
fact that this provision was drafted with specific situations in mind, many of which have now
been resolved, has led commentators to suggest that the provision no longer holds much
relevance.
8
Convention for the Amelioration of the Condition of the Wounded and Sick in Armed
Forces in the Field (12 August 1949) 6 UST 3114, 75 UNTS 31; Convention for the
Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at
Sea (12 August 1949) 6 UST 3217, 75 UNTS 85; Convention Relative to the Treatment of
Prisoners of War, 12 August 1949, 6 UST 3316, 75 UNTS 135; Convention Relative to the
Protection of Civilian Persons in Time of War, 12 August 1949, 6 UST 3516, 75 UNTS 287.
9
Tadić Appeals Chamber Decision (n 5) para. 70.
10
See Rule 22 Tallinn Manual and accompanying text; Michael Schmitt (ed.), Tallinn
Manual on the International Law Applicable to Cyber Warfare (CUP 2013) [hereinafter Tallinn
Manual].

3 / Date: 25/3
weapons that release kinetic force. Although cyber operations, because intangible, are
in this respect fundamentally distinguishable from traditional notions of ‘armed force’,
it is indisputable that such operations are quite capable of producing destructive or
deadly results, analogous to conventional weapons systems. As Droege vividly sug-
gests: ‘if a computer network attack causes airplanes or trains to collide, resulting in
death or injury, or widespread flooding with large-scale consequences, there would be
little reason to treat the situation differently from equivalent attacks conducted through
kinetic means or methods of warfare’.11 It follows that there is no reason why cyber
operations that result in, or are reasonably expected to result in, death, injury, damage
and destruction would not satisfy the criterion of ‘armed force’.12 This is certainly the
prevailing view among most commentators today.13
Commentators differ, however, in respect to whether the criterion of armed force is
conditioned on an intensity threshold. Those who maintain that the hostilities must
reach a certain level of violence before an armed conflict exists do so on the basis of
State practice. That said, treaty law imposes no threshold requirements either in respect
of duration or intensity.14 As emphasized in the the ICRC Commentaries to common
Article 2 of the Geneva Conventions, ‘[a]ny difference arising between two States and
leading to the intervention of armed forces is an armed conflict … . It makes no
difference how long the conflict lasts, or how much slaughter takes place’.15 This is
reaffirmed in the Commentary to Additional Protocol I which notes that ‘humanitarian
law also covers any dispute between two States involving the use of their armed forces.
Neither the duration of the conflict, nor its intensity, play a role: the law must be
applied to the fullest extent required by the situation of the persons and the objects
protected by it’.16
11
Cordula Droege, ‘Get off my cloud: Cyber warfare, international humanitarian law, and
the protection of civilians’ (2012) 94 I.R.R.C. 533, 546.
12
13
For example, Michael Schmitt, ‘Wired warfare: computer network attack and jus in bello’
(2002) 84 I.R.R.C. 846; Knut Dörmann, ‘Applicability of the Additional Protocols to computer
network attacks’ (ICRC, 2004) <http://www.icrc.org/eng/resources/documents/misc/68lg92.htm>
accessed 8 December 2013; Nils Melzer, ‘Cyberwarfare and international law’ (UNIDIR
Resources Paper, 2011) <http://www.unidir.ch/pdf/ouvrages/pdf-1-92-9045-011-L-en.pdf>
accessed 8 December 2013. This understanding is consistent with the views expressed by the
drafters of the 1952 ICRC Commentary to art 2, who forcefully maintained that the existence of
an armed conflict was not contingent on ‘the intervention of cumbrous machinery’ given that the
law’s object and purpose was to mitigate the violent effects that are caused as a result of hostile
activities between States. Commentary on the Geneva Conventions of 12 August 1949 (ICRC
1952 – 1958) [hereinafter ICRC Geneva Convention Commentary] vol I 23.
14
In fact treaty law expressly recognizes the possibility for the existence of an international
armed conflict without recourse to any hostilities at all. Art 2 of the Geneva Conventions extends
to cases of ‘partial or total occupation … , even if said occupation meets with no armed
resistance. (Geneva Conventions (n 8) art 2(1))
15
ICRC Geneva Convention Commentary (n 13) vol I 32, vol II 28, vol III 23, vol IV 20.
16
Claude Pilloud et al. (eds.), Commentary on the Additional Protocols of 8 June 1977 to
the Geneva Conventions of 12 August 1949 (ICRC/Martinus Nijhoff 1987) para. 62. But see also
Christopher Greenwood, ‘Scope of application of humanitarian law’ in Dieter Fleck (ed.) The
Handbook of International Humanitarian Law (2nd edn., OUP 2009) 37, 48; Howard S.

4 / Date: 25/3
Nevertheless, State practice does deviate from this interpretation. Over the years,
there have been quite a number of incidents involving the resort to armed force
between States that have resulted in death, injury and considerable destruction and
damage to property, yet been described by States as ‘sporadic border clashes’ or naval
‘incidents’ rather than armed conflict. It is this tendency on the part of States to dismiss
such confrontations as falling short of armed conflict that has led some to suggest that
both the intensity and duration of the violence does matter.17 The practice of States in
the cyber domain also appears to be paralleling the general trend to downplay incidents
that have resulted in the destruction of property. For example, in neither the case of the
Stuxnet operation against Iran’s nuclear facility nor the Shamoon-Aramco incident
against Saudi Arabia’s State-owned company did either State claim the destruction of
State-owned property as tantamount to triggering an armed conflict.18 However, why
States choose to respond in a particular manner to a particular incident – in whatever
domain – is likely to be exceedingly complex;19 accordingly, it would be prudent to
assume that the threshold is low.20
Implicit in the notion of armed force has always been the assumption that the most
effective way to overcome the enemy is to weaken them through the infliction of
material harm. The transformation of contemporary social life by the advent of this new
technology has given rise to the realization that ‘harm’ in this domain can take radically
different forms. This has consequently opened a debate as to what this might mean in
the context of ‘armed force’.21 In most societies, the provision of essential services
such as water, energy, communication, travel, finance and other government services
including, for example, healthcare and the emergency services are now reliant on a
‘vast array of interdependent information technology (IT) networks, systems, services,
Levie, ‘The status of belligerent personnel “Splashed” and rescued by a neutral in the Persian
Gulf area’ (1991) 31 Virginia J. of Int’l L. 611, 613–14.
17
ILA, ‘The Hague Conference: Final Report on the Meaning of Armed Conflict in
International Law’ (2010) <http://www.ila-hq.org/download.cfm/docid/2176DC63-D268-4133-
8989A664754F9F87> accessed 5 September 2014.
18
The Stuxnet worm reportedly caused damage to uranium enrichment equipment at the
Natanz nuclear facility in Iran with the physical destruction of about one thousand IR-1
centrifuges. For further details, see David Albright, Paul Brannan & Christina Walrond, ‘Did
Stuxnet take out 1,000 centrifuges at the Natanz enrichment plant? Preliminary assessment’
(ISIS Report, 22 December 2010) <http://isis-online.org/isisreports/detail/did-stuxnet-take-out-
1000-centrifuges-at-the-natanz-enrichment-plant/> accessed 8 December 2013; Andrew Foltz,
‘Stuxnet, Schmitt Analysis, and the Cyber “Use-of-Force” Debate’ (2012) 67 J.F.Q. 40; Russell
Buchan, ‘Cyber attacks: Unlawful uses of force or prohibited interventions?’ (2012) 17 J.
Conflict & Sec. L. 211; Ivanka Barzashka, ‘Are cyber-weapons effective? Assessing Stuxnet’s
impact on the Iranian enrichment programme’ (2013) 158 RUSI Journal 48–56. For further
details on the Shamoon-Aramco incident, see Clement Guitton and Elaine Korzak, ‘The
sophistication criterion for attribution’ (2013) 158 R.U.S.I. Journal 62–8. The virus allegedly
rendered useless 30,000 computers which had to be replaced.
19
For a useful analysis on the Stuxnet case, see Gary Brown, ‘Why Iran didn’t admit
Stuxnet was an attack’ (2011) 63(4) Joint Force Quarterly 71 <http://www.ndu.edu/press/why-
iran-didntadmit-stuxnet.html> accessed 8 December 2013.
20
Tallinn Manual (n 10) rule 22, para. 12.
21
Traditional conceptions of ‘armed force’ assume that hostilities, that is the ‘collective
application of means and methods of warfare’, have to take place. See ibid. 82.

5 / Date: 25/3
and resources’.22 These dependencies also create new vulnerabilities. Given this reality,
the question that arises is whether a cyber-operation that disrupts or affects the normal
functioning of a system – and in particular one that was regarded as part of the critical
national infrastructure – would be regarded as ‘armed force’ were it to lead to extensive
and severe effects on the civilian population but not necessarily to death and
destruction. In other words, would the manipulation or disruption of a system which
deprives a State of its ability to perform the basic functions expected of a State, be
regarded as equivalent to the physical destruction of the system?23 Since no such
situation has yet materialized, any answers would be speculative. However, in spite of
the rising incidents of hostile cyber activities,24 many of which are specifically directed
22
Written testimony of NPPD Executive Order 13636 and Presidential Policy Direct 21
Integrated Task Force Director Robert Kolasky for a House Committee on Homeland Security,
‘Oversight of Executive Order 13636 and Development of the Cybersecurity Framework’ (18
July 2013) <http://www.dhs.gov/news/2013/07/18/written-testimony-nppd-house-homeland-
security-subcommittee-cybersecurity> accessed 8 December 2013.
23
In 2013, the Dutch Government endorsed a report it had commissioned on cyber warfare
which had concluded:
if an organised cyber attack (or series of attacks) leads to the destruction of or substantial or
long-lasting damage to computer systems managing critical military or civil infrastructure, it
could conceivably be considered an armed conflict and international humanitarian law would
apply. The same is true of a cyber attack that seriously damages the state’s ability to perform
essential tasks, causing serious and lasting harm to the economic or financial stability of that
state and its people. An example would be a coordinated and organised attack on the entire
computer network of the financial system (or a major part of it) leading to prolonged and
large-scale disruption and instability that cannot easily be averted or alleviated by normal
computer security systems.
Advisory Council on International Affairs and the Advisory Committee on Issues of Public
International Law, ‘Cyber Warfare 20’ (No. 77, AIV/No. 22, CAVV) (December 2011)
<http://www.aiv-advies.nl/ContentSuite/upload/aiv/doc/webversie__AIV77CAVV_22_ENG.pdf>
(accessed 10 September 2014); and Government of Netherlands, ‘Government Response to the
AIP/CAVV Report on Cyber Warfare’ <http://www.rijksoverheid.nl/bestanden/documenten-en-
publicaties/rapporten/2012/04/26/cavv-advies-nr-22-bijlage-regeringsreactie-en/cavv-advies-22-
bijlage-regeringsreactie-en.pdf> accessed 10 September 2014.
The ICRC has taken the view that cyber operations that disable an object can constitute an
attack, other commentators have insisted on a higher threshold that is contingent on the need for
physical repair to the system. See also Roscini (Ch 11 of this book).
24
The two primary victims of DDoS attacks have been and continue to be the US and China
(see Arbor Networks, ‘Top daily DDoS attacks worldwide’ (Digital Attack Map, 2013)
<http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16003&view=map>
accessed 10 September 2014. Yet neither have at any time inferred that the cyber operations
directed at them have constituted ‘armed force’ within the meaning of an armed conflict
Likewise, South Korea has not equated the cyber operations conducted against it to amount to
‘armed force’; see for example Symantec, ‘Four Years of DarkSeoul Cyberattacks Against South
Korea Continue on Anniversary of Korean War’ (Symantec, 26 June 2013) <http://www.
symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-
anniversary-korean-war> accessed 10 September 2014; Alex Hern, ‘North Korean ‘cyber-
warfare’ said to have cost South Korea £500m’, The Guardian (16 October 2013) <http://
www.theguardian.com/world/2013/oct/16/north-korean-cyber-warfare-south-korea> accessed 10
September 2014.

6 / Date: 25/3
at critical national infrastructure,25 States have continued to maintain a surprising

degree of tolerance and resilience.26 This would suggest that a hostile cyber operation
by a State against another would have to reach a certain level of severity before it is
regarded as a resort to ‘armed force’, taking into account both the effects and duration
of the operation.27
In addition to prompting reconsideration as to what is meant by ‘harm’ this domain
also forces us to reevaluate our stance toward the question of causality. This is because
rooted in the idea of what constitutes ‘armed force’ is an assumption that the law’s
primary purpose is to mitigate the harm that results as a direct and immediate
consequence of the hostilities between the warring Parties. Commentators generally
dismiss the manipulation of the financial system as constituting ‘armed force’ because
even if death and injury are accepted as inevitable outcomes of severe economic loss,
the harmful effects are not experienced immediately or directly and therefore fall
outside the ‘temporal’ scope of international humanitarian law. Yet at the same time,
cyber operations invite us to revisit traditional conceptions and approaches to both
causality and temporality.28 This is because in assessing whether or not a cyber-attack
constitutes an attack for the purpose of international humanitarian law, our attention is
necessarily drawn to the secondary effects of the attack. The direct consequences of a
cyber-attack may be to disrupt or deny access or service that affects the availability of
networks, information, or network-enabled resources; the effects may go even further
and result in the corruption, manipulation, destruction or degradation of networks or
connected systems.29 But because our primary concern is with the secondary conse-
quences that are likely to result from the disruption, denial, corruption, or manipulation
of the networks and systems, questions surface on how we define what constitutes a
foreseeable consequence in this highly interconnected domain.
(b) By a State Against Another State
The logic of classification is premised on the fact that the identity of the adversary is
known. The ability of actors to take advantage of the anonymity that cyber furnishes
25
For example, according to the Department for Homeland Security’s Industrial Control
Systems Cyber Emergency Response Team (ICS-CERT), attacks against critical national
infrastructure are growing. More than 200 brute-force cyber-attack incidents reported between
October and May 2013, surpassing the 198 total attacks in all of fiscal year 2012. More than half
were against the energy sector. ICS-CERT, ‘ICS-CERT Monitor April/May/June 2013’ (27 June
2013, ICS-MM201306) <https://ics-cert.us-cert.gov/monitors/ICS-MM201306> accessed 10
September 2014.
26
Siobhan Gorman & Danny Yadron, ‘Iran hacks energy firms, U.S. says’, The Wall Street
Journal (23 March 2013) <http://online.wsj.com/news/articles/SB100014241278873233361045
78501601108021968> accessed 10 September 2014.
27
David Shamah, ‘Iran-sponsored cyber-attacks unending, PM says’, The Times of Israel
(9 June 2013) <http://www.timesofisrael.com/iran-sponsored-hack-attacks-unending-pm-says/>
28
For a useful insight into causes and effects see Glenn Shafer, ‘Causality and responsibil-
ity’ (2000) 22 Cardozo L. Rev. 1811.
29
US Department of Defense, ‘Strategy for Operating in Cyberspace’ (July 2011) 3.

7 / Date: 25/3
when conducting offensive cyber operations often impedes attribution which con-
sequently presents an acute problem for classification. Future technological advances
may minimize this obstacle but, as with any forensic investigation, information
gathering is likely to remain time-consuming and require considerable resources.30
Moreover, recent history suggests that disputes over attribution are likely to persist
since even when persuasive evidence has been tendered indicating State involvement in
a particular cyber operation or series of operations, public denial remains the dominant
response.31 That said, States have recognized the catastrophic consequences that could
result as a consequence of misidentifying the source of a serious cyber-attack and some
steps have been taken principally in the form of bi-lateral agreements to reduce this
risk.32 It should however be noted that, irrespective of whether the State is involved in
the cyber operation, it is under a legal obligation not to knowingly allow its territory to
be used for acts contrary to the rights of other States and must take appropriate steps to
protect those rights.33 Such obligations aside, the mere failure on the part of a State
to prevent cyber-attacks from its territory – to the extent that the said attacks are not
attributable to it – does not mean that an international armed conflict is triggered
between it and the victim State.34
30
See for example, Mandiant, ‘APT1: Exposing one of China’s Cyber Espionage Units’ (18
February 2013) <http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf> accessed 10 Sep-
tember 2014, which was the outcome of a two-year investigation. But see also statement by US
Secretary of Defense, Leon Panetta that
the department has made significant advances in solving a problem that makes deterring
cyber adversaries more complex: the difficulty of identifying the origins of that attack. Over
the last two years, DoD has made significant investments in forensics to address this problem
of attribution and we’re seeing the returns on that investment. Potential aggressors should be
aware that the United States has the capacity to locate them and to hold them accountable for
their actions that may try to harm America.
(Leon E. Panetta, Remarks by Secretary Panetta on Cybersecurity to the Business Executives for
National Security, New York City’ (11 October 2012) <http://www.defense.gov/transcripts/
transcript.aspx?transcriptid=5136> accessed 10 September 2014).
31
Following the release of the report by Mandiant ibid. which contained considerable
evidence to indicate State involvement in a range of cyber operations, albeit in the context of
cyber espionage, the Chinese Defense Ministry countered with the statement that ‘it is
unprofessional and groundless to accuse the Chinese military of launching cyber attacks without
any conclusive evidence’ (Craig Timberg and Ellen Nakashima, ‘Chinese hackers suspected in
attack on The Post’s computers’, The Washington Post (1 February 2013)) <http://articles.
washingtonpost.com/2013-02-01/business/36685685_1_chinese-hackers-cyberattacks-mandiant>
32
Ellen Nakashima, ‘U.S. and Russia sign pact to create communication link on cyber
security’, The Washington Post (17 June 2013) <http://www.washingtonpost.com/world/national-
security/us-and-russia-sign-pact-to-create-communication-link-on-cyber-security/2013/06/17/ca5
7ea04-d788-11e2-9df4-895344c13c30_story.html> accessed 10 September 2014.
33
Corfu Channel Case (UK v. Albania) (Merits) [1949] ICJ Rep 4, 22; Case Concerning
United States Diplomatic and Consular Staff in Tehran (USA v. Iran) [1980] ICJ Rep 3, paras
67–68; Tallinn Manual (n 10) rule 5 and commentary.
34
The question that remains unanswered is whether there is an international obligation on
States to prevent future harmful cyber operations from being mounted once they are put on
notice that further operations will be conducted from their territory.

8 / Date: 25/3
To qualify as an international armed conflict, a cyber-attack on a State must be

conducted by, or be attributed to, another State. A cyber-attack constituting ‘armed
force’ conducted by the armed forces of a State against another State will trigger an
international armed conflict.35 Likewise, those conducted by other de jure organs of the
State including law enforcement agencies and the intelligence service also qualify.36 A
cyber-attack by an individual or entity that is not an organ of the State may also qualify
if that person or entity has been authorized by law to perform certain tasks on behalf of
the State including cyber-attacks and is acting in that capacity in the particular
instance.37 The speed at which advances are taking place in the cyber realm means that
States are likely to bolster their capabilities by using private sector actors to exercise
governmental authority. However, an international armed conflict will only materialize
if the cyber operation is of the type for which that person or entity has been granted
legal authority to conduct.
International law recognises that a State is responsible for the conduct of a person or
group of persons ‘if the person or group of persons is in fact acting on the instructions
of, or under the direction or control of, that State in carrying out the conduct’.38 It
would follow that if an individual hacker or a group of hacktivists were to conduct a
cyber-attack on the specific instructions of a State they would be regarded as de facto
state organs and the attack would be treated as if launched by de jure State organs.39 In
addition, if such actors were acting under the direction or control of a State (in other
words they were acting under the State’s effective control) in respect to a specific
cyber-attack, their conduct would be attributable to that State.40 In the absence of
specific instructions and evidence of effective control, cyber-attacks by individual
hackers or hacktivists, even if conducted in support of the State, are, as a rule, not
attributable to the State for the purpose of finding an international armed conflict.
However, if the State endorses and encourages the continuation of the cyber operations,
35
Had, for example, the conflict with Libya in March 2011 to enforce UN Security
Council Resolution 1973 opened with a cyber-attack by the US on Qaddafi’s air-defence
system, it may have initiated the international armed conflict between the US and Libya, Eric
Schmitt & Thom Shanker, ‘U.S. debated cyberwarfare in attack plan on Libya’, The New York
Times (17 October 2011) <http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-
against-libya-was-debated-by-us.html?_r=0> accessed 10 September 2014.
36
State organs include ‘any person or entity which has that status in accordance with the
internal law of the State.’ See Draft Articles on Responsibility of States for Internationally
Wrongful Acts, with commentaries [2001] A/56/10 art 4. [hereinafter, Articles on State
Responsibility].
37
Ibid. art 5 reads, ‘empowered by the law of that State to exercise element of the
governmental authority shall be considered an act of the State … provided the person or entity
is acting that capacity in the particular instance’.
38
Ibid. art 8. See also Prosecutor v. Tadić [1999] ICTY Appeals Chamber Judgment,
IT–94–1–A, para. 137 [hereinafter Tadić Appeals Chamber Judgment].
39
Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. US) (Merits,
Judgment) [1986] ICJ Rep. 1986.
40
It should be noted that the ‘effective control’ test evolved in the context finding State
responsibility for the acts of non-State actors. See Case Concerning Application of the
Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and
Herzegovina v. Serbia and Montenegro) [2007] ICJ Rep. 43.

9 / Date: 25/3
as would appear to have happened in the case of the 2007 hacktivists cyber campaign
against Estonia, the persons or entity will be deemed de facto organs of the State such
that any cyber operation will fulfil the ‘international’ criterion.41 It should be noted that
in that particular instance, the criterion of ‘armed force’ was not met.
The ICTY has identified one other way in which the acts of private individuals and
entities may be attributed to the State for the purpose of finding an international armed
conflict. According to the tribunal, ‘private individuals acting within the framework of,
or in connection with, armed forces, or in collusion with State authorities may be
regarded as de facto State organs’.42 Although the case law is sparse, this particular
form of attribution has the potential to play a prominent part in the cyber domain given
the close working relationship between public and private sectors.
It is now well-settled in international law that the actions of a non-State organized
armed group43 – as opposed to an individual or group that is not organized, as
discussed above – will be attributed to a State if that State is shown to have overall
control over the group.44 Although the issuing of specific orders or instructions may not
be required, the standard for attribution is high in that the State must have ‘a role in
organising, coordinating or planning the military actions of the military group, in
addition to financing, training and equipping or providing operational support to that
group’.45 The provision of cyber tools – whether in the form of software or hardware –
by a State to a non-State organized armed group together with the supply of specific
intelligence on cyber vulnerabilities of the ‘victim’ State to facilitate a particular attack
would likely suffice.46
41
Tadić Appeals Chamber Judgment (n 38) 133, 137. This principle can be traced to the
judgment of the International Court of Justice in the Tehran Hostages Case (n 33), although the
principle was formulated in the context of State responsibility.
42
Ibid. para. 144.
43
Organised armed group refers to subordinate armed forces or militias or paramilitary
units; see ibid. para. 137.
44
Ibid. paras 131–140, 145. According to the tribunal:
control by a State over subordinate armed forces or militias or paramilitary units may be of
an overall character (and must comprise more than the mere provision of financial assistance
or military equipment or training). This requirement, however, does not go so far as to
include the issuing of specific orders by the State, or its direction of each individual
operation. Under international law it is by no means necessary that the controlling authorities
should plan all the operations of the units dependent on them, choose their targets, or give
specific instructions concerning the conduct of military operations and any alleged violations
of international humanitarian law. The control required by international law may be deemed
to exist when a State (or, in the context of an armed conflict, the Party to the conflict) has a
role in organising, coordinating or planning the military actions of the military group, in
addition to financing, training and equipping or providing operational support to that group.
The International Court of Justice has noted that that the ‘overall control’ is ‘applicable and
suitable’ for the purpose of determining whether or not an armed conflict is international. Case
Concerning Application of the Convention on the Prevention and Punishment of the Crime of
Genocide (n 40) para. 404.
45
Tadić Appeals Chamber Judgment (n 38) para. 137, 145.
46
Tallinn Manual (n 10) Commentary to rule 22, para. 6.

10 / Date: 7/5
2. NON-INTERNATIONAL ARMED CONFLICT

As with international armed conflict, there is no codified definition of what constitutes
a non-international armed conflict. Common Article 3 to the Geneva Conventions
defines non-international armed conflicts in the negative as those that are ‘not of an
international character occurring in the territory of one of the High Contracting
Parties’.47 Treaty law also informs us as to what type of violence is not governed by
international humanitarian law. Article 1(2) of Additional Protocol II, which is
acknowledged to represent customary international law, excludes situations of ‘internal
disturbances and tensions, such as riots, isolated and sporadic acts of violence, and
other acts of a similar nature’.48 This threshold also applies to common Article 3. What
we can safely conclude from this is that isolated and sporadic cyber-attacks – even if
they lead to death, injury, damage and destruction – may not necessarily be governed
by international humanitarian law since to qualify as a non-international armed conflict
the level of violence must cross a threshold above those situations described in
Additional Protocol II.49
Of equal pertinence is the reference in Additional Protocol II that describes such
conflicts as those between a State’s armed forces ‘and dissident armed force or other
organized armed groups’.50 Elaborating on these provisions, the ICTY’s portrayal of a
non-international armed conflict as ‘protracted armed violence between governmental
authorities and organized armed groups or between such groups within a State’ is now
regarded as customary international law.51 Accordingly, the existence of a non-
international armed conflict is contingent on two key elements: (i) the involvement of
an organized armed group; and (ii) the hostilities reaching a certain level of intensity.52
As the ICTY has repeatedly emphasised, the two determinative elements of an armed
47
Although not in the text, it has always been assumed that the provision applies to
hostilities between government forces and armed groups as well as between such groups. See
Pilloud et al. (n 16) para. 4461.
48
Protection of Victims of Non-international Armed Conflicts (8 June 8 1977) 1125 UNTS 609.
Further insight is provided in the Pilloud and others ibid. which adds, ‘riots, such as
demonstrations without a concerted plan from the outset; isolated and sporadic acts of violence,
as opposed to military operations carried out by armed forces or armed groups; other acts of a
similar nature, including, in particular, large scale arrests of people for their activities or
opinions’ (para. 4474).
49
Prior to the adoption of the Protocol Additional to the Geneva Conventions of 12 August
1949, and Relating to the Protection of Victims of Non-international Armed Conflicts (n 48)
there was already widespread agreement that the existence of a non-international armed conflict
requires ‘open hostilities between armed forces which are organized to a greater or lesser
degree’ (Pilloud and others ibid. para. 4341).
50
Protection of Victims of Non-international Armed Conflicts (n 48) art 1(1).
51
This formula has also been applied by the International Tribunal for Rwanda, the Special
Court for Sierra Leone and the International Criminal Court among others.
52
Tadić Appeals Chamber Decision (n 5) para. 70. There are two types of non-international
armed conflict. All non-international armed conflicts are covered by common art 3 to the Geneva
Conventions; in addition, the provisions of Additional Protocol II, which sets forth far more

11 / Date: 25/3
conflict function ‘solely for the purpose, as a minimum, of distinguishing an armed

conflict from banditry, unorganized and short-lived insurrections, or terrorist activities,
which are not subject to international humanitarian law.’53
Before examining how these two criteria might apply in the cyber context, some
mention of the recent debates pertaining to the geographical scope of non-international
armed conflict is apposite. This is because cyber warfare is more likely than any other
means or methods of war to transcend borders reigniting disagreements as to whether
common Article 3 incorporates a spatial element limiting the geographical scope of
non-international armed conflicts. One view insists that, by definition, such conflicts
are those waged exclusively within the territorial boundaries of a single State, and so,
by default, those that cross a border are necessarily international in character. Taken to
its logical conclusion, a cyber-operation conducted from outside the territory would
internationalize the conflict. A second view, and one shared by the majority of
commentators, holds that the word ‘one’ in the text refers to the territory of any of the
Contracting Parties and therefore the phrase does not impose a territorial limitation.
Accordingly, a cyber-operation mounted by either party to the conflict from outside the
territory would not alter the character of the conflict. The consequence of this view is
that non-international armed conflict, because defined solely by the parties to the
conflict rather than the location, has the potential to be global in scope. This has caused
anguish among some within the international legal community who, in seeking to limit
the scope of sovereign power, have strenuously argued for rigid adherence to a
catalogue of legal tests both in regard to jus in bello and jus ad bellum.54
(a) The Involvement of an Organized Armed Group
The element of organization represents the principle that an armed conflict can exist
only between parties that are sufficiently organized to confront each other with military
means.55 State authorities are presumed to have at their disposal armed forces that
satisfy this criterion but the same assumption cannot be made of an armed group
which, by contrast, must demonstrate that it does indeed fulfil this requirement. The
armed group does not have to have an organization structure of a conventional military
unit. As the ICTY has noted ‘some degree of organisation by the parties will suffice’.56
Whether a group is deemed to be ‘organized’ is a factual question and, as repeatedly
detailed rules, apply to non-international armed conflicts fulfilling the additional criteria set forth
in art 1(1) but only in respect of States Parties to that Protocol.
53
Tadić Appeals Chamber Judgment (n 38) para. 562.
54
For example see, Noam Lubell & Nathan Derejko, ‘A global battlefield?’ (2013) 11 J. of
Int’l. Crim. Just. 65–88 and Philip Alston, ‘The CIA and targeted killings beyond borders’
(2011) 2 Harvard Nat. Sec. J. 283. For a different viewpoint, see Robert Chesney, ‘Who may be
killed? Anwar al-Awlaki as a case study in the international legal regulation of lethal force’
(2010) 13 Ybk. of Int’l. Humanitarian L. 360; Ashley Deeks, ‘The geography of cyber conflict:
Through a glass darkly’ (2013) 89 Int’l. L .Studies 1.
55
Prosecutor v. Ramush Haradinaj, Idriz Balaj, Lahi Brahimaj (Judgment) [2008] Case No.
IT-04-84-T para. 60.
56
Prosecutor v. Fatmir Limaj, Haradin Bala, Isak Musliu (Judgment) [2005] Case No.
IT-03-66-T para. 89.

12 / Date: 25/3
emphasized by the tribunal, it is an assessment that is always context-specific. To

enable that assessment, a variety of indicators have been identified including, for
example, the organization and structure of the armed group; the adoption of internal
regulations; the capacity to launch coordinated military operations; and the capacity to
provide military training.57 While none of the indicators are essential in and of
themselves to establish whether the organization criterion is fulfilled,58 what is clear is
that the lone hacker or even groups of hackers sympathetic to a common cause and
acting collectively but not as a coordinated entity would simply not qualify on the basis
that they are operating independently of one another.59
This raises the question of whether a ‘virtual group’ – in other words, a group that is
organized exclusively on-line – would qualify. The capacity to launch coordinated
military operations together with the ability to impose discipline are characteristics
often cited as necessary to qualify as an organized armed group.60 Insofar as the former
element is concerned, there is no reason why an on-line group would not be able to ‘act
in a coordinated manner against the government (or an organized armed group), take
orders from a virtual leadership, and be highly organized’.61 Existing on-line groups
have frequently demonstrated an ability to plan and carry out cyber operations in a
coordinated manner directed by a leadership although none of the operations, to date,
can be equated to ‘armed force’.62 In short, there is no reason why a virtual group
could not carry out cyber operations on a par with ‘sustained and concerted military
operations’ and so satisfy the requisite threshold.63 Nevertheless, most commentators
have dismissed the prospect that such groups can qualify on the basis that groups
formed and acting exclusively on-line would be unable to enforce discipline and the
observation of international humanitarian law.64 Yet is such a conclusion warranted?
This scepticism is commonly justified on the grounds that the group would lack
57
Other criteria identified by the ICTY include, the nomination of a spokesperson; the
issuing of orders, political statements and communiqués; the establishment of headquarters; the
establishment of a military police and disciplinary rules; the ability to recruit new members;
the creation of weapons distribution channels; the use of uniforms and various other equipment;
and the participation by members of the group in political negotiations.
58
Prosecutor v. Ramush Haradinaj, Idriz Balaj, Lahi Brahimaj (n 55) para. 60.
59
As the commentary to rule 23 of the Tallinn Manual (n 10) notes, ‘the mere fact that
individuals are acting toward a collective goal does not satisfy the organization criterion. For
example, if a website offers malware and a list of potential cyber targets, those who
independently use the site to conduct attacks would not constitute an organized armed group.’
60
The organizational element is satisfied when the group in question operates ‘under a
responsible command structure and has the capability to sustain military operations’ (Tallinn
Manual (n 10) rule 23, para. 11).
61
Schmitt (n 1) 256.
62
It is common practice for the leadership of such groups to publicly declare their intentions
and reasons for a particular cyber operation; issue information on planned actions and execution
dates through video, social media announcements, and pastebin entries; release lists of targets;
provide tools to execute the operation.
63
Pilloud and others (n 16) para. 4453.
64
It should be recalled that the ‘International Group of Experts [involved in the preparation
of the Tallinn Manual] was divided as to whether such difficulty would bar qualification as an
organized armed group’ (Tallinn Manual (n 10) commentary to rule 23).

13 / Date: 25/3
‘physical control over its members’.65 This raises a number of questions. To what
extent is the capacity to enforce the rules a necessary criterion of organization? Is
physical control a pre-condition to discipline and rule enforcement? Does the law, as
drafted, presuppose physical control precluding its applicability to virtual groups or
should a distinction be drawn between Additional Protocol II and common Article 3
conflicts?
An express reference to the capacity of an organised group to enforce international
humanitarian law only appears in Additional Protocol II which applies
to all armed conflicts which are not covered by Article 1 of [Additional Protocol I] and which
take place in the territory of a High Contracting Party between its armed forces and dissident
armed forces or other organized armed groups which, under responsible command, exercise
such control over a part of its territory as to enable them to carry out sustained and concerted
military operations and to implement this Protocol.66
The requirement in the text that the organized armed group implement this Protocol is
generally accepted as an ability to comply with international humanitarian law. What
matters is that the organized armed group is capable of enforcing the rules rather than
whether it does so or not.67 Insofar as Additional Protocol II conflicts are concerned, it
is clear from the text that the capacity to enforce is a necessary criterion of organization
as is the existence of a responsible command and the ability to carry out sustained and
concerted military operations.68 What is also apparent from the jurisprudence of the
international tribunals is that evidence in support of such a capacity is more often than
not equated to an ability to exert physical control over persons.69 Nevertheless, whether
the capacity to enforce is always contingent on physical control is a matter of debate
since why individuals comply with a rule is a complex matter and may not necessarily
be dependent on the threat of a sanction in the form of physical force but, for example,
on the threat of exclusion from the group as well as ‘exposure’ of their identity to the
authorities by group members.70
Even if absence of physical contact is not a bar to qualification, a closer inspection of
the law presents a further hurdle. Although the virtual organized armed group might be
capable of enforcing discipline amongst its members and insist on adherence to the
rules pertaining to the conduct of hostilities as a condition of membership, it is an
inescapable fact that the group would lack the capacity to implement those rules
concerned with protecting the victims of conflict which arguably represent the very
raison d’être of both common Article 3 and Protocol II. The very characteristic of the
65
Schmitt (n 1) 257.
66
Protection of Victims of Non-international Armed Conflicts (n 48) art 1.
67
Prosecutor v. Ljube Boškoski Johan Tarčulovski (Judgment) [2008] Case No. IT-04-82-T
para 205.
68
Pilloud and others (n 16) para. 4453.
69
Prosecutor v. Fatmir Limaj, Haradin Bala, Isak Musliu (n 56) paras 114–117.
70
Douglas Heckathorn, ‘Collective sanctions and compliance norms: A formal theory of
group-mediated social control’ (1990) 55 Am. Soc. Rev. 366; Karen Cook & Russell Hardin,
‘Norms of cooperativeness and networks of trust in social norms’ in Michael Hechter &
Karl-Dieter Opp (eds.), Social Norms (Russell Sage Foundation 2001) 327.

14 / Date: 25/3
group precludes it from, for example, caring for the wounded and the sick, making
particular provisions for children, or ensuring that detainees were treated humanely
simply because the members would never have any physical contact with one another
let alone with any victims of the hostilities.71 Thus the virtual group presents a
particular problem in that, as traditionally understood, the law does presuppose some
degree of physical contact. Does this mean that international humanitarian law can
never apply to the conduct of a virtual group?
In contrast to Additional Protocol II, common Article 3 contains no analogous
express condition as constituting a requirement of qualification. As the Commentary to
Article 3 notes, the capacity of an organized armed group to respect and ensure respect
for international humanitarian law was one among a number of criteria considered and
rejected by the Diplomatic Conference that drafted the 1949 Geneva Conventions.
Moreover, the Commentary further emphasizes that none of the conditions that were
considered are ‘obligatory and are only mentioned as an indication’.72 Admittedly, in
assessing the organization of an armed group, the ICTY has, when appropriate, taken
into consideration the ‘level of discipline and the ability to implement the basic
obligations of Common Article 3 … such as the establishment of disciplinary rules and
mechanisms; proper training; and the existence of internal regulations and whether
these are effectively disseminated to members’.73 However, the tribunals have also
conceded that ‘none of [the criteria, including the ability to implement the law] are, in
themselves, essential to establish whether the ‘organization’ criterion is fulfilled’.74
This would suggest that no such mandatory condition applies to common Article 3
conflicts. While this view may provoke disagreement, perhaps the most compelling
reason for not rejecting the possibility of common Article 3 applying to a virtual group
is that the consequences of excluding such groups would potentially be counter-
productive. As the drafters of the Commentary to common Article 3 strenuously
maintained, ‘the Article should be applied as widely as possible’ for the very simple
reason that the overriding objective of the provision is to protect the victims of conflict.
(b) The Intensity of the Hostilities
Unlike international armed conflict, the hostilities between the parties must reach a
certain level of intensity before a non-international armed conflict is deemed to exist.
The ICTY has identified various indicative criteria to facilitate the determination as to
whether a given situation has met the required intensity threshold. Examples include
the gravity of attacks and their recurrence;75 the temporal and territorial expansion of
violence and the collective character of hostilities;76 the control of territory by
71
Pilloud et al. (n 16) para. 4426.
72
ICRC Geneva Convention Commentary (n 13) vol I 49.
73
Prosecutor v. Ljube Boškoski Johan Tarčulovski (n 67) para. 202.
74
Ibid. para. 198; Prosecutor v. Ramush Haradinaj, Idriz Balaj, Lahi Brahimaj (n 55)
para. 60.
75
Prosecutor v. Slobodan Milošević (Trial Chamber Decision on Motion for Judgment of
Acquittal) [2004] Case No. IT-02-54-T (Rule 98bis Decision) para. 28.
76
Prosecutor v. Fatmir Limaj, Haradin Bala, Isak Musliu (n 56) para. 94–134

15 / Date: 25/3
non-State forces to the exclusion of government forces;77 an increase in the number of

government forces deployed to respond to the violence; the mobilization of volunteers
and the type and distribution of weapons among the armed groups; the extent to which
the local population has been displaced by the violence; and whether the situation has
come to the attention of the Security Council.
Most commentators share the view that the high threshold of violence that is required
for the existence of a non-international armed conflict means that it is unlikely that an
armed conflict would be triggered by cyber means alone. Cyber-attacks like, for
example, the alleged Trojan horse attack on the security camera system in the Carmel
Tunnels toll road in Israel on 8 September 2013 which caused hundreds of thousands of
dollars in damage simply do not meet the requisite threshold of damage even if an
organized armed group was to claim responsibility for the attack.78 The appropriate
legal regime governing such conduct is the criminal law informed by international
human rights law and not international humanitarian law. As Geiss has observed, not
even the Stuxnet operation caused physical destruction of an intensity that approached
the threshold of violence commonly required for a non-international armed conflict.79 It
would however be short-sighted to categorically rule out the possibility that a
cyber-attack by an organized armed group could trigger a non-international armed
conflict. Consider, for example, a cyber-attack by an organized armed group on a
civilian air traffic control system that resulted in effects of an equivalent magnitude to
those perpetrated on 9/11. In such a case there seems to be little doubt that a State
would consider itself to be engaged in a non-international armed conflict, without there
having to be a series of comparable attacks.80
3. CONCLUDING COMMENTS
The discourse on cyber is often dominated by the belligerent language of ‘cyber
warfare’ and ‘cyber conflict’. For the international humanitarian lawyer, this represents
a troubling trend in that it conveys a misguided and dangerous understanding of what is
taking place daily in the cyber domain. In the world of the legal expert, such terms
have very grave legal consequences for they assume that the applicable legal regime is
one of war rather than peace. It may be that at some point in the future, there will
indeed be a need to apply the law of war paradigm to a cyber-operation. But as this
chapter has sought to convey, an armed conflict – whether international or non-
international – is unlikely to come into existence solely as a consequence of a
77
Prosecutor v. Slobodan Milošević (n 75) para. 29.
78
Daniel Estrin, ‘AP Exclusive: Israeli tunnel hit by cyber attack’, Associated Press
(27 October 2013) <http://bigstory.ap.org/article/ap-exclusive-israeli-tunnel-hit-cyber-attack>
79
Robin Geiss, ‘Cyber warfare and non-international armed conflicts’ (2013) 89 Int’l. L.
Studies 627, 633.
80
Most commentators have taken the view that a non-international armed conflict is unlikely
to be triggered by a cyber-attack. See for example, Schmitt (n 1) at 258; ibid. 634; Droege (n 11)
551.

16 / Date: 25/3
cyber-operation given the conditions that must be satisfied to operationalize inter-

national humanitarian law. Inadvertently or not the logic of classification thus functions
as a ‘breaking’ mechanism that defers to peace rather than war. In so doing, it can play
a critical role in injecting lucidity into how we comprehend the hostile activities that
are becoming a common feature of the cyber domain.
Bar a catastrophic cyber-attack by an organized armed group, it is doubtful that a
non-international armed conflict will be triggered by cyber means alone in view of the
requisite threshold of intensity of the violence. Can the same be said of international
armed conflict? The increased dependency on cyber infrastructure by the global
community has prompted some commentators to suggest that the existing threshold for
an international armed conflict is likely to adjust downwards. This view, however,
seems to place inadequate weight to the problem that anonymity in cyber presents. As
already noted, technological advances complemented by the development of ever-more
sophisticated analytical methods are likely to make attribution easier. There is already
considerable progress in assessing how certain tactics can serve as ‘fingerprints’ that tie
specific attacks to others from a given region in the world.81 However, false flag
operations will continue to prove hugely problematic. This means that a State that has
been subject to a cyber-attack is more likely than not to resist responding in kind until
it is ‘sufficiently certain’82 of the identity of those responsible for the attack. The record
so far indicates that States are displaying a significant level of circumspection even
when confronted by serious and prolonged cyber-attacks. If there is an upside to the
problem of anonymity, it is that States are having to become more resilient to all forms
of hostile cyber operations rather than opt to respond with cyber or kinetic force.
81
Kenneth Geers et al., ‘World War C: Understanding nation-state motives behind today’s
advanced cyber attacks’ (FireEye 2013) <www.fireeye.com/resources/pdfs/fireeye-wwc-report.
pdf> accessed 10 September 2014.
82
Government of Netherlands (n 23).

17 / Date: 25/3
16. Is the principle of distinction still relevant in

cyberwarfare?
Karine Bannelier-Christakis
1. INTRODUCTION
In 2011, in its International Strategy for Cyberspace, the White House stated that
cyberspace can be regulated by the existing positive law and that there is therefore no
need to reinvent new norms to guide States’ behavior.1 The idea that there is no
‘planned obsolescence’ of the existing legal rules in cyberspace is almost unanimously
accepted. From the ICRC2 to the Tallinn Manual3 and the academic community,4 most
agree5 that cyberwar, like any other methods or means of warfare, is subject to the law
of armed conflict. Never perhaps in the history of the war has a new weapon been so
easily accepted as being already ‘covered’ by existing law.
Twenty years ago, in the Legality of the Threat or Use of Nuclear Weapons case6
some States defended an extreme voluntarist position in relation to the application of
1
According to the White House, ‘the development of norms for state conduct in
cyberspace does not require a reinvention of customary international law, nor does it render
existing international norms obsolete. Long-standing international norms guiding state behavior
–in time of peace and conflict – also apply in cyberspace’: The White House, ‘International
Strategy for Cyberspace: Prosperity, Security and Openness in a Networked World’ (Washington
2011) 9.
2
Cordula Droege, ‘Pas de vide juridique dans le cyberespace’, I.C.R.C. (16 August 2011)
<http://www.cicr.org/fre/resources/documents/interview/2011/cyber-warfare-interview-2011-08-
16.htm> accessed 3 October 2014.
3
‘The International Group of Experts was unanimous in its estimation that both the jus ad
bellum and jus in bello apply to cyber operations’: Michael Schmitt (ed.), Tallinn Manual on the
International Law Applicable to Cyberwarfare (CUP 2013) 5.
4
See the conclusions of the International Expert Conference on Computer Network
Attacks and the Applicability of International Humanitarian Law, Stockholm, 17–19 November
2004. As highlights Knut Dörmann, ‘The fact that CNA [Computer Network Attack] developed
only after the adoption of the Protocols does not preclude their applicability. The very existence
of Art. 36 of Additional Protocol I (AP I) is a strong indicator that the drafters of AP I
anticipated the application of its rules to new developments of methods and means of warfare’:
Knut Dörmann, ‘Applicability of the Additional Protocols to Computer Network Attacks’, CICR
Resources (19 November 2004) <https://www.icrc.org/eng/resources/documents/misc/68lg92.
htm> accessed 3 October 2014.
5
For opposing views, see examples cited in Jeffrey Kelsey, ‘Hacking into international
humanitarian law: The principle of distinction and neutrality in the age of cyber warfare’ (2008)
106(7) Mich. L. Rev. 1430, 1472 ff. 15-16.
6
Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep.
1996 226.
343
1 / Date: 7/5
existing law to nuclear weapons.7 But, the International Court of Justice (ICJ) rejected
this vision of international law based on a very strict and probably incorrect reading of
the old Lotus judgment. Recalling the fundamental principles of international human-
itarian law,8 including the Martens Clause, according to which: ‘In cases not covered
by this Protocol or by other international agreements, civilians and combatants remain
under the protection and authority of the principles of international law derived from
established custom, from the principles of humanity and from the dictates of public
conscience’,9 the Court stated that:
(…) nuclear weapons were invented after most of the principles and rules of humanitarian
law applicable in armed conflict had already come into existence; (…). However it cannot be
concluded from this that the established principles and rules of humanitarian law applicable
in armed conflict did not apply to nuclear weapons. Such a conclusion would be incompatible
with the intrinsically humanitarian character of the legal principles in question which
permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds
of weapons, those of the past, those of the present and those of the future.10
In the same way as nuclear war, cyber-warfare is also subject to the law of armed
conflict and to its ‘cardinal principles’,11 the prohibition of unnecessary suffering and
the principle of distinction.
Initiated by the Lieber Code in 1863,12 and constantly reaffirmed since, the principle
of distinction has received a general formulation in Article 48 of the First Protocol of
1977 additional to the Geneva Conventions.13 According to this Article: ‘In order to
ensure respect for and protection of the civilian population and civilian objects, the
Parties to the conflict shall at all times distinguish between the civilian population and
7
France, for example, stated that:
le principe selon lequel les limitations de souveraineté ne se présument pas a pour
conséquence nécessaire qu’en l’absence de règles prohibant expressément le recours à la
menace ou à l’emploi d’armes nucléaires en toute circonstance, ce recours doit être considéré
comme licite, hors les circonstances particulières où il serait interdit
ICJ Verbatim Record (1 November 1995) CR 95/23 63 [emphasis added]. Russia added that, ‘by
virtue of the principle of sovereignty it is presumed that a State is free to act in absence of a
specific restriction provided for in international law’: ICJ Verbatim Record (10 November 1995)
CR 95/29 41.
8
Especially article 22 of the Convention (IV) respecting the Laws and Customs of War on
Land and its annex: Regulations concerning the Laws and Customs of War on Land. The Hague,
18 October 1907 according to which, ‘The right of belligerents to adopt means of injuring the
enemy is not unlimited’ cited in Legality of the Threat or Use of Nuclear Weapons (n 6) para. 77.
9
Legality of the Threat or Use of Nuclear Weapons (n 6) para. 78. The spelling of the
Martens Clause is extract from art 1§2 of Protocol Additional to the Geneva Conventions of 12
August 1949, and relating to the Protection of Victims of International Armed Conflicts (8 June
1977).
10
Legality of The Threat or Use of Nuclear Weapons (n 6) para. 86 .
11
Ibid. para. 78.
12
Francis Lieber, Instructions for the Government of Armies of the United States in the
Field (Government Printing Office 1898).
13
Protocol Additional to the Geneva Conventions of 12 August 1949 and relating to the
Protection of Victims of International Armed Conflicts (8 June 1077) (Protocol I).

2 / Date: 7/5
Is the principle of distinction still relevant in cyberwarfare? 345
combatants and between civilian objects and military objectives and accordingly shall
direct their operations only against military objectives’.
The principle of distinction and its implications, which are intended to protect
civilians and civilian properties from ‘the calamities of war’,14 are part of customary
law both for international and non-international armed conflicts.15 Among these, the
most emblematic are expressed under Article 51 of Protocol I. Accordingly, one should
consider, first that: ‘The civilian population and individual civilians shall enjoy general
protection against dangers arising from military operations’;16 second that: ‘The
civilian population as such, as well as individual civilians, shall not be the object of
attack’;17 and third that: ‘Indiscriminate attacks are prohibited’.18
Logically then, one could state that the civilian population and individual civilians
should enjoy general protection against dangers arising from cyber military operations
and that cyber-attacks directed against civilians and civilian objects are prohibited, as
are indiscriminate cyber-attacks.
This prevailing view according to which the cardinal principles of the law of armed
conflict are applicable to cyber warfare is fairly reassuring taking into consideration the
potential significant effects of cyber-weapons. In a 2009 statement, President Obama
showed his concern about what he qualified as a ‘weapon of mass disruption’.19 One
year later, The Economist described in catastrophic terms a new form of warfare
dominated by ‘cyber-weapons’: oil refineries and pipelines that explode, an air
traffic-control system which is out of control, derailed trains and subway trains,
vanished financial data, shut-down power plants – in short the whole of society sinking
while the identity of the hackers and the authors of this mayhem remain anonymous.20
The transposition of the principle of distinction into cyberspace may nonetheless
raise important questions about its ability to curb the effects of this new form of war. It
is true that some of these questions are not entirely new since the implementation of the
principle of distinction has always required more or less subjective and controversial
interpretations.21
14
Declaration Renouncing the Use, in Time of War, of Certain Explosive Projectiles (29
November/11 December 1868).
15
In the Tadić Case, the Appeal Chamber recognized the application of the principle of
distinction both in internal and international armed conflict. Prosecutor v. Dusko Tadić (Decision
on the Defence Motion for Interlocutory Appeal on Jurisdiction) [1995] No ICTY-94-1-A para.
100–27. On classification of armed conflict in cyberspace see Arimatsu (Ch 15 of this book).
16
Protocol I (n 13) art 51 §1.
17
Ibid. art 51§2.
18
Ibid. art 51§4.
19
The White House, ‘Remarks by the President on Securing our Nation’s Cyber infrastruc-
ture’ (Office of the Press Secretary, 29 May 2009) <http://www.whitehouse.gov/the-press-office/
remarks-president-securing-our-nations-cyber-infrastructure> accessed 3 October 2014, cited in
Newton Lee, Counterterrorism and Cybersecurity (Springer 2013) 100.
20
The Economist, ‘War in the Fifth Domain’ (1 July 2010) <http://www.economist.com/
node/16478792> accessed 3 October 2014.
21
As rightly observed Heather H. Dinnis, ‘The principle of distinction has been under
threat before’: Heather Harrison Dinnis, Cyber Warfare and the Laws of War (CUP 2014) 182.

3 / Date: 8/5
But for several reasons cyberwar stretches this debate to its limits.22 This is also due
to the fact that while cyberwar is sometimes presented as capable of leading to a
devastating ‘total war’, it is also sometimes presented under a more reassuring aspect of
a less devastating war through the use of non-lethal and ‘ultimate in precision
weapons’23 that weaken the enemy without necessarily destroying or killing it.24
At the heart of this debate, the prohibition of direct attacks against civilians and
civilian property points out whether this prohibition, developed with reference to
kinetic weapons, can fully apprehend the complexity of non-kinetic attacks whose
effects are in part or completely dematerialized (Part 2). The complexity of cyberwar
may sometimes raise the spectrum of a ‘disintegration’ of the principle of distinction.
This invites us to re-read the principle carefully in order to assess whether it is strictly
focalized on the prohibition of ‘attacks’ against civilians or whether it should also be
interpreted as prohibiting any military cyber-operations against them (Part 3). Cyberwar
also challenges the protective status attributed to civilians by the principle of distinc-
tion. Indeed, the interconnectivity characterizing cyberspace has blurred the distinction
between civilians and the military and makes the enforcement of the principle all the
more challenging (Part 4).
2. THE PROHIBITION OF CYBER-ATTACKS AGAINST THE

CIVILIAN POPULATION AND CIVILIANS OBJECTS
According to some commentators ‘the definition of cyber-attack remains inconsist-
ent’.25 It is true that, whether under the jus ad bellum or under the jus in bello, the
definition of cyber-attack raises many questions and controversies. These controversies
are largely fuelled by the fact that the conception of military cyber-operations and
attacks are far from the traditional understanding of an ‘armed attack’. However, this
has not prevented some military manuals from adopting their own definition of a
cyber-attack. According to the US Air Force Intelligence Targeting Guide for example,
22
According to Dinnis, ‘The additional targeting opportunities offered by computer
network attack capabilities come at a time when there is already an increased tension in the laws
of armed conflict over the continued pre-eminence of the principle of distinction in modern
warfare’: ibid. 181.
23
Kelsey (n 5) 1434.
24
As Michael J. Glennon warned, ‘cyber-operations can in this view be regarded as merely
the latest efforts-the latest successes (…) to afford greater protection to non-combatant (and
combatants), to enhance proportionality- in effect to pursue many of the ends of humanitarian
law’: Michael J. Glennon, ‘The dark future of international cybersecurity regulation’ (2013) 6 J.
Nat’l. Sec. L. & Pol’y 569. See also, Duncan Blake & Joseph S. Imburgia, ‘Bloodless weapons?
The need to conduct legal reviews of certain capabilities and implications of defining them as
‘weapons’’ (2010) 66 Air Force L. Rev. 157.
25
Jonathan A. Ophardt, ‘Cyber warfare and the crime of aggression: the need for individual
accountability on tomorrow’s battlefield’ (2010) 3 Duke L. & Tech. Rev. See also ‘Multinational
Experiment 7 Outcome 3-Cyber Domain: Objective 3.3 – Concept Framework’ (3 October 2012)
9 <http://mne.oslo.mil.no:8080/Multinatio/MNE7produk/33CyberCon> accessed 3 October
2014.

4 / Date: 7/5
‘Computer Network Attacks are ‘operations to disrupt, deny, degrade, or destroy

information resident in computers and computer networks, or the computers and
networks themselves’.26 These cyber-operations can take various forms, for example,
‘gaining access to a computer system so as to acquire control over it, transmitting
viruses to destroy or alter data, using logic bombs that sit idle in a system until
triggered on the occasion of a particular occurrence or at a set time, inserting worms
that reproduce themselves upon entry into a system and thereby overloading the
network, and employing sniffers to monitor and / or seize data’.27
Interesting and helpful as they might be, these definitions raise the question of their
correlation with the legal definition of ‘attack’ given by the law of war. Does the
definition of ‘attack’ given by the law of war encompass these cyber-operations, and if
so, which ones?28
The answer to this question is of fundamental importance for the effectiveness of the
principle of distinction in cyberspace. Indeed, a definition of ‘attack’ strictly focused on
the ‘act’ itself could exclude from the principle of distinction a wide range of
cyber-operations. Although applicable, the principle of distinction could thus become
partially useless. But in fact this has not been the case. Indeed, according to a
consensual definition, the identification of an attack should not be based on the nature
of the act but rather on its consequences.29 A cyber-operation should be considered as
an attack when the consequences of the operations are comparable to those of a
26
‘US Air Force Intelligence Targeting Guide’ (Air Force Pamphlet 14–210, 1 February
1998) <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.131.8965&rep=rep1&type=pdf>
accessed 3 October 2014. According to the lexicon of the Memorandum for Chiefs of the
Military Services Commanders of the Combatant Commands, Directors of the Joint Staff
Directorates:
A hostile act using computer or related networks or systems, and intended to disrupt and/or
destroy an adversary’s critical cyber systems, assets, or functions. The intended effects of
cyber-attack are not necessarily limited to the targeted computer systems or data themselves-
for instance, attacks on computer systems which are intended to degrade or destroy
infrastructure or C2 capability. A cyber-attack may use intermediate delivery vehicles
including peripheral devices, electronic transmitters, embedded code, or human operators.
The activation or effect of a cyber-attack may be widely separated temporally and geographi-
cally from the delivery:
James E. Cartwright, Memorandum for Chiefs of the Military Services Commanders of the
Combatant Commands, Directors of the Joint Staff Directorates (2011) 5, <http://www.nsci-va.
org/CyberReferenceLib/2010-11-joint%20Terminology%20for%20Cyberspace%20Operations.
pdf> accessed 3 October 2014.
27
Michael Schmitt, ‘Wired warfare: computer network attack and jus in bello’ (2002)
84(846) I.R.C.C. 367.
28
Oona A. Hathaway et al., ‘The law of cyber-attack’ (2012) 100 Cal. L. Rev. 822–39.
29
See for example, Heather A. Dinniss, ‘Attacks and operations -The debate over computer
network ‘attacks’’ in New Technologies, Old Law: Applying International Humanitarian Law in
a New Technological Age (The Minerva Center for Human Rights, Jerusalem, 28–29 November
2011, Conference paper 2) <http://www.kas.de/israel/en/publications/29923/> accessed 3 Octo-
ber 2014; Schmitt (n 3) 106–7; Yoram Dinstein, The Conduct of Hostilities under the Law of
International Armed Conflict (CUP 2004) 84. See also, Cordula Droege, ‘Get off my cloud:
Cyber warfare, international humanitarian law, and the protection of civilians’ (2013) 94(886)
I.R.C.C. 557.

5 / Date: 7/5
conventional attack. The test of the ‘Kinetic effect equivalency’30 is thus decisive in
order to ‘adapt’ the principle of distinction in a case of cyberwar (2a).
However, the applicability in concreto of this KEE test in order to assess if a
cyber-operation constitutes an ‘attack’ can raise so many difficulties that one might
even wonder if relying exclusively to the ‘Kinetic effect equivalency test’ in this field
does not jeopardize the principle of distinction. Indeed the KEE test could authorize
and legitimize a wide range of military operations against civilians that would have
never been acceptable if they had been carried out by kinetic force (2b).
(a) What is a Cyber-attack? The Kinetic Effects Equivalency Test
The law of armed conflict defines ‘attack’ as ‘acts of violence against the adversary,
whether in offence or in defence’.31 According to the KEE test, violence should be
evaluated in terms of effect rather than of means used. On the basis of this test, acts of
violence are acts that cause ‘death or injury of persons or the physical destruction of
objects’.32 This definition of violence makes it possible to qualify acts perpetrated by
non-kinetic weapons as ‘attacks’. For example, as highlighted by Knut Dörmann, ‘the
employment of biological or chemical agents that does not cause a physical explosion,
such as the use of asphyxiating or poisonous gases, would constitute an attack’ because
the resulting effects are violent regardless of the vectors used to achieve them.33
It follows from these elements that cyber-operations that cause death, injury of
persons or physical destruction are to be considered as acts of violence that qualify as
‘attacks’ under the law of armed conflict. According to the Tallinn Manual, ‘a
cyber-attack is a cyber-operation, whether offensive or defensive, that is reasonably
expected to cause injury or death to persons or damage or destruction to objects’.34
The examples of cyber-operations that can therefore be considered as attacks are
numerous.
For example, the intrusion into the computer control system of a nuclear power plant
is not violent in itself, but it could be qualified as an ‘attack’ if its consequences are
violent. One can also imagine a cyber-operation aiming to penetrate the central
computer system of a chemical plant and finally leading to the explosion of the
installation and the atmospheric release of toxic gases. Here again, the intrusion is not
violent, but its effects are violent: the explosion would create damage to property while
toxic gases could have serious consequences on the health of the civilian population.
30
Hereafter ‘KEE’.
31
Protocol I (n 13) art 49 (Definition of attacks and scope of application). This definition is
seen as part of customary law. See, Jean-Marie Henckaerts & Louise Doswald-Beck, Customary
International Humanitarian Law (vol I, Rules, ICRC, CUP 2006) 3–8.
32
See Niels Melzer, Cyberwarfare and International Law (UNIDIR 2011) 26 and footnote,
<http://unidir.org/files/publications/pdfs/cyberwarfare-and-international-law-382.pdf> accessed 3
October 2014.
33
Dörmann (n 4) 4. See also Prosecutor v. Dusko Tadić (n 15) paras 1214.
34
Schmitt (n 2) Rule 30. According to the Manual: ‘Acts of violence’ should not be
understood as limited to activities that release kinetic force (…), “violence” must be considered
in the sense of violent consequences and is not limited to violent acts’: 106–7.

6 / Date: 7/5
This act then could be qualified as an attack.35 The hacking of the computer control
system of a dam could also be considered as an ‘attack’ if it enables the hackers to take
control of the dam and to open its valves causing massive flooding downstream. Here,
the installation is not damaged, but the effects on civilians and infrastructure may be
equivalent to a kinetic attack that would have destroyed the dam.36
To the extent that the victims are civilians, these attacks should be considered
contrary to the principle of distinction. It is therefore clear that the KEE test is a useful
one and allows the principle of distinction to cover a wide range of cyber-operations
and to play the protective role expected from it.
(b) The Limits of the KEE Test
The KEE test assumes that damage can be clearly identified. But this assumption
presents some problems. First, the proof of the existence and the precise extent of the
damages caused by cyber-operations could become a real probatio diabolica, especially
if one considers that the effects of cyber-attacks are, contrary to the effects of use of
kinetic weapons, rather indirect (2(b)(i)). Indeed, the KEE test sometimes could even
raise the fundamental question of the very existence of the damage when it is not
strictly physical (2(b)(ii)).
(i) The problem of the assessment of the damage resulting from a cyber-attack
It is sometimes difficult to assess with certainty the collateral damage caused by the
malfunction of civilian facilities.
The direct relationship between the impairment of the functioning of a system and
the damage to the civilian population is often difficult to establish with confidence.37 In
addition, the magnitude and seriousness of these injuries are extremely variable and
depend on parameters as different as the dependence of a society toward certain
systems or the appropriateness of human responses to these events.38 As illustrated by
cyber-operations conducted against Estonia in 2007 and Georgia in 2008, a wired
society such as Estonia may be more vulnerable39 than a ‘less computer relevant’
35
Ibid. 115.
36
Ibid. 107.
37
In 2003, after the blackout occurred on the east coast of the US, 11 direct victims related
to this event were counted. Most of them were victims of accidents caused by malfunctioning of
electrical equipment: vehicle collisions due to the cessation of traffic lights, asphyxia caused by
damaged electrical generators, etc. The indirect effects of the blackout and their consequences in
the mid and long term do not seem to have been evaluated. Indeed it is difficult, if not
impossible, to determine, for example, how many people with serious illnesses could not receive
treatment or how many surgeries were postponed, and what were the implications of these
adjournments and postponements on the health of the patients.
38
David Turns, ‘Cyberwarfare and the notion of direct participation in hostilities’ (2012)
17(2) J. Conflict & Sec. L. 288.
39
As underlined in a Report published in 2010 about Estonia, International Cyber
Incidents: Legal Considerations:
The high availability of public e-services and wide Internet accessibility that the Estonian
population enjoys have, as a negative side effect, also made the country a more attractive

7 / Date: 7/5
society such as Georgia.40 However, it is also possible that less connected countries can
be more heavily dependent on certain facilities and infrastructure. Additionally,
variations in the nature of the operation can lead to significantly different results as
evidenced by military operations against electrical grids in Iraq in 1991 and in Serbia
and Montenegro in 1999.41 Furthermore, one should take into account that the
assessment of damages is even more difficult and controversial due to the fact that the
effect of such damages can be seen in the long term.42 This raises the question of
the critical date for the assessment of the existence of such an ‘attack’? Is it reasonable
to label retrospectively an act as an attack several days, weeks or even months after the
commission of the act?
Thus, depending on the circumstances and a series of hardly identifiable parameters,
the same act could or could not be qualified as an attack.
These questions are, however, not new. They are also to be raised in relation to
kinetic operations when assessing the proportionality of an attack or its indiscriminate
nature. But while a kinetic attack against an installation will cause physical damage to
the facility before any eventual collateral damage, this is not automatically the case for
a cyber-operation.
Indeed, a cyber-operation against a facility can be more insidious to the extent that it
can generate collateral damage without causing direct damage to the targeted instal-
lation. Even worse, a cyber-attack could be conducted against an installation in a
completely concealed and furtive way.
target for cyber-attacks. The dependency of the population on easily accessible online
services has made the society more vulnerable to large scale disruptions in the availability of
Internet access:
Eneken Tikk, Kadri Kaska, & Liis Vihul International Cyber Incidents: Legal Considerations
(CCD COE 2010) 18.
40
Turns (n 38) 287.
41
In a 2003 Report, Human Rights Watch underlined that:
Attacks on electrical generation facilities used by the civilian population would have a
profound and long-term impact on the civilian population in Iraq. During the 1991 Persian
Gulf War, for example, the failure of American war planners to accurately assess the
cascading effects that attacks on electricity would have on the civilian population had
profound humanitarian consequences. These attacks crippled basic civilian services, including
hospital-based medical care, and shut down water-distribution, water-purification, and
sewage-treatment plants. As a result, the most vulnerable members of the population, young
children and adults requiring medical attention, suffered injury and death from the lack of
potable water and poor medical treatment. It was proven in Yugoslavia that attacks on
electrical distribution facilities can achieve the necessary military effect of disrupting power
supply without long-term incapacitation of electrical generation capability. Due to the severe
consequences that followed destruction of electrical generation in Iraq, the US attacked
similar facilities in Kosovo in such a way as to cause only temporary incapacitation’:
Human Rights Watch, ‘International humanitarian law issues in a potential war in Iraq’ (Human
Rights Watch Briefing Paper, 2003) 8–9 <http://www.hrw.org/sites/default/files/reports/Iraq%
20IHL%20formatted.pdf> accessed 3 October 2014.
42
Thomas W. Smith, ‘The new law of war: Legitimizing hi-tech and infrastructural
violence’ (2002) 46 Int’l. Stud. Q. 363.

8 / Date: 25/3
In his memoirs of the Cold War, a former Air Force secretary, Thomas Reed, recalls
how, in 1982, a US satellite detected a large blast in Siberia. It was, according to him,
‘the most monumental non-nuclear explosion and fire ever seen from space’. This blast,
he said, ‘was a malfunction in the computer-control system that Soviet spies had stolen
from a firm in Canada. They did not know that the CIA had tampered with the software
so that it would “go haywire”, after a decent interval’.43 Even today, many viruses and
worms remain undetectable in many countries. It will then come as a big surprise to
them that a given malfunction of a facility is the result of a cyber-attack conducted
against it.
(ii) The limits of physical damage in the assessment of attacks

Cyberwar profoundly modifies the parameters of war. As Heather Diniss has rightly
said:
Computer network attacks not only increase the number of targets that it is possible to attack
by reducing the collateral damage and hence the proportionality equation in target selection,
they also allow the possibility of operations which cause no physical damage but nonetheless
destroy or merely neutralize the object or system in question. This is an attractive option for
states, particularly in conflicts which will necessitate the reconstruction of the battle-space at
the conclusion of hostilities; it is inefficient to bomb a power generating station if you can
simply turn it off.44
What needs to be assessed then is how to characterize these cyber-operations ‘that do

not have a clear kinetic parallel’.45 Can we consider that the mere neutralization of an
installation or interference with its normal operation is sufficient enough to label such
an operation as an ‘attack’?
For many observers, especially the supporters of a strict interpretation of the KEE
test, the answer should be negative. Relying on commentaries of Protocol I stressing
that violence requires the use of physical force,46 the Tallinn Manual states for example
that: ‘Interference with functionality qualifies as damage if restoration of functionality
requires replacement of physical components’.47 Therefore, a cyber-operation resulting
in the suspension of the normal activity of a plant will not constitute an attack as such,
unless the resumption of operation of the system requires the physical replacement or
reinstallation of certain components or collateral damage meeting the KEE test
43
Thomas Reed, At the Abyss: An Insider’s History of the Cold War (Presidio Press/
Ballantine Books 2004) 368.
44
Dinniss (n 21) 183–4.
45
Harold Koh (Legal Advisor, U.S. Department of State), highlighted that (about jus ad
bellum and concerning the notion of ‘force’): ‘As you all know, however, there are other types of
cyber actions that do not have a clear kinetic parallel, which raise profound questions about
exactly what we mean by “force”: Harold H. Koh, ‘International Law in Cyberspace’ (U.S.
Department of State, 18 September 2012) <http://www.state.gov/s/l/releases/remarks/197924.
htm> accessed 3 October 2014.
46
Michael Bothe, K. J. Partsch & W. A. Solf, New Rules for Victims of Armed Conflicts:
Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949
(Martinus Nijhoff 1982) 289.
47
Schmitt (n 3) 108.

9 / Date: 25/3
requirements that has been produced due to the malfunctions of the system. According
to this thesis, damage should be physical.48 As a result cyber military operations
conducted against civilians ‘which merely cause discomfort’, or ‘inconvenience’ should
not be considered as ‘attacks’.
However, this interpretation is controversial. For Knut Dörmann, the presence of
physical damage is not an essential requirement for actions to be considered as an
attack. In his opinion:
Given that elsewhere in the same section of AP I [Additional Protocol I], namely in the
definition of a military objective, reference is made to neutralization of an object as a
possible result of an attack, one may conclude that the mere disabling of an object, such as
shutting down of the electricity grid, without destroying it should be qualified as an attack as
well.49
Furthermore, according to Cordula Droege the expression ‘neutralization’ in Article

52(2) of Protocol I used to define military objectives:
shows that the drafters had in mind not only attacks that are aimed at destroying or damaging
objects, but also attacks for the purpose of denying the use of an object to the enemy without
necessarily destroying it. So, for instance, an enemy’s air defence system could be neutralized
through a cyber-operation for a certain duration by interfering with its computer system but
without necessarily destroying or damaging its physical infrastructure.50
Whatever the arguments put forward by each camp in support of its claims, this
controversy shows that the assimilation of cyberwar in conventional warfare induced by
the KEE test is not always an easy one and may even be perceived as a reductive one.
Faced with the dematerialization of the initial act, we need to ‘re-materialize’ its effects
in order to grasp the phenomenon. But endeavoring by all means to make cyberwar fit
the classical framework could lead to a risk of excluding a wide range of military
cyber-operations directed against civilians and civilian objects. As Michael Schmitt
said:
[I]f the Serbian State television station had been targeted by CNA rather than kinetic weapons
during NATO strikes on Belgrade in April 1999, there might well have been no consequent
injury, death, damage or destruction. In that circumstance, criticism on the basis that a
civilian target had been hit would probably have fallen on deaf ears and thereby avoided the
resulting negative publicity, as well as the resulting litigation in the European Court of
Human Rights.51
48
According to Michael Schmitt, ‘a cyber operation, like any other operation, is an attack
when resulting in death or injury of individuals, whether civilians or combatants, or damage to
or destruction of objects, whether military objectives or civilian objects’: Michael Schmitt,
‘Cyber operations and the jus in bello: Key issues’ (2011) 87 Naval War College Int’l. L. Stud.
94.
49
Dörmann (n 4).
50
Droege (n 29) 558.
51
Schmitt (n 27) 381.

10 / Date: 7/5
But if this assertion is true, this could lead us, as Cordula Droege warned, to the absurd
conclusion, ‘that the destruction of one house by bombing would be an attack, but the
disruption of an electrical grid supplying thousands or millions of people would not’.52
Finally it seems true that according to Jeffrey Kelsey, ‘[t]he potentially non-lethal
nature of cyber weapons may cloud the assessment of an attack’s legality, leading to
more frequent violations of the principle of distinction in this new form of warfare than
in conventional warfare’.53
Given this challenge it is useful to examine to what extent the principle of distinction
must be interpreted as prohibiting not only cyber-attacks but, more generally, military
cyber-operations against civilians.
3. BEYOND THE CONCEPT OF ATTACK: A PROHIBITION OF

MILITARY CYBER-OPERATIONS DIRECTED AGAINST
CIVILIANS?
A grammatical interpretation of the provisions of Protocol I codifying the principle of
distinction might lead readers to believe that military cyber-operations against civilians
are to be considered as prohibited. Indeed, according to Article 51, ‘The civilian
population and individual civilians shall enjoy general protection against dangers
arising from military operations’. Furthermore, Article 48 asks belligerents to ‘direct
their operations only against military objectives’, and Article 57 (Precautions in attack)
adds that: ‘In the conduct of military operations, constant care shall be taken to spare
the civilian population, civilians and civilian objects’.54
However, this interpretation remains controversial. For the Tallinn Manual, to
comprehend it as such is not acceptable: military operations against civilians are
prohibited by the principle of distinction only when these operations crossed the
threshold of an attack.55 ‘Attacks’ and ‘military operations’ are thus synonymous. As
explained for example by Michael Schmitt, ‘prohibition is not much on targeting on
military objectives as it is on attacking them, specifically through the use of
52
Droege (n 29) 558–9.
53
Kelsey (n 5) 439.
54
According to Melzer:
The basic treaty rule of distinction is not formulated in terms of ‘attack’ but in terms of
‘operations’ (…). Therefore, although attacks certainly represent the predominant form of
combat operation, it would be inaccurate to assume that cyber operations not amounting to an
attack are not subject to IHL governing the conduct of hostilities. Accurately understood, the
applicability of the restraints imposed by IHL on the conduct of hostilities o cyber operations
depends not on whether the operations in question qualify as ‘attack’ (that is, the predominant
form of conducting hostilities), but on whether they constitute part of the ‘hostilities‘ within
the meaning of IHL:
Melzer (n 32) 27. See also Dinniss (n 29).
55
According to the Tallinn Manual, ‘[o]nly when a cyber-operation against civilians or
civilians objects (or other protected persons and objects) rises to the level of an attack is it
prohibited by the principle of distinction and those rules of the law of armed conflict that derive
from the principle’: Schmitt (n 3) 112.

11 / Date: 8/5
violence’.56 Thus, according to Schmitt: ‘cyber operations directed against civilian

computer systems do not violate the prohibition on attacking civilian objects unless
they qualify as an attack by virtue of their consequences. The paradigmatic case is a
cyber-psychological operation (PSYOP) that involves denial of services, but cause no
physical damage’.57
As a result, belligerents would have the right to target civilians and civilian
properties as long as no direct physical damage occurs,58 or could be proven. But, as
we have seen, the causality link between a cyber-operation and damage can be
extremely difficult to establish. Although applicable, the principle of distinction could
thus be overwhelmed by the nature of cyberwarfare.
According to other authors, the principle of distinction and other rules of inter-
national humanitarian law do not exclusively apply in operations that qualify as
‘attacks’, but also to all military operations which are part of the hostilities. According
to Niels Melzer:
Therefore although attacks certainly represent the predominant form of combat operation, it
would be inaccurate to assume that not amounting to an attack are not subject to IHL
governing the conduct of hostilities. Accurately understood, the applicability of the restraints
imposed by IHL on the conduct of hostilities to cyber operations depends not on whether the
operations in question qualify as ‘attacks’ (that is, the predominant form of conducting
hostilities), but on whether they constitute part of the ‘hostilities’ within the meaning of
IHL.59
This debate about the interpretation of Protocol I and the applicability of the principle
of distinction to all military operations against civilians was probably less important
within the context of the ‘traditional’ use of kinetic weapons. It has nonetheless
acquired a brand new dimension with the progressive development of cyber-weapons.
Indeed, one could think that linking the principle of distinction to hostile cyber-
operations (even if they do not necessarily qualify as ‘attacks’) is probably the best way
to preserve the raison d’être of this principle.
Taking into consideration the potentially dramatic developments of warfare in a
digital world, it would be unreasonable and counterproductive to ‘stick’ to a fixed and
inflexible interpretation of the conditions of applicability of the principle of distinction.
And the general consensus on the submission of cyberwar to the laws of war should not
lead to the absurd conclusion that these rules are irrelevant because they are too ‘old’ to
56
Schmitt (n 27) 376.
57
Michael Schmitt, ‘International law in cyberspace: The Koh Speech and Tallinn Manual
juxtaposed’ (2012) 54 Harvard Int’l. L. J. 26. See also Schmitt (n 48) 91.
58
According to Davidson:
non-military objectives can be targeted by CNAs, as long as the result is not physical danger
to the civilian population or damage to civilian objects and the intention of such action is not
to terrorize the civilian population. This is so, even if the motive of the operation is military
and it is conducted by armed forces:
Osnat Davidson, ‘A legal analysis of computer network attacks under international law’
(2007–2008) 3 I.D.F. L. Rev. 70, 92.
59
Melzer (n 32) 27.

12 / Date: 8/5
deal effectively with new forms of war. The law of armed conflict should on the
contrary be interpreted in an evolutive way in order to adapt to new realities and
possibilities to wage war.
International courts and treaty bodies, faced with changes in technology and science,
have often used methods of dynamic and evolutive interpretation of international
treaties as well as principles of international law to give them their full effect.60 In 1997
in its Gabčikovo-Nagymaros judgment, the ICJ considered that the bilateral agreement
concluded in 1977 between Czechoslovakia and Hungary should be interpreted, not
according to the law and scientific knowledge as they existed in 1977, but dynamically
on the basis of the law and conditions prevailing in 1997.61 Similarly, the Appellate
Body of the World Trade Organization asserted that the words of Article XX(g),
‘exhaustible natural resources’ should be interpreted not in a static manner and on the
basis of knowledge that prevailed in 1947, but in a dynamic manner according to the
knowledge of 1998.62 In these cases, the judges did not want to adopt a grammatical
interpretation that would deprive the treaty of its effects. They interpreted these treaties
in a teleological way so as to give full effect to their provisions. It is also well known
that human rights treaty bodies constantly use evolutionary interpretation as a tool in
order to ‘adapt’ and specify concepts and notions contained in the human rights treaties
in a rapidly evolving world. In the interest of the protected persons these bodies have
60
See Giovani Distefano, ‘L’interprétation évolutive de la norme internationale’ (2011) 112
R.G.D.I.P. 373–96; Rosalyn Higgins, ‘Time and the law: International perspectives on an old
problem’ (1997) 46 I.C.L.Q. 501–20.
61
According to the Court:
Owing to new scientific insights and to a growing awareness of the risks for mankind – for
present and future generations – of pursuit of such interventions at an unconsidered and
unabated pace, new norms and standards have been developed, set forth in a great number of
instruments during the last two decades. Such new norms have to be taken into consideration,
and such new standards given proper weight, not only when States contemplate new activities
but also when continuing with activities begun in the past.
Gabcikovo-Nagymaros Project (HungarylSlovakia) (Judgment) [1997] ICJ Rep. 1997 para. 140.
More recently, in the Case Costa Rica v. Nicaragua, the ICJ, using a dynamic interpretation of
a bilateral agreement concluded in1858, stated that ‘Nicaragua, in adopting certain measures
which have been challenged, in the Court’s opinion, is pursuing the legitimate purpose of
protecting the environment’: Dispute Regarding Navigational and Related Rights (Costa Rica v.
Nicaragua) (Judgment) [2009] ICJ Rep. 2009 para. 89. See also Georg Nolte, ‘Between
contemporaries and evolutive interpretation: The use of subsequent practice in the judgment of
the International Court of Justice concerning the case of Costa Rica v Nicaragua (2009)’ in
Holger P. Hestermeyer (ed.), Coexistence, Cooperation and Solidarity: Liber Amicorum Rudiger
Wolfrum (vol II, Martinus Nijhoff Publishers 2012) 1675–84.
62
According to the Appellate Body of the Dispute Settlement Body of the WTO:
The words of Article XX(g), ‘exhaustible natural resources’, were actually crafted more than
50 years ago. They must be read by a treaty interpreter in the light of contemporary concerns
of the community of nations about the protection and conservation of the environment. (…)
the generic term ‘natural resources’ in Article XX(g) is not ‘static’ in its content or reference
but is rather ‘by definition, evolutionary’:
WTO, US: Import Prohibition of Certain Shrimp And Shrimp Products – Report of the Appellate
Body (12 October 1998) WT/DS58/AB/R paras 129–130.

13 / Date: 7/5
constant recourse to the idea that human rights treaties are ‘living instruments’, the
interpretation of which inevitably requires a non-static process. As the former President
of the European Court of Human Rights, Jean-Paul Costa stated:
The fact is that, more or less since the beginning, the Convention organs … have taken the
view that the text should be interpreted, and applied, by adapting it to the changes that have
taken place over time – to changes in society, in morals, in mentalities, in laws, but also to
technological innovations and scientific progress. The Convention is sixty years old: history
has moved inexorably onward during that period and this contextual evolution has been
highly significant. The Convention’s interpreters expressly rejected a static or finite analysis.
I am convinced they were right.63
This dynamic approach has always been part of the law of armed conflict as evidenced
by the Martens clause inserted in various treaties or the famous Article 36 of the
Protocol I. It is also thanks to this dynamic approach that cyberwar is unanimously
regarded as subject to the law of armed conflict. This is the same way in which one
should interpret Articles 48 and 51 of Protocol, taking into account the objectives of the
drafters that were to protect civilians from the effects of the war. As Diniss wrote:
Once the ability to target civilian objects is permitted, it crosses the fundamental philosoph-
ical line enshrined in the 1868 Declaration of St Petersburg, which states ‘the only legitimate
object which States should endeavor to accomplish during war is to weaken the military
forces of the enemy.64
Furthermore it should be recalled that the principle of distinction has both a conven-
tional and customary basis.65 As pointed out by the ICJ in the Nicaragua case, a
conventional rule and a parallel customary rule remain autonomous. The fact that some
interpretations of the principle under the Protocol could be made in conjunction with
other provisions of the Protocol has no impact on the interpretation of the principle in
its customary dimension.66 The principle of distinction can thus receive different
63
European Court of Human Rights, Council of Europe (eds.), Dialogue between Judges
2011: What are the Limits to the Evolutive Interpretation of the Convention? (ECHR 2011) 5.
64
Dinniss (n 21) 202.
65
In our view there is enough State practice and opinio juris to support the customary
nature of the principle of distinction. This conclusion was also confirmed by the ICJ itself in its
advisory opinion Legality of the Threat or Use of Nuclear Weapons (n 6). As the Court said:
The cardinal principles contained in the texts constituting the fabric of humanitarian law are
the following. The first is aimed at the protection of the civilian population and civilian
objects and establishes the distinction between combatants and non-combatants; States must
never make civilians the object of attack and must consequently never use weapons that are
incapable of distinguishing between civilian and military targets. […] [T]hese fundamental
rules are to be observed by al1 States whether or not they have ratified the conventions that
contain them, because they constitute intransgressible principles of international customary
law (paras 78–79).
66
As the ICJ emphasized in the Nicaragua Case: ‘Rules which are identical in treaty law
and in customary international law are also distinguishable by reference to the methods of
interpretation and application’. And the ICJ added that:

14 / Date: 25/3
interpretations depending on whether it is in a customary or conventional framework.

Similar to treaty rules, customary principles can be subject to dynamic interpretations.
For example, it is due to such a dynamic interpretation by judges that the principle of
due diligence came out of the Strait of Corfu to irrigate almost all fields of international
law.67
In this context, it might be useful, taking into consideration the specificities of
cyber-warfare, to read the principle of distinction in accordance with its objective. This
might prevent belligerents in the future from directing cyber-operations strictly and
exclusively against civilians.
All these debates concerning whether a dam, a plant or an electric grid is or is not a
potential target of cyber-attack reveals also how the interconnection between civil and
military infrastructures makes the application of the principle of distinction extremely
complex. This leads us to ask whether cyber-warfare blurs the distinction between the
civil sphere and that of the military or on the contrary enables better discrimination
between the military and civilians.
4. THE PROHIBITION OF INDISCRIMINATE ATTACKS IN

CYBERSPACE
The principle of distinction implies that civilians and civilian property can be clearly
distinguished from combatants and military objectives. For this purpose the law of
armed conflict requires belligerents to take various measures to avoid the risk of
confusion. It obliges combatants ‘to distinguish themselves from the civilian population
while they are engaged in an attack or in a military operation preparatory to an
attack’;68 it asks the parties to the conflict to remove ‘civilian population, individual
civilians and civilian objects under their control from the vicinity of military object-
ives’;69 and it also considers as perfidy acts, the gaining of confidence of an adversary
by feigning civilian or non-combatant status.70
In reality, the distinction between civilians and military objectives, which had already
been contextual at the time of the codification of the principle of distinction, has been
a principle enshrined in a treaty, if reflected in customary international law, may well be so

unencumbered with the conditions and modalities surrounding it in the treaty. Whatever
influence the Charter may have had on customary international law in these matters, it is
clear that in customary international law it is not a condition of the lawfulness of the use of
force in self-defence that a procedure so closely dependent on the content of a treaty
commitment and of the institutions established by it, should have been followed:
Case concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v.
United States) (Merits) (Judgment of 27 June 1986) [1986] ICJ Rep. 14 paras 178 and 200.
67
See Karine Bannelier, ‘Foundational judgment or constructive myth? The court’s decision
as a precursor to international environmental law’ in Karine Bannelier, Théodore Christakis &
Sarah Heathcote (eds.), The ICJ and the Evolution of International Law. The Enduring Impact of
the Corfu Channel Case (Routledge, 2012) 242–55.
68
Protocol I (n 13) art 44 (Combatants and prisoners of war).
69
Ibid. art 58 (Precautions against the effects of attacks).
70
Ibid. art 37 (Prohibition of perfidy).

15 / Date: 25/3
gradually eroded. The ‘civilianization’71 of war characterized by the development of

non-international and asymmetric conflicts but also by the increasing use of sophisti-
cated technologies and private military companies has blurred the contours of these
notions. The principle of distinction was not spared by this trend, as illustrated by the
success of the concept of dual-use objects which considers as military objectives
civilian infrastructure serving partly a military function. The inextricable interconnec-
tivity between the civilian and the military spheres that characterizes the cyberspace
pushes this trend to the limits by authorizing attack on an increasingly wide and diverse
range of dual-use facilities72 (4a).
This process of ‘civilianization’ of war is not limited to objects and facilities, it also
directly affects civilians. Indeed, cyberwar depends largely on the technical expertise of
civilians. This overuse of civilians in the military cyberspace raises questions about the
status of the protection of these persons. Indeed, the principle of distinction provides
that the protection of civilians against attacks can cease when they take a ‘direct part’
in hostilities. Undoubtedly, the interpretation of the notion of direct participation in
hostilities and its consequences constitutes one of the most challenging questions for
the application of the principle of distinction in cyberspace. It is therefore appropriate
to ask when participation in military cyber-operations can be considered as a direct
participation in hostilities and what the consequences might be (4b).
(a) The Distinction between Civilian Objects and Military Objectives and the
Problem of Dual-use Objects
The law of war does not provide a direct definition of ‘civilian objects’ but only a
definition of the military objective. According to Article 52(2) (General protection of
civilian objects) of Protocol I:
Attacks shall be limited strictly to military objectives. In so far as objects are concerned,
military objectives are limited to those objects which by their nature, location, purpose or use
make an effective contribution to military action and whose total or partial destruction,
capture or neutralization, in the circumstances ruling at the time, offers a definite military
advantage.
By an a contrario reasoning we can thus consider as civilian objects, objects that are
not military objectives. Depending on the circumstances and necessities of the war, the
same object could be considered as a ‘civilian’ one, immunized against attacks by the
principle of distinction, or as a military objective ‘which by their nature, location,
purpose or use make an effective contribution to military action’ and could be
destroyed. If this definition is well established, it is nonetheless well known that the
71
Andreas Wenger & Simon Mason, ‘The civilianization of armed conflict: Trends and
implications’ (2008) 90 (872) I.R.R.C. 835–52.
72
As Vice Admiral Arthur Cebrowski highlighted, ‘There is no logical distinction …
between military or civil systems or technologies. [Therefore] there is also no technical
distinction between exploitation, attack or defense of the information warfare target set’, quoted
in Lawrence T. Greenberg et. al., Information Warfare and International Law (National Defense
University Press 1998) 12.

16 / Date: 7/5
interpretation of the two key elements of the definition is highly subjective. As one
commentator has underlined: ‘Although it seems that the principle of distinction
between military and civilian objects is a straightforward principle, it is often difficult
to apply in practice. The main ambiguity derives from different interpretations of the
terms “effective” and “definite”.’73
Some authors74 but also some States have adopted such a broad interpretation of the
concept of military objective that it profoundly undermines the principle of distinction
itself.
A well-known example is arguably the US Navy Commander’s Handbook on the
Law of Naval Operations which considers as military objectives, not only ‘war-
fighting’ but also ‘war-sustaining’ installations. According to this handbook:
Military objectives are combatants and those objects which, by their nature, location, purpose
or use effectively contribute to the enemy’s war-fighting or war-sustaining capability and
whose total or partial destruction, capture or neutralization would constitute a definite
military advantage to the attacker under the circumstances at the time of attack.75
During NATO airstrikes against Serbia in 1999, Lieutenant General Short of the NATO
Air Component stated it wanted to ‘turn off the lights’ of Belgrade.76 The bombing in
April 1999 of the Serbian Radio Television was also presented as a military objective
because it was seen as the nervous system that kept Milošević in power.77 At the same
time, according to US military sources ‘bridges were often selected for attack for
reasons other than their role in transportation (for example, they were conduits for
communications cables, or because they were symbolic and psychologically lucra-
tive)’.78 This way of interpreting what constitutes a military objective and the way to
73
Davidson (n 58) 94.
74
This doctrinal trend is well illustrated by Charles Dunlap, who argues for a new kind of
total war, stating that:
We need a new paradigm when using force against societies with malevolent propensities. We
must hold at risk the very way of life that sustains their depredations, and we must threaten
to destroy their world as they know it if they persist. This means the air weapon should be
unleashed against entire new categories of property that current conceptions of LOAC put
off-limits,
in Charles J. Dunlap, ‘The end of innocence: Rethinking non-combatancy in the post-Kosovo
era’ (2000) 28(3) Strategic Rev. 9.
75
Department of the Navy, Office of The Chief of Naval Operations, ‘The Commander’s
Handbook on the Law of Naval Operations’ (Edition July 2007) 8.2 (Military Objectives)
<http://www.usnwc.edu/getattachment/a9b8e92d-2c8d-4779-9925-0defea93325c/> accessed 3
October 2014.
76
Cited by Michael Schmitt, ‘The impact of high- and low-tech warfare on the principle of
distinction’ in Roberta Arnold & Pierre-Antoine Hildbrand (eds.), International Humanitarian
Law and the 21st Century’s Conflicts: Changes and Challenges (Edis 2005).
77
ICTY, Final Report to the Prosecutor by the Committee Established to Review the NATO
Bombing Campaign Against the Federal Republic of Yugoslavia (Jun 2000) 26, <http://
www.tpiy.org/x/file/About/OTP/otp_report_nato_bombing_en.pdf> accessed 3 October 2014.
78
Quoted by Jeanne M. Meyer, ‘Tearing down the facade: A critical look at the current law
on targeting the will of the enemy and air force doctrine’ (2001) 51 Air Force L. Rev. 165.

17 / Date: 25/3
gain a military advantage was not unique to the crisis in Kosovo. In the current Syrian
crisis, the different possibilities concerning an eventual cyber-attack against the regime
of President Bashar al-Assad included the idea that one of the objectives should be to
‘turn the lights out for Assad’.79
But even if the notion of ‘war-sustaining’ installation remains controversial, it is true
that many facilities, such as chemical and power plants, oil refineries, hydroelectric
dams, telecommunications or transports infrastructure are often qualified as a dual-use
object and as a consequence are targeted during hostilities.80 As Marco Sassòli states:
‘when a certain object is used for both military and civilian purposes, it may be held
that even a secondary military use turns it into a military objective’.81 Since these
facilities are dual-objects they can be the target of kinetic weapons as well as of
cyber-attacks. But while kinetic attacks against dual use objects are often criticized due
to their impact on civilians, cyber-attacks are often presented as more ‘human’.82 The
controversy of targeting dual objects is not a new one but as Cordula Droege said, ‘in
cyber space the consequences could be exacerbated to an extreme point where nothing
civilian remains’.83 The status of computer and computer systems and companies
associated with these systems calls for special attention. Since computer systems are
the heart of modern armies they can be considered as ‘war-fighting’ and thus as
military objectives. But what about the companies designing and producing hardware
or software? Are they dual-use entities and as such could be military targets? According
79
Cited by David E. Sanger, ‘Syria war stirs new US debate on cyberattacks’, The New
York Times (24 February 2014).
80
It is for example interesting to note that according to the Convention for the Protection of
Cultural Property in the Event of Armed Conflict, broadcasting stations are military objectives.
Indeed, under art 8.1:
There may be placed under special protection a limited number of refuges intended to shelter
movable cultural property in the event of armed conflict, of centres containing monuments
and other immovable cultural property of very great importance, provided that they: (a) are
situated at an adequate distance from any large industrial centre or from any important
military objective constituting a vulnerable point, such as, for example, an aerodrome,
broadcasting station, establishment engaged upon work of national defence, a port or railway
station of relative importance or a main line of communication:
Convention for the Protection of Cultural Property in the Event of Armed Conflict (14 May
1954).
81
Marco Sassòli, ‘Legitimate targets of attacks under international humanitarian law’
(Background Paper prepared for the Informal High-Level Expert Meeting on the Reaffirmation
and Development of International Humanitarian Law, January 27–29, 2003) 7 <http://www.
hpcrresearch.org/sites/default/files/publications/Session1.pdf> accessed 3 October 2014.
82
According for example to Kelsey (n 5):
Unlike conventional strikes, which may leave civilians without power for month or even
years, a cyber-strike could disable the power grid for the duration of hostilities yet allow
electrical service to resume immediately once the fighting was over. This result would not be
completely eliminate the public health and safety concerns, but cyber warfare at least offers
the possibility of lessening the damage relative to a conventional attack: 1435.
83
Droege (n 29) 565.

18 / Date: 25/3
to the Tallinn Manual: ‘An object used for both civilian and military purposes-including
computers, computer networks and cyber infrastructure-is a military objective.’84
Should we then consider Microsoft System, IBM or Dell as potential targets?85 And
beyond these companies, could the Internet and social networks, such as Facebook or
Twitter, also be considered as military objectives? In 1995 already, ‘95 percent of the
telecommunications of the Department of Defense traveled through the Public
Switched Network’.86 The Internet and social networks are also of fundamental
importance for many armed groups involved in riots, unrest or civil war.87 In Syria for
example, President Bashar al-Assad was recently suspected of having interrupted
access to the Internet in order to cripple the communication abilities of the rebellion.88
It is thus not very surprising that for many observers, civilian servers used to transmit
military information are military objectives.89 These facilities could, according to these
observers, be subject to cyber-attacks as well as to kinetic attacks. The legal framework
for these attacks comes under the principle of proportionality which prohibits ‘to cause
incidental loss of civilian life, injury to civilians, damage to civilian objects, or a
combination thereof, which would be excessive in relation to the concrete and direct
military advantage anticipated’.90
Even if one is reluctant to consider the Internet as a global military objective on the
basis of the idea that only ‘segments’ used for military purposes should be targeted,91
the interconnection between civilian and military networks is so deep that an attack
strictly limited or ‘proportional’ seems rather illusory. Besides the fact that it can be
difficult to identify the segments used for military purposes, the mere fact of
introducing a virus into a military network or into a military objective via a civilian
network can have effects that spread far beyond the military framework.92 Cyber-
attacks can therefore be indiscriminate as they ‘cannot be directed at a specific military
objective’.93
84
Schmitt (n 3) rule 39 (Objects used for civilian and military purposes).
85
See for example Eric Talbot Jensen, ‘Unexpected consequences from knock-on effects: a
different standard for computer network operations?’ (2002) 18 Am. U. Int’l. L. Rev. 1544,
quoted by Droege (n 29) 566.
86
Greenberg, Goodman & Soo Hoo (n 72) 12, quoting Richard W. Aldrich, ‘The
International Legal Implications of Information Warfare’ (U.S. Air Force Institute for National
Security Studies Occasional Paper 9, April 1996) 11.
87
See examples of Nepal, Myanmar or Egypt given in Dinniss (n 21) 186.
88
Chris Finan, ‘A cyberattack campaign for Syria’, The International Herald Tribune (27
May 2013).
89
Schmitt (57) 27.
90
Protocol I (n 13) art 51§5 b. On proportionality in cyber armed conflict see Gill (Ch 17
of this book).
91
See Schmitt (n 3) 136.
92
The Stuxnet experience shows that ‘although the worm was designed against Iranian’s
nuclear power plant, its spread infected 45 000 computers around the world’: Thomas Erdbrink
& Ellen Nakashima, ‘Iran struggling to contain ‘foreign-made’ computer worm’, The Washing-
ton Post Staff (28 September 2010).
93
Protocol I (n 13) art 51(4)(b). Furthermore, according to Kelsey (n 5) 1438, IHL requires
to ‘know not just where to strike but be able to anticipate all the repercussions of an attack’.

19 / Date: 25/3
In this context one may wonder how the principle of distinction can curb this
phenomenon as cyber-attacks are not always clearly identifiable and their consequences
and authors remain often unknown.
(b) Problems of Identification and Protection of Civilians in the Context of

Cyberwar
The fate of those involved in cyber-operations is undoubtedly one of the most complex
issues of the law of armed conflict. The principle of distinction assumes that
belligerents can clearly distinguish between civilians and combatants. However, for
various reasons, armed forces increasingly use civilians to perform a wide range of
activities in connection with military cyber-operations. This information technology
outsourcing goes from the simple maintenance of military networks to the exploitation
of weaknesses of computer systems through the development and instillation of worms,
Trojan horses and other viruses. According to Turns: ‘In light of these trends, there is a
high probability that many, if not most, of the personnel substantively involved in
cyber-operations may actually be civilians’.94
What then is the status of these experts involved in these cyber-operations? The
protection against attacks granted by the principle of distinction to civilians is subject
to the fundamental requirement that civilians do not take a direct part in hostilities.95
This condition of ‘innocence’ is inserted in most of the provisions relating to the
principle of distinction and the protection of civilians.96 For example, according to
Article 51(3) of Protocol I: ‘Civilians shall enjoy the protection afforded by this
Section, unless and for such time as they take a direct part in hostilities.’
In the case of direct participation in hostilities, this protection ends and while the
people involved conserve their civilian status, they can lawfully become the target of
attacks. Could a hacker or computer scientist thus become the object of an attack? The
answer to these questions depends on the interpretation of the notion of ‘direct
participation in hostilities’ in the context of cyber-operations.
In this regard, the Interpretive Guidance on the Notion of Direct Participation in
Hostilities published by the ICRC is helpful.97 Although some proposals remain
controversial, the main conclusions of this document seem to be consensual and call for
at least two sets of observations in relation to cyber-operations.
94
Turns (n 38) 292.
95
Claude Pilloud, Commentaires des Protocoles additionnels du 8 juin 1977 aux Conven-
tions de Genève du 12 août 1949 (Martinus Nijhoff Publishers 1986) 633.
96
See for example common art 3 to the four Geneva Convention of 12 August 1949; art.
13(3) of Protocol Additional to the Geneva Conventions of 12 August 1949 relating to the
Protection of Victims of Non-International Armed Conflicts (Protocol II), 8 June 1977; art 38 of
the Convention on the Rights of the Child of 20 November 1989; art 1 of the Optional Protocol
to the Convention on the Rights of the Child on the involvement of children in armed conflict, 25
May 2000; art. 8.2(b)(i) and 8.2(e)(i) of the Rome Statute of the International Criminal Court,
17 July 1998.
97
Niels Melzer (ed.), Interpretive Guidance on the Notion of Direct Participation in
Hostilities under International Humanitarian Law (ICRC 2009) 85.

20 / Date: 25/3
A first set of observations concerns the meaning of the notion of ‘direct participation
in hostilities’ in a cyber-context. It is first interesting to note that the notion of
‘hostility’ is interpreted widely enough to encompass a large variety of acts. According
to the ICRC’s Guidance: ‘there was wide agreement that the causation of military harm
as part of the hostilities did not necessarily presuppose the use of armed force or the
causation of death, injury or destruction’ but essentially included ‘all acts that adversely
affect or aim to adversely affect the enemy’s pursuance of its military objective or
goal’98.99 In other words, ‘hostilities’ is not synonymous with attack and cyber military
operations that are below the threshold of an attack could be considered as ‘hostilities’.
According to the Tallinn Manual: ‘There is no requirement for physical damage to
objects or harm to individuals. In other words, actions that do not qualify as a
cyber-attack will satisfy this criterion as long as they negatively affect the enemy
militarily.’100 From this point of view, it can be concluded that a wide range of
cyber-operations could fall under the scope of ‘hostilities’.
However, in order to consider an act as a case of ‘direct participation’, three
additional requirements should be met: ‘(1) a threshold regarding the harm likely to
result from the act; (2) a relationship of direct causation between the act and the
expected harm; and (3) a belligerent nexus between the act and the hostilities
conducted between the parties to an armed conflict’.101 Here again, although these
criteria are cumulative, it seems that a broad range of cyber-activities could fit the
definition. According to Interpretive Guidance: ‘Electronic interference with military
computer networks could also suffice, whether through computer network attacks
(CNA) or computer network exploitation (CNE), as well as wiretapping the adversary’s
high command or transmitting tactical targeting information for an attack.’102
As a consequence, this could lead us to a preliminary conclusion that many civilians
involved with military cyber-operations ‘even if they do not actually press the button
that launches a cyber-attack’103 could fit the definition of ‘direct participation in
hostilities’.
The second set of our observations concerns the effects of this ‘(cyber) direct
participation in hostilities’ on the protective status of these civilians. The fact that these
civilians are a legitimate target and might be subject to an attack (cyber or kinetic) is
confirmed. Nonetheless the scope of these attacks raises many questions, both
geographically and temporally.
The interpretation of the expression ‘for such time’ in a cyber-context is particularly
challenging and needs to be clarified. Indeed, should we consider that civilians could
be targeted only when they ‘press’ the button or can they only be targeted when the
cyber-operation is under way? As Schmitt rightly underlined:
This is problematic in that many cyber operations last mere minutes, perhaps only seconds.
Such a requirement would effectively extinguish the right to strike at direct participants.
98
Ibid, pp. 22f, 31
99
Ibid. footnote 97.
100
Schmitt (n 3) 119.
101
Melzer (n 97) 46.
102
Ibid. 48.
103
Quoted by Turns (n 38) 290.

21 / Date: 25/3
Moreover, the effect of a cyber-operation may be long-delayed, as in the case of a

surreptitiously emplaced logic bomb. Would the target of such an operation only be entitled
to attack the direct participant while the logic bomb is being emplaced?104
On the other hand it could be extremely dangerous to adopt a too broad interpretation
leading to the conclusion that it is possible to launch attacks against these civilians as
long as the effects of their actions exist. To quote Michael Schmitt again: ‘In the cyber
conflict environment, therefore, the only reasonable interpretation of “for such time” is
that it encompasses the entire period during which the direct cyber participant is
engaging in repeated cyber-operations.’105 Balanced and reasonable as it might be, this
interpretation does not resolve all the problems. For example should we consider that
the replication of a worm embodies a ‘repeated cyber-operation’? If so direct
participation in hostilities could then become unlimited. But if the answer to this
questions is no, at what time should we then consider that such a cyber-operation is
over?
The ubiquity of cyber-operations is also extremely challenging for the principle of
distinction. Indeed cyber-operations can be launched simultaneously by thousands of
computers all around the world and the instigators of these operations can be located in
civil areas far away from the ‘battlefield’ (if there are any battlefields at all). The
principle of distinction prohibits indiscriminate attacks but authorizes lethal attacks
against civilians directly participating in hostilities and also collateral damage to people
and properties. This is provided that these damages are not excessive in relation to the
concrete and direct military advantage anticipated.106
In this context, one may wonder whether the notion of direct participation in
hostilities in cyber space could become a kind of Trojan horse (or worm) instilled into
the principle of distinction leading to a kind of ‘total cyber war’.107 The risks of abuse
are however not so obvious. Indeed, as we mentioned, the three criteria of direct
participation are cumulative, bringing the threshold requirement to a fairly high level.
In addition, the second criterion of direct participation requires ‘a relationship of direct
causation between the act and the expected harm’. However, as previous developments
have tried to demonstrate, it is precisely such a link which is difficult to establish in the
context of cyberwar. It is therefore once again the snake biting its tail. As David Turns
noted: ‘In these circumstances, it appears doubtful that CW [cyber warfare] could ever
meet the requirement of direct causation for DPH [direct participation in hostilities],
which suggests that civilians could engage in CW [cyber warfare] with impunity.’108
5. CONCLUSION
The prevailing view according to which cyber warfare, like any other method or means
of warfare, is subject to the law of armed conflict is accurate. However, this welcomed
104
Schmitt (n 48) 102.
105
Ibid.
106
Protocol I (n 13) art 51§5(b).
107
Droege (n 29) 565.
108
Turns (n 38) 288.

22 / Date: 25/3
consensus should not overshadow the difficulties of interpretation and application of

the principle of distinction in the context of a dematerialized war. Of course the
difficulties of implementing the principle of distinction ‘in the heat’ of the battle are not
new, but cyberwar stretches them to their outer limits. For the time being the practice of
applicability of this principle in this new form of warfare is very limited and the risks
we highlighted in this chapter remain rather theoretical. One should nonetheless follow
closely future developments in this field. Indeed, it remains to be seen how this old
‘cardinal’ and ‘intransgressible’ principle will be interpreted and tailored in order to
‘fit’ the new realities of the cyber-battlefield.

23 / Date: 25/3
17. International humanitarian law applied to

cyber-warfare: Precautions, proportionality and the
notion of ‘attack’ under the humanitarian law of
armed conflict
Terry D. Gill
1. INTRODUCTION
The applicability of international law to ‘cyber-warfare’ has received significant
attention in recent years. A number of States have presented (semi) official positions on
the question of the applicability of international law to cyber-warfare and several
noteworthy publications have appeared in which the applicability and application of
international law to cyber attacks and other forms of cyber activity have received
attention, including the recently published Tallinn Manual on the Applicability of
International Law to Cyber Warfare.1 Alongside the applicability of the ius ad bellum
governing the permissibility of the use of force and the conditions and modalities
relating to its application in response to cyber attacks, the question of the applicability
of the ius in bello, generally referred to as International Humanitarian Law or the Law
of Armed Conflict (IHL/LOAC), has also received attention, albeit, probably somewhat
less on the whole in relation to cyber attacks, than the law governing the use of force.
1
For examples of State positions on cyber-warfare and the applicability of international law
thereto see, Michael Schmitt (ed.), Tallinn Manual on the Applicability of International Law to
Cyber Warfare (CUP 2013) 2 (hereinafter referred to as Tallinn Manual), citing the national
cyber strategies of, inter alia, Canada, the Russian Federation, the United Kingdom and the
United States. The Netherlands also recently adopted a position which endorsed the findings of
the Advisory Council for International Affairs and the Advisory Committee on Matters of Public
International Law Report on Digital Warfare in which it acknowledged that existing international
law, including the law relating to the use of force and international humanitarian law, fully apply
to cyber-warfare. See for the joint report of the two bodies AIV/CAVV Report 77/22, Cyber
Warfare, December 2011 available online <http://www.aiv-advies.nl/ContentSuite/upload/aiv/
doc/webversie__AIV77CAVV_22_ENG.pdf> accessed 6 March 2015. For the Dutch Govern-
ment’s response, see <http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapport
en/2012/04/26/cavv-advies-nr-22-bijlage-regeringsreactie-en/cavv-advies-22-bijlage-regeringsreactie-
en.pdf> accessed 6 March 2015. Alongside State reactions, a considerable amount of literature
has appeared devoting attention to the international legal aspects of cyber-warfare, both in
relation to use of force issues and the application of IHL / LOAC. These are too numerous to
name, but a few examples of recent publications will serve to illustrate. Among these
publications are (2012) 17 (2) J. Conflict & Sec. L. devoted wholly to cyber-warfare; Paul
Ducheine, Frans Osinga and Joseph Soeters (eds.), Cyber Warfare: Critical Perspectives (TMC
Asser Press 2012); (2013) 89 Int’l. L. Studies; and the publications of the NATO Cooperative
Cyber Defence Centre of Excellence (CCD COE), including the aforementioned Tallinn Manual.
366
1 / Date: 25/3
International humanitarian law applied to cyber-warfare 367
Both aspects are, however, dealt with in the aforementioned Tallinn Manual. In this
chapter, I will set out some of the main positions put forward in that study and
elsewhere relating to the application of international humanitarian law to cyber
hostilities and offer some personal views in relation to the question to what extent this
body of law is relevant and applicable to ‘cyber warfare’. In that context, I will devote
specific attention to when, under which circumstances and how the rules of human-
itarian law relating to the conducting of attacks, with a focus on proportionality, would
apply to hostilities carried out wholly or partially in the cyber domain.
This chapter is based on several premises, which however obvious some may seem,
need emphasizing. First, that as a matter of law, IHL/LOAC only applies when the
conditions relating to the threshold of the existence of an armed conflict have been
reached. Secondly, that to date, there has never been a single instance of a ‘stand-alone’
cyber attack or other act of cyber interference or sabotage, which has come close to
meeting that threshold. Thirdly, that the likelihood of such a ‘stand -alone’ cyber attack
reaching that threshold is remote at best.2 Fourthly, and consequently, that if IHL/
LOAC is applicable to ‘cyber-warfare’, it will most likely be in the context of a
‘regular’ armed conflict in which cyber operations are conducted alongside traditional
‘kinetic’ attacks involving the application of IHL/LOAC to the entire spectrum of
operations and attacks which are conducted by any party to the conflict. Fifthly and
finally, that any armed conflict, irrespective of the means and methods of warfare
employed, is subject to the rules and principles of international humanitarian law, and
these rules are equally applicable to any party to such a conflict.3
This chapter is structured as follows. In the following section, a few considerations
will be set out in support of the premises presented above. In the third section, the rules
of IHL/LOAC relating to the notion of ‘attack’, the taking of precautions to spare the
civilian population and civilian objects and the duty to conduct such attacks in
conformity with the principle of proportionality (as it applies within IHL/LOAC) will
be briefly set out. In the fourth section, these rules will be applied in the context of
cyber attacks conducted within the context of an armed conflict. In the fifth and final
section, a number of conclusions will be presented.
2. WHY AND WHEN HUMANITARIAN LAW WOULD OR WOULD

NOT APPLY TO ‘CYBER-WARFARE’
The starting point of this explanation of the premises underlying this chapter is that
IHL/LOAC is a legal regime which only applies if there is in fact an armed conflict of
either an international or non-international character. The qualitative threshold for
international armed conflict is provided for in common Article 2 of the Geneva
Conventions of 1949 and is restated authoritatively in case law. Although some doubt
2
Thomas Rid, ‘Cyber war will not take place’ in Ducheine, Osinga & Soeters ibid. 73.
3
This follows from the ICJ’s statement that international humanitarian law applies to all
weapons (past, present, and future weapons) in the context of an armed conflict; see Legality of
the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. 226 para. 39.

2 / Date: 25/3
may arise as to the applicability of all the rules of IHL treaty and customary law in
relation to isolated, small-scale incidents involving incidental clashes between the
armed forces of two States, it is well established that an international armed conflict
exists when there is a conflict between the armed forces of two or more States and/or
a total or partial occupation of the territory of a State by another State, irrespective of
whether there is armed resistance to such occupation, a situation of declared or factual
war, or greater or lesser loss of life and injury, and damage and destruction.4 In short,
any armed clash above the most inconsequential between two or more States results in
the existence of an international armed conflict and the applicability of IHL/LOAC to
the parties. With regard to non-international armed conflicts, the situation is not as
sharply defined, but on the basis of widely accepted criteria set out in the case law of
the International Criminal Tribunal for the Former Yugoslavia relating to the requisite
degree of organization, intensity and duration, a non-international armed conflict exists
when there are armed clashes of an intensity and duration between an organized armed
group and a State, or between two or more organized armed groups, which rise above
the level of unorganized or sporadic armed violence or civil unrest.5 If these criteria are
met, the rules and principles of IHL/LOAC relating to non-international armed conflict
apply to the parties to the conflict, irrespective of how the conflict is characterized by
either party. Anything below either of these thresholds is not an armed conflict in the
legal sense and IHL/LOAC does not apply as a matter of law, even though either party
may elect to apply certain of its rules as a matter of policy.
Although the geographical scope of armed conflict is not the focus of this
contribution, it deserves mention that in an international armed conflict (i.e. between
two or more States) IHL/LOAC is applicable throughout the territory of any and all
States party to the conflict and in international sea and airspace to the extent military
operations are conducted there. The territory of third States is inviolable unless one of
the parties conducts military operations from the territory of a non-belligerent (neutral)
State and that State fails to uphold its duties as a neutral to prevent and put an end to
such operations.6 In non-international armed conflicts, IHL/LOAC applies within the
territory of the State in question. It will only apply to the territory of a third State to the
extent an armed group (partially) relocates to the territory of a third State and conducts
operations from there, without the government of that State taking necessary and
4
Common art 2 of the Geneva Conventions of 1949, reaffirmed in, inter alia, Jean Pictet
(ed.) Commentary to the First Geneva Convention for the Amelioration of the Condition of the
Wounded and the Sick in Armed Forces in the Field (ICRC, 1952), 32. See also Prosecutor v.
Dusko Tadić (Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction) [1995]
No ICTY-94-1-A para. 70. For discussion whether an international armed conflict results from
an isolated low-level armed incident, see, Christopher Greenwood, ‘Scope of application of
humanitarian law’ in Dieter Fleck (ed.), The Handbook of International Humanitarian Law (2nd
edn., OUP 2008) 48.
5
Prosecutor v. Dusko Tadić (n 4) para. 20; Prosecutor v. Ramush Haradinaj et.al.
(Judgement) [2008] IT-04-84-T para. 60. On the qualification of cyber armed conflict see
Arimatsu (Ch 15 of this book).
6
For the geographic scope of international armed conflict, see e.g. Greenwood (n 4) 59–62;
on neutrality law as it applies under the UN Charter, see e.g. Michael Bothe, ‘The law of
neutrality’ in Fleck (n 4) 571 et. seq. 582–3.

3 / Date: 25/3
adequate measures to prevent or halt such operations being conducted from its
territory.7 The result in both cases is that barring exceptional circumstances, the
territory of States not party to the armed conflict is inviolable. In relation to
international armed conflicts, this is due to the law of neutrality, alongside rules of
general international law relating to State sovereignty and in relation to non-
international armed conflicts, due to the latter set of rules arising from principles of
State sovereignty and non-intervention, alongside rules and principles arising from the
ius ad bellum.8
Stand-alone cyber attacks have, to date, never met either of these thresholds for the
existence of an armed conflict. No example of cyber espionage, interference, intellec-
tual property theft, or even sabotage has until now even approached the threshold of
either an international or non-international armed conflict.9 As serious as cyber
espionage, cyber interference and cyber theft and crime are, they are not ‘warfare’ in
anything but a semantic sense. Even when States engage in massive cyber surveillance
and espionage, cyber intellectual property theft, cyber interference and cyber non-
armed intervention, the lawful responses are to be found in the law relating to law
enforcement, retorsion and countermeasures, and not the law relating to the use of force
or the humanitarian law of armed conflict. Likewise, cyber terrorism would not
automatically trigger the applicability of IHL/LOAC. This would only occur if it
resulted in the threshold of either an international or non-international armed conflict,
as set out above, being met. There has been, to date, no such example of cyber
terrorism, but its occurrence at some point in the future cannot be ruled out. If the
necessary conditions relating to the degree of organization, intensity and duration were
present, this could result in the applicability of IHL/LOAC, but despite fears of such
cyber terrorism, it would seem unlikely that a terrorist group would resort to cyber
means instead of the type of terrorist attacks that have been used and are being used by
7
The normal situation is that non-international armed conflicts occur within the territory of
the State in question. In some cases, there is ‘spill-over’ of a non-international conflict onto the
territory of one or more other States whence operations are conducted rising to the level of
non-international armed conflict, see, inter alia, Tallinn Manual (n 1) rule 21 and accompanying
commentary 78–9. An example of such a spill-over is the conflict between Turkey and the PKK
movement, which has seen numerous operations by both sides being conducted over the border
in northern Iraq, where the Iraqi Government does not exercise effective control over its territory.
8
The relevance of the principles of sovereignty, non-intervention and the prohibition of the
use of force to this question are self-evident. In addition, international law regulating self-
defence, while not unanimous in State practice and academic opinion, shows considerable
support for the possibility of conducting self-defence in response to armed attack from across an
international frontier by a non-State organized armed group if the State from where the attack
originated either controls or exercises substantial involvement in the attack, or is unable or
unwilling to prevent such attacks being conducted from its territory. This is related to the
principle of necessity within self-defence, which is one of the requirements for its exercise. Only
when the State where the operations are conducted from fails to take adequate measures to
prevent attacks being mounted from its territory, is there a necessity to take action in
self-defence. To the extent these operations rise to the level of a non-international armed
conflict, humanitarian law relating to such conflicts would become applicable. See, inter alia,
Tallinn Manual ibid. 58–9 and 61–6.
9
Rid (n 2) 75 et. seq.

4 / Date: 25/3
such groups on a regular basis. This is because cyber vulnerabilities are almost
certainly overstated on the one hand and on the other hand, the necessary economic,
financial and technical resources to achieve massive societal dislocation on a long-term
basis or inflict large-scale casualties by cyber means alone are not readily available to
most, if any, terrorist groups.10
Neither is it likely, in the event of an armed conflict between States, that massive
stand-alone cyber attacks, sometimes referred to as ‘cyber Pearl Harbour’ scenarios,
would be the most likely way in which hostilities were conducted under such
circumstances. In the event a large-scale armed offensive were carried out by a State
against another State, it would seem illogical that such an attack would be confined to
cyber means of warfare. Under such circumstances, the State conducting such an
offensive would be most likely to utilize all means of warfare at its disposal. If one
decides to conduct all-out warfare for whatever reason, why limit oneself to one
weapon alone?11 Nor is it much more likely that a smaller scale armed attack against a
discrete target would be conducted by cyber means alone. The reasons for this are
basically twofold. First, such a stand-alone cyber armed attack would not ensure the
destruction or effective elimination of the target permanently, or for a prolonged period.
If, for example, one wished to take out a particular military capability, platform or
critical installation, it would be exceedingly difficult to ensure long-term effective
damage, destruction or degrading of the targeted object by cyber means alone. In such
a case, cyber techniques of warfare would be much more effective if used in
conjunction with traditional ‘kinetic’ weapons, as was the case in the Israeli attack on
the Syrian nuclear reactor in September 2007, when cyber techniques akin to electronic
jamming were reportedly used as a means to temporarily neutralize Syrian air defences
in order to clear the way for Israeli fighter bombers to attack and destroy the nuclear
installation in northern Syria.12 If, on the other hand, one wished to remain undetected
(at least initially) and below the threshold of an armed attack in order to gather
intelligence or inflict mere sabotage upon a system, as in the case of the Stuxnet
sabotage of Iranian nuclear centrifuges, the threshold of an armed attack or of an armed
conflict, would not be met. In short, cyber means of surveillance, espionage and
sabotage are used regularly by a variety of actors without this being deemed to
constitute ‘warfare’ in either the factual or legal sense.13
Consequently, the most likely way in which cyber means and methods of warfare
would be used within the context of an armed conflict, aside from intelligence
gathering and conducting counter-intelligence and other types of information opera-
tions, such as psychological warfare or the influencing of public opinion, would be as
an adjunct and assist to attacks conducted by traditional means, as was the case in the
10
Sean Lawson, ‘Beyond cyber-doom: Cyber attack scenarios and the evidence of history’
10 (2012) J. Inform. Tech. & Polit. 1, 4.
11
Chinese military strategy is often cited as an example of how cyber methods would likely
be used in conjunction with traditional force in the event of any war between the PRC and
another State, see Han Bouwmeester, Hans Folmer & Paul Ducheine, ‘Cyber security and policy
responses’ in Ducheine, Osinga & Soeters (n 1) 34–7.
12
Rid (n 2) 84–5. See also Terry D. Gill & Paul Ducheine, ‘Anticipatory self-defence in the
cyber context’ (2013) 89 Int’l. L. Studies 438, 461–2.
13
Gill & Ducheine ibid. 459; Rid (n 2) 85–8.

5 / Date: 25/3
aforementioned example of the Israeli airstrike on the Syrian reactor. In such

circumstances, cyber operations are essentially another form of electronic warfare,
which has been around for a considerable amount of time. The most likely employment
would be within the context of operations directed against the adversary’s ‘sensory and
nervous systems’, such as degrading command, control and communications systems,
weapons guidance systems, and detection systems like radar systems. This would
almost always be conducted alongside more traditional means and methods of warfare,
and as such, would be subject to IHL/LOAC rules and principles, including those
pertaining to the conducting of ‘attacks’, whenever such operations amounted to ‘acts
of violence directed against the adversary, whether in offense or defence’14, which were
reasonably likely to result in physical damage, destruction, death or injury. Hence,
while it quite possible and perhaps even likely that cyber-warfare in the real sense of
the word will occur at some point, it is most likely to occur in a fairly traditional battle
space, both physical and electronic, in which a variety of means and methods of
warfare are employed alongside each other, including certain techniques of digital
warfare. Because of the resources required to successfully design and employ cyber
weapons and the types of operations in which they would be most likely used and most
effective, it seems probable that most cyber-warfare in the real sense would occur
within the context of international (inter State) armed conflicts, since most armed
groups do not have either the resources, or the type of sophisticated command, control,
communications and weapons systems which would make the techniques of cyber-
warfare a logical choice of means. If this is a correct surmise, without necessarily
ruling out other possible scenarios categorically, then it equally logically follows that
whenever such an armed conflict occurs, it will be governed and regulated by the rules
and principles of IHL/LOAC which pertain to the conduct of hostilities, including the
principle of proportionality in the conducting of ‘attacks’ which are likely to effect the
civilian population, since they apply to all weapons and targeting in any armed conflict.
We will therefore, now turn to the law which is relevant to such attacks.
3. THE LAW OF ARMED CONFLICT RELATING TO THE

CONDUCTING OF ATTACKS
The law relating to the conduct of attacks within IHL/LOAC is primarily contained in
Articles 48–58 of the First Additional Protocol to the Geneva Conventions of 1949
(hereinafter referred to as AP I.) While this only applies as treaty law to parties to AP
I, which is applicable in international armed conflicts, the customary law relating to the
conduct of attacks is substantially similar and binds all States and parties to armed
14
This is the definition of attack under IHL/LOAC as stated in First Additional Protocol to
the Geneva Conventions of 1949 (AP I) art 49 and under customary law.

6 / Date: 25/3
conflict, and is applicable in all armed conflicts whether international or non-

international in character.15 For the sake of simplicity, the relevant provision of AP I
will be cited where necessary, when referring to a specific rule or rules.
The two main principles of IHL/LOAC in relation to the targeting of persons or
objects subject to attack in an armed conflict are distinction and proportionality. These
principles act alongside the two main principles of IHL/LOAC which are military
necessity and humanity and several other principles, such as the principle of honourable
conduct prohibiting perfidy in attacks and the principle of equal application of
IHL/LOAC to all parties to the conflict, which form the core structure of this branch of
international law. The basic rules relating to the targeting of persons and objects are
essentially the following: First, attacks may only be conducted against combatant
members of the adversary’s forces and military objectives.16 These include regular
members of the armed forces, with the exception of non-combatant military personnel
(medical personnel and chaplains), or in non-international conflicts against fighting
members of armed groups.17 In addition, civilians directly participating in hostilities are
subject to attack for the duration of their participation, including the period of
deployment to and from the place where the attack is conducted.18 Military objectives
are those objects which according to their nature, use, purpose or location make an
effective contribution to military operations and whose capture, destruction or neutral-
ization would confer a definite military advantage under the circumstances prevailing at
the time an attack is being considered or conducted.19 Attacks may never be conducted
against civilians, civilian objects, protected persons or objects, as such, unless they are
directly participating in hostilities or have been converted into military objectives, in
which case they lose their protection against attack.20
Secondly, in any attack that is likely to affect civilians or civilian objects, the
principle of proportionality (as it applies within IHL/LOAC) must be observed. This
provides that an attack which is likely to cause excessive civilian casualties or damage
or destruction of civilian objects in relation to the concrete and direct anticipated
military advantage expected from the attack (viewed a whole) is prohibited.21 It should
be noted that proportionality within IHL/LOAC is only relevant in an attack upon a
15
There are at present 173 States Party to AP I. Many, indeed most, of its provisions apply
as customary law to non-parties in international armed conflicts and to all parties to non-
international armed conflicts, alongside its binding effect upon State Parties to it in international
armed conflicts as a matter of treaty law. The provisions of AP I relating to the conduct of
attacks which have obtained customary status are reflected in the ICRC customary law study
(ICRC CLS), which, notwithstanding certain criticism and shortcomings, has a widely recog-
nized authoritative, but not binding status. For the purposes of this chapter, those rules will be
assumed to reflect customary law, since a detailed examination falls outside its scope. The rules
in the ICRC CLS relating to attacks are contained in rules 1–24 thereof.
16
AP I (n 14) art 49. On distinction in cyberspace see Bannelier-Christakis (Ch 16 of this
book).
17
Ibid. art 43 and ICRC Interpretive Guidance on the Notion of Direct Participation in
Hostilities under International Humanitarian Law (26 February 2009) (IG DPH) 32–3.
18
Ibid. 65.
19
AP I (n 14) art 52:2.
20
Ibid. art 51.
21
Ibid. art 51:5 lit.b.

7 / Date: 25/3
military objective (including enemy personnel) which is likely to affect the civilian
population or civilian objects. An attack which is not likely to affect civilians or civilian
objects is not affected by this principle, while an attack deliberately directed against
civilians or a civilian object, as such, is strictly prohibited and would constitute a war
crime.22
Thirdly, constant care must be undertaken to spare the civilian population as far as
possible and to prevent, or in any case, minimize loss of civilian life, injury of civilians
and damage or destruction of civilian objects resulting from an attack on a military
objective. This requires the taking of all feasible precautions when planning and
conducting an attack and cancelling or suspending an attack whenever the collateral
effects of the attack are likely to be excessive in relation to the concrete and direct
military advantage anticipated. This is proportionality in a somewhat different context,
namely in choosing the time, method and means of attack least likely to cause
excessive collateral injury or damage. The standard here is that of the ‘reasonable
commander/combatant’ acting in good faith and on the basis of information reasonably
available at the time the attack is planned or conducted. It also requires an ongoing
assessment as to whether the attack remains within the bounds of proportionality at all
stages of the attack. Whenever possible, prior warning must be given to civilians likely
to be affected, unless this would completely or largely compromise the attack.23
Fourthly, means (weapons) and methods of attack which are not or cannot be
directed against a specific military objective or objectives or whose effects cannot be
limited to military objectives and are consequently indiscriminate are prohibited. Hence
means and methods of attack which cannot discriminate between military objectives
and civilians and civilian objects are prohibited. Examples of this would be a weapon
such as a ballistic missile without a reliable guidance system, such as the Scud missiles
used by Iraq in the ‘Desert Storm’ campaign, which by their nature could only be
indiscriminately directed against geographical areas rather than a specific target, or a
means of attack, such as setting a fire in an urban area to force enemy personnel into
22
The applicability of the principle of proportionality to attacks upon military objectives
which are likely to affect civilians is clear from the text of art 51:5 lit.b and the scope of the
section of AP I in which it appears and is related to protection of the civilian population. The
weighing of military advantage against likely incidental and collateral effects upon civilians and
civilian objects makes this completely clear. Likewise, since proportionality is only relevant in
attacks upon military objectives whereby civilians may be affected and attacks against civilians
and civilian objects, as such, are prohibited irrespective of any military advantage they might
confer, proportionality is only relevant in relation to attacks upon military objectives whereby
civilians are likely to be affected. Deliberate attacks upon civilians, as such, are simply
prohibited as indiscriminate attacks. Both deliberate attacks upon civilians and disproportionate
attacks upon military objectives resulting in excessive (which is not always synonymous with
extensive and vice versa) civilian casualties or collateral damage to civilian objects are treated as
grave breaches of AP I and constitute war crimes under art 8:2 lit. b (i) and (ii) and (iv)
respectively of the Rome Statute of the International Criminal Court.
23
AP I (n 14) art 57. For the standard of the reasonable commander/combatant, see, inter
alia, the Tallinn Manual (n 1) para.13 of the commentary to rule 51 at 163, citing the ruling of
the ICTY in the Prosecutor v. Stanislav Galic (Judgement) [2003] IT-98-29 T para. 58.

8 / Date: 25/3
the open, but which cannot be controlled and is likely to spread indiscriminately
affecting civilians and their property along with the intended target.24
Fifthly, certain objects such as dams, dykes and nuclear power plants capable of
‘releasing dangerous forces’ if struck, may only be targeted if they are directly
converted into a military function and provide significant support to military operations
and no other option is available.25 The targeting of cultural property is likewise
prohibited, except in similar cases and the targeting of objects vital to the survival of
the civilian population, or which would cause long-term, widespread and significant
harm to the natural environment is prohibited.26
Sixthly, weapons or methods of combat which would cause superfluous injury or
suffering to enemy combatants are subject to either (far-going) restrictions or are
completely banned. The former category includes, inter alia, incendiary weapons and
certain types of mines, while the latter includes certain types of munitions (e.g.
expanding or flattening bullets) and poisoned, chemical and biological weapons.27
Finally, attacks of a perfidious nature (feigning non-combatant or protected status
while engaging in attack) are prohibited.28
While this summary is not exhaustive, it covers the most important rules relating to
the conduct of attacks. In addition, other rules relating to the conduct of hostilities are
relevant, such as the duty to refrain from attacks upon protected persons (such as
medical personnel) or persons who are hors de combat (the wounded, sick, ship-
wrecked and aircrew bailing out of a stricken aircraft, or who have surrendered at
discretion and laid down their arms), so long as they refrain from any hostile act, and
the prohibition of denying quarter (not accepting surrender when it is offered or
conducting hostilities in a way to allow for no survivors).29
4. APPLYING PROPORTIONALITY IN ATTACKS WHICH EMPLOY

CYBER WEAPONS
If cyber means and methods of warfare were employed in conducting attacks within the
context of an armed conflict, to what extent and how would the law relating to the
conduct of attacks set out in the previous section, in particular, the application of
the principle of proportionality as it is understood within IHL/LOAC, be relevant? In
attempting to answer this question, one should bear in mind a number of consider-
ations. To start with, only acts which result in (or are intended to result in) the direct or
reasonably foreseeable causation of physical damage, destruction, injury or death are
‘attacks’ within the context of the law of armed conflict.30 Consequently, any military
24
AP I (n 14) art 51:4, lit. a, b and c respectively.
25
Ibid. art 56.
26
Ibid. arts 53, 54 and 55.
27
Hague Regulations on Land Warfare 1907 art 23(e); ibid. art 35 and specific conventions
regulating or banning certain weapons.
28
AP I (n 14) art 37.
29
First Geneva Convention of 1949 art 24; AP I (n 14) arts 41, 42, 40 respectively.
30
Tallinn Manual (n 1) rule 30, with accompanying commentary; AP I (n 14) art 49.

9 / Date: 25/3
operation which does not result in these effects or is intended or reasonably likely to
result in such effects (an unsuccessful attack is still an attack), does not involve the
principle of proportionality, or any of the other IHL/LOAC rules related to the conduct
of attacks. Hence, most military ‘information operations’, such as psychological
warfare, military deception operations designed to mislead the opponent, electronic
warfare aimed at jamming or neutralizing electronic communications and weapons
guidance or target acquisition systems (unless this was a part of an attack), would fall
outside the ambit of ‘attack’, since they rarely cause such physical effects upon either
persons or objects. Likewise the mere gathering of intelligence or conducting of
counter intelligence operations to protect one’s own communications and systems,
would rarely, if ever, qualify as an ‘attack’ within the context of the law of armed
conflict.31 That is not to say that there are no relevant rules within IHL/LOAC relating
to such operations, but only that these are not related to proportionality and the other
rules governing attacks.32
Secondly and related to the first point, any operation which only results or is
intended to result in mere inconvenience without any foreseeable chance of physical
harm or damage, even if this effects the civilian population, equally falls outside the
notion of attack, and is not governed by the principle of proportionality. There are two
reasons for this: first, because ‘attacks’ are defined as ‘acts of violence’ under IHL; and
secondly, because proportionality relates to expected collateral civilian death, injury,
damage or destruction, which is excessive in relation to the anticipated military
advantage from the attack upon a military objective. So if cyber operations resulted in
temporary or more prolonged interference with civilian data systems (say e-mail
communications or financial transactions), without causing or being intended or likely
to cause physical harm (including loss of functionality of the system itself), they would
not likely qualify as attacks and proportionality would not be applicable, even if they
caused a significant degree of inconvenience and affected daily life to an appreciable
extent. Although ‘acts of violence’ are not limited to the release of physical energy (e.g.
chemical weapons are not ‘kinetic’, but an attack with chemical weapons unquestion-
ably qualifies as an ‘attack’), there must be some physical effects involving damage to,
or destruction of, objects, or death or injury of persons for the operation to qualify as
an attack, which would make proportionality potentially relevant, and inconvenience,
even serious inconvenience, does not normally meet this threshold.33 In most cases,
even if such operations resulted in the destruction or loss of data contained on such
systems without resulting in physical harm to persons or damage to objects and without
31
For a description and legal analysis of ‘information and influence operations’, see Blaise
Cathcart, ‘Legal dimensions of information operations’ in Terry D. Gill & Dieter Fleck, The
Handbook of the International Law of Military Operations (OUP 2010) 404 et. seq.
32
Examples of rules and principles of IHL/LOAC which are not directly related to the
conduct of attacks include (but are not limited to) those relating to ruses of war, espionage,
misuse of protected, neutral or enemy indicators or status and the duty to take passive
precautions (avoidance of locating military objectives in the immediate vicinity of civilians and
civilian objects to the maximum extent feasible). These are dealt with in the abovementioned
Tallinn Manual (n 1) in the cyber context in Rules 59 and 61–66 with accompanying
commentary.
33
Tallinn Manual (n 1) rule 30, para. 12 commentary.

10 / Date: 25/3
affecting the functionality of the system itself, it still would not qualify as an attack,
since data in and of itself has no physical properties.34 It is arguable, that if the
consequences of such destruction of data were reasonably severe, that this could qualify
as an act of violence, although this is probably not binding law at present.35 Moreover
if an act were designed to, or likely to result in, the spread of terror or severe mental
anguish amongst the civilian population it would, in any case, be prohibited under IHL/
LOAC, even if it is not directly related to the notion of proportionality and does not
necessarily have any relationship to whether or not data is damaged or destroyed.36
However, the destruction of data which could or would likely result in physical effects
(for example destruction or damage to electronic medical records of patients in a
hospital, or the shutdown of a SCADA system controlling a public utility) would in any
case qualify as an attack, and depending upon whether it was a side effect of an attack
upon a military objective, or simply a deliberate attack upon a civilian system as such,
proportionality could enter into the equation. If it were a (foreseeable or unintended)
side effect of an attack upon a military objective, proportionality would be relevant and
the lawfulness of the attack would (partly) depend upon whether the collateral effects
were excessive in relation to the expected military advantage. If it were simply a direct
attack upon a civilian system as such, proportionality would not be relevant to its
legality, since any such attack is ipso facto illegal to start with.37
Thirdly, any attack not reasonably likely to cause such physical effects upon civilians
or civilian objects falls outside the ambit of proportionality even if it causes or results
in extensive damage to military objectives or death or injury to persons subject to
attack.38 Hence, an attack upon a self-contained military data system, such as an
insulated military communications, target acquisition, or weapons guidance system, as
presumably was the case in relation to the earlier mentioned Israeli attack on the Syrian
air defence system in 2007, would not involve any considerations of proportionality,
since such systems are normally (highly) insulated from civilian systems and little or
no question of likely collateral effects arises. Likewise, if the cyber weapon or
technique used in an attack were specifically designed to effect only (certain features
of) a specific military target and any collateral effects were likely to only be negligible,
proportionality would only enter into the equation if the effects turned out to be
appreciable and could have been reasonably foreseen. For example, the Stuxnet virus,
although used outside the context of an armed conflict, was such a weapon. Although it
apparently subsequently spread to a considerable number of (civilian) computer
systems in the region, its effects upon them were virtually non-existent or negligible,
34
The Group of Experts in the Tallinn Manual ibid. unanimously agreed that whenever an
attack directed against data resulted in physical harm or destruction above a de minimis level it
would qualify as an attack. If this included (possible) harm to civilians and civilian objects,
proportionality would be applicable. The majority also agreed that if the functionality of the
targeted system were affected to a significant extent, requiring physical replacement of
components it could qualify as an attack. See 108–9 for discussion of these issues.
35
Ibid. rule 38 para. 5 of the commentary thereto.
36
AP I (n 14) art 51:2. For discussion of this in the cyber context see, Tallinn Manual ibid.
para. 8 commentary to rules 30 and 36 with accompanying commentaries.
37
See section 3 supra.
38
See (n 22) and accompanying text.

11 / Date: 25/3
since it had been specifically designed to only affect certain components within the
Iranian nuclear programme.39 Had it been used within the context of an armed conflict,
the question of its proportionality would scarcely, if at all, have been relevant.
Finally, to the extent an attack upon a military objective were (partially) conducted
by cyber means, the rules and principles governing attacks would be relevant to the
extent, the target had a dual use function, or there was an appreciable chance of
collateral effects which would meet the threshold of physical damage or personal injury
to civilians or civilian objects. This is perhaps stating the obvious, but there can be no
doubt that the principle of proportionality would then apply. This would be the case,
irrespective of whether the attack were conducted in conjunction with traditional
‘kinetic’ weapons, or by cyber means alone. In the former case, the principle would
apply to all aspects of the attack, including the cyber component thereof, since an
attack has to be viewed as a single act and not chopped into separate segments (e.g.
loading, aiming and firing a weapon is all part of a single act once it has been
completed.) Hence an attack upon a military objective carried out by a combination of
cyber and kinetic means should be assessed as a whole.40 In the latter case involving a
stand-alone cyber attack, proportionality would be applicable whenever and to the
extent such an attack on a legitimate target was reasonably likely to result in
foreseeable collateral physical effects to civilians and civilian objects including damage
or destruction of civilian data systems which could result in physical harm or damage.
In principle, there is no difference in terms of assessing the legality of such an attack in
terms of proportionality from one which was conducted by traditional kinetic weapons.
Consequently, it would be lawful to the extent it did not transgress any of the rules
relating to the conduct of attacks, including the principle of proportionality. In short it
would be disproportionate if the collateral effects, whether intended or simply a
reasonably foreseeable by-product of the attack, were excessive in relation to the
anticipated military advantage, based upon the information reasonably available at the
time the attack was being planned and conducted. Moreover, it would also depend upon
whether all feasible precautions had been taken before and throughout the attack to
limit the effects thereof to the maximum extent possible, and where the situation called
for it, the attack had been cancelled or suspended once it was in progress if the
situation demanded this. Finally, it could also depend upon whether prior warning had
been given to civilians before the attack was undertaken whenever this was possible.
Examples of such attacks involving cyber weapons or techniques (either alone or
alongside traditional weapons) would be against industrial installations, dual-use
objects, such as power plants, or communications systems used for both military and
civilian purposes. Provided these rose to the level of an attack as set out above,
39
Rid (n 2) 84–6. It is likely that in both cases, the cyber weapon (virus, worm, etc) was
inserted into the targeted systems (which were hardly likely to be connected to the Internet) by
means of a removable drive such as a USB stick.
40
An attack is seen as commencing once a person or object is endangered (e.g. laying a
mine is part of an attack long before its detonation). By analogy, a cyber attack commences once
malware is introduced which is reasonably likely to result in physical harm or destruction, even
if the effect is delayed or fails to occur, due to detection or malfunction. See Tallinn Manual
(n 1) paras 14–19 of the commentary to rule 30.

12 / Date: 25/3
proportionality would govern such attacks in the same way it governs traditional
attacks. There are few, if any differences in this regard.
Nevertheless, as stated in the opening sections of this chapter, there is probably little
likelihood of such attacks being conducted by purely cyber means alone, aside from
exceptional circumstances) for the reasons stated earlier. Consequently, the assessment
of proportionality, will in most cases, likely be no different than if the attack had been
wholly conducted by kinetic weapons. In any case, the law is the same irrespective of
the (combination of) weapons employed.
5. CONCLUDING REMARKS
The main questions posed in the preceding sections of this chapter were to what extent
would attacks within the context of an armed conflict which were conducted by digital
means, either on their own, or in conjunction with traditional kinetic force, be likely to
qualify as ‘attacks’ under IHL/LOAC (acts of violence resulting in physical harm to
persons or damage to objects) and when and to what extent would this involve the
applicability of the rules of IHL/LOAC governing the conduct of attacks, including in
particular the principle of proportionality in bello? On the basis of the preceding
examination and discussion of these questions a number of conclusions can be drawn.
First, IHL/LOAC only applies in the context of an armed conflict and no cyber attack
on its own has hitherto qualified as reaching the threshold of an armed conflict.
However, on at least one occasion (Israel’s attack on a Syrian nuclear facility in 2007),
cyber means of warfare were reportedly used in conjunction with kinetic force and this
without doubt qualified as an attack which was governed by IHL. Moreover any act
which caused or was intended to or was reasonably likely to cause any appreciable
danger of physical harm or damage would qualify as an attack, if it were carried out
within the context of an armed conflict. This could include attacks conducted by digital
means, provided the threshold of an armed conflict had been met and the act fitted into
the above-mentioned definition and qualification of an ‘attack’.
In that context, it was argued that the most likely scenario in which cyber operations
would be used as a means of attack would be in conjunction with traditional kinetic
weapons as in the example referred to above and that this is more probable within the
context of an international armed conflict than in most armed conflicts of a non-
international character. This was primarily because most armed groups have neither the
capability of mounting a purely digital operation qualifying as an attack, nor do most of
them have the types of sophisticated command, communications and weapons systems
which would be the most likely objects of a digital attack. Moreover, many cyber
operations which are likely to be engaged in any kind of armed conflict, such as
information operations, surveillance and (counter) intelligence do not qualify as attacks
and are not subject to the rules governing attack, including the principle of proportion-
ality. Be that as it may, any act which did amount to an attack would nevertheless be
governed by the IHL/LOAC rules regulating attacks, if an armed conflict were in
progress, irrespective of whether it was of an international or non-international
character.

13 / Date: 7/5
After setting out the applicable law relating to the conduct of attacks, it was further
argued that in view of the above-mentioned considerations, seen in context with the
function and purpose of the principle of proportionality, as it applies within IHL/
LOAC, that only attacks upon military objectives, whereby it was foreseeable that
civilians or civilian objects would be affected, would be governed by the principle of
proportionality. Hence attacks upon purely military targets, without any likely appreci-
able consequences to civilians or civilian objects would fall outside the applicability of
proportionality. Likewise in any attack which was directed against purely civilian
objects or the civilian population, as such, would be ipso facto illegal and no
considerations of proportionality would enter into assessing its illegality. Consequently,
cyber attacks (either on their own or in conjunction with more traditional weapons)
upon insulated military systems and similar military objectives, whereby the possible
consequences to civilians or civilian objects were non-existent or negligible and attacks
upon civilians and civilian objects, as such, are not subject to proportionality consider-
ations.
This still leaves a fairly wide scope for the applicability of the principle of
proportionality to attacks in which cyber weapons or techniques could be used. While,
as was discussed, there are some specific considerations relating to how the principle
would be applied if cyber entered the equation (such as whether destruction of data
effecting the civilian population qualifies as an attack), the principle itself and its basic
function along with the conditions relating to whether an attack is carried out in
conformity with the principle of proportionality, are not significantly, if at all, different
when cyber weapons are employed than if they are not. Hence, proportionality applies
in much the same way to cyber attacks conducted within the scope of an armed conflict
as to any other type of attack, using any weapon, traditional, or non-traditional.

14 / Date: 25/3
18. Cyber war and the law of neutrality

David Turns1
1. INTRODUCTION
The phenomenon of neutrality has been in existence as long as organised warfare itself
has characterised less than friendly relations between different peoples, princes and
polities. Defined in its most basic sense, in relation to armed conflicts, as the status of
non-participation either in a given conflict (temporary neutrality) or all conflicts
(permanent neutrality) with consequent legal rights and duties, it has fulfilled the
historically vital function in international relations of legally regulating the co-existence
of political entities that are at peace with those that are at war. The legal rights and
duties that flow from the status of neutrality attach to both belligerent and neutral
powers, and their violation by either party was traditionally seen as a very serious
matter since it could entail, among other things, the entry of a previously neutral power
into a war and the obligation of the relevant power to make reparations for such
violation according to the general international law doctrine of State responsibility. The
importance of neutrality during the Age of Exploration (from the fifteenth to the
seventeenth centuries) and the subsequent rise of the Nation-State in the post-
Westphalian paradigm is not difficult to appreciate: on the one hand, the great
European colonial empires with the foundations of their wealth dependent on maritime
commerce had a vested interest (as non-belligerents) in ensuring that their merchant
shipping would not be unduly caught up in hostile operations during other nations’
conflicts and (as belligerents) in enforcing the rules of maritime neutrality to their own
advantage and to their enemies’ detriment; on the other hand, smaller neutral nations
generally saw the economic opportunities for enhanced trade in wartime commodities
with belligerents – particularly where the latter were subject to blockade.2 Meanwhile,
all States jealously guarded their territorial sovereignty against infringement by any
other States, whether belligerent or not. Classic violations of territorial sovereignty in
the context of neutrality consist of such incidents as the boarding and/or capture by a
belligerent of an enemy ship at anchor in a neutral port – for example, the capture of
the Confederate Navy cruiser CSS Florida by the USS Wachusett in the harbour at
1
This chapter originates in a paper delivered at a Symposium on the Legal Aspects of
Cyber Warfare, held at the Swedish National Defence College in December 2012. All opinions
stated herein are those of the author and do not necessarily represent those of the Government,
Ministry of Defence or Armed Forces of the United Kingdom.
2
For a useful general discussion of historical attitudes to neutrality in the specific context
of naval warfare, see Carl J. Kulsrud, Maritime Neutrality to 1780: A History of the Main
Principles Governing Neutrality and Belligerency to 1780 (Little, Brown and Company 1936).
380
1 / Date: 25/3
Cyber war and the law of neutrality 381
Bahia in flagrant violation of Brazilian neutrality during the American Civil War,3 and
the boarding by HMS Cossack of the German oil tanker and supply ship Altmark in
Jøssingfjord, at a stage in World War II when Norway was still neutral.4 Other issues
included the impressment of neutral sailors into the naval service of belligerent powers,
such as the British practice, during the Napoleonic Wars, of boarding American-flagged
ships and forcing American seamen who were alleged to be British subjects or deserters
into Royal Navy service.5 Each such incident was a cause célèbre of its day, with
important diplomatic and political, as well as legal, repercussions.
As one of the oldest aspects of public international law relevant to the fundamental
status of war and peace in international relations, the customary international law of
neutrality was largely agreed by the eighteenth century before undergoing progressive
codification – in line with other aspects of the laws of war – as part of the Hague Peace
Conferences at the beginning of the twentieth century. Although its application was
generally considered to be of great practical importance during both World Wars, as in
previous wars down the ages, State practice since the adoption in 1945 of the United
Nations Charter, with its provisions outlawing the use of force and requiring the
co-operation of all Member States with collective security enforcement action man-
dated by the Security Council, has led to a general tendency to dismiss the laws of
neutrality as either at best extant in theory but largely non-applicable in modern
practice, or at worst as entirely obsolescent.6 In the delightful phrase of one commen-
tator, ‘They [the rules of neutrality] have a slightly musty quality to them.’7 With this
background to the body of rules under consideration, one may be forgiven for
wondering how they can possibly be relevant to the future of armed conflict, and
specifically to conflict in cyberspace. On the face of it, neutrality law’s traditional
obsession with protecting the territorial sovereignty of neutral States seems completely
irrelevant in relation to a domain which by definition knows no such concept as either
territory or sovereignty. Moreover, in light of the fact that there is as yet no lex
3
See ‘Report of Lieutenant Morris, C.S. Navy, late commanding C.S.S. Florida, of the
seizure of that vessel by the U.S.S. Wachusett, October 7, 1864 Bahia, Brazil’ in Official Records
of the Union and Confederate Navies in the War of the Rebellion (Series 1, vol. 3, Government
Printing Office 1896) 631–3; note the references to Brazilian neutrality in Enclosure 2 (letter of
protest from Lt Morris to the President of the Province of Bahia), 634–5.
4
See Brian Simpson, ‘The rule of law in international affairs’ (2004) 125 Proceedings of
the British Academy 211, 213–15; Hansard HC Debs vol 357 cols 1161–1164 (20 February
1940); Hansard HL Debs vol 115 cols 576–80 (20 February 1940); ‘Correspondence between
His Majesty’s Government in the United Kingdom and the Norwegian Government respecting
the German Steamer “Altmark”’ (Cmd 8012, 1950) House of Commons Sessional Papers,
Norway No. 1 vol XXV 451–66.
5
See Walter R. Borneman, 1812: The War That Forged a Nation (Harper Collins 2005)
19–25.
6
As will be argued in this chapter, this conclusion is both exaggerated and premature. It is
beyond the scope of this chapter to consider in detail the implications of the adoption of the UN
Charter for neutrality law generally, but for a useful discussion, see Detlev F. Vagts, ‘The
traditional legal concept of neutrality in a changing environment’ (1998) 14 Am. U. Int’l. L. Rev.
83, 88–91.
7
Ibid. 84.

2 / Date: 25/3
specialis in international law to govern situations arising in cyberspace, the two topics
might appear on the face of it to be mutually incompatible.
This chapter will suggest that such is not necessarily the case, despite the fact that to
date there have been no explicit invocations of neutrality law in respect of any
international8 cyber conflict. While the existence of neutrality is a matter of fact based
on States’ attitudes to a given conflict, the ever-growing interdependence of the world
community, not least in economic terms, seems to confirm that ‘neutrals cannot simply
ignore a war conducted by other countries. “The very nature of war causes its effects to
extend also to non-participating States and their nationals, whether they wish it or
not.”’9 The chapter will first provide a general overview of the definition, sources and
substance of the law of neutrality, before considering how it might apply to conflicts in
cyberspace, in terms of both the jus ad bellum and the jus in bello. Some concluding
remarks will indicate the author’s views of the possible future for the rules of neutrality
in an age of actual or potential cyber conflict.
2. THE INTERNATIONAL LAW OF NEUTRALITY:

GENERALITIES
(a) Definition
Neutrality traditionally has two broad meanings, depending on whether it is being

discussed in the context of normal peacetime relations or in that of war, i.e. armed
conflict; however, it is true to say that as a status it is essentially predicated on the
existence of international armed conflict, since that is the only situation in which its
legal rules are relevant and operative. In essence, ‘[n]eutrality (derived from the Latin
neuter = neither of each) is defined in international law as the status of a State which
is not participating in an armed conflict between other States’.10
States may adopt a position of permanent neutrality, which is not affected by the
temporal existence of any particular armed conflict and is a matter of legal obligation,
either voluntarily undertaken by the State in question as a matter of its domestic law11
8
Although history shows that the laws of neutrality have occasionally been deemed
relevant in certain non-international armed conflicts that have had important international
implications (principally in cases where each of the contending parties is seen as having some
degree of international legitimacy and personality or where the geographical scope of the
conflict is such that it has effects outside the territory where the conflict is taking place, the main
examples being the American and Spanish Civil Wars), doctrinally it has always been the case
that the rules of neutrality are applicable only in conflicts between States.
9
Yoram Dinstein, War, Aggression and Self-Defence (4th edn., CUP 2005) 24–5 (citing
Eric Castrén, The Present Laws of War and Neutrality (Suomalainev Tiedeakemia 1954)).
10
Dieter Fleck (ed.), The Handbook of International Humanitarian Law (3rd edn., OUP
2013) § 1101.
11
During the interwar period the US Congress adopted domestic legislation establishing US
neutrality as a matter of domestic legal obligation: see US Department of State, Office of the
Historian, ‘The Neutrality Acts, 1930s’ <http://history.state.gov/milestones/1921-1936/neutrality-
acts> accessed 26 September 2014.

3 / Date: 25/3
or imposed on it by international treaty.12 Probably the most famous example of a

permanently neutral State is Switzerland, whose self-described tradition of ‘reticence in
foreign policy’ dates back to at least 1515, was formally recognised by the Great
Powers of Europe at the Congress of Vienna in 1815 and has been incorporated into
successive Federal Constitutions since 1848.13 More recent examples include the
acceptance of permanently neutral status by Austria in 1955 – despite the adoption of a
national constitutional law which gave the appearance of voluntary adoption, it had
actually been a pre-requisite for the withdrawal of post-World War II Soviet occupation
forces and ratification of the Austrian State Treaty, and had therefore been agreed in
advance by the former Allied Powers14 – and the UN General Assembly’s recognition
of Turkmenistan’s permanent neutrality, as provided for in its national legislation.15 It is
also possible for a designated part of the territory of a State to be permanently neutral,
as opposed to the State as such.16 Permanent neutrality as a status under public
international law is not to be confused with either de facto neutrality17 or a policy of
neutrality. The latter – as practiced by Sweden through most of the nineteenth and
twentieth centuries, Ireland since 1937 and Finland during the Cold War – is
characterised by the absence of any legal obligation; as a unilateral policy decision of
the relevant government, it may of course be changed very rapidly and does not
necessarily entail international recognition.
In practice very few States have ever been, or are today, permanently neutral in the
legal sense. By far the more common usage of the term ‘neutrality’ is in relation to
what is effectively temporary neutrality, which in international law is defined as being
the position of any State that does not participate in armed hostilities between two or
12
One of the most famous historical examples of permanent neutrality being imposed on a
sovereign State by international agreement was Belgium, under the Treaty of London (1839). It
was the violation of this treaty by Germany in 1914 that was the immediate cause of Great
Britain’s involvement in the First World War. The Vatican City State also agreed to permanent
neutrality under art 24 of the Treaty of Conciliation, part of the 1929 Lateran Pacts with Italy, as
a condition of continued papal independence following Italian unification.
13
Swiss Federal Department of Defence, Civil Protection and Sports, Swiss Neutrality (4th
edn) 4–10 <http://www.vbs.admin.ch/internet/vbs/en/home/documentation/publication.parsys.
0008.downloadList.9934.DownloadFile.tmp/neuteebook.pdf> accessed 26 September 2014.
14
Bundesverfassungsgesetz vom 26. Oktober 1955 über die Neutralität Österreichs,
Bundesgesetzblatt für die Republik Österreich Nr. 211/1955.
15
UNGA Res A/50/80 [A] (11 January 1996) UN Doc A/RES/50/80.
16
E.g. the Panama Canal Zone, under art XVIII of the Hay-Bunau-Varilla Treaty (Conven-
tion for the Construction of a Ship Canal, 18 November 1903 <http://avalon.law.yale.edu/20th_
century/pan001.asp> accessed 27 September 2014) was declared ‘neutral in perpetuity’; the first
of the Corrijos-Carter Treaties confirmed this status (Treaty Concerning the Permanent Neutral-
ity and Operation of the Panama Canal (7 September 1977) arts 1–2 <http://www.pancanal.com/
eng/legal/neutrality-treaty.pdf> accessed 27 September 2014).
17
Primarily this would result from a State’s voluntary abolition of its own armed forces:
examples are Liechtenstein (since 1868) and Costa Rica (since 1949). On the other hand, Iceland
has voluntarily had no armed forces since achieving independence from Denmark in 1944, but is
a member of the North Atlantic Treaty Organisation and is thus considered a neutral State
neither de jure nor de facto.

4 / Date: 25/3
more other States;18 this is in fact automatically the de jure status of such non-
participating States. As such, temporary neutrality has no legal application outside
international armed conflicts and requires no formal declaration or explicit acknowl-
edgment: its existence is entirely dependent on there being a factual situation of armed
conflict.19 It entails very specific rights and duties in the relationship between neutral
and belligerent States, which arise as a matter of legal obligation under international
law. Being so fact-dependent, it is logical that the laws of neutrality apply only so long
as a conflict lasts, and in relation to any particular State may be further limited by that
State’s attitude to the conflict in question. A State may adopt a position of neutrality at
the outset of a conflict, only to find itself embroiled therein as a belligerent at a later
point in time through hostile action or occupation by one or more belligerents, as in the
cases of Denmark, the Netherlands and Belgium during World War II, following their
1940 invasion by Germany. Similarly, a belligerent State may withdraw from a conflict
and assume the position of a neutral, as in the case of Russia in World War I, following
the 1918 Treaty of Brest-Litovsk with the Central Powers. Finally, although it is
relatively unusual, a State may be a belligerent vis-à-vis certain States but neutral
vis-à-vis others that are allied to those belligerents: during World War II for example,
although the Soviet Union was at war with Germany and Italy in the European theatre
of the war from 1941, legally it remained neutral and at peace in respect of the third
Axis Power, Japan, right up until the last three weeks of hostilities in the Pacific theatre
in 1945.
Temporary neutrality in turn is not to be confused with non-belligerency, which is
the practice certain States have adopted, in specific conflicts, of providing assistance to
one or other of the belligerent parties without becoming directly involved in armed
hostilities; classic examples (all in the context of World War II) include American
economic support and provision of war materiel to Britain under the Lend-Lease
Program20 before America’s entry into the war in December 1941, the very extensive
and wide-ranging forms of practical assistance provided by Ireland to the UK and US
throughout the war (or rather, ‘the Emergency’ – the somewhat Orwellian term coined
by the Irish Government to characterise Ireland’s position of ‘friendly neutrality’
vis-à-vis the Allied Powers),21 and the Spanish provision of volunteer troops – the
famous Blue Division – to fight with the German and other Axis forces, under German
overall command and control, against the Soviet Union on the Eastern Front.
18
Fleck (n 10).
19
At customary international law the generic definition of armed conflict has been
expressed as existing, ‘whenever there is resort to armed force between States or protracted
armed violence between governmental authorities and organized armed groups or between such
groups within a State’: Prosecutor v. Duško Tadić (Decision on the Defence Motion for
Interlocutory Appeal on Jurisdiction) [1995] No ICTY-94-1-A para. 70.
20
An Act to Further Promote the Defense of the United States (Pub L 77–11, H.R. 1776, 55
Stat. 3034, enacted March 11, 1941).
21
See Mervyn O’Driscoll, ‘Keeping Britain sweet: Irish wartime neutrality, political
identity and collective memory’ in E. Grollet, Collective Memory in Ireland and Russia:
Conference Proceedings (Rosspen 2007).

5 / Date: 7/5
(b) Sources
In common with much of the modern law relevant to armed conflict, the rules of
neutrality had their origin in customary international law developed over many
centuries before undergoing a process of codification at the beginning of the twentieth
century. In addition to a substantial body of national judicial decisions, many of them
by British and American courts and relating mostly (though not exclusively) to the
application of neutrality rules in warfare at sea,22 the contemporary law of neutrality is
mainly to be found in two treaties that emerged from the Second International Peace
Conference held at The Hague in 1907, along with one earlier document from the
conclusion of the Crimean War (1853–56). The Paris Declaration Respecting Maritime
Law of 16 April 185623 purported to abolish the ancient practice of privateering and
assure the protection of neutral ships and goods at sea; in 1907, detailed rules
regulating the presence and activities of belligerent warships in neutral ports and
territorial waters were laid down in the Hague Convention (XIII) concerning the Rights
and Duties of Neutral Powers in Naval War.24 Extensive equivalent rules for the land
domain in hostilities were stipulated in the Hague Convention (V) Respecting the
Rights and Duties of Neutral Powers and Persons in Case of War on Land25 and have
also in recent years been restated with considerably more modern language and
concepts – albeit not in the internationally binding form of a treaty – for both the
maritime26 and air27 domains of warfare. Notwithstanding the relative antiquity of the
Hague Conventions V and XIII, it was already generally considered at the time of their
adoption that they were declaratory of customary international law;28 that being the
22
For examples, see Leslie C. Green, The Contemporary Law of Armed Conflict (3rd edn.,
Manchester University Press 2008) 302–4.
23
Declaration Respecting Maritime Law (16 April 1856) British State Papers 155–158 vol
LXI.
24
Convention (XIII) concerning the Rights and Duties of Neutral Powers in Naval War
(adopted 18 October 1907, entered into force 26 January 1910).
25
Ibid.
26
Louise Doswald-Beck (ed.), San Remo Manual on International Law Applicable to
Armed Conflicts at Sea (CUP 1995).
27
Harvard Program on Humanitarian Policy and Conflict Research, Manual on Inter-
national Law Applicable to Air and Missile Warfare (Harvard University 15 May 2009) Section
X Rules 165–75 [Harvard Manual] <http://www.ihlresearch.org/amw/manual/> accessed 27
September 2014. Certain provisions of an earlier unratified instrument had previously addressed
aspects of neutrality in respect of the air domain: see The Hague Rules concerning the Control
of Wireless Telegraphy in Time of War and Air Warfare, Part II: Rules of Aerial Warfare (Cmd
2201) House of Commons Sessional Papers, Miscellaneous no. 14 (1924) vol XXVII 1031–76.
Whereas the Hague Rules were neither adopted nor ratified as a treaty although it was originally
hoped that they might attain that legal status, the Harvard Manual does not purport to be a treaty
at all. Although the legal value of these documents might therefore appear questionable, to the
extent that they mirror rules found in the treaties on land and maritime warfare or restate
otherwise pre-existing rules, they may be said to represent customary international law.
28
Adam Roberts & Richard Guelff (eds.), Documents on the Laws of War (3rd edn., OUP
2000) 85 and 127.

6 / Date: 7/5
case, and as they remain in force for the State parties,29 their provisions would be of
general applicability in the event of neutrality law being invoked in an international
armed conflict today. Some of the other Hague Conventions adopted in 1907 also touch
on the subject of neutrality, namely Convention (VIII) Relative to the Laying of
Automatic Submarine Contact Mines30 and Convention (XI) Relative to Certain
Restrictions with Regard to the Exercise of the Right of Capture in Naval War,31 and
certain relevant rules are also restated in the military manuals of various States,32
thereby providing further evidence of their customary law status.
With the exception of the modern restatements mentioned – which are not treaties as
such anyway and of which only the Harvard Manual can really be said to belong to the
cyber age – it will be noted that the treaty instruments and the customary rules which
they largely codify are of considerable antiquity; they pre-date even the invention of
computers, let alone the concept of cyber warfare. It has become something of a truism
to make the point that there is no lex specialis in international law specifically
governing activities in cyberspace: the treaties are too old, and State practice – what
little of it that may have been identified to date – is so fragmented and inconsistent that
it is difficult to speak of customary lex lata in this area.33 However, there are two
international documents that make express reference to neutrality in armed conflict and
are applicable, by analogy in the one case and expressly in the other, to cyber war;
these are, respectively, the Hague Rules for the Control of Radio in Time of War,34 and
the Tallinn Manual on the International Law Applicable to Cyber Warfare, Prepared by
the International Group of Experts at the Invitation of the NATO Cooperative Cyber
Defence Centre of Excellence.35 Again, a note of caution is necessary as to their
normative status: the Hague Rules were never opened for signature and ratification as a
binding treaty, while the Tallinn Manual is the work of individuals not purporting to
express the official opinions of any States or organisations;36 technically, therefore,
neither document is legally binding per se. In the case of the Hague Rules, it is not
entirely clear from the General Report of the Commission of Jurists to Consider and
Report upon the Revision of the Rules of Warfare precisely which (if any) provisions of
the rules in Part I were already considered to be customary international law; in many
cases, inevitably in light of the relatively recent development of radio technology at the
time, the rules were derived from conventions which themselves were of comparatively
29
There are 33 State parties to Convention V, and 29 to Convention XIII: see International
Committee of the Red Cross, ‘Treaties and State Parties to Such Treaties’ <http://www.icrc.org/
ihl> accessed 28 September 2014.
30
Declaration Respecting Maritime Law (n 22) art 4.
31
Ibid. 167–74 arts 1, 2 and 5.
32
E.g. Fleck (n 10), which incorporates the 1992 German Joint Services Regulations (ZDv
15/2); UK Ministry of Defence, The Manual of the Law of Armed Conflict (OUP 2004); US
Department of the Navy et al., The Commander’s Handbook on the Law of Naval Operations,
NWP 1–14M (ed July 2007).
33
But see below, text accompanying Tallinn Manual (n 35) rule 5.
34
The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and Air
Warfare, Part I: Rules for the Control of Radio in Time of War (n 27) 1021–30.
35
Michael N. Schmitt (ed.) (CUP 2013) [Tallinn Manual].
36
Ibid. 9–10.

7 / Date: 25/3
recent origin.37 The Tallinn Manual is arguably going to be of greater normative value
since it is grounded in the acknowledged existing law, which it seeks to extend to cyber
conflict:
The International Group of Experts was unanimous in its estimation that both the jus ad
bellum and jus in bello apply to cyber operations. Its task was to determine how such law
applied, and to identify any cyber-unique aspects thereof. The Rules set forth in the Tallinn
Manual accordingly reflect consensus among the Experts as to the applicable lex lata, that is,
the law currently governing cyber conflict.38
Rules 91–95 of the Tallinn Manual directly deal with the issue of neutrality in cyber
operations, as will be discussed below.
(c) Substance
Without going into every particular of the general laws of neutrality, for present
purposes, their essential principles may be said to be the ‘two pillars’ of non-
participation and non-discrimination;39 the first principle entails specific rights and
duties for both neutral and belligerent States, while the second is applicable only in
respect of certain actions of neutral States.
Non-participation means that, on the one hand, the territorial sovereignty of a neutral
State must not be violated by any belligerents, while on the other hand, a neutral State
is not allowed actively to participate in armed hostilities or to allow such participation
from its territory. The rule regarding inviolability of territorial sovereignty differs
between the land and maritime domains: whereas the land territory of neutral States is
absolutely inviolable,40 the mere presence of belligerent warships in neutral territorial
waters is not per se unlawful as long as they abstain from ‘[a]ny act of hostility’,41 and
in the decades since 1907 the general international law of the sea has additionally
recognised a right of transit through neutral international straits and archipelagic sea
lanes (in addition to the long-standing customary right of ‘innocent passage’), which
the modern law of armed conflicts at sea expressly preserves.42 Air operations are
correspondingly regulated, according to whether they take place over land or sea:43 for
example, the British dropping of propaganda leaflets over the city of Rome during
World War II elicited a diplomatic protest from Pope Pius XII, who considered the fact
that some of them fell to earth within the precincts of the Vatican to be a breach of the
37
See The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and
Air Warfare, Part II: Rules of Aerial Warfare (n 26) 1021–22.
38
39
Dinstein (n 9) 24.
40
HC V, art 1.
41
HC XIII, arts 1 and 2. Belligerent warships may remain in neutral ports for necessary
repair of battle or storm damage; thus, the German pocket battleship Admiral Graf Spee’s
sojourn in Montevideo harbour after the Battle of the River Plate in 1939 fully respected
Uruguayan neutrality (see also ibid. arts 12–14).
42
See Doswald-Beck (n 26) §§ 23–33.
43
See Harvard Manual (n 27) rules 167(a), 170(a) and 172(a)(ii).

8 / Date: 25/3
Holy See’s neutrality.44 While belligerent powers may not violate neutral territory by
moving troops or military convoys across,45 erecting communications installations on,46
or forming combatant forces in such territory,47 neutral powers are themselves under a
positive duty not to permit such actions to take place within their territory.48 The
corresponding duty of the neutral State in maritime warfare is inevitably less extensive
in view of the permitted presence of belligerent warships in neutral ports and waters,
although it does include the special obligation to prevent the fitting out, arming or
departure of any vessel intended for hostile operations.49
While it is self-evident that neutral States must not participate in hostilities, their
duty of non-discrimination is perhaps less well-known; it requires such States to apply
with complete impartiality, as between the belligerents, certain specific restrictions and
prohibitions. For example, ‘the conditions, restrictions, or prohibitions made by [a
neutral power] in regard to the admission into its ports, roadsteads, or territorial waters,
of belligerent war-ships [sic] or of their prizes’ must be applied impartially to both
sides in a conflict at sea.50 Although by the time of World War II it was generally
understood that the internment of belligerent aircraft and their aircrews shot or forced
down over any neutral State’s airspace was to be applied impartially,51 the Irish practice
of instructing Allied aircrew to report that their flight was on non-combatant duty (so
that they could quietly be sent across the border to Northern Ireland) whilst insisting on
the internment of all German aircraft and aircrew, became a matter of some notoriety.52
Such attitudes, as mentioned above, effectively amount to non-belligerency – also
sometimes referred to as ‘qualified neutrality’ – but still have in common with strict
observance of neutrality the avoidance of active participation in armed hostilities. The
same is true of the requirement that neutral States not give assistance to the parties to
a conflict: this does not extend to a prohibition on selling ‘arms, munitions of war, or,
in general … anything which can be of use to an army or a fleet’53 and the duty of
non-discrimination does not mean that such sales must be extended equally to both
44
See Owen Chadwick, Britain and the Vatican during the Second World War (CUP 1986)
222.
45
HC V, art 2.
46
Ibid. art 3. For the equivalent provision in respect of maritime warfare, see HC XIII,
art 5.
47
HC V, art 4.
48
Ibid. art 5.
49
HC XIII, art 8. This codified the customary law position that had been argued
successfully by the US in its post-Civil War proceedings against Great Britain for the latter’s
failure to prevent the construction in, and departure from, its ports of Confederate commerce
raiders such as the CSS Alabama and CSS Florida: see John B. Moore, History and Digest of the
International Arbitrations to Which the United States Has Been a Party (vol I, Government
Printing Office 1898) ch XIV 495–682 and 653–9; Tom Bingham, ‘The Alabama Claims
Arbitration’ (2005) 54 I.C.L.Q 1.
50
HC XIII, art 9.
51
See The Hague Rules concerning the Control of Wireless Telegraphy in Time of War and
Air Warfare, Part II: Rules of Aerial Warfare (n 26) art 42, and commentary at 1054–55.
52
See O’Driscoll (n 20) 12–14.
53
HC V, art 7.

9 / Date: 8/5
sides in a conflict,54 although if a neutral State decides to ban such exports, it must do
so on a non-discriminatory basis.
On a more general level, it has long been accepted that neutral States are absolutely
entitled to defend their territorial sovereignty against any and all infringements by
belligerent forces, but the fact that a State may do so in accordance with the right of
self-defence as a matter of the jus ad bellum does not turn it into a belligerent and
cannot be regarded as a hostile or wrongful act under international law.55 Conversely, if
a neutral State is unwilling or unable to prevent the use of its territory for hostile
operations against a belligerent (a failure which comes within the definition of
aggression in customary international law),56 the latter may be entitled to use force in
self-defence against hostile forces in the neutral State, subject to the normal rules of the
jus ad bellum.
Finally, the effect of the advent of the UN Charter regime (as regards the legality of
the use of force) on the traditional law of neutrality should be noted. As Vagts has
remarked, ‘war and neutrality were both thought rendered obsolete by the coming of
the United Nations and its regime of collective security. That is not quite accurate’.57
The Charter undoubtedly has significance for neutrality in that it requires all Member
States of the UN, on the one hand, to co-operate with collective security enforcement
measures mandated by the Security Council under Chapter VII of the Charter,58 and on
the other hand, to refrain from rendering any assistance to States that are the object of
such enforcement measures.59 The former obligation might suggest that there is no
scope for a State to remain neutral stricto sensu, once the Security Council has ordered
enforcement measures against another State,60 while the latter obligation could imply
the abandonment of impartiality in the provision of any ‘arms, munitions of war, or …
anything which can be of use to an army or a fleet’.61 However, State practice since
1945 has indicated that the traditional law of neutrality continues to be invoked by
States, Chapter VII of the Charter notwithstanding. The Korean War (1950–53) saw
ambivalent stances and contradictory behaviour by several States,62 not least the
54
See below, (n 60).
55
See HC V, art 10; HC XIII, art 26.
56
UNGA Res 3314 (XXIX) (14 December 1974) Annex – Definition of Aggression art 3(f).
Note, however, that this requires the territory to have been ‘placed at the disposal of another
State’: absent such consent – as, for example, in the case of a failed State or one without an
effective government in control of the territory – it is not likely that aggression would be
imputed to the neutral State itself.
57
Vagts (n 6) 84.
58
UN Charter arts 2(5), 25 and 49.
59
Ibid. art 2(5).
60
In support of this view, see Christian Lanz, ‘Is neutrality an appropriate instrument for
domestic security? A European perspective’ (2005) 17 Information & Security 41–9 and 42–3.
61
HC V, art 7. The requirement to comply with an arms embargo at the direction of the
Security Council under art 41 of the Charter, for example, would negate this obligation for
neutral States: see Vagts (n 6) 89.
62
E.g. Operation TP Stole, a Central Intelligence Agency-masterminded takeover of a
Norwegian ship chartered by the Communist Chinese to take Indian medical supplies to North
Korea (Norway and India both proclaimed their neutrality in the Korean War): see Paul M.

10 / Date: 7/5
People’s Republic of China, which steadfastly insisted that it was neutral despite the
large-scale combat operations of the ‘Chinese People’s Volunteers’ against the UN
forces whose presence in Korea was mandated by Security Council Resolutions 83 and
84.63 The inconclusiveness of military ground offensives during the Iran-Iraq War
(1980–88) led both belligerents to attack neutral shipping in the Persian Gulf in an
attempt to interdict each other’s oil trade (the so-called ‘Tanker War’), which severely
impeded the right of neutrals to trade with belligerents;64 this, coupled with the overtly
ambivalent attitude adopted by several non-belligerent States in the conflict65 gave rise
to considerable debate as to the relevance and application of the law of maritime
neutrality.66 The Security Council repeatedly condemned all infringements of neutral
States’ territorial waters as well as attacks on neutral shipping,67 which clearly
indicated that the rules of neutrality were deemed to be still applicable; the practice
adopted by certain neutral States of reflagging their merchant vessels for protection by
US and other powerful naval forces – themselves belonging to neutral nations – present
in the Persian Gulf, while not completely uncontroversial, was not viewed as subverting
neutrality law.68
It has been suggested that it was the Security Council’s failure to designate an
aggressor in the Iran-Iraq War that ‘made it possible for other states to assume the
status of traditional neutrality’;69 however, subsequent State practice on point is
extremely limited. During the subsequent crisis and conflict in the Persian Gulf
resulting from the Iraqi invasion of Kuwait (1990–91), the Americans and their
Coalition partners accepted a ‘modified nature of neutrality’ in the situation of
Edwards, Combat Operations of the Korean War: Ground, Air, Sea, Special and Covert
(McFarland and Co. 2010) 165–6.
63
UNSC Res 83 ‘Complaint of aggression upon the Republic of Korea’ (27 June 1950) UN
Doc S/RES/83; UNSC Res 84 ‘Complaint of aggression upon the Republic of Korea’ (7 July
1950) UN Doc S/RES/84. Chinese military participation in the Korean War was characterised by
the General Assembly as aggression: UNGA Res 498(V) (1 February 1951) UN Doc A/RES/498
(V).
64
See A. Gioia and N. Ronzitti, ‘The law of neutrality: Third states’ commercial rights and
duties’ in Iger F. Dekker & Harry G. Post, The Gulf War of 1980–1988: The Iran-Iraq War in
International Legal Perspective (Dordrecht: Martinus Nijhoff Publishers 1992) 221–42. Iraq
expressed the view that neutral merchant ships trading with Iran forfeited their neutral character:
‘Letter dated 20 February 1985 from the Permanent Representative of Iraq to the United Nations
addressed to the Secretary-General’ (20 February 1985) UN Doc S/16972 para. 2.
65
E.g. France supplied arms and military equipment to Iraq only, while the US specifically
denied arms and war materials to Iran only: Gioia & Ronzitti (n 64) 228–9.
66
See, e.g. Francis V. Russo, ‘Neutrality at sea in transition: State practice in the Gulf War
as emerging customary international law’ (1988) 19(5) Ocean Development & Int’l. L. 381;
Boleslaw A. Boczek, ‘Law of warfare at sea and neutrality: Lessons from the Gulf War’ (1989)
20(3) Ocean Development and Int’l. L. 239–71.
67
See Boczek ibid. 260.
68
See Michael H. Armacost, ‘U.S. policy in the Persian Gulf and Kuwaiti reflagging’
(1987) 10(1) Defense Institute of Security Assistance Management J. 11, 14; Margaret G
Wachenfeld, ‘Reflagging Kuwaiti tankers: A U.S. response in the Persian Gulf’ (1988) Duke L.
J. 174–202.
69
Boczek (n 66) 254.

11 / Date: 7/5
enforcement action being taken pursuant to a Security Council mandate:70 the

Jordanian and Iranian proclamations of neutrality were respected, on the understanding
that they were ‘subordinate to [those nations’] obligation as UN members to comply
with UNSC resolutions’; the US asserted that, ‘regardless of assertions of neutrality, all
nations were obligated to avoid hindrance of Coalition operations undertaken pursuant
to, or in conjunction with, UNSC decisions, and to provide whatever assistance
possible’.71 This extended, in the US interpretation, to a requirement for Iran to return
any downed Coalition aircraft and aircrew instead of interning them, as required by
Article 5 of Hague Convention V, and to the permissibility of US entry into neutral
airspace to rescue such aircraft or aircrew, ‘consistent with [US] international obliga-
tions as a belligerent’.72 Further, in respect of neutral States’ trade with Iraq, it was the
US position that, ‘[the UNSC] resolutions modified the obligation of neutral powers to
remain impartial with regard to Coalition UN members’.73
3. THE INTERNATIONAL LAW OF NEUTRALITY IN THE CYBER

CONTEXT
(a) Generalities
It has been clear from the outset that any discussion of neutrality law in the context of
cyber conflict at this point in time must be highly speculative, to say the least. The
normative sources of neutrality law, as briefly discussed above, date from an era when
computers and cyber networks had not even been imagined, and their substance is
heavily reliant on such tangible constructs as territory, territorial waters and airspace
(above both land and the territorial sea). Cyber networks, by their very nature, are
intangible and appear unsusceptible per se to any exercise of national jurisdiction or
sovereignty. As has been colourfully suggested with reference specifically to maritime
neutrality laws, ‘their dispositions with regard to naval passage through neutral waters
and into neutral ports reflect a world in which sweating teams of stokers moved coal
from bunkers to furnaces beneath boilers’.74 Quite apart from the total lack of clearly
accepted lex scripta regulating cyber neutrality, there is also an equally total lack of any
relevant State practice: as far as is known there have been no purely cyber conflicts to
date, and the only armed conflict in which cyber operations were unquestionably
conducted within the context of the conflict has not resulted in any legal determination
of wrongfulness and/or responsibility for such operations. During the South Ossetia
War (2008), both Russian and Georgian media websites were hacked, as well as
70
UNSC Res 678 (29 November 1990) UN Doc S/RES/678.
71
US Department of Defense, ‘Final Report to Congress: Conduct of the Persian Gulf War,
Appendix O – The Role of the Law of War’ (1992) 31 Int’l. L. Materials 615, 638. As examples
of neutral States’ attitudes, Austria and Switzerland both permitted overflights by US military
transport aircraft, whereas India did not: ibid. 640.
72
Ibid. 639.
73
Ibid. 640.
74
Vagts (n 6) 84.

12 / Date: 25/3
Georgian official government websites; neutrality was ostensibly implicated, however,

insofar as it was alleged that Russian hackers inflicted distributed denials of service
(DDOS) on Azerbaijani news websites, while the governments of Estonia and Poland
offered technical assistance by hosting Georgian official websites and sending cyber-
defence advisers to Georgia.75 As far as is known, Azerbaijan never objected to the
putative violations of its neutrality, while Estonia and Poland were not condemned for
their own violations – if indeed their actions amounted to violations. No State
acknowledged responsibility for any hacking or DDOS operations; Russia claimed that
the hacking of Georgian websites was undertaken by ‘patriotic activists’ (or ‘hack-
tivists’) spontaneously and outside any governmental control.76
Nevertheless, in spite of the difficulties, it is submitted that the law of neutrality can,
should, and probably will in due course be applied to cyber conflicts, by interpretative
analogy and in light of the objects and purposes of the law – i.e. protection of the
interests of neutral and belligerent States alike; a similar extension has previously been
foreseen in respect of the use of satellites and other modern communications tech-
nology in outer space.77 Moreover, the references to neutrality in recent manuals and
accompanying commentaries – the Harvard and Tallinn Manuals – unofficial and
non-normative though their legal status may be, as well as in official national military
manuals, clearly indicate that current expert opinion continues to hold a place for
neutrals’ rights and duties in the modern law regulating resort to and conduct of armed
(including cyber) conflict.
(b) Expressly Applicable Rules
As noted in the Tallinn Manual, ‘The International Group of Experts unanimously

agreed that the law of neutrality applied to cyber operations’.78 Indeed, the Experts
assert that:
The global distribution of cyber assets and activities, as well as global dependence on cyber
infrastructure, means that cyber operations of parties to a conflict can easily affect private or
public neutral cyber infrastructure. Accordingly, neutrality is particularly relevant in modern
armed conflict.79
As will be discussed below, the present author believes that there is at least a 50 per
cent probability that this is an accurate assessment of the future for neutrality law in
75
See Noah Shachtman, ‘Estonia, Google Help “Cyberlocked” Georgia (Updated)’, Wired
(8 November 2008) <http://www.wired.com/dangerroom/2008/08/civilge-the-geo/> accessed 27
September 2014; Stephen W. Korns and Joshua E. Kastenberg, ‘Georgia’s cyber left hook’
(2008) XXXVIII(4) Parameters 60–76.
76
See John Markoff, ‘Before the gunfire, cyberattacks’, The New York Times (12 August
2008) <http://www.nytimes.com/2008/08/13/technology/13cyber.html?emand_r=0> accessed 27
September 2014; Paulo Shakarian, Jana Shakarian & Andrew Ruef, Introduction to Cyber-
Warfare: A Multidisciplinary Approach (Syngress 2013) Ch 3.
77
See David L. Willson, ‘An Army view of neutrality in space: Legal options for space
negation’ (2001) 50 Air Force L. Rev. 175, 192–204.
78
Tallinn Manual (n 35) Ch VII para. 1.
79
Ibid. para 3.

13 / Date: 25/3
cyber conflict, notwithstanding the fact that no State has as yet declared neutrality in
any cyber conflict. The Tallinn Manual specifies just five rules of lex lata80 in relation
to cyber neutrality, namely:
+ The prohibition of hostile acts81 by belligerents against neutral cyber infra-

structure;82
+ The prohibition of belligerent cyber operations using infrastructure within neutral
territory;83
+ The duty of a neutral State not to allow belligerent cyber operations ‘from cyber
infrastructure located in its territory or under its exclusive control’;84
+ The right of a belligerent to ‘take such steps, including by cyber operations, as are
necessary’ against a neutral State that fails to prevent belligerent operations in
accordance with Rule 93;85 and
+ The necessity for neutral States to act in a manner compatible with any collective
security enforcement measures ordered by the UN Security Council under
Chapter VII of the UN Charter.86
Rules 91–93 may be characterised as part of the jus in bello and are derived directly
from the relevant Hague Conventions of 1907 – respectively, Article 1 of both HC V
and HC XIII (Rule 91), Articles 2 and 3 of HC V and Articles 2 and 5 of HC XIII
(Rule 92), and Article 5 of HC V (Rule 93). Rules 91 and 92 are basically opposite
sides of the same coin in that they prohibit violations of neutrality, whether directed
against or emanating from neutral cyber infrastructure. Rule 93 reaffirms the duty of
neutral States, where possible, to prevent violations occurring on their territory. These
Rules clearly reflect only the ‘first pillar’ of the traditional law of neutrality: the
principle of non-participation. While this principle thus remains the bedrock of a
contemporary concept of neutrality, the nature of the modern global economy and
international commercial realities, as illustrated by State practice in the Iran-Iraq and
First Gulf Wars discussed above, as well as the inherent practical and technical
80
Each of the first three rules is claimed to represent a norm of customary international law,
as reflected in the Hague Conventions V and XIII. The fourth, as a form of ‘self-help’, is said to
be ‘generally accepted as customary international law’ (Tallinn Manual (n 35) rule 94, para 1);
although little evidence is cited to justify such an assertion, it may be safely assumed that it
would fall within the category of self-defence under the jus ad bellum (cf. UK Ministry of
Defence (n 32) para 1.43(a)). The fifth is derived from a treaty, namely the UN Charter, under art
103 of which customary law rules that are incompatible with a rule contained in the Charter are
superseded by the latter.
81
The Experts note that they chose to use the term ‘exercise of belligerent rights’ as a
synonym for ‘hostile act’ (the principal term which is used in the Hague Conventions); the
preference is explained by reference to the latter term being ‘an operational term of art’,
although the point is not elucidated further: Tallinn Manual (n 35) Ch VII, para. 6. The present
author considers the sense of the term ‘hostile act’ to be clear enough from the context.
82
Ibid. rule 91.
83
Ibid. rule 92.
84
Ibid. rule 93.
85
Ibid. rule 94.
86
Ibid. rule 95.

14 / Date: 25/3
difficulties in the regulation of cyber activity, seem to suggest that the ‘second pillar’ of
non-discrimination may become less important in future applications of neutrality law –
in the cyber context as in more conventional armed conflicts.87
(c) Selected Issues: Jus ad Bellum
Rules 94 and 95 of the Tallinn Manual are concerned with the cyber dimension of
neutrality in respect of the two Charter-based exceptions to the prohibition of the use of
force in international relations: self-defence (although the Manual does not use that
term at this point) and collective security enforcement measures ordered by the
Security Council in the exercise of its Chapter VII powers. Indeed, it is arguable that
the law of neutrality is of very little relevance to the initiation of cyber conflicts except
in these two respects. It is interesting to note, however, that Rule 94 is concerned with
a belligerent’s right to use force, if necessary, to counter cyber violations of a State’s
neutrality – not with a neutral State’s right to defend its neutrality by armed force,
including cyber operations, if necessary. Perhaps it was assumed by the Experts that the
neutral State’s right of self-defence in such circumstances would be so self-evident as
to render discussion unnecessary. Nevertheless, it bears emphasising that, since every
State always has the inherent right to defend its territorial sovereignty and political
independence from attack,88 the Tallinn Manual repeatedly mentions the unlawful use
of cyber infrastructure on a neutral State’s territory, and the Hague Conventions
expressly recognised that a neutral State’s use of force in defence of its rights is not to
be regarded as a hostile or unfriendly act by the belligerent(s) against which such
action is directed,89 by analogy a neutral State clearly would be permitted to defend its
neutrality against cyber violations.
As regards the precise formulation used in Rule 94, it may be noted that it
presupposes knowledge by the neutral State of the violation. However, the notorious
difficulty of tracing – much less of attributing – cyber activity with any great degree of
precision90 may impose an altogether unreasonable burden on the authorities of a
neutral State, even when the principle of due diligence in preventing violations of
international law is taken into account.91 As opined by the International Court of Justice
(ICJ) in the very first contentious case ever submitted to it for adjudication:
87
Although note that the duty of non-discrimination is acknowledged in that any restric-
tions on the use of open, publically accessible networks (e.g. the Internet) must be ‘impartially
applied to all parties to the conflict’: ibid. rule 93, para. 3. This could apply, for instance, in the
context of restricting belligerent Internet traffic from transiting via servers hosted in a neutral
State – a measure which would surely be remarkably difficult to enforce.
88
UN Charter art 51.
89
HC V, art 10; HC XIII, art 26.
90
See Nicholas Tsagourias, ‘Cyber attacks, self-defence and the problem of attribution’
(2012) 17(2) J. Conflict & Sec. L. 229–44, especially at 234.
91
This doctrine, of course, concerns liability of a State for actions of its own official agents;
the position is more complicated where the wrongful acts are committed by non-State actors.
See generally Malcom N. Shaw, International Law (6th edn., CUP 2008) at 785–93.

15 / Date: 25/3
it cannot be concluded from the mere fact of the control exercised by a State over its territory
and waters that that State necessarily knew, or ought to have known, of any unlawful act
perpetrated therein, nor yet that it necessarily knew, or should have known, the authors. This
fact, by itself and apart from other circumstances, neither involves prima facie responsibility
nor shifts the burden of proof.92
It is submitted that this may a fortiori be the case in the cyber context, as in the
situation where an agent of a belligerent State briefly enters the territory of a neutral
State and, while present there, opens a laptop computer and sends an e-mail containing
a virus that infects the military command network of an opposing belligerent, before
leaving neutral territory. All this could occur within a period of 24 hours or less. How
precisely could the neutral State’s authorities reasonably be expected to prevent or
terminate such activity without leaving the door open to an aggrieved belligerent to
take hostile action against the neutral State? The ICJ stated further in the Corfu
Channel Case that in light of a victim State’s frequent inability to furnish direct proof
of facts disclosing responsibility for a breach of international law, ‘[s]uch a State
should be allowed a more liberal recourse to inferences of fact and circumstantial
evidence’.93 The formula adopted by the International Group of Experts in the Tallinn
Manual is consonant with that dictum and would seem to entail a presumption very
much in favour of an ‘aggrieved belligerent’s’ rights, to the detriment of those of a
neutral.
The content of Rule 95 would be of interest in the event of the UN Security Council
ordering action against a delinquent State that was engaging in cyber operations that
were deemed a threat to the peace, breach of the peace or act of aggression, in terms of
Chapter VII of the UN Charter. The suggestion is that in such a situation, it would not
be a breach of a neutral State’s obligations under the law of neutrality for it to
participate in cyber operations ordered by the Council,94 consistent with Article 42 of
the Charter. Presumably, if the Council ordered ‘cyber sanctions’ consistent with Article
41, a neutral State could be called upon to comply with them in accordance with its
duty to accept and carry out Council decisions under Article 25 – which, by virtue of
Article 103, would override any inconsistent obligations arising under neutrality law. In
practice, it remains to be seen how – if at all – neutral States would wish to ‘stand on
their neutrality’, or otherwise, in such situations. The precedents set during the First
Gulf War95 suggest that there will be a divergence of opinion between those States that
wish to insist on maintaining an attitude of neutrality (i.e. those most closely affected
by the enforcement action) and those that are participating in any ‘coalition of the
willing’ authorised by the Security Council. Taking the interconnectivity of the cyber
domain into account, however, and the mutual interdependence that it implies, one may
wonder whether it will not be the case that all ‘heavily wired’ States might not come to
view themselves as being closely affected by any cyber sanctions or cyber enforcement
action.
92
Corfu Channel (United Kingdom v. Albania) (Merits) (Judgment) [1949] ICJ Rep. 4 at
18.
93
Ibid.
94
Tallinn Manual (n 34) rule 95 para. 3.
95
Ibid. text accompanying (nn 69–72).

16 / Date: 7/5
(d) Selected Issues: Jus in Bello
A far larger number of provisions of the law of armed conflict (LOAC) potentially
implicate neutrality in the cyber context than is the case in respect of the rules on the
legality of the use of force by States, and there is a correspondingly greater number of
legal provisions in the Hague Conventions V and XIII, and other ‘musty’ instruments,
that might provide useful analogies for the application of neutrality law in the cyber
age. Of particular interest are the various provisions relating to the construction and use
of communications equipment on neutral territory, and those – even less well-known –
from the Hague Rules for the Control of Radio in Time of War,96 covering radio
stations and apparatus. Although imperfectly fitted to the technology of cyber, these
provisions from the first three decades of the twentieth century, with their focus on
what were then modern means of communication, represent perhaps the closest
analogies in settled international law to the types of issues likely to be encountered by
neutral States in the cyber domain.97 On land, belligerents are forbidden to erect on
neutral territory ‘a wireless telegraphy station or other apparatus for the purpose of
communicating with belligerent forces’,98 or to use for purely military purposes any
such apparatus erected before a conflict if it is not ‘opened for the service of public
messages’.99 There is a duty on neutral States not to allow any of these acts to occur on
their territory,100 but they are not required to forbid or restrict belligerent use of any
telegraph, telephone cables or wireless telegraphy apparatus situated on their territory,
irrespective of whether such devices belong to the State itself, to companies or to
private individuals.101 The erection of ‘wireless telegraphy stations or any apparatus for
the purpose of communicating with the belligerent forces’ is equally forbidden in
neutral ports and territorial waters.102 Special provisions regarding radio stations are
enumerated in the Hague Rules for the Control of Radio in Time of War, although it
must be remembered that this instrument was never formally adopted as a binding
treaty or opened for signature or ratification. The erection or operation, by belligerents
or their agents, of radio stations ‘within neutral jurisdiction’ is stated to be a violation
of neutrality; it is worth noting that this was not limited to conduct by belligerents but
is equally a violation if a neutral State permits it to happen.103 In keeping with similar
provisions in Hague Convention V, neutral States were not required to restrict or
prohibit the use of radio stations within their jurisdiction, except in order to prevent
96
Warfare, Part I: Rules for the Control of Radio in Time of War (n 27) 33.
97
See, generally, Jeffrey T. Kelsey, ‘Hacking into international humanitarian law: The
principles of distinction and neutrality in the age of cyber warfare’ (2008) 106(7) Michigan L.
Rev. 1427, 1441–6.
98
HC V, art 3(a).
99
Ibid. art 3(b).
100
Ibid. art 5.
101
Ibid. art 8.
102
HC XIII, art 5.
103
Warfare, Part I: Rules for the Control of Radio in Time of War (n 27) art 3.

17 / Date: 7/5
transmission of information.104 In a provision of particular interest in the cyber context,

the use of mobile radio stations belonging to belligerents was also addressed: these
were not to be used while within neutral jurisdiction and neutral States were required to
employ ‘the means at their disposal’ to prevent such use;105 and mobile radio stations
belonging to neutrals were not to keep any record of messages received from
belligerent radio stations, ‘unless such messages are addressed to [the neutral stations]
themselves’.106
What are we, some 100 years later in the age of the Internet, to make of these almost
extravagantly archaic provisions, and how – if, indeed, at all – are we to ‘fit’ them to
the possibilities of cyber conflict?107 There are in fact some fairly clear analogies that
can usefully be drawn. Computers undoubtedly form part of cyber infrastructure and
are therefore analogous to wireless telegraphy, for instance; facilities housing net-
worked computers could be considered similar to radio stations; computer viruses,
malware, botnets and other similar tools for cyber war could be likened to means of
warfare within the meaning of LOAC.108 Technicians who operate computer systems on
behalf of belligerents while on neutral territory could be lawful combatants or civilians
directly participating in hostilities, depending on their personal status under LOAC.109
The main emphasis in the Hague Conventions and Rules is on the protection of
neutral territorial sovereignty and jurisdiction on the one hand, and the prohibition of
communications with belligerents on the other. As to the former, it is probable that
jurisdiction will be more significant in the cyber age than territory per se: cyberspace is
not part of any tangible territory – unlike airspace, it cannot even be classified
according to its proximity to land or water110 – so it is difficult to see how the territorial
location of cyber violations can be ascertained (particularly in light of the difficulties of
attribution and as regards the use of mobile infrastructure like laptop computers) other
than by reference to the concept of jurisdiction.111 It was stated more than 30 years ago
in connection with an American attempt to exercise jurisdiction in respect of the export,
by third States, of US-derived technical data to the Soviet Union: ‘Goods and
104
Ibid. art 4.
105
Ibid. art 5.
106
Ibid. art 8.
107
For an elaborate but far from unrealistic example of a possible scenario involving
neutrality in cyber conflict, see Eric T. Jensen, ‘Sovereignty and neutrality in cyber conflict’
(2012) 35 Fordham Int’l. L. J. 815, 816–17.
108
Thus, they could be analogous to ‘munitions of war’, in which case their movement
‘across the territory’ of a neutral State would be forbidden: HC V, art 2.
109
See Tallinn Manual (n 35) rules 25–29.
110
A better analogy for cyberspace in fact would be outer space, which under public
international law is considered res communis – an area which by definition is not capable of
forming part of the territory of any State: see Treaty on Principles Governing the Activities of
States in the Exploration and Use of Outer Space, including the Moon and Other Celestial
Bodies, UN Doc A/RES/2222 (XXI) (19 December 1966) Annex, arts I and II. An appropriate
analogy may also be drawn with the high seas: see George K. Walker, ‘Information warfare and
neutrality’ (2000) 33 Vand. J. of Trans. L. 1079, 1150–6.
111
As to which generally, see Vaughan Lowe & Christopher Staker, ‘Jurisdiction’ in
Malcolm D. Evans (ed.), International Law (3rd edn., OUP 2010) 313.

18 / Date: 7/5
technology do not have any nationality and there are no known rules under inter-
national law for using goods or technology situated abroad as a basis of establishing
jurisdiction over the persons controlling them.’112 On the other hand, 20 years later,
things had moved on enough for criminal jurisdiction to be included in a new treaty
relating to certain aspects of cyber activity.113 We must also bear in mind the very fluid,
intangible nature of the Internet, and the fact that the types of acts which could
constitute violations of cyber neutrality are likely to be transnational in nature: hostile
data could be transmitted from a network in one State and transit the Internet nodes or
hubs of one or more intervening States before arriving at its target. It seems probable
that in the future, States may seek to assert their cyber jurisdiction by reference, not to
a concept of territoriality as emphasised in the Hague Conventions and Rules, but to
one of personality – that is to say, the identity of the person(s) committing a cyber
violation of neutrality may come to be seen as more useful legally than the location
where the act occurs.114 This may be an especially attractive legal possibility when one
considers the ban on forming ‘corps of combatants’ on neutral territory in order ‘to
assist the belligerents’.115 Given the plausible deniability of much State involvement
with malicious activity in cyberspace, and the assertions that so-called ‘patriotic
“hacktivists”’ in Russia were responsible, for example, for DDOS attacks and webpage
defacement in Estonia (2007) and Georgia (2008),116 there could conceivably be scope
for a revival, in the cyber context, of the concept of the levée en masse117 found in the
law of armed conflict.118 Whether ‘hacktivists’ are legally considered civilians directly
participating in hostilities or part of a levée en masse, however, they could arguably fall
within the spirit of the prohibition in Article 4 of HC V.
As to communications with belligerents, this is likely to be of relevance primarily in
the context of cyber espionage,119 an activity which is neither expressly permitted nor
expressly prohibited under public international law; despite the probability that it would
violate the international law of neutrality, it is more likely to be treated as a violation of
national law only, particularly since under LOAC it is defined as occurring in the
112
European Communities: Comments on the U.S. Regulations Concerning Trade with the
U.S.S.R. (1982) 21 International Legal Materials 891, 894.
113
See Convention on Cybercrime (Council of Europe), CETS No. 185, 23 November 2001
(entered into force: 1 July 2004) art 22.
114
For further technical and jurisdictional possibilities, and very interesting discussion, see
Thomas Schultz, ‘Carving up the Internet: Jurisdiction, legal orders and the private/public
international law interface’ (2008) 19 E.J.I.L. 799. See also Tsagourias (Ch 1 of this book).
115
HC V, art 4.
116
See Piret Pernik, ‘Different tactics, same story’ (RKK/CDS blog, 28 March 2014)
<http://blog.icds.ee/article/255/different-tactics-same-story> accessed 27 September 2014.
117
As most recently defined in Geneva Convention (III) Relative to the Treatment of
Prisoners of War of August 12, 1949 (1950) 75 UNTS 135–285, art 4(A)(6). See also Arimatsu
(Ch 15 of this book) and Bannelier-Christakis (Ch 16 of this book).
118
But see Tallinn Manual (n 34) rule 27. The Commentary to a subsequent rule then makes
it clear that the Experts regard ‘hacktivists’ as civilians directly participating in hostilities: ibid.
rule 35 para. 11. See also David Turns, ‘Cyber warfare and the notion of direct participation in
hostilities’ (2012) 17 J. Conflict & Sec. L. 279.
119

19 / Date: 7/5
territory of a party to a conflict (as opposed to a neutral).120 Finally, it may be noted

that the use of infrastructure is not prohibited or necessarily restricted if it is the neutral
State’s own infrastructure:121 so the by analogy use of computers, servers or Internet
Service Providers belonging to a neutral State, on behalf of belligerents, would not be
forbidden. It remains arguable, however, that the use in neutral territory of a laptop
belonging to a belligerent State or one of its nationals in order to assist that belligerent
in active hostilities would be considered a violation of neutrality law.
4. CONCLUSION
In the early stages of World War II the principal concerns of neutral nations were
overwhelmingly to do with the protection of their territorial sovereignty against
violation. They involved such matters as protesting against the shining of searchlights
from British warships into territorial waters at night (in the case of Norway)122 and
ensuring the departure of the damaged German pocket battleship Admiral Graf Spee
from the neutral harbour of Montevideo after the Battle of the River Plate, which itself
had taken place within a neutral exclusion zone unrecognised by the belligerents (in the
case of Uruguay).123 In the early twenty-first century the main equivalent issues of
preoccupation are likely to be routing or transit of cyber attacks via Internet servers,
nodes or other infrastructure located in or owned by neutral States; thus, the territorial
link remains, despite the intangible nature of the domain. Particular questions are likely
to involve the extent of awareness of the neutral State’s authorities about any cyber
infringement of their neutrality; whether those authorities have the ability to prevent
such infringements from occurring; the source and routing of cyber attacks; and to
whom such infringements are attributable. The same principles as were applicable 100
years ago – the Hague Conventions and customary international law – remain
applicable today, by analogy if not directly.
It would not be unreasonable to assume that the ever-greater interconnectedness of
nations’ affairs, economically and politically, and their increasing mutual inter-
dependence, as well as the all-pervasive nature of the Internet and cyber networks and
the increasing evidence of hostile cyber operations – albeit at a low level, short of
armed conflict – may well lead those States that do not wish to become embroiled in
such situations to emphasise and reinforce their adherence to neutrality law; this may
well be so, even in situations where the international community, acting through the
UN Security Council, has clearly designated an aggressor and ordered collective
security enforcement action. It is therefore entirely possible, the lack of recent and
current State practice notwithstanding, that the international law of neutrality may yet
120
Tallinn Manual (n 35) Rule 66, para. 2. The Experts note that such activities conducted
outside enemy-controlled territory are more correctly classified as computer network exploit-
ation or cyber reconnaissance, doctrinal concepts which in no way violate international law:
para. 3.
121
HC V, art 8.
122
See Simpson (n 4) 219.
123
For a summary of the battle, its background and consequences: see Sydney D. Waters,
The Royal New Zealand Navy (Historical Publications Branch 1956) 45–74.

20 / Date: 7/5
undergo its biggest renaissance since those days of neutral waters and searchlights in a
less wired world. As has been suggested, ‘Undeniably, neutrality as a general concept
has as much vitality today as in the pre-Charter era … [the] opportunity for claims of
neutrality … remains large.’124
124
Walker (n 110) 1197.

21 / Date: 25/3
PART V
REGIONAL AND
INTERNATIONAL APPROACHES
TO CYBER SECURITY

1 / Date: 25/3

2 / Date: 25/3
19. Towards EU cybersecurity law: Regulating a new

policy field
Ramses A. Wessel
1. INTRODUCTION
‘For cyberspace to remain open and free, the same norms, principles and values that the
EU upholds offline, should also apply online. Fundamental rights, democracy and
the rule of law need to be protected in cyberspace.’ This argument lies at the heart of
the 2013 Cybersecurity Strategy of the European Union, adopted jointly by the
European Commission and the High Representative of the European Union for Foreign
Affairs and Security Policy, to underline both the internal and external dimensions of
this new policy area.1 Indeed, cybersecurity initiatives are not only developed at the
global level and they prove to relate to many different areas of the EU’s activities.
Apart from the fundamental rights dimension, the EU refers to an obvious economic
element, which relates to the completion of the so-called ‘Digital Single Market’:
citizens need trust and confidence to engage in new connected technologies and to use
e-commerce facilities.2 At the same time, cybersecurity can be said to form part of the
Common Security and Defence Policy (CSDP) which forms the basis for the Union
external security action.3 In December 2013 the European Council (the Heads of State
or Government) decided to develop a EU Cyber Defence Policy Framework to further
implement the new developments in its security and defence policy.4 More generally,
the 2009 Lisbon Treaty endowed the EU with more legal and institutional competences
1
Commission (EC) and High Representative of the European Union for Foreign Affairs and
Security Policy, ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure
Cyberspace’ (joint communication) JOIN(2013) 1 final, 7 February 2013.
2
See also the Commission (EC) 2000/31/EC on certain legal aspects of information society
services, in particular electronic commerce, in the Internal Market [2000] OJ L 178 (Electronic
Commerce Directive), which introduced an Internal Market framework for electronic commerce,
providing legal certainty for business and consumers alike. It established harmonized rules on
issues such as the transparency and information requirements for online service providers,
commercial communications, electronic contracts and limitations of liability of intermediary
service providers.
3
As stated in art 3(5) of the Treaty on European Union (TEU), ‘In its relations with the
wider world, the Union shall uphold and promote its values and interests and contribute to the
protection of its citizens. It shall contribute to […] security […] as well as to the strict
observance and the development of international law, including respect for the principles of the
United Nations Charter.’
4
European Council, ‘European Council conclusions on Common Security and Defence
Policy’ 20 December 2013 <http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/
ec/140214.pdf> accessed 4 April 2015.
403
1 / Date: 25/3
to realise its ambitions as ‘a global actor’5 and to link internal and external security
policies.6
Indeed, EU cybersecurity forms a prime example of an area in which both internal
and external (global as well as bilateral) policies are connected, thus implying a need to
combine different legal competences of the Union. Over the past decade the EU started
to take its first careful steps in formulating and regulating this new policy area, starting
mainly from an ‘outside-in’ perspective in which global security threats triggered
internal policies.7 With the adoption of the 2013 Strategy it aims to bring together the
different earlier initiatives in a comprehensive fashion while pointing to plans for new
legislation,8 which also reflect a wish to act as a global player and a participant in the
formulation of new global rules. It has rightfully been argued that European cyber-
security policy is formulated and implemented in a multi-level and multi-stakeholder
structure,9 in which legislation is connected to both international developments and
domestic implementation in the EU Member States (‘multilevel regulation’10) and
where both public and private actors11 play a role.
While there seems consensus on the proliferation of incidents and risks related to
cybersecurity,12 one of the key problems underlying the EU initiatives is that ‘cyberse-
curity’ as such is not mentioned as a theme – let alone a competence – in the EU
5
Recent publications on this topic include Bart Van Vooren, Steven Blockmans & Jan
Wouters (eds.), The EU’s Role in Global Governance: The Legal Dimension (OUP 2012); Inge
Govaere et al. (eds.), The European Union in the World: Essays in Honour of Marc Maresceau
(Martinus Nijhoff Publishers 2013).
6
Florian Trauner, ‘The internal-external security nexus: more coherence under Lisbon?’ (10
March 2010) 89 EUISS Occasional Paper; as well as Florian Trauner and Helena Carrapico,
‘The external dimension of EU justice and home affairs after the Lisbon Treaty: Analysing the
dynamics of expansion and diversification’ (2012) 17 Eur. Foreign Aff. Rev. 1.
7
See for instance the Commission (EC), ‘The EU Internal Security Strategy in Action: Five
steps towards a more secure Europe’ (Communication) COM (2010) 673 final, 22 November
2010.
8
Initiatives include a Commission proposal for a Directive concerning measures to ensure a
high common level of network and information security (usually referred to as ‘NIS’) across the
Union (EU Document COM (2013)48 final) as well as an earlier proposal for a General Data
Protection Regulation (COM (2012) 11 final) and a Regulation on electronic identification and
trust services for electronic transactions in the EU internal market (COM (2012) 238 final).
9
Annegret Bendiek & Andrew L. Porter, ‘European cyber security policy within a global
multistakeholder structure’ (2013) 2 E.F.A. Rev. 155. This article also provides a good overview
of the wide scope of the actual problems caused by a lack of cybersecurity.
10
See for instance Nupur Chowdhury & Ramses A. Wessel, ‘Conceptualizing multilevel
regulation in the EU: A legal translation of multilevel governance?’ (2012) 18(3) Eur. L. J. 335;
Andreas Føllesdal, Ramses A. Wessel & Jan Wouters (eds.), Multilevel Regulation and the EU:
The Interplay between Global, European and National Normative Processes (Martinus Nijhoff
Publishers 2008).
11
See for instance the European Cyber Security Group (http://www.cybersecuritygroup.eu)
or the European Network for Cyber Security (https://www.encs.eu).
12
See for instance the report by Neil Robinson et al., ‘Data and security breaches and
cyber-security strategies in the EU and its international counterparts’ (European Parliament,
Directorate-General for Internal Policies, Policy Department A: Economic and Scientific Policy,
September 2013); Javier Argomaniz, ‘The European Union policies on the protection of

2 / Date: 25/3
Towards EU cybersecurity law: Regulating a new policy field 405
Treaties. Yet, as noted by the European Commission, cybercrime is ‘by its very nature
cross-border’ and hence ‘proper cross-border arrangements’ are required13 which brings
about the jurisdictional question that also emerges in international law.14 In the EU,
however, the ‘principle of conferral’15 may further complicate things and leaves the
Union with two options: it either connects cybersecurity to existing competences in
other fields, or it uses soft law instruments to stimulate Member States and other
relevant actors to implement parts of the Strategy. As we will see in the present chapter,
the Union aims to do both. Yet, with a view to its limited competences and given the
diverging procedural requirements in the different policy areas (ranging from the
internal market or the Area of Freedom, Security and Justice (AFSJ) to the Union’s
Common Foreign, Security and Defence Policy), it is questionable whether the
demands for consistency and effectiveness (arts 13 and 21 TEU) can be met. At the
same time cybersecurity forms an excellent example of an area in which the different
policy fields of the Union need to be combined (a requirement for horizontal
consistency), and where measures need to be taken at the level of both the EU and the
Member States (calling for vertical consistency).16
This chapter will both assess the existing and emerging internal rules related to
cybersecurity as well as the Union’s contribution to the development of a global
regulatory framework. While other policy areas revealed strong links between internal
and external policies (notably the Union’s Common Commercial Policy,17 or the
development of the AFSJ18) the absence of explicit competences in the area of
infrastructure from terrorist attacks: A critical assessment’ (2013) 1 Intelligence and Security; P.
Cornish, ‘Cyber security and politically, socially and religiously motivated cyber attacks’
(European Parliament/Policy Department External Policies, 2009).
13
Commission (EC), ‘Communication on Critical Information Infrastructure – results and
next steps: the path to global security network’ (Communication) COM (2011) 163 final, 3
December 2011.
14
Cf. J. Joachim Zekoll, ‘Jurisdiction in cyberspace’ in Gunther Handl, Joachim Zekoll &
Peer Zumbansen, Beyond Territoriality – Transnational Legal Authority in an Age of Global-
ization (Martinus Nijhoff Publishers 2012).
15
Art 5(2) TEU: ‘Under the principle of conferral, the Union shall act only within the limits
of the competences conferred upon it by the Member States in the Treaties to attain the
objectives set out therein. Competences not conferred upon the Union in the Treaties remain
with the Member States.’
16
On consistency and coherence see for instance Marise Cremona, ‘Coherence in European
Union foreign relations law’ in Panos Koutrakos (ed.), European Foreign Policy: Legal and
Political Perspectives (Edward Elgar 2011); Christophe Hillion, ‘Tous pour un, un pour tous!
Coherence in the External Relations of the European Union’ in Marise Cremona (ed.),
Developments in EU External Relations Law (OUP 2008).
17
Joris Larik, ‘Much more than trade: The common commercial policy in a global context’
in Malcom Evans and Panos Koutrakos (eds.), Beyond the Established Legal Orders: Policy
Interconnections Between the EU and the Rest of the World (Hart Publishing 2011) 13–45;
Marise Cremona, ‘The external dimension of the Single Market: Building (on) the foundations’
in Catherine Barnard & Joanne Scott (eds.), The Law of the Single European Market: Unpacking
the Premises (Hart Publishing 2002).
18
Jorg Monar, ‘The external dimension of the EU’s area of freedom, security and justice:
Progress, potential and limitations after the Treaty of Lisbon’ (Stockholm: SIEPS Report
2012/1); Ramses A. Wessel, Luisa Marin & Claudio Matera, ‘The external dimension of the

3 / Date: 25/3
cybersecurity may form a reason for the Union to take a route other than the traditional
one based on the ‘in foro interno, in foro externo’ principle.19 Particular attention will
be paid to the question of whether the current fragmentation can be overcome on the
basis of the current treaty regime and some new case-law of the Court of Justice of the
European Union. The focus on cybersecurity is not meant to render other cyberspace
policies of the EU less relevant. While over the years the EU has been engaged in the
regulation of the Internet in a broader sense20 – with co-regulation as an important
dimension21 – the scope of this contribution does not aim to present a comprehensive
overview.
Section 2 will first of all define the relevant concepts and set the institutional stage.
The key adopted policies, including the Cybersecurity Strategy will be introduced in
Section 3. Section 4 will assess the existing legal instruments as well as the question of
their legal basis. This will be done mainly from the perspective of the existing
fragmentation in this area. In turn, this fragmentation will form the basis for an answer
to the question as to whether – under the current treaty regime – it is possible for a
consistent body of EU cybersecurity law to develop (Section 5).
EU’s area of freedom, security and justice’ in Christina Eckes, Theodore Konstadinides (eds.),
Crime within the Area of Freedom, Security and Justice: A European Public Order (CUP 2008)
272; Claudio Matera, ‘The European Union area of freedom, security and justice and the fight
against new security threats. New trends and old constitutional challenges’ in Maurizio Arcaric
& Louis Balmond (eds.), Global Governance and the Challenges of Collective Security
(Editoriale Scientifica 2012) 69–87.
19
This principle refers to the system in which the existence (or sometimes the use) of
internal competences implies the existence of external competences. Hence, once the EU would
be allowed to regulate an issue internally, it would also have the competence to include the same
issue in international agreements concluded with third states. The principle played a prominent
role in the landmark case AETR on the existence of external competences of the European
Community in transport. See John Temple Lang, ‘The ERTA Judgment and the Court’s case-law
on competence and conflict’ (1986) 6(1) Ybk. Eur. L. 183–218; Case 22/70, Commission v
Council (European Road Transport Agreement) (ECLI:EU:C:1971:32).
20
Franz C. Mayer, ‘Europe and the Internet: The Old World and the New Medium’ (2000)
11(1) E.J.I.L. 149. According to the European Commission, the EU’s regulatory role has evolved
over the years, to keep pace with the evolving ICT landscape: introducing rules covering all
electronic communications networks and services ensuring fair access to basic services (phone,
fax, internet, free emergency calls) at affordable prices, for all customers – including people with
disabilities stimulating competition by reducing the dominant position that former national
telecom monopolies used to maintained for certain services, like high-speed internet access. The
rules are applied independently by the authorities in each EU country, with national regulators
coordinating their policies at EU level through forums like the Body of European Regulators for
Electronic Communications (BEREC). See for a summary: ‘Information Technology’ (Euro-
pa.eu) <http://europa.eu/pol/infso/index_en.htm> accessed 4 April 2015. See on the role of the
EU in Internet governance also Commission (EC) ‘Internet governance: the next steps’
(Communication) COM(2009) 277 final, 18 June 2009; as well as the overview of activities by
the Commission on ‘Internet, Online activities and ICT standards’ <http://eur-lex.europa.
eu/summary/chapter/information_society.html?root_default=SUM_1_CODED=31> accessed 4
April 2015.
21
Christopher T. Marsden, Internet Co-Regulation: European Law, Regulatory Governance
and Legitimacy in Cyberspace (CUP 2011).

4 / Date: 8/5
2. DEFINITIONS AND INSTITUTIONS
(a) Defining Cybersecurity and Cybercrime
The title of the present chapter refers to ‘cybersecurity’. Yet, cyberspace policies
usually also include ‘cybercrime’. Indeed, both the broader notion of ‘cybersecurity’
and the criminal activities falling under ‘cybercrime’ form part of the EU’s policies. In
the 2013 EU Strategy they are described as follows:22
Cybersecurity commonly refers to the safeguards and actions that can be used to
protect the cyber domain, both in the civilian and military fields, from those
threats that are associated with or that may harm its interdependent networks and
information infrastructure. Cybersecurity strives to preserve the availability and
integrity of the networks and infrastructure and the confidentiality of the
information contained therein.
Cybercrime commonly refers to a broad range of different criminal activities
where computers and information systems are involved either as a primary tool or
as a primary target. Cybercrime comprises traditional offences (e.g. fraud,
forgery, and identity theft), content-related offences (e.g. on-line distribution of
child pornography or incitement to racial hatred) and offences unique to comput-
ers and information systems (e.g. attacks against information systems, denial of
service and malware).
Hence, while cybersecurity refers to the range of safeguards and actions that can be
used to protect the cyber domain, cybercrime reflects to the actual criminal activities,
thus following the descriptions laid down in the Council of Europe Convention on
cybercrime.23 According to the European Commission, one million people become
victims of Internet crime daily.24 Yet, as we will see, it is difficult, both institutionally
and substantively, to separate the two concepts and, indeed, the two are combined in
the already existing cooperation between the EU and the United States, which can be
said to form a basis for the new and more comprehensive approach foreseen by the EU.
Despite the description of both policy areas by the EU and other actors, the current
definitions have met with some criticism. In 2001 the EU established the position of
European Data Protection Supervisor (EDPS), to make sure that all EU institutions and
bodies respect peoples’ right to privacy when processing their personal data. In its 2013
advisory report on the issue,25 the EDPS notices (with some regret) that some concepts,
22
For other (non-EU) definitions see Ducheine (Ch 10 of this book); Kastner & Mégret (Ch
9 of this book).
23
24
Commission (EC), ‘EU Centre to combat cyber crime and consumer protection in
electronic commerce’ (press release) IP/12/317, 28 March 2012 <http://europa.eu/rapid/
pressReleasesAction.do?reference=IP/12/317> accessed 4 April 2015.
25
The European Data Protection Supervisor, ‘Opinion of the European Data Protection
Supervisor on the Joint Communication of the Commission and of the High Representative of
the European Union for Foreign Affairs and Security Policy on a “Cyber Security Strategy of the

5 / Date: 7/5
such as cyber resilience (adding the element of the ability of a system to recover from
the effects of a security incident to full operational capacity) and cyber defence (related
to increasing the resilience of the communication and information systems supporting
Member States’ defence and national security interests) are not defined in the EU
Strategy or the proposed Directive on NIS. More in general, it noted that:
Although the Communication is a non-binding policy document, it would have been helpful
to define these notions more precisely so that there is a clear common understanding of what
is being referred to and a clear common understanding of the scope of the actions planned in
the Joint Communication. […] From a data protection perspective, the issue of taxonomy is
particularly important since these terms are being used as a justification for certain special
measures which could cause interference with fundamental rights, including the rights to
privacy and data protection.26
Debates on activities in cyberspace also refer to many more phenomena. Where

cybercrime involves offences against property rights of non-State actors (e.g. phishing),
cyber espionage concerns breaches in the databases of State or non-State enterprises by
foreign government agencies, and cyber war involves State attempts to attack another
State via electronic networks.27 Indeed, as we will see it is the relative fuzziness of the
definitions as well as the broad scope of the area that will also make it more difficult to
take new legislative initiatives in the appropriate EU policy fields.
(b) Setting the Institutional Stage
Following the EU-US cooperation in the so-called Working Group on Cyber-Security

and Cyber-Crime (WGCC) established at the EU-US Summit in November 2010,28 the
EU started to set up and further strengthen its own institutional framework to deal with
issues of cybersecurity. Obviously, the existing Institutions continue to form the main
initiators (European Commission) or decision-makers (the European Parliament
together with the Council). At the same time, cybersecurity is an area where organs
involved in decision-making are forced to work together to prevent developing separate
internal security and foreign policies, which has for instance led to joint meetings of
the Political and Security Policy Committee (PSC), the Standing Committee of the
Council on Operational Cooperation on Internal Security (COSI) and the Parliamentary
Committees on Civil Liberties, Justice and Home Affairs (LIBE) and Foreign Affairs
(AFET). It has also been noted that Europol is becoming better situated to support
European Union: an Open, Safe and Secure Cyberspace” and on the Commission proposal for a
Directive concerning measures to ensure a high common level of network and information
security across the Union’ (The European Data Protection Supervisor report) 14 June 2013
<https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Consultation/Opinions/2013/
13-06-14_Cyber_security_EN.pdf> accessed 4 April 2015.
26
The European Data Protection Supervisor report (n 25) points 22–23.
27
Cf. Bendiek & Porter (n 9) 158.
28
Commission (EC), ‘EU-U.S. Summit 20 November 2010, Lisbon – Joint Statement’
MEMO/10/597, 20 November 2010. See also Maria Grazia Porcedda, ‘Transatlantic Approaches
to cyber-security and cybercrime’ in Patryk Pawlak (ed.), ‘The EU-US Security and Justice
Agenda in Action’ (EUISS Chaillot Paper, No. 127, 30 December 2011).

6 / Date: 7/5
transnational police cooperation (through the dissemination of threat assessments and

intelligence), and that Eurojust’s cross-border prosecution of cybercrime, bolstered by
its use of joint investigation teams, represents further progress in international
coordination on intelligence and prosecution.29
An interesting question concerns the role the Court of Justice of the European Union
(CJEU) is allowed to play, also given the essential and decisive role it has played in the
formation of other areas of EU law.30 We will return to this question below in relation
to the question of the appropriate legal basis for the legislation in this area. Given the
fact that cybersecurity covers many aspects (as we have seen ranging from data
protection to network and information security and cyber defence), initiatives will have
to result in strong inter-institutional cooperation. Indeed, the 2013 Cybersecurity
Strategy was issued jointly by the European Commission and the High Representative
for Foreign and Security Policy.
In addition to the involvement of the existing Institutions, a special EU Cybercrime
Centre was established in 2012.31 This centre, named ‘EC3’, is located at one of the
EU’s agencies, Europol in The Hague. EC3 officially commenced its activities on
1 January 2013 with a mandate to tackle the following areas of cybercrime:
a. That committed by organised groups to generate large criminal profits such as

online fraud
b. That which causes serious harm to the victim such as online child sexual
exploitation
c. That which affects critical infrastructure and information systems in the European
Union.
EC3 thus aims to become the focal point in the EU’s fight against cybercrime, through
building operational and analytical capacity for investigations and cooperation with
international partners in the pursuit of an EU free from cybercrime. Yet, for the
development of actual legislation, it is necessary for the European Commission and the
European External Action Service to be involved. For that reason EC3 liaison offices
have been placed at those institutions and to other relevant agencies, including the
European Network and Information Security Agency (ENISA).32 This latter agency
also works to improve cooperation between Member States to implement emergency
response plans, conduct regular emergency drills, and develop a European Information
Sharing and Alert System (EISAS) to guard against attacks on critical infrastructure.33
Overall, however, it is questionable whether this somewhat loose institutional frame-
work will allow the Union to actually regulate the field of cybersecurity.
29
Bendiek & Porter (n 9) 169.
30
On this role of the Court of Justice see Alec Stone Sweet, ‘The European Court of Justice’
in Paul Craig & Gráinne de Búrca (eds.), The Evolution of EU Law (2nd edn., OUP 2011) Ch 6.
31
Council conclusions on the establishment of a European Cybercrime Centre, 3172nd
Justice and Home Affairs Council meeting Luxembourg, 7 and 8 June 2012.
32
Commission Regulation (EC) No 460/2004 establishing the European Network and
Information Security Agency [2004] OJ L 77.
33
‘EISAS’ (ENISA) <http://www.enisa.europa.eu/activities/cert/other-work/eisas_folder>
accessed 4 April 2015.

7 / Date: 7/5
Given the fact that the large majority of network and information systems are
privately owned and operated, the involvement of private actors is essential and
occasionally also institutionalized, as exemplified by the European Public-Private
Partnership for Resilience (EP3R).34
3. EU CYBERSECURITY AND CYBERCRIME POLICIES
(a) Early Policies
The relatively slow acknowledgement of the need to regulate cyberspace is not only
related to the absence of competences on the side of the EU, but also to the early notion
that by its very nature ‘cyberspace’ could and should not be regulated. It could not be
regulated because of the fact that the phenomenon sits uneasily with traditional notions
of territorial jurisdiction and it should not be regulated because ‘regulatory efforts […]
would unduly restrict the great potential of the Internet’.35 Yet, ‘this ‘first generation
thinking’ […] proved to be a fallacy’36 and both the EU and its Member States realized
that ‘if information flows freely, it is because we allow it to do so’.37 Indeed, in the EU,
cybersecurity became an element of existing or new policies in related areas.38 To
mention a few influential documents, in 2001 the Commission issued in the Communi-
cation ‘Network and Information Security: proposal for a European Policy approach,39
updated in 2006 by its Strategy for a Secure Information Society,40 in which the
necessary additional steps are assessed to improve network and information security
(NIS). Key policy documents further include the 2010 Stockholm Programme (and the
subsequent Action Plan by the Commission41), the comprehensive multi-annual (2010-
2014) programme in relation on issues of the Union’s AFSJ’, in which the European
Council called for the promotion of ‘legislation that ensures a very high level of
network security and allows faster reactions in the event of cyber attacks’ (s 4.2.3). In a
34
Launched in 2009. See Commission (EC), ‘Protecting Europe from large scale cyber-
attacks and disruptions: enhancing preparedness, security and resilience’ (Communication)
COM(2009) 149 final, 30 March 2009.
35
Zekoll (n 14) 342–3.
36
Ibid. 343.
37
Horatia M. Watt, ‘Yahoo! cyberspace-collision of cultures: Who regulates’ (2003) 24
Mich. J. Int’l. L. 673, 683. Also quoted in Zekoll ibid. 344.
38
See for the early emergence of a EU policy on cybercrime from the perspective of
comparative federalism (the US, Switzerland): Fernando Mendez, ‘The European Union and
cybercrime: Insights from comparative federalism’ (2005) 12(3) J. of Eur. Pub. Pol’y 509–27.
39
Commission (EC), ‘Network and Information Security: Proposal for A European Policy
Approach’ (Communication) COM(2001) 298 final, 6 June 2001.
40
Commission (EC), ‘A strategy for a Secure Information Society – Dialogue, partnership
and empowerment’ (Communication) COM(2006) 251.
41
Commission (EC), ‘The EU Internal Security Strategy in Action: Five steps towards a
more secure Europe’ (Communication) COM(2010) 673 final, 22 November 2010.

8 / Date: 25/3
special section on cybercrime (s 4.4.4.), it also called upon the Commission and
the Member States to take the initiative for new concrete actions to guarantee
cybersecurity.
In the same year, the European Commission published the Digital Agenda for Europe
(DAE), ‘to deliver sustainable economic and social benefits from a digital single market
based on fast and ultra fast internet and interoperable applications’.42 In section 2.3 a
number of concrete actions were mentioned, including measures aiming at a reinforced
and high level NIS policy, including legislative initiatives such as a modernised ENISA,
and measures allowing faster reactions in the event of cyber attacks, including a
Computer Emergency Response Team (CERT) for the EU institutions; and measures,
including legislative initiatives, to combat cyber attacks against information systems by
2010, and related rules on jurisdiction in cyberspace at European and international
levels by 2013.
Early initiatives also related to consumer protection and jurisdictional issues. Thus,
the 2001 ‘Brussels Regulation’, inter alia, enables consumers to sue at their domicile
(and requires plaintiffs to sue the consumer there) if the defendant (or plaintiff) ‘directs
[its professional or commercial online activities] to that Member State’.43
In relation to international security, the 2003 European Security Strategy did not
refer to cybersecurity, but the 2008 Report on the Implementation of the European
Security Strategy briefly did as it referred to attacks at IT systems ‘as a potential new
economic, political and military weapon’.44
(b) The EU Cybersecurity Strategy
The 2013 Cybersecurity Strategy can be seen as a continuation of the internal and
external policies that have been developed by the EU in the area of Network and
Information Security (NIS), inter alia, resulting in the 2001 Commission Communi-
cation on ‘Network and Information Security: Proposal for a European Policy
Approach’ and the 2006 ‘Strategy for a Secure Information Society’45 – and in the
framework of the EU-US WGCC. Part of the Cybersecurity Strategy is related to
linking core EU values that exist in the ‘physical world’ to the ‘digital world’:
promoting fundamental rights, freedom of expression, personal data and privacy; access
for all; democratic and efficient multi-stakeholder governance; and a shared respons-
ibility to ensure security. Other elements relate to other policy areas of the EU,
including the internal market or defence policy. As the new Strategy forms the key
42
Commission (EC), ‘A Digital Agenda for Europe’ (Communication) COM(2010) 245
final/2, 26 August 2010. See also: ‘Digital Agenda for Europe’ (European Commission)
<http://ec.europa.eu/digital-agenda/> accessed 4 April 2015.
43
Council Regulation (EC) 44/2001 on ‘Jurisdiction and the Recognition and Enforcement
of Judgments in Civil and Commercial Matters’ [2000] OJ L 012. Also referred to in Zekoll
(n 14) 345.
44
Council of the European Union, ‘Report on the Implementation of the European Security
Strategy – Providing Security in a Changing World’ (S407/08, 11 December 2008).
45
See ‘Network and Information Security: Proposal for A European Policy Approach’ (n 39)
and ‘A strategy for a Secure Information Society – Dialogue, partnership and empowerment’
(n 40) respectively.

9 / Date: 7/5
framework for the planned actions and new legislation in the coming years, we will
briefly assess its main points.
As an express legal basis cannot be found in the EU Treaties, the Strategy rightfully
acknowledges that ‘it is predominantly the task of the Member States to deal with
security challenges in cyberspace’. Yet, five strategic priorities are mentioned to
enhance the EU’s overall performance in this area:
(i) Achieving cyber resilience

The idea is that EU action can help in particular to counter cyber risks and threats
having a cross-border dimension, and contribute to a coordinated response in emer-
gency situations. In the Strategy this is linked to both the functioning of the internal
market and the internal security of the EU. This builds on the existing policy on NIS,
which in 2004 resulted in the creation of ENISA.46
Proposals to further regulate this area through new legislation include the establish-
ment of common minimum requirements for NIS at national level; the setting up of
coordinated prevention, detection, mitigation and response mechanisms, enabling
information sharing and mutual assistance amongst national NIS competent authorities;
and the improvement of preparedness and engagement of the private sector. The private
actors would have to report to the national NIS authorities and add to the already
existing voluntary cooperation, which at EU level takes shape in for instance the EP3R.
Although over the years several initiatives have been taken in this area – for instance
by ENISA, Europol, Eurojust and national data protection authorities – it is believed
that continued attention is needed to make end users aware of the risks they face online.
The Strategy mentions several new initiatives to further raise this awareness.
(ii) Drastically reducing cybercrime

Strong and effective legislation is believed to be necessary to tackle cybercrime. The
key international legal instrument at the moment is the Council of Europe Convention
on Cybercrime (the ‘Budapest Convention’). In addition, both the EU and the Member
States have adopted legislation, including a specific Directive on combating the sexual
exploitation of children and child pornography.47 A new Directive on attacks against
information systems was adopted in August 2013.48
The Strategy also notes that currently not all EU Member States have the operational
capability to effectively respond to cybercrime. The Commission will support the
Member States to identify gaps and strengthen their capability to investigate and
combat cybercrime.
46
A new Regulation to strengthen ENISA and modernize its mandate is being negotiated by
the Council and the European Parliament. See Commission (EC), ‘Proposal for a Regulation of
the European Parliament and of the Council Concerning the European Network and Information
Security Agency (ENISA)’ COM (2010) 521, 30 September 2010.
47
European Parliament and Council Directive 2011/93/EU on combating the sexual abuse
and sexual exploitation of children and child pornography, and replacing Council Framework
Decision 2004/68/JHA [2011] OJ L 335/1.
48
European Parliament and Council Directive 2013/40/EU on attacks against information
systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L 218/8.

10 / Date: 25/3
Given the fact that competences are mainly in the hands of Member States, at EU
level the fight against cybercrime will have to take the form of coordination only. In
that respect the Strategy foresees a role for the EU to facilitate bringing together law
enforcement and judicial authorities and public and private stakeholders from the EU
and beyond, for instance by supporting initiatives of the European Cybercrime Centre
(EC3), Europol, Eurojust, and the European Police College (CEPOL).
(iii) Developing cyberdefence policy in the framework of the Common Security

and Defence Policy (CSDP)
While cooperation in the area of security and defence was difficult in the first 50 years
of the EU’s existence, the 2001 Nice Treaty opened up the way to the establishment of
military missions abroad.49 Since 2003 the EU has launched some 30 peace missions
and operations contributing to stabilisation and security in Europe and beyond.
Moreover, CSDP has become an integral part of the EU’s Common Foreign and
Security Policy (CFSP), which in turn is now part of the overall ‘Union’s External
Action’, as laid down in Title V of the current TEU. Yet, it remains important to
remember that the different security policies of the Union have very different origins.
While the current CSDP was developed together with the CFSP within the previously
existing ‘second pillar’ of the EU (with a strong emphasis on intergovernmental
cooperation and coordination), the internal security policies find their basis in either the
‘third pillar’ (on police and judicial cooperation in criminal matters) or in the
provisions defining the Union’s AFSJ. The 2009 Lisbon Treaty may have brought many
policy areas together, but the different origins as well as the still diverging decision-
making rules and procedures explain the absence of an integrated security policy.50
The Cybersecurity Strategy at least has the intention of including defence in the
overall EU security strategy by recognizing that ‘[c]ybersecurity efforts in the EU also
involve the cyber defence dimension’. Even more than other aspects of cybersecurity
however, the defence dimension is very much in the hands of the Member States and
the Strategy merely mentions coordination and dialogue actions at EU (and NATO)
level.
(iv) Develop industrial and technological resources for cybersecurity

The Strategy notes that many of the global leaders providing innovative ICT products
and services are located outside the EU and that this provides a risk that Europe not
only becomes excessively dependent on ICT produced elsewhere, but also on security
solutions developed outside its frontiers.
One of the goals is to establish a single market for cybersecurity products, also to
enhance a more uniform application of security rules. This calls for a Europe-wide
49
See for instance Ramses A. Wessel, ‘The state of affairs in European Security and Defence
Policy: The breakthrough in the Treaty of Nice’ (2003) 8(2) J. Conflict & Sec. L. 265–88;
Ramses A. Wessel, ‘Common Foreign, Security and Defence Policy’ in Dennis M. Patterson
(ed.), Wiley-Blackwell Companion for European Union Law and International Law (Wiley-
Blackwell 2015) (forthcoming); and Panos Koutrakos, The EU Common Security and Defence
Policy (OUP 2013).
50
Peter Van Elsuwege, ‘EU External action after the collapse of the pillar structure: In
search of a new balance between delimitation and consistency’ (2010) 47(4) C.M.L. Rev. 987.

11 / Date: 7/5
market demand for highly secured products, but also for the development of security
standards. Security should be part of the whole supply chain and also be integrated in
Research and Development. The EU funding programs will give specific attention to
this.
(v) Establish a coherent international cyberspace policy for the EU

Finally, cyberspace issues should be ‘mainstreamed’ into the EU’s external relations
and its Common Foreign and Security Policy, meaning that the internal policies should
be an integral part of the Union’s external action. As indicated by the Strategy, ‘The
Commission, the High Representative and the Member States should articulate a
coherent EU international cyberspace policy, which will be aimed at increased
engagement and stronger relations with key international partners and organizations, as
well as with civil society and private sector.’ Specific other international organizations
are mentioned: the Council of Europe, OECD, UN, OSCE, NATO, AU, ASEAN and
OAS; as well as the EU-US Working Group on Cyber-Security and Cyber-Crime
(WGCC).
The enhanced international cooperation should not necessarily lead to new inter-
national legal instruments, but full use should be made of the Budapest Convention
while respecting the legal obligations already enshrined in the existing human rights
treaties.
4. EU CYBERSECURITY LAW
(a) A Fragmentation in Legal Instruments
The fact that cybersecurity as such is not mentioned as a theme in the EU Treaties has
not prevented the EU from being quite active in slowly regulating this policy field. The
last few years in particular have shown some new initiatives. The aim of this section is
not to substantively assess or criticize the proposed and existing legislation,51 but rather
to point to the piecemeal approach taken by the Union as it has to rely on different
legal bases.
51
Criticism is often related to the focus on tackling security threat without a clear attention
for the protection of individual liberties. See for instance studies by NGO’s and others pointing
to weaknesses or dangers in the (upcoming) legislation: Cedric Burton & Anna Pateraki, ‘Status
of the proposed EU Data Protection Regulation: Where do we stand?’ (JD Supra Business
Advisor, 9 February 2013) <http://www.jdsupra.com/legalnews/status-of-the-proposed-eu-data-
protectio-29569/> accessed 4 April 2015. With regard to the role of the European Parliament see
also Aidan Wills & Mathias Vermeulen, ‘Parliamentary Oversight of Security and Intelligence
Agencies in the European Union’ (PE 315.238, Study commissioned by the European Parlia-
ment, 2011): ‘It may seem incredible, but in key strategic documents that have been adopted by
the European Council, the Council and the Commission, the European Parliament apparently is
simply ignored. While such an omission would appear strange before the Treaty of Lisbon, it is
now … all the more inexplicable.’

12 / Date: 7/5
The 2005 Framework Decision on attacks against information systems is probably

one of the first legal instruments adopted by the Union in relation to cybersecurity.52
The main objective of that Decision was to improve cooperation between judicial and
other competent authorities, including the police and other specialized law enforcement
services of the Member States, through approximating rules on criminal law in the
Member States in the area of attacks against information systems. With a view to the
integration of the former Police and Judicial Cooperation in Criminal Matters (PJCC)
in the Union’s AFSJ, in August 2013 this Decision was replaced by the Directive on
attacks against information systems.53 The legal basis of this Directive is Article 83(1)
of the Treaty on the Functioning of the European Union (TFEU), which underlines that
it forms part of the judicial cooperation in criminal matters, currently laid down in that
part of the Treaty. In fact, this is one of the areas where one may find a competence of
the EU to legislate in the area of cybercrime. Article 83(1) TFEU provides:
The European Parliament and the Council may, by means of directives adopted in accordance
with the ordinary legislative procedure, establish minimum rules concerning the definition of
criminal offences and sanctions in the areas of particularly serious crime with a cross-border
dimension resulting from the nature or impact of such offences or from a special need to
combat them on a common basis.
These areas of crime are the following: terrorism, trafficking in human beings and sexual
exploitation of women and children, illicit drug trafficking, illicit arms trafficking, money
laundering, corruption, counterfeiting of means of payment, computer crime and organised
crime.
Judicial cooperation in criminal matters is not the only possible legal basis for
legislative measures in the area of cybersecurity. In February 2013 the Commission
also issued a proposal for a Directive concerning measures to ensure a high common
level of network and information security across the Union.54 According to the
explanatory memorandum:
The aim of this Directive is to ensure a high common level of network and information
security (NIS). This means improving the security of the Internet and the private networks
and information systems underpinning the functioning of our societies and economies. This
will be achieved by requiring the Member States to increase their preparedness and improve
their cooperation with each other, and by requiring operators of critical infrastructures, such
as energy, transport, and key providers of information society services (e-commerce plat-
forms, social networks, etc), as well as public administrations to adopt appropriate steps to
manage security risks and report serious incidents to the national competent authorities.
This time, however, the Commission uses economic rather than security arguments and
opts for the functioning of the internal market as the legal basis, arguing that under
52
Council (EC) Framework Decision 2005/222/JHA on attacks against information systems
[2005] OJ L 69.
53
Ibid.
54
Commission (EC), ‘Proposal for a Directive of the European Parliament and of the
Council concerning measures to ensure a high common level of network and information
security across the Union’ COM(2013) 48 final (7 February 2013).

13 / Date: 25/3
Article 114 TFEU, the EU can adopt ‘measures for the approximation of the provisions
laid down by law, regulation or administrative action in Member States which have as
their object the establishment and functioning of the internal market’.
Network and information systems play an essential role in facilitating the cross-border
movement of goods, services and people. They are often interconnected, and the internet is
global in nature. Given this intrinsic transnational dimension, a disruption in one Member
State can also affect other Member States and the EU as a whole. The resilience and stability
of network and information systems is therefore essential to the smooth functioning of the
Internal Market. […] The disparities resulting from uneven NIS national capabilities, policies
and level of protection across the Member States lead to barriers to the Internal Market and
justify EU action.55
Concerning the question of whether ultimately the internal market forms the ‘centre of
gravity’ in the set of objectives behind the network and information security (see the
legal basis discussion below), substantively, the Directive indeed aims at establishing a
cooperative network mechanism for information exchange and at creating binding
obligations for key providers of information society services, as well as public
administrations to adopt appropriate steps to manage security risks and report serious
incidents to the national competent authorities.
Enhancing trust in the internal market is also pursued by the proposal for a
Regulation on electronic identification and trust services for electronic transactions in
the EU internal market.56 This proposal is also based on Article 114 TFEU, which
concerns the adoption of rules to remove existing barriers to the functioning of the
internal market.
That cybersecurity is not just related to the AFSJ or to the internal market is
underlined by the proposal for a General Data Protection Regulation.57 Again a
completely different legal basis is used as the proposal is based on Article 16 TFEU,
which is the new legal basis for the adoption of data protection rules introduced by the
Lisbon Treaty. This provision allows for the adoption of rules relating to the protection
of individuals with regard to the processing of personal data by Member States when
carrying out activities which fall within the scope of Union law. It also allows the
adoption of rules relating to the free movement of personal data, including personal
data processed by Member States or private parties. Currently, personal data protection
is regulated mainly by the 1995 Directive 95/46/EC3, with two objectives in mind: to
protect the fundamental right to data protection and to guarantee the free flow of
personal data between Member States. It was complemented by Framework Decision
2008/977/JHA as a general instrument at Union level for the protection of personal data
in the areas of police cooperation and judicial cooperation in criminal matters.
55
Ibid. Explanatory memorandum.
56
Commission (EC), ‘Proposal for a Regulation of the European Parliament and of the
Council on electronic identification and trust services for electronic transactions in the EU
internal market’ COM (2012) 238 final, 4 June 2012.
57
Commission (EC), ‘Proposal for a Directive of the European Parliament and of the
Council on the protection of individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final, 25
January 2012.

14 / Date: 25/3
According to the explanatory memorandum:
Rapid technological developments have brought new challenges for the protection of personal
data. The scale of data sharing and collecting has increased dramatically. Technology allows
both private companies and public authorities to make use of personal data on an
unprecedented scale in order to pursue their activities. Individuals increasingly make personal
information available publicly and globally. Technology has transformed both the economy
and social life.
The aim of the new Regulation therefore is to prevent ‘fragmentation in the way
personal data protection is implemented across the Union, legal uncertainty and a
widespread public perception that there are significant risks associated notably with
online activity.’ This also explains the choice for a Regulation (that would be directly
applicable in all EU Member States) over a Directive (on the basis of which it would be
more difficult to coherent data protection framework that can also be enforced).
Decision-making on the proposal is being followed closely by multinational companies,
nongovernmental organisations, academics, and foreign governments as the new
Regulation will have global implications. It is believed to serve as a model for other
regions of the world and have extraterritorial effects on data controllers located outside
the EU.58
The Cybersecurity Strategy also mentions one particular field of cooperation related
to the so-called ‘solidarity clause’ laid down in Article 222 TFEU.59 On the basis of
that provision
The Union and its Member States shall act jointly in a spirit of solidarity if a Member State
is the object of a terrorist attack or the victim of a natural or man-made disaster. The Union
shall mobilise all the instruments at its disposal, including the military resources made
available by the Member States, to:
(a) + prevent the terrorist threat in the territory of the Member States;
+ protect democratic institutions and the civilian population from any terrorist attack;
+ assist a Member State in its territory, at the request of its political authorities, in the
event of a terrorist attack;
(b) assist a Member State in its territory, at the request of its political authorities, in the
event of a natural or man-made disaster.
Indeed, cybersecurity is not mentioned explicitly. Yet, it easily fits under some of the
headings. In a 2012 Resolution, the European Parliament even explicitly mentioned
cybersecurity as falling within the scope of the solidarity clause: it called for ‘an
adequate balance between flexibility and consistency as regards the types of attacks and
disasters for which the clause may be triggered, so as to ensure that no significant
threats, such as attacks in cyberspace, pandemics, or energy shortages, are overlooked
[…]’.60 In fact, the European Parliament even went a step further and also mentioned
58
Burton & Pateraki (n 51).
59
See for instance Malcolm Ross & Yuri Borgmann-Prebil (eds.), Promoting Solidarity in
the European Union (OUP 2010).
60
European Parliament resolution 2012/2223(INI) on the EU’s mutual defence and solidar-
ity clauses: political and operational dimensions [2012] para. 20.

15 / Date: 25/3
cyberattacks as a reason to invoke the so-called ‘mutual defence clause’ laid down in
Article 42(7) TEU, containing a provision comparable to Article 5 of the NATO Treaty:
If a Member State is the victim of armed aggression on its territory, the other Member States
shall have towards it an obligation of aid and assistance by all the means in their power, in
accordance with Article 51 of the United Nations Charter. This shall not prejudice the specific
character of the security and defence policy of certain Member States.
The European Parliament took the view;
that even non-armed attacks, for instance cyberattacks against critical infrastructure, that are
launched with the aim of causing severe damage and disruption to a Member State and are
identified as coming from an external entity could qualify for being covered by the clause, if
the Member State’s security is significantly threatened by its consequences, while fully
respecting the principle of proportionality […].61
While in the case of the solidarity clause it may be argued that there needs to be a link
with ‘terrorism’, the mutual defence clause refers to ‘armed aggression’, which in
international law terms may rule out certain cyber attacks.62 Hence, in both cases the
application of the clauses to situations of cybersecurity is not always obvious. In
practice, however, invoking a solidarity or a mutual defence clause will most probably
be driven more by political incentives than by legal doctrinal analysis.
While large parts of the debates still pertain to internal EU competences and to the
Union’s struggle to regulate the Internet in the territory of its Member States,63 the
discussion on cyberattacks underlines the need for global approaches as well. When
‘the next war will begin in cyberspace’,64 calls for a multilateral cyber warfare treaty
are understandable.65 In the EU’s external relations, the main guiding legal document is
the already mentioned Council of Europe Convention on Cybercrime (Budapest
Convention).66 Currently, this the only binding international instrument on this issue. It
serves as a guideline for any country developing comprehensive national legislation
against cybercrime and as a framework for international cooperation between the,
currently, 41 parties to this treaty. The Convention is also open to states that are not a
member of the Council of Europe and the list of signatories includes Australia,
Dominican Republic, Japan and the US. While the EU Member States are a party to the
Convention, the EU as such is not. Yet, it participates in the Cybercrime Convention
61
European Parliament resolution 2012/2223(INI) (n 60) para. 13. This view is not normally
held by international lawyers.
62
See for examples of cyber attacks Alexander Klimburg & Heli Tirmaa-Klaar, ‘Cyber
Security and Cyber Power: Concepts, Conditions and Capabilities for Cooperation for Action
within the EU’ (PE 433 828, study commissioned by the European Parliament, April 2011).
63
Mayer (n 20).
64
Gen. Keith B. Alexander, upon accepting the post to lead the first United States
Cyber-Command (USCYBERCOM). Quoted by Rex Hughes, ‘A Treaty for Cyberspace’ (2010)
86(2) Int’l. Affairs 523.
65
Ibid.
66
Convention on Cybercrime (n 23). Cf. also Mike Keyser, ‘The Council of Europe
Convention on Cybercrime’ (2003) 12(2) J. Transnat’l L. & Pol’y 287.

16 / Date: 25/3
Committee (T-CY). Despite the fact that the Convention in its current version refers to
participating ‘states’ only, a further development of the EU’s activities in relation to
cybercrime may call for an intensified involvement of the EU in this area. Yet, at this
stage it would be difficult to find a legal basis for full participation as the EU Treaties
do not deal with cybercrime as such and the Union’s activities so far are mainly of a
coordinating nature.
Most importantly, perhaps, is the notion mentioned in the Cybersecurity Strategy to
mainstream cyberspace issues into EU external relations. When successful, this will
allow the EU to link its internal policy initiatives and legislation to its external action,
also in the area of foreign and security policy. Yet, as we have seen, the different
legislative initiatives are based on legal provisions located in different parts of the
treaties, with different rules being applicable. While linking security issues to the
internal market may offer possibilities for the EU to legislate cybersecurity domestic-
ally, it has always proved to be difficult to do the same externally. Connecting security
and international trade has seldom led to a coherent external policy.67 In his Opinion in
the so-called Mauritius case, AG Bot underlined the need for a link between internal
policies and foreign policy objectives to allow for a correct use of the Union’s CFSP to
serve as a legal basis. At the same time, as he pointed out, ‘Agreements under the CFSP
may include purely incidental aspects of other Union policies where these are so
limited in scope that they do not justify an additional legal basis.’68 Yet – as further
elaborated below – more intensive combinations of policy areas remain difficult due the
varying procedural rules for different policy areas and the division of competences
between the Union and its Member States. The question is to what extent the resulting
piecemeal approach will result in a consistent body of EU cybersecurity law. Apart
from the question of the correct legal basis (see below), it is also difficult in practice to
separate internal and external dimensions. As observed by Bendiek and Porter:
The distinct separation between domestic and foreign policy in European security policy
compromises the EU’s ability to respond to cyber attacks. Not only may Internet-based
attacks on critical infrastructure originate in Ghana, Russia or elsewhere, but also often it is
difficult (if not impossible) to identify the source of the attack. […] An appropriate response
to such an attack requires cross-border cooperation between authorities. It is here that the
current division of responsibilities between civil defence, military defence, and law enforce-
ment falters.69
(b) The Choice of Legal Basis and the Role of the Court of Justice
An assessment of the existing legal instruments thus leads to a fragmented picture of

existing EU cybersecurity law. Like any other international organization, the EU’s
competences are defined by the principle of conferral (or ‘attribution’; see above), not
only implying that for each and every decision a legal basis should be available in the
67
See Fabienne Bossuyt, Lotte Drieghe & Jan Orbie, ‘Living apart together: EU compre-
hensive security from a trade perspective’ (2013) 18(4) E.F.A. Rev. 63.
68
Case C-658/11 European Parliament v Council of the European Union (ECLI:EU:C:
2014:41), para. 25.
69
Bendiek & Porter (n 9) 156–7.

17 / Date: 7/5
treaties or in secondary legislation (thereby defining the possible scope of EU action),

but also that competences in one policy area cannot be stretched so as to cover other
areas. In EU law the legal basis chosen for a particular legal instrument defines the role
and involvement of the Institutions (e.g. a necessary initiative by the Commission, or
the degree of involvement of the European Parliament), the decision-making procedure
(a ‘legislative procedure’ or not) and the voting rules in the Council (majority voting or
unanimity). Hence, the choice not only has legal consequences, but also politically
defines the role of the Institutions and the influence of the Member States.70 In areas in
which the treaties have left many or most powers in the hands of the Member States,
the latter will be keen not to allow the Commission to engage in ‘competence-creep’
through the backdoor. The CJEU often plays the role of the ultimate arbiter in quarrels
between the Institutions or between the Member States and the Institutions. As we have
seen, a body of cybersecurity law seems to be developing on the basis of diverging
legal bases, ranging from the Internal Market or the AFSJ to the CSDP. It therefore
forms an obvious source for legal (and connected political) conflict between the
Institutions and the EU Member States. The problem the Court is facing is that many
terms (such as ‘foreign’, ‘security’, or ‘defence’) are not easily defined. At the same
time, ‘The Union shall ensure consistency between the different areas of its external
action and between these and its other policies’ (art 21(3) TEU) and it has been argued
that the principle of consistency is principle enforceable before the CJEU, irrespective
of whether or not EU Institutions are operating within the CFSP context.71 This section
aims to address some of the legal questions connected to the choice of the legal basis
(and hence the competence of the EU to regulate the field) and the role of the Court.
The starting point is that the Court has jurisdiction in most areas of EU law. This
jurisdiction, inter alia, relates to its competence to answer questions coming from
national judges using the so-called preliminary procedure (art 267 TFEU) and to its
power to annul decisions taken by the Institutions on the basis of a claim by another
EU Institution or a Member State, or – under more strict conditions – by and individual
(art 263 TFEU).72 In relation to the Union’s Foreign, Security and Defence Policy the
Court’s role is different and limited to a number of specific situations.73 Yet, the Lisbon
70
Cf. Panos Koutrakos, ‘Legal Basis and Delimitation of Competence in EU External
Relations’ in Marise Cremona & Bruno de Witte (eds.), EU Foreign Relations Law: Constitu-
tional Fundamentals (Hart Publishing 2008) 171-198.
71
See Christophe Hillion, ‘A powerless Court? The European Court of Justice and the
common foreign and security policy’ in Marise Cremona & Anne Thies (eds.), The ECJ and
External Relations: Constitutional Challenges (Hart Publishing 2014); cf. also on the role of
principles in relation to the Court’s jurisdiction: Thomas Horsley, ‘Reflections on the role of the
Court of Justice as the motor of European integration: Legal limits to judicial lawmaking’ (2013)
50(4) C.M.L. Rev. 931.
72
See Stone Sweet (n 30).
73
See role of the Court in CFSP for instance: Stefan Griller, ‘The Court of Justice and the
Common Foreign and Security Policy’ in A. Rosas, E. Levits & Y. Bot (eds.), Court of Justice of
the European Union – Cour de Justice de l’Union Européene, The Court of Justice and the
Construction of Europe: Analyses and Perspectives on Sixty Years of Case-law – La Cour de
Justice et la Construction de l’Europe: Analyses et Perspectives de Soixante Ans de Jurispru-
dence (T.M.C. Asser Press 2013) 675–92; and Maja Brkan, ‘The Role of the European Court of
Justice in the Field of Common Foreign and Security Policy after the Treaty of Lisbon: New

18 / Date: 7/5
Treaty seems to have changed this and it can be argued that it even reversed the
situation: ‘the Court has jurisdiction except where the latter is explicitly excluded.
Hence, any lack of jurisdiction is now framed as an exception to that rule which, like
any exception in EU law, is arguably to be interpreted restrictively’.74 This, allegedly,
would allow for a more extensive role of the Court in some situations involving CFSP
and would (again allegedly) allow for a more comprehensive approach towards
cross-cutting policy areas such as cybersecurity (see further below).
The legal basis is not just relevant for internal legislation, but also for the Union’s
external action. Yet, this also reveals a problem in relation to creating a comprehensive
and consistent body of EU cybersecurity law. While the choice for an Internal Market
or an AFSJ legal basis may largely lead to similar legal instruments and a similar
involvement of the Institutions, the choice for a legal basis in the Union’s CFSP or
CSDP implies a choice for completely different legal instruments and largely different
roles of the Institutions.75 Most importantly, a CFSP/CSDP legal basis excludes the
adoption of Directives and Regulations, the key instruments that so far have also been
used in regulating cybersecurity. Indeed, ‘legislative acts’ are excluded (art 24(1) TEU),
and only ‘Decisions’ can be adopted as formal CFSP instruments, either by the
European Council (art 26(1) TEU) or the Council (art 26(2) TEU). Furthermore,
because of some procedural differences, it remains difficult to combine CFSP/CSDP
with other policy areas when negotiating international agreements (art 37 TEU), despite
the overall unification of the procedures in Article 218 TFEU.
One may argue that in those cases a choice will have to be made between either a
CFSP/CSDP or another instrument. While this is correct in principle, it stands in
contrast to the comprehensive approach that is heralded by the Cybersecurity Strategy
as well as by the EU Treaties themselves, which – since the Treaty of Lisbon – have
brought EU external action under one heading and in one combined objective (see in
particular art 21 TEU). The Treaties offer a rule to decide on the correct legal basis in
the sense that CFSP/CSDP decisions should not affect other policy areas, and vice
versa (art 40 TEU; sometimes referred to as the ‘non-contamination clause’).76 The
Court’s jurisdiction with respect to CFSP/CSDP is limited, and includes for instance
the monitoring of the compliance with the dividing line between CFSP and non-CFSP
Challenges for the Future’ in Paul J. Cardwell (ed.), EU External Relations Law and Policy in
the Post-Lisbon Era (TMC Asser Press 2012) 97–115.
74
Hillion (n 71). In this article Hillion convincingly argues that a wider competence of the
Court in relation to certain CFSP acts is foreseen in the current treaty regime.
75
See in general on the different nature of CFSP: Bart Van Vooren & Ramses A. Wessel, EU
External Relations Law: Text, Cases and Materials (CUP 2014).
76
Art 40 TEU:
The implementation of the common foreign and security policy shall not affect the
application of the procedures and the extent of the powers of the institutions laid down by the
Treaties for the exercise of the Union competences referred to in Articles 3 to 6 of the Treaty
on the Functioning of the European Union.
Similarly, the implementation of the policies listed in those Articles shall not affect the
application of the procedures and the extent of the powers of the institutions laid down by the
Treaties for the exercise of the Union competences under this Chapter.

19 / Date: 25/3
matters laid down in Article 40 as well as the review of the legality of the external
restrictive measures laid down in Article 275(2) TFEU (art 24(1) TEU).77
Will Article 40 help in deciding on the correct legal basis for a cybersecurity
measure? And, perhaps more importantly, does the establishment of the correct legal
basis help in creating a consistent body of cybersecurity law? The landmark case on the
choice between a CFSP/CSDP and another legal basis is ECOWAS (or Small Arms and
Light Weapons).78 In the event, the Court found that by using a CFSP Decision on the
EU support to Economic Community of West African States (ECOWAS) in the fight
against the proliferation of small arms and light weapons (SALW), the Council had
encroached upon the EC competence in the field of development cooperation, thus
violating the provisions of Article 47 TEU (now art 40 TEU). While Article 47 revealed
a clear priority for a non-CFSP legal basis in case of a conflict, current Article 40 does
not make that choice and simply leads to the rule that in adopting CFSP/CSDP
decisions the Council should be aware of the other external policies, and vice versa.
Despite its ‘balanced’ approach, Article 40 implies that foreign policy measures are
excluded once they would interfere with exclusive powers of the Union, for instance in
the area of Common Commercial Policy. This may seriously limit the freedom of the
Member States in the area of restrictive measures (see below) or the export of ‘dual
goods’ (commodities which can also have a military application).79
The text of Article 40 TEU thus forces the Court to take a different view on the
relationship between CFSP/CSDP and other areas of external action. No longer should
an automatic preference be given to a non-CFSP legal basis whenever this is possible.80
Whereas it has been argued that CFSP may be envisaged as lex generalis while other
external policies, allegedly including other security policies set out in the TFEU, would
amount to lex specialis,81 this would not answer all delimitation problems. Indeed,
cybersecurity offers a prime example of an area where measures may lie at the
77
See more extensively: Hillion (n 71).
78
Case C-91/05 Commission v Council (Small Arms/ECOWAS) [2008] ECR I-3651. See
more extensively Christoph Hillion and Ramses A. Wessel, ‘Competence distribution in EU
external relations after ECOWAS: Clarification or continued fuzziness?’ (2009) 46 C.M.L. Rev.
551–86; as well as Joni Heliskoski, ‘Small arms and light weapons within the Union’s pillar
structure: An analysis of Article 47 of the EU Treaty’ (2008) 33 Eur. L. J. 898; Bart Van Vooren,
‘EU–EC external competences after the Small Arms Judgment’ (2009) 14 E.F.A. Rev. 7; Bart Van
Vooren, ‘The Small Arms Judgment in an age of constitutional turmoil’ (2009) 14(2) E.F.A. Rev.
231.
79
Council Regulation 1334/2000/EC setting up a Community regime for the control of
exports of dual-use items and technology [2000] OJ L159/1; in the meantime replaced by
Council Regulation 428/2009/EC setting up a Community regime for the control of exports,
transfer, brokering and transit of dual-use items [2009] OJ L134/1. Exception was only made for
certain services considered not to come under the CCP competence. For these services (again) a
CFSP measure was adopted: Council Joint Action 2000/401/CFSP concerning the control of
technical assistance related to certain military end-uses [2000] OJ L159/216.
80
See more extensively Hillion (n 71).
81
Cf. Alan Dashwood, ‘Article 47 TEU and the relationship between first and second pillar
competence’ (70–103) and Marise Cremona, ‘Defining competence in EU external relations’ in
Alan Dashwood & Marc Maresceau (eds.), Law and Practice of EU External Relations – Salient
features of a Changing Landscape (CUP 2008) 34-69.

20 / Date: 25/3
crossroads of CFSP and non-CFSP. Yet, parts of the foreseen new cybersecurity rules
relate to cyberdefence, which would need a legal basis in CSDP, a sub-chapter of CFSP.
As argued by Hillion, CSDP is much more specific than CFSP and could perhaps also
be seen as a lex specialis, including its own purposes, particularly in Articles 42 and 43
TEU: ‘Disagreement on the CSDP v TFEU legal basis could thus be solved on the
basis of the traditional ‘centre of gravity’ approach’.82 In relation to the topic of the
present chapter this would imply that decisions which would mainly be dealing with
cyberdefence would find their basis in CSDP. Obviously, this would exclude legislative
measures and the diverging decision-making procedures would preclude combining
cyberdefence with, for instance cybercrime or trade measures in one single decision.
An answer to the question of how to square a comprehensive approach to security
with the diverging procedures for CFSP and non-CFSP issues was given by the Court
of Justice in a case initiated by the European Parliament.83 The case concerns the
signing and conclusion of the Agreement between the EU and the Republic of
Mauritius on the conditions of transfer of suspected pirates and associated seized
property from the EU-led naval force to Mauritius and on the conditions of suspected
pirates after transfer. The European Parliament argued that the chosen legal bases for
the Council Decisions (arts 37 TEU and 218(5) and (6) TFEU), are not correct as the
agreement does not relate exclusively to the CSFP, but also pertains to judicial
cooperation in criminal matters, police cooperation, and development cooperation.
Opting for a CFSP Decision has deprived the European Parliament of the right of
consent it has in relation to the non-CFSP issues in the agreement. The Court held that
– despite the fact that the EP should be kept informed – a CFSP legal basis was
sufficient given the foreign policy context of the operation. Again external and internal
security policies remained separate.84
Overall and from an external perspective, however, the EU’s obsession with the
correct legal basis is not particularly helpful in combining different policy areas. It is,
in particular, the fact that a choice has to be made that may prevent consistent policies
from emerging in cross-cutting areas. As Blockmans and Spernbauer rightfully argue:
the legal dichotomy between the spheres of CFSP and non-CSFP policies, Member State
preferences for a legal basis that provides them with veto ower in decision-making
procedures, the two-way ‘non-contamination clause’ of Article 40 TEU, and the absence of
judicial review from the realm of the CFSP effectively stand in the way of ‘mixing’ EU
measures in cross-over fields of external security action […].85
82
Hillion (n 71).
83
Case C-658/11, European Parliament v Council (ECLI:EU:C:2014:2025).
84
See more extensively: C. Matera and R.A. Wessel, Context or Content? A CFSP or AFSJ
Legal Basis for EU International Agreements – Case C-658/11, European Parliament v Council
(Mauritius Agreement), Revista de Derecho Comunitario Europeo, 2014, pp. 1047–1064. See
also Steven Blockmans and Martina Spernbauer, ‘Legal obstacles to comprehensive EU external
security action’ (2013) 18(4) E.F.A. Rev. 7–24.
85
Blockmans & Spernbauer (n 84) 11.

21 / Date: 15/5
This means that the Court will have quite a task in deciding on the correct legal basis
for security measures, including ones on cybersecurity combining different internal and
external policies.
In a 2012 judgment the Court was given the opportunity to address a similar issue. In
Case C-130/10 European Parliament v Council of the European Union, the European
Parliament challenged a Council Regulation imposing certain specific restrictive
measures directed against certain persons and entities associated with Usama bin
Laden.86 One question is particularly relevant for the present contribution: would it be
possible to combine CSDP decisions (for instance on cyberdefence) with for instance
AFSJ decisions (on cybercrime) or should future decisions (and international agree-
ments) be based on separate parts of the EU Treaties, accepting fragmentation and
possible inconsistencies? The Court held that EU restrictive measures (sanctions)
related to CFSP should be based on Article 215 TFEU and not on Article 75 TFEU
(relating to AFSJ) as argued by the European Parliament. A key argument seemed to be
that these anti-terrrorism measures are so much part of the Union’s external action that
not placing them in the framework of CFSP would in fact render the latter policy area
redundant in relation to anti-terrorism. And, following the AG’s Opinion in the
Mauritius case mentioned above, an additional argument could be that these are not
stand-alone measures, but that they form part of a global scheme in which also other
international organisations – notably the UN Security Council – play a role.
While this case was about anti-terrorism measures, a similar case could occur in
relation to cybersecurity as another area in which both AFSJ and CFSP/CSDP measures
are (planned to be) adopted. While the new treaty rules may provide some indication of
the correct legal basis, the wide variation in cybersecurity measures will continue to
form an obstacle on the route to a comprehensive and consistent policy in that area.
5. CONCLUSION: THE EMERGENCE OF A BODY OF EU

CYBERSECURITY LAW?
While the EU has been active in establishing cybersecurity-related policies since the
beginning of the millennium, the last few years have shown new ambitions and
initiatives. The adoption of the Cybersecurity Strategy in 2013 in particular heralds a
more comprehensive approach to cyberspace developments. Despite the absence of
express competences related to cybersecurity, the EU’s activities are triggered by the
cross-border dimension inherent to the policy area. At the same time – and despite the
fact that most competences in the field have remained in the hands of the Member
States – the EU is increasingly active at the global level and has clearly stated its
ambition to play a role in further developing the global regulatory and legislative
framework.
The fact that the scope of cybersecurity ranges from economic internal market
elements, fundamental rights and citizens’ freedoms to criminal cooperation and
defence policy, has led to a fragmented regulation of this policy field. While the EU is
86
Case C-130/10 Parliament v Council (ECLI:EU:C:2012:472).

22 / Date: 7/5
usually able to find a connection to existing competences, allowing it to produce new

legislation in many different fields, it suffers from the fact that it is not always easy
(and sometimes even impossible) to combine the different cybersecurity dimensions in
consistent or even connected policies. Despite the fact that the Lisbon Treaty integrated
many policy fields by making an end to some diverging decision-making procedures,
the field of ‘security’ is still characterised by a substantial degree of fragmentation
(with security aspects being covered by the internal market, the AFSJ and the CFSDP).
It is the EU’s complex division of powers and its diverging procedures and rules for
different policy areas that seem to stand in the way of realising a comprehensive body
of cybersecurity law. At the same time not only the ‘internal’ EU turf battles complicate
things, but also the separation between domestic and foreign policy in European
security policy.
The current treaty regime only partly allows the EU to improve things. Despite the
fact that foreign and security measures are no longer ‘subordinate’ to other policies
(which is underlined both by Treaty provisions and recent case-law), a choice for the
correct legal basis will still have to be made and combinations of CFSP and other
policies remain difficult because of the different (and often incompatible) procedural
requirements. Obviously, this is not always a problem. The EU can simply adopt
different decisions related to the internal market, crime or defence issues. Yet, the focus
of the debate of the legal basis may very well blur the views on coherence and
consistency. With Blockmans and Spernbauer we assert that ‘the Court might wish to
re-define its objectives-based “centre of gravity” approach in order to reconcile the
quest for the correct legal basis in one of the EU Treaties with the ambition to take a
comprehensive approach to EU foreign policy and external security provision’.87
Yet, there is no denying of the fact that something like a body of EU cybersecurity
law is developing. Alongside the existing decisions, the EU has announced new
legislative initiatives, partly following international (transatlantic) cooperation, partly
because of a connection to internal objectives related to either fundamental rights or
economic motives. The fact that many options are still open will allow the EU to take
its own consistency requirements seriously and aim for a comprehensive and coherent
development of this new body of law.
87
Blockmans & Spernbauer (n 84) 23.

23 / Date: 25/3
20. NATO and cyber defence*

Katharina Ziolkowski
1. INTRODUCTION
The end of the Cold War coincided with several strategic decisions of the United States
(US) Government and with technical developments which laid the foundations for the
transformation of the academic research networks, which were mainly geographically
based in the US, into the Internet as it is known today.1 Two decades later, the Internet
is deemed a truly global network, indispensable to political, economic, social and
cultural life in post-industrial States. At the same time, a revival of Cold War metaphors
in the context of cyberspace is perceivable in the media and in political and legal
science.2 Indeed, the perception of cyber security, formerly viewed as an exclusively
technical and organisational challenge, has undergone a strategic shift. Cyber security
* This contribution is based on open source materials only and reflects the personal opinions
of the author.
The present chapter was finalised in December 2013 and does not reflect NATO’s Enhanced
Cyber Defence Policy endorsed in June 2014. For information on the new policy see NATO,
‘Cyber Defence’ <http://www.nato.int/cps/en/natohq/topics_78170.htm> accessed 12 October
2014 and NATO, ‘Wales Summit Declaration’ (issued by the Heads of State and Government
participating in the meeting of the North Atlantic Council in Wales, 5 September 2014) paras 72
and 73 <http://www.nato.int/cps/en/natohq/official_texts_112964.htm> accessed 12 October
2014.
1
The US decommissioned the Advanced Research Projects Agency Network (ARPANET),
initially developed by the US Department of Defence for collaboration in the context of
scientific defence research projects (28 February 1990), and disconnected the US Computer
Science Network (CSNET) (October 1991). The US agency National Science Foundation (NSF)
opened the succeeding main network (NSFNET), which subsequently built the backbone of the
Internet, for uses other than academia or education (March 1991). The introduction of the first
World Wide Web service of hyperlinked documents, i.e. websites, by a CERN scientist shaped
the current feature of the net (6 August 1991). See Johann-Christoph Woltag, ‘Internet’ in
Rüdiger Wolfrum (ed.), The Max Planck Encyclopedia of Public International Law [hereafter
MPEPIL] (Oxford University Press 2008, online edition) MN 2 <http://opil.ouplaw.com/home/
epil> accessed 2 December 2013; National Science Foundation, ‘A Brief History of NSF and the
Internet’ (Factsheet, 13 August 2003) <http://www.nsf.gov/news/news_summ.jsp?cntn_id=
103050> accessed 2 December 2013; Vincent Cerf, ‘How the Internet came to be’ (1993)
<http://www.virtualschool.edu/mon/Internet/CerfHowInternetCame2B.html> accessed 2 Decem-
ber 2013; CERN, ‘The birth of the web’ <http://home.web.cern.ch/about/birth-web> accessed 2
December 2013.
2
E.g. Noah Schachtman & Peter W. Singer, ‘The wrong war: The insistence on applying
Cold War metaphors to cybersecurity is misplaced and counterproductive’ (Brookings Institution
Paper, 15 August 2011) <http://www.brookings.edu/articles/2011/0815_cybersecurity_singer_
shachtman.aspx> accessed 2 December 2013; David Singer, ‘In cyberspace, New Cold War’,
426
1 / Date: 7/5
NATO and cyber defence 427
has become an inherent part of national security, as is evident from the multitude of
national cyber security strategies issued since 2008,3 and thus also a matter of
international peace and security. Consequently, cyber security is currently on the
agendas of many of international and security organizations including the North
Atlantic Treaty Organization (NATO). With the NATO Policy on Cyber Defence of
2008 (revised in 2011), the organization was the first to deal with the challenges of
cyber threats as pertinent to national and international security.
NATO is a collective self-defence alliance with the nature of a politico{military
international organization.4 Emerging in the post{World War II era as a collective
security mechanism, since the end of the Cold War it has evolved into an organization
with a comprehensive definition of security and an almost global outreach through its
partnership programmes. Non-conventional and non-military threats such as cyber
threats were recognized as relevant to the Alliance’s security and play a prominent role
as one of the four5 ‘emerging security challenges’ which the organization is address-
ing.6
These developments are consistent with the broad mandate of NATO as endorsed in
Article 2 of the North Atlantic Treaty of 1949. The provision obliges Member States to
‘contribute toward the further development of peaceful and friendly international
relations’ by, inter alia, ‘promoting conditions of stability’. A broad interpretation of
the organization’s mandate reflects the major changes in the Alliance’s self-perception
since the end of the Cold War;7 it is vindicated in the preamble of the treaty, paragraph
X of which stipulates that NATO Member States:
[…] are determined to safeguard the freedom, common heritage and civilisation of their
peoples, founded on the principles of democracy, individual liberty and the rule of law. They
seek to promote stability and well-being in the North Atlantic area. They are resolved to unite
their efforts for collective defence and for the preservation of peace and security.
The New York Times (24 February 2013) <http:// www.nytimes.com/2013/02/25/world/asia/us-

confronts-cyber-cold-war-with-china.html?pagewanted=all> accessed 2 December 2013; Yasmin
Tadjdeh, ‘U.S. engaged in “Cyber Cold War” with China, Iran’, National Defence Magazine
(7 March 2013) <http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1075>
accessed 2 December 2013. For scientific contributions see e.g. Matthew Waxman, ‘Cyber-
attacks and the use of force: Back to the future of Article 2(4)’ (2011) 36 Yale J. of Int’l. L.
425–426; Brandon Valeriano, ‘Mind the gap? Deterrence in cyberspace’ (New Atlanticist, 11 July
2012) <http://www.acus.org/new_atlanticist/mind-cyber-gap-deterrence-cyberspace> accessed 2
December 2013.
3
See selection of publicly available strategic cyber security documents at NATO CCD
COE, National Strategies & Policies website <http://www.ccdcoe.org/strategies-policies.html>
accessed 12 October 2013.
4
NATO, ‘Welcome’ <http://www.nato.int/nato-welcome/index.html> accessed 2 December
2013.
5
Other emerging security challenges are: terrorism, proliferation of weapons of mass
destruction and energy security.
6
See NATO, ‘Emerging Security Challenges’ <http://www.nato.int/cps/en/natolive/news_
65107.htm> accessed 2 December 2013.
7
Thilo Marauhn, ‘North Atlantic Treaty Organization’ in MPEPIL (n 1) MN 11.

2 / Date: 25/3
Before elaborating on NATO’s cyber defence endeavours, two important aspects need
to be stated. They refer to the expressions ‘NATO decision’ and ‘NATO operation’,
often used in media and in scholarly writings, which lead to a misperception of the
organisation’s nature and function.
Every decision made within NATO structures is made by consensus among its 28
Member States; NATO never makes decisions. A ‘NATO decision’, as often referred to
in media and academia, reflects the collective will (and compromise) of all 28
sovereign States.8 As a politico-military international organization, the Alliance does
not have legislative or regulatory powers comparable to the supra-national organization
which is the European Union (EU). Thus, the subsequent implementation of the
decisions is also in the hands of the 28 sovereign members.
Secondly, NATO does not generally dispose of troops or military equipment.9 In a
NATO-led military operation Member States, possibly alongside others,10 contribute
military contingents and equipment as necessary for the operation and agreed on within
the organisation. Thus, a ‘NATO operation’ is a military operation conducted by NATO
Member States, possibly with others, in which the political or military decisions are
made within the organization’s structures, and for which the NATO military head-
quarters structure, education and training centres and standardized processes are used.
Against this background it is neither within NATO’s responsibility nor in accordance
with its nature and purpose to build up military ‘offensive cyber capabilities’, as is
sometimes claimed in media and scholarly writings.11
Bearing this in mind, the evolution of cyber defence in NATO, the key aspects of
NATO’s current cyber defence endeavours and the remaining challenges for the
organization will be presented.
2. CYBER DEFENCE IN NATO – THE EVOLUTION

NATO was the very first international organization to adapt quickly to the new strategic
environment and emerging security threats like cyber threats.12
8
NATO (n 4).
9
There is one notable exception. NATO owns 17 Boeing E-3A ‘Sentry’ Airborne Warning
and Control System (AWACS) aircraft which provide the Alliance with an immediately available
airborne command and control, air and maritime surveillance and battlespace management
capability. The aircraft are operated at NATO Air Base Geilenkirchen, Germany. See NATO,
‘AWACS: NATO’s “Eye in the Sky”’ (29 July 2014) <www.nato.int/cps/en/natolive/topics_
48904.htm> accessed 28 September 2014.
10
For example, the NATO-led operation ISAF in Afghanistan was supported with troops by
14 non-NATO States, see NATO, ‘ISAF Troop Contributing Nations’ <http://www.nato.int/ISAF/
structure/nations/index.html> accessed 2 December 2013.
11
Jason Healey & Leendert van Bochoven, ‘NATO’s cyber capabilities: Yesterday, today,
and tomorrow’ (Atlantic Council Issue Brief, February 2012) 6f.
12
Alexander Klimburg & Heli Tiirmaa-Klaar, ‘Cybersecurity and cyberpower: Concepts,
conditions and capabilities for cooperation for action within the EU’ (European Union, European
Parliament, Directorate-General for External Policies of the Union, Directorate B, Policy
Department, Study EXPO/B/SEDE/FWC/2009-01/LOT6/09; PE 433.828; April 2011) 24.

3 / Date: 25/3
The first malicious cyber activities directed against NATO networks occurred during
Operation Allied Force in Kosovo in 1999. Pro-Serbian hacktivist groups conducted
distributed denial of service attacks which blocked email accounts and disrupted NATO
websites for some days. These experiences led to the implementation of the NATO
Cyber Defence Programme in 2002, sometimes referred to as the ‘Prague Capabilities
Commitment’, as the decisions were made during NATO’s Summit in Prague.
Thereafter the NATO Computer Incident Response Capability (NCIRC) was estab-
lished, which addressed the technical protection of NATO networks.
The malicious cyber activities conducted in 2007 against information and communi-
cations technology (ICT) in Estonia led to a broader understanding of the necessity for
cyber defence, as Estonia requested emergency assistance to protect its digital
infrastructure targeted by hacktivists.13 The need for a policy and doctrine became
apparent and cyber defence entered the political arena of the Alliance.
(a) Strategic and Policy Documents
In 2008, shortly after the events in Estonia, the first NATO Policy on Cyber Defence
was adopted. That policy aimed at bolstering the cyber defence capabilities of NATO’s
own networks and established initial mechanisms for consultations with Member States
on cyber defence issues.14
Malicious cyber activities conducted in 2008 mainly against government and media
websites in Georgia, and which were seemingly coordinated with troop movements of
the Russian Federation in East Ossetia, demonstrated that ‘cyber attacks’ have the
potential to become a major component of conventional warfare.15 The potential threat
to national and Euro-Atlantic security and stability from the use of cyber tools
represented a strategic shift and led to the understanding that the Alliance needed to
strengthen not only the cyber defences of the organization, but those across the Alliance
as a whole.16
Accordingly, NATO Member States recognized in the Strategic Concept for the
Defence and Security of the Members of the North Atlantic Treaty Organisation of
November 2010 that malicious cyber activities ‘can reach a threshold that threatens
national and Euro-Atlantic prosperity, security and stability’.17 In order to assure the
13
Vincent Joubert, ‘Five years after Estonia’s cyber attacks: lessons learned for NATO?’
(NATO Defence College, Research Paper No 76, May 2012) 2; Liina Areng, ‘International cyber
crisis management and conflict resolution mechanisms’ in Katharina Ziolkowski (ed.), Peacetime
Regime for State Activities in Cyberspace. International Law, International Relations and
Diplomacy (NATO CCD COE 2013) 565, 577.
14
Joubert, ibid.
15
NATO, ‘NATO and cyber defence’ <http://www.nato.int/cps/da/natolive/topics_78170.
htm> accessed 2 December 2013.
16
Ibid.
17
NATO, Active Engagement, Modern Defence. Strategic Concept for the Defence and
Security of the Members of the North Atlantic Treaty Organisation (adopted by Heads of State
and Government at NATO, 19–20 November 2010, Lisbon) para. 12 <http://www.nato.int/
strategic-concept/pdf/Strat_Concept_web_en.pdf> accessed 2 December 2013 NATO Strategic
Concept.

4 / Date: 25/3
security of NATO’s territory and populations, the Alliance committed to continue

fulfilling its essential core tasks, inter alia, to deter and to defend against emerging
security challenges, such as cyber threats.18 Further, the document stresses that NATO
will accelerate efforts to respond to ‘cyber attacks’, bring all its agencies under a
protective umbrella, and will include the cyber domain in the defence-planning process:
We will ensure that NATO has the full range of capabilities necessary to deter and defend
against any threat to the safety and security of our populations. Therefore, we will: […]
develop further our ability to prevent, detect, defend against and recover from cyber attacks,
including by using the NATO planning process to enhance and coordinate national cyber-
defence capabilities, bringing all NATO bodies under centralized cyber protection, and better
integrating NATO cyber awareness, warning and response with member nations […].19
The NATO Lisbon Summit declaration, also issued in November 2010, stated the intent
to revise the Alliance’s cyber defence policy by June 2011.20 In March 2011, a NATO
Concept on Cyber Defence was drafted for Defence Ministers, which formed the
conceptual basis of the revised NATO Policy on Cyber Defence.21 On 8 June 2011 a
revised policy, the key aspects of which will be presented in detail below, was approved
and accompanied by a detailed Action Plan for its implementation. The Action Plan is
a living document that is continuously updated to ensure that NATO is at the forefront
of developments in cyberspace and maintains the necessary flexibility to meet the
challenges which they pose.
At the Chicago Summit in May 2012, NATO Member States’ Heads of Government
reaffirmed their commitment to improve the Alliance’s cyber defences by bringing all
of NATO’s networks under centralized protection and implementing a series of
technical and organizational upgrades.22
(b) Cyber Defence Governance
Cyber defence is implemented within NATO structures comprehensively. Elements of

cyber defence governance can be found at the political, military/operational and
technical levels of the organization, and individual Allies are obliged to implement
specific aspects of NATO’s cyber defence policy.23
The North Atlantic Council (NAC), NATO’s highest political decision-making
authority, composed of representatives of the Member States at the level of Heads of
Government, Ministers or Ambassadors, provides the high-level political oversight of
all aspects of the implementation of the organization’s cyber defence policy. The
18
ibid para. 4.a); see also NATO, ‘Defending the networks. The NATO Policy on Cyber
Defence’ (Factsheet, 2011) <http://www.nato.int/nato_static/assets/pdf/pdf_2011_09/20111004_
110914-policy-cyberdefence.pdf> accessed 2 December 2013 (NATO Cyber Defence Policy
Factsheet).
19
NATO Strategic Concept (n 17) para. 19.
20
NATO, Lisbon Summit Declaration (20 November 2010) para. 40 <http://www.nato.int/
cps/en/natolive/official_texts_68828.htm> accessed 2 December 2013.
21
NATO Policy on Cyber Defence Factsheet (n 18).
22
Ibid.
23
NATO Cyber Defence (n 15).

5 / Date: 7/5
Council will be appraised of major cyber incidents and ‘attacks’ and will exercise
principal decision-making authority in cyber defence related crisis management.24 The
Defence Policy and Planning Committee, a senior advisory body to the NAC and a key
committee bringing together defence counsellors from all national delegations, provides
Allies’ oversight and advice on the Alliance’s cyber defence efforts at the expert level.25
At the working level, the NATO Cyber Defence Management Board (CDMB)
coordinates cyber defence throughout NATO’s civilian and military bodies. It com-
prises the leaders of the political, military/operational and technical staffs in diverse
NATO headquarters, agencies and other entities with responsibilities for cyber
defence.26 This body operates under the auspices of the Emerging Security Challenges
Division (ESCD) in NATO Headquarters. ESCD was created in 2010 within the
International Staff, thus at the political level, following an initiative by NATO Secretary
General, Anders Fogh Rasmussen. It focuses on cyber defence and three other areas
identified as ‘emerging security challenges’: terrorism, the proliferation of weapons of
mass destruction and energy security.27 The Division brings together various strands of
expertise already present in different parts of NATO Headquarters, providing greater
focus on and visibility of these topics at the political level, and providing NATO with a
strategic analysis capability to monitor and anticipate international developments that
could affect Allied security.28
The NATO Consultation, Control and Command (NC3) Board is the main body for
consultation on the technical and implementation aspects of cyber defence.29 The
NATO Military Authorities (NMA) and the NATO Communications and Information
(NCI) Agency bear specific responsibilities for identifying the statement of the
operational requirements, acquisition, implementation and operation of NATO’s cyber
defence capabilities.30
Through its NCIRC Technical Centre, the NCI Agency is responsible for the
provision of technical and operational cyber security services throughout NATO.31
NCIRC is a two-tier functional capability where the NCIRC Technical Centre consti-
tutes NATO’s principal technical and operational capability and has a key role in
responding to any cyber aggression against the Alliance.32 It processes millions of
security events each day, including serious cases that require immediate follow-up by
cyber defence experts.33 The NCIRC Technical Centre is currently undergoing a €58
24
Ibid.
25
NATO, ‘Defence Policy and Planning Committee’ <http://www.nato.int/cps/en/natolive/
topics_69128.htm> accessed 2 December 2013.
26
27
NATO, ‘New NATO division to deal with Emerging Security Challenges’ (News, 4 August
2010) <http://www.nato.int/cps/en/natolive/news_65107.htm> accessed 2 December 2013.
28
Ibid.
29
30
Ibid.
31
Ibid.
32
Ibid.
33
NATO, ‘NATO Cyber Defence’ (Media Backgrounder, October 2013) <http://www.nato.
int/nato_static/assets/pdf/pdf_2013_10/20131022_131022-MediaBackgrounder_Cyber_Defence_
en.pdf> accessed 2 December 2013.

6 / Date: 25/3
million upgrade to provide state-of-art sensors, scanners and analytic capabilities to

better prevent, detect and respond to malicious cyber activities.34 The NCIRC Coordin-
ation Centre is responsible for the coordination of cyber defence activities within
NATO and with nations; provision of staff support to the CDMB; planning of an annual
‘Cyber Coalition’ exercise; and cyber defence liaison with international organizations
such as the EU, the Organization for Security and Co-operation in Europe (OSCE) and
the United Nations/International Telecommunication Union (UN/ITU).35
The two Supreme Headquarters of NATO, Allied Command Operations (ACO) and
Allied Command Transformation (ACT), as well as the operational headquarters, the
NATO Office of Security and its Cyber Threat Assessment Cell and the organization’s
counter-intelligence entities all also deal with cyber threats and cyber defence.
Since 2012 the cyber defence capabilities of the Allies have been integrated into the
NATO Defence Planning Process (NDPP).36 Generally speaking, the NDPP aims to
facilitate the timely identification, development and delivery of the necessary range of
national forces that are interoperable and adequately prepared, equipped, trained and
supported, and the associated military and non-military capabilities to conduct the
Alliance’s missions. The NDPP guides the integration of cyber defence capabilities into
national defence frameworks. Cyber defence has also been integrated into NATO’s
Smart Defence initiative, a concept developed in the face of shrinking defence budgets
which enables countries to work together to develop and maintain capabilities which
they could not afford to develop or procure alone, and to free resources for developing
other capabilities.37 Both NDPP and the smart defence concept require individual Allies
to determine, develop and coordinate their national cyber defence capabilities.
3. KEY ASPECTS OF NATO CYBER DEFENCE

The principles guiding NATO’s cyber defence are the prevention of ‘cyber attacks’ and
the resilience of networks, as well as the avoidance of duplication of effort.38 The key
aspects of NATO’s cyber defence, as stated in the NATO Policy on Cyber Defence, is
the clear delineation of the responsibilities of the organization from the responsibilities
of its Member States, cyber crisis management and the provision of assistance to
members as well as to partners.
(a) Focus: Defence of NATO’s Own Networks
The goals and aims of NATO’s cyber defence are preconditioned by the nature and core
tasks of the organization, which are to provide structures, mechanisms and leadership
for collective self-defence and crisis management as decided upon by its Member
34
Ibid.
35
NATO Cyber Defence (n 15). On the EU’s approach to cybersecurity see Wessel (Ch 19 of
this book). On the UN’s approach to cyber security see Henderson (Ch 22 of this book).
36
Ibid.
37
Ibid.
38

7 / Date: 25/3
States.39 In order to fulfil those core tasks, NATO needs to ensure its functionality,
which in the cyber context means maintaining a secure ICT infrastructure on which it
can operate. Consequently, the organization must ensure the availability, integrity and
confidentiality of its communication lines within the organization itself, with its
agencies, its multitude of operational headquarters and temporary missions and with the
capitals of its Member States and partners. This includes encrypted communication
lines for transmission of classified data. ‘NATO’s principal focus is therefore on the
protection of its own communication and information systems.’40 Within the NATO
structure there are currently about 70,000 computers in 58 different locations in 31
States. These computer networks are probed hundreds of times each day.41 Incident
response and mitigation of malicious cyber activities conducted against NATO’s
information infrastructure is the (now centralized) responsibility of NCIRC.
To a degree, NATO and national governmental networks are interconnected. Thus,
security for these national computer systems, which support NATO networks or process
NATO data, also needs to be provided. National networks are, however, within the
sovereignty of the respective Member States. NATO is currently working in
cooperation with Member States to identify critical ICT interdependencies and to
develop minimum standards of cyber defence for the respective national computer
networks.42 The implementation of any cyber defence measures will need to be
undertaken by each sovereign Ally.
The defence of national IT-systems and computer networks remains, as with any
other national defence endeavour, the responsibility of each NATO member. This is
understandable when bearing in mind the nature of NATO. The organization is an
Alliance of 28 sovereign States. Those States bear the primary responsibility for the
defence of their territory and population, and may or may not use NATO and its
structures in cases of self-defence or other crises. The cyber threats faced daily by
Allies are for the most part of non-military nature, and can mostly be classified as
cyber crime including politically motivated cyber crime, or ‘hacktivism’, and cyber
espionage. The countermeasures necessary to deter those threats are civilian in nature
and NATO would certainly not be the appropriate entity to ensure the national cyber
security of its Member States against such threats.
However, malicious cyber activities conducted against the national ICT of Member
States can reach a level threatening the national security of the victim and thus become
relevant to the Alliance’s security. This is especially the case with regard to ICT
supporting national critical infrastructures such as the energy supply system or the
banking system. When requested, NATO will therefore assist its members in achieving
a minimum level of cyber defence to reduce vulnerabilities to national critical
infrastructure.43 This commitment is of major significance when considering the
different levels of sophistication among NATO Member States with regard to the use of
39
Ibid.
40
Ibid [emphasis in the original].
41
NATO, Public Diplomacy Division, ‘Tackling New Security Challenges’ (NATO Briefing
2012) 11.
42
NATO Policy on Cyber Defence Factsheet (n 18); NATO Cyber Defence (n 15).
43
NATO Policy on Cyber Defence Factsheet, ibid.

8 / Date: 25/3
ICT, and the existence and advance of national cyber security frameworks. The Alliance
consists of States ranging alphabetically from Albania to the United States of America,
and displaying major differences in the complexity, use and resilience of national ICT.
As an Alliance is only as strong as its weakest member, the organization is concerned
about the cyber defence level of its members, but less advanced Member States can
only be encouraged to build up a minimum of national cyber security frameworks
within their sovereign areas; NATO can only provide assistance.
Apart from preventive cyber defence measures aimed at strengthening the resilience
of NATO networks and, partly, national networks, NATO also offers its members and
its partners (on a case-to-case basis) a system of cyber crisis management.
(b) NATO Cyber Crisis Management
NATO offers its members different mechanisms of crisis management, ranging from
diplomatic measures to collective self-defence. Those crisis management mechanisms
also apply to cyber crises. As stated in the Strategic Concept of 2010, the Alliance is
committed to defending the territory and populations of its Member States against all
threats, including emerging security challenges such as cyber threats.44 However,
NATO will maintain strategic ambiguity and flexibility on how to respond to different
types of crises that include a cyber component.45 Some different modalities of cyber
crisis management which NATO offers to its members will be presented below.
(i) Collective Self-Defence

The core task of NATO is collective self-defence. Article 5 of the North Atlantic Treaty
states:
The Parties agree that an armed attack against one or more of them in Europe or North
America shall be considered an attack against them all and consequently they agree that, if
such an armed attack occurs, each of them, in exercise of the right of individual or collective
self-defence recognised by Article 51 of the Charter of the United Nations, will assist the
Party or Parties so attacked by taking forthwith, individually and in concert with the other
Parties, such action as it deems necessary, including the use of armed force, to restore and
maintain the security of the North Atlantic area.
In the past, it was debated whether or not this provision applied to malicious cyber
activities. Neither a legal definition nor a universally accepted definition of the term
‘armed attack’ exists, and the term is open to interpretation. NATO Member States
consider that malicious cyber activities can potentially constitute an ‘armed attack’ and
trigger the right to collective self-defence. In the NATO Strategic Concept of 2010 they
declared that ‘[c]yber attacks […] can reach a threshold that threatens national and
Euro{Atlantic prosperity, security and stability’ and committed itself to continuing to
44
Ibid.
45
Ibid.

9 / Date: 7/5
fulfil its essential core tasks, inter alia, to ‘deter and to defend against […] emerging
security challenges’, including cyber threats.46
Some authors47 assert that the Alliance needs to specify which malicious cyber
activities will likely be deemed to constitute an ‘armed attack’ and judge the lack of
such a declaration as a deficiency of the organization. However, the absence of such a
specification can be considered as a politically wise and therefore favourable option.
Drawing ‘red lines’ with regard to interpretations of key international security terms
such as ‘armed attack’ is not always sensible. Retaining strategic ambiguity may
maintain or support a deterrent effect. Accordingly, there is no ‘check-list’ specifying
the level of tolerance of the 28 Member States with regard to traditional (e.g. kinetic)
military activities directed against an Ally, and thus claiming the necessity of such a
‘check-list’ with regard to malicious cyber activities is unconvincing. Furthermore, the
decision as to whether an armed attack is present will always be highly political and
will never occur outside of a certain political context. Therefore, the determination
whether a certain situation is or is not covered by Article 5 can only be undertaken on
a case-by-case basis after comprehensive consultation between and by consensus of the
organization’s 28 Member States, taking into consideration the political and security
environment as well as all facts and circumstances of the case.
The decision about whether an ‘armed attack’ in the meaning of Article 5 is present
and how the Alliance wants to respond would be determined by Member States on a
submission made by an Ally. The decision will be taken within the organization’s
highest decision-making body, the NAC, and would require consensus between all 28
Allies.48 The attacked Ally would have to request NATO’s assistance, as opposed to a
request directed at an individual Ally outside the organization’s structures. However,
each individual Member State decides which ‘action […] it deems necessary […] to
restore and maintain […] security’ and thus the nature and scope of ‘assistance’ it
desires to grant. Thus, the assistance of an Ally can, in theory, range from a political
statement of condemnation of the attack to deployment of armed forces, according to
the circumstances of the case and the capabilities at the disposal of the assisting Ally.
As, in general terms, (collective) self-defence measures do not need to mirror the
means used by the aggressor, an ‘armed attack’ conducted by cyber means could be
responded to with kinetic military action. However, the assistance granted to an Ally
cannot exceed what the victim State formally requested, but it is likely that the request
and the assistance would be informally agreed on between Allies beforehand.
In the six decades of the Alliance’s history Article 5 has been invoked only once, in
response to the terrorist attacks on 11 September 2001, reflecting the determination of
the Member States, as expressed in the NATO Strategic Concept of 1999, that terrorism
is one of the threats affecting the Alliance’s security. The case was an significant
precedent with regard to the procedural steps which can be of utmost importance in
cases of ‘armed attacks’ conducted by cyber means. Almost immediately after the
terrorist attacks occurred, NATO Member States invoked ‘the principle of Article 5’.
46
NATO Strategic Concept (n 17) para. 12 and 4.a); NATO Policy on Cyber Defence
Factsheet, ibid.
47
Joubert (n 13) 2.
48

10 / Date: 7/5
On 2 October 2001, after a determination that the perpetrators and responsible entities
were ‘extraterritorial’, the decision was confirmed and Article 5 invoked. As malicious
cyber activities will only seldom be immediately attributable to a State, the procedure
used will be invaluable in cases of ‘cyber armed attacks’.
The cyber defence debate should not centre on questions of ‘armed attack’ and
‘self-defence’. Admittedly, some States emphasize the risk of cyberspace transforming
into a new global battlefield,49 and several countries consider cyberspace the fifth
domain of warfare, in addition to land, sea, air and space.50 It is undeniable that several
States have, or are thought to have, offensive cyber capabilities at their disposal or
under development. However, only a very few51 have issued publicly available cyber
security or defence strategies for the military sector, and only one52 directly addresses
offensive cyber activities. In general, States rather emphasize the dependency of the
armed forces on the availability, integrity and confidentiality of ICT and thus cyber
security. The discussion of cyber warfare as perceived in media and scholarly writings
is, to a certain extent, driven by an overestimation of the scope and consequences of
malicious cyber activities, and by an underestimation of the technical expertise,
operational sophistication and development time required to launch a ‘cyber attack’.
Questions of the complexity and accessibility of potential target computer systems are
widely disregarded.53 As the vast majority of the current malicious cyber activities are
49
E.g. the Chinese statement at the United Nations General Assembly, noting that the
‘international community […] must work to prevent the information space from becoming a
“new battlefield”’, UN Doc A/DIS/3467 (1 November 2012); Sergey Fedosov, ‘Statement by the
Russian participant at the UNIDIR Cyber Security Conference (Conference “What does a stable
cyber environment look like?”’, UNIDIR, Geneva, 8–9 November 2012) <http://www.unidir.ch/
files/conferences/pdfs/pdf-conf1922.pdf> accessed 30 November 2013; Noah Schachtman,
‘Darpa looks to make cyberwar routine with secret “Plan X”’ (Wired, 21 August 2012)
<http://www.wired.com/dangerroom/2012/08/plan-x/> accessed 30 November 2013.
50
E.g. United States of America, ‘Department of Defense Strategy for Operating in
Cyberspace’ (July 2011) 5; The Netherlands, Ministry of Defence, ‘The Cyber Defence Strategy’
(June 2012) 4; Japan, Ministry of Defence, ‘Toward Stable and Effective Use of Cyberspace’
(September 2012) 3.
51
These are Russia, the US, the Netherlands and Japan. See Russian Federation, Ministry of
Defence, ‘Conceptual Views Regarding the Activities of the Armed Forces of the Russian
Federation in the Information Space’ (2011, unofficial translation) 4ff <http://www.ccdcoe.org/
strategies/Russian_Federation_unofficial_translation.pdf> accessed 2 December 2013 (see, for
example, the definitions of military conflict in information space, information war and
information weapons); United States of America (n 50) 5 (‘Given its need to ensure the ability to
operate effectively in cyberspace and efficiently organize its resources, DoD established U.S.
Cyber Command (USCYBERCOM) […]’); The Netherlands (n 50) 11 (‘Focal Point 3:
Offensive’); Japan (n 50) 4 (‘The MOD and SDF [Self Defence Forces] must aim to acquire
cutting-edge capabilities in cyberspace just as they do for other domains in order to fulfil its
missions such as national defense.’).
52
The Netherlands ibid.
53
John B. Sheldon, ‘Achieving mutual comprehension: why cyberpower matters to both
developed and developing countries’ in Kerstin Vignard (ed.), Confronting Cyberconflict
(UNIDIR Disarmament Forum Series 2011/4) 41; Tom Gjelten, ‘Is all the talk about cyberwar-
fare just hype?’ GBP News (15 March 2013) <http://www.gpb.org/news/2013/03/15/is-all-the-
talk-about-cyberwarfare-just-hype> accessed 2 December 2013.

11 / Date: 7/5
to be categorized as economically or politically motivated cyber crime, including cyber

espionage, scholars caution against an inappropriate militarization of the topic.54
Without aiming to impair the importance of collective self-defence, it must be stated
that the majority of risks emanating from cyberspace should currently be deemed
non-military threats which must be countered by strengthening the resilience of
IT-systems and computer networks and improving cyber security within the Alliance, as
envisioned by the NATO Policy on Cyber Defence.
(ii) Consultation
Another mechanism of crisis management which NATO offers to its members is
consultation according to Article 4 of the North Atlantic Treaty which states: ‘The
Parties will consult together whenever, in the opinion of any of them, the territorial
integrity, political independence or security of any of the Parties is threatened.’ Informal
or formal consultations occur constantly on different topics and at all levels of the
organization’s structure; they are an indispensable preparatory step for all decision-
making within the organization, which is by consensus. Article 4 refers to consultations
between NATO Member States within the NAC, i.e. the highest political level, with
regard to national security issues of utmost importance. This formal consultation
process reinforces the Alliance’s political dimension and gives NATO an active role in
preventive diplomacy by providing the means to help avoid military conflict.55
In the history of the Alliance, Article 4 has been invoked only three times, each time
by Turkey: in February 2003 in response to a threat to its population or territory
resulting from the armed conflict in neighbouring Iraq, and twice in 2012 after one of
Turkey’s fighter jets was shot down by Syrian air defence forces and five Turkish
civilians were killed by Syrian shells.56 In both situations NATO agreed to deploy
troops and equipment.57
The malicious cyber activities directed against some networks located in Estonia in
2007 led to the adoption of the first NATO Policy on Cyber Defence and raised
awareness within the Alliance with regard to cyber threats, but did not trigger Article 4
consultations; although the malicious cyber activities were discussed in the NAC,
Article 4 was not invoked. At such a high political level, procedural steps are not
omitted by accident. It is likely that the possibility of invoking Article 4 was discussed
informally within diplomatic circles after enquiries by Estonia, and the decision not to
use Article 4 was a cognizant political choice. The incidents were taken seriously and
were discussed at the highest political decision-making level, but not invoking Article 4
54
E.g. Ryan Singel, ‘White House Cyber Czar: “There is no cyberwar”’, Wired Magazine (4
March 2010) <http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/> accessed 2
December 2013; Myriam D. Cavelty, ‘The militarisation of cyber-space: Why less may be better’
in Christian Czosseck, Rain Ottis and Katharina Ziolkowski (eds.), Proceedings of the 4th
International Conference on Cyber Conflict (NATO CCD COE 2012) 141; Mary E. O’Connell,
‘Cyber security without cyber war’ (2012) 17(2) J. Conflict & Sec. L. 187, 195–8; Thomas Rid,
‘Cyber war will not take place’ (2012) 35(1) J. of Strategic Studies 5.
55
NATO, ‘The consultation process and Article 4’ <http://www.nato.int/cps/en/natolive/
topics_49187.htm> accessed 2 December 2013.
56
Ibid.
57
Ibid.

12 / Date: 25/3
showed that neither Estonia nor the Alliance considered the incidents to threaten
Estonia’s national security.
The events, although gaining much media and subsequent scholarly attention, in a
way creating a ‘cyber war hype’, did not have damaging effects on a scale and intensity
which would threaten Estonia’s national security. The denial of service attacks targeted
some computer networks supporting critical infrastructure in the highly ‘wired’ State,
however, in a ‘surgical’ and temporally limited way; for example, the online services of
two banks were interrupted during the campaign on three occasions for between one
and a half and two hours.58 Some disruptions of other services such as online news
services and defacement of a political party’s website also occurred.59 Impairment of
the communications of emergency services was not reported. All in all, the situation,
possibly also due to effective cyber defence measures undertaken by the State and the
‘international cyber security community’, could be deemed a nuisance rather than a
threat to national security.
(iii) Civil Crisis Management

As the vast majority of malicious cyber activities that could reach a level of relevance
to national security of a NATO Member State or a partner country are of a non-military
nature, NATO mechanisms of civil crisis management are of special importance with
regard to cyber crises. Those mechanisms which are intended to, inter alia, support
national authorities during civil crises, were developed in the 1950s.
The organization’s principal civil emergency response mechanism is the Euro-
Atlantic Disaster Response Coordination Centre (EADRCC). The centre operates
around the clock and serves as a clearing-house system for coordinating requests and
offers of assistance, mainly in cases of natural or man-made disasters for the NATO
Member States and 22 partner countries.60 All EADRCC’s tasks are performed in close
cooperation with the UN Office for the Coordination of Humanitarian Affairs
(UNOCHA), which retains the primary role in the coordination of international disaster
relief operations.61 In cases when the requestor is not a NATO member or NATO
partner country, or when collective Allied military resources are used, the decision to
provide assistance to civil authorities must be made by the NAC. Such decisions have
been required twice for providing humanitarian relief to Pakistan, first in the aftermath
of a massive earthquake in 2005 and again following floods some years later.62
In order to process and manage civil crises, several synergistic processes have been
developed within the organization, namely the Crisis Management Process, the NATO
Intelligence and Warning System, NATO’s Operational Planning Process and NATO
Civil Emergency Planning Crisis Management Arrangements.63 The Industrial
Resources and Communications Services Group, a sub-group of the Civil Emergency
58
Eneken Tikk, Kadri Kaska & Liis Vihul, International Cyber Incidents: Legal Consider-
ations (NATO CCD COE 2010) 22.
59
Ibid. 20–23.
60
NATO, ‘Euro-Atlantic Disaster Response Coordination Centre (EADRCC)’ <http://www.
nato.int/cps/en/natolive/topics_52057.htm> accessed 2 December 2013.
61
Ibid.
62
Areng (n 13) 575.
63
Ibid. 575.

13 / Date: 25/3
Planning Committee, includes cyber expertise,64 with IT experts seconded to NATO

from Member States for three-year periods. They not only support emergency planning
but also respond to requests for technical assessment within the Civil Emergency
Planning Rapid Reaction Team (CEP RRT). This team is at 24-hours readiness to be
deployed to assess the crisis situation and civilian assistance requirements. The first,
and so far only, example of a deployment of cyber experts in accordance with the CEP
RRT procedures occurred in August 2008 as a result of the cyber crisis in Georgia.65
Although NATO has 60 years of experience and constant development of civil crisis
management mechanisms, much remains to be done with regard to preparedness
for cyber crises. For example, the Comprehensive Approach Specialist Support
(COMPASS) Database which names national civil emergency experts ‘on-call’ for
stabilization and reconstruction operations, does not currently include any cyber
experts.66 Generally speaking, the role and capabilities of NATO’s civil emergency
mechanisms during a cyber crisis is still to be clarified.
(iv) Assistance to Member States

Beside the civil crisis management mechanisms, NATO is committed to ‘[…] provide
coordinated assistance if an Ally or Allies are victims of a cyber attack’.67 To facilitate
such assistance NATO endeavours to enhance consultation mechanisms, early warning,
situational awareness and information-sharing between the Allies. To this end, as of
December 2013 individual Memoranda of Understanding (MoUs) between NATO
CDMB and 24 Allies’ national cyber defence authorities were concluded. The MoUs
record in detail and individually the capabilities, processes and level of support which
each nation can expect to offer to or receive from NATO, Allies or partner countries.
The agreements are likely to refer to information sharing between the State and NATO
on cyber threats and incidents, unilateral assistance modi and the deployment of NATO
Rapid Reaction Teams (RRTs). These teams comprise IT experts who could either
coordinate support or be at readiness to assist a requesting State (or a NATO
headquarters or other NATO entity) facing malicious cyber activities it cannot deal with
on its own.
The deployment of RRTs will likely be decided at the highest political level of
NATO and will probably be discussed among the 28 Allies in recognition of a paradox
endorsed in the NATO Policy on Cyber Defence: NATO’s focus being the defence of its
own networks and Allies requesting assistance from NATO to protect national ICT.
Importantly, the existence of RRTs cannot relieve NATO’s members from their
responsibility to provide for national defence, including developing cyber defence
capabilities, and investing the necessary resources.68 As Lord Jopling, then member of
64
Ibid. 576.
65
Ibid.
66
Ibid.
67
68

14 / Date: 25/3
the NATO Parliamentary Assembly, said in 2011: ‘The less advanced NATO nations
must realize that in the cyber domain there cannot be a free ride.’69
By the end of 2013, as far as is publicly known, two RRTs were being set-up but had
yet to be deployed.70 In practical terms, it seems rather illusory that an RRT would be
granted access to critical IT infrastructure of a nation and provide technical ‘hands-on’
assistance. First, only the IT personnel of the targeted computer network will know the
architecture, applications and other peculiarities of the network and be able to
undertake technical changes in order to defend it. Second, it seems likely that a
sovereign State will not be willing to share information about the architecture and
details of such networks with outsiders. Thus, the support of the RRT would probably
consist of general consultations and recommendations.
Apart from assistance in cases of malicious cyber activities, NATO is committed to
providing assistance to individual Allies to improve the cyber defence of its national
critical infrastructure systems.71 The nature of the assistance will depend on the
individual request of and the cyber security situation in the particular country. Thus, it
is not clear how far the assistance will reach in each individual case. Any decisions in
this respect will be made within the organization’s highest political levels, and it can be
assumed that the assistance would probably consist mainly of consultations, and the use
of common funds to, for example, build up the technical level of cyber defence would
be vetoed.
Much of the time NATO provides ‘soft’ assistance to its Member States and Partners
through projects aimed at supporting nations in strengthening the national cyber
security and resilience. It offers opportunities for technical cyber defence exercises, and
supports research, training and education to develop the necessary expertise to
complement the related technology.72
(c) Ensuring Preparedness: Exercises
Since 2008 NATO has organized an annual three-day cyber exercise named ‘Cyber
Coalition’. It is a technical exercise on the level of Computer Emergency Response
Teams (CERTs) focusing on defending own networks against intrusion. The exercise
aims to train technical personnel and their leadership, and to test the ability of Allies
and partners to coordinate their actions and cooperate in warding off multiple simulated
‘cyber attacks’.73 In 2013 more than 30 Nations were involved, with about 380 cyber
defence experts participating from their home countries. The participants were drawn
from national armed forces, law enforcement and relevant ministries, as well as from
civilian and military staff at NATO headquarters. In line with the commitment to
cooperation with NATO partner countries and other international organizations, five
69
NATO Parliamentary Assembly, Lord Jopling (United Kingdom), General Rapporteur,
‘Information And National Security’ (Draft Report, 21 April 2011) para. 56.
70
NATO Cyber Defence – Media Backgrounder (n 33).
71
72
See for more information NATO Cyber Defence (n 15).
73
NATO, ‘NATO holds annual cyber defence exercise’ (NATO News, 26 November 2013)
<http://www.nato.int/cps/en/natolive/news_105205.htm> accessed 2 December 2013.

15 / Date: 25/3
non-NATO States (Austria, Finland, Ireland, Sweden and Switzerland) participated,

with New Zealand and the EU as observers.
In 2012, ‘Cyber Coalition’ was integrated into NATO’s strategic level Crisis
Management Exercise (CMX), which is an annual exercise involving all NATO entities
as well as the capitals of NATO Member States aimed at training crisis management
reaction mechanisms and communication channels.74 Thus, the existing mechanisms
were trained to be used in the situation of a major cyber crisis.
Furthermore, NATO is undertaking endeavours to incorporate cyber defence aspects
into all ‘conventional’ NATO military exercises.
The NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), a
military organization manned and funded by 11 NATO Member States and accredited
in 2008 by NATO as a centre of excellence, but which is not part of NATO’s command
or force structure, offers an annual exercise known as ‘Locked Shields’. This is a
real-time network defence exercise supported by several NATO Member States, partner
countries and industry.75 In 2013 the exercise also included some legal play intended to
exercise legal advisers with regard to the complex questions related to cyber defence
measures undertaken by the technical teams.76
(d) Training, Education, and Research
According to the revised policy, NATO is committed to accelerating its efforts in

training and education on cyber defence through its existing schools and the NATO
CCD COE.77 The main educational entities serving NATO are the NATO School in
Oberammergau, Germany, and the NATO Communications and Information Systems
School in Latina, Italy. Both institutions offer technical courses focusing on network
administration and cyber defence. The NATO CCD COE offers diverse courses on
technical topics including digital forensic analysis, malware and exploits, mitigation of
botnets and monitoring and defence of IT systems.78 In the legal area, the Centre offers
an ‘International Law of Cyber Operations Seminar’ in cooperation with the NATO
School and the US Naval War College, focusing on the applicability of humanitarian
law in cyberspace.79
The main NATO body responsible for strategic level research and experiments on
NATO’s transformation (of military structures, capabilities and interoperability) is the
74
NATO, ‘NATO conducts annual crisis management exercise (CMX) and cyber coalition
exercise’ (Press release [2012] 131 of 31 October 2012) <http://www.nato.int/cps/en/natolive/
news_91115.htm?mode=pressrelease> accessed 2 December 2013.
75
NATO CCD COE, ‘Exercises, Locked Shields’ <https://www.ccdcoe.org/401.html>
accessed 2 December 2013.
76
NATO CCD COE, ‘Cyber defence exercise Locked Shields 2013’ (After Action Report,
2013) 41f <http://www.ccdcoe.org/publications/LockedShields13_AAR.pdf> accessed 2 Decem-
ber 2013.
77
78
NATO CCD COE, ‘Training’ <http://www.ccdcoe.org/236.html> accessed 3 November
2013.
79
NATO CCD COE, ‘International Law of Cyber Operations Seminar’ <http://www.
ccdcoe.org/352.html> accessed 3 November 2013.

16 / Date: 25/3
NATO ACT. Within its headquarters, specific working groups focus on the topic of
cyber defence, producing research papers intended to enhance the cyber defence
endeavours of the organization and Member States.
NATO’s Science for Peace and Security Programme, ‘a policy tool for enhancing
cooperation and dialogue with all partners, based on civil science and innovation, to
contribute to the Alliance’s core goals and to address the priority areas for dialogue and
cooperation identified in the new partnership policy’80 focuses on ‘emerging security
challenges’, including cyber threats. With the support of this programme, in 2012
NATO CCD COE published a National Cyber Security Framework Manual 81 to
support NATO Member States and partner nations in building up a framework of
political documents, laws and regulations, organizational an administrative measures,
communication and crisis management procedures, and technical protection measures
in order to improve the ability to appropriately address cyber threats.
NATO CCD COE also supports education and training endeavours by organizing an
annual International Conference on Cyber Conflict (CyCon), by supporting NATO
ACT, and by publishing research papers and publications such as the recent ‘Peacetime
Regime for State Activities in Cyberspace. International Law, International Relations
and Diplomacy’.82 This volume offers, inter alia, an interpretation of public inter-
national law with regard to the rights and obligations of States in the cyber realm
during peacetime. The topics covered range from the notion of territorial sovereignty in
cyberspace through international aviation, space and economic law restrictions to
matters of State responsibility.
(e) Cooperation in the Arena of Cyber Defence
As cyber threats transcend State borders and organizational boundaries, the NATO
Policy on Cyber Defence also stresses the need for cooperation of the Alliance with
NATO partner countries.83 NATO Member States reinforced the importance of inter-
national cooperation by stating in the Chicago Summit Declaration of 2012 that ‘[t]o
address the cyber security threats and to improve our common security, we are
committed to engage with relevant partner countries on a case{by{case basis […] in
order to increase concrete cooperation’.84
Since the 1990s NATO has established several cooperation programmes with NATO
non-Member States. Those are the Partnership for Peace programme (22 States,
including Russia), the Mediterranean Dialogue (seven States), the Istanbul Cooperation
80
See NATO, ‘Science for Peace and Security Programme’ <http://www.nato.int/cps/en/SID-
51871B1B-CD538A0D/natolive/topics_85373.htm?> accessed 8 August 2013.
81
Alexander Klimburg (ed.), National Cyber Security Framework Manual (NATO CCD
COE 2012).
82
Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace. Inter-
national Law, International Relations and Diplomacy (NATO CCD COE 2013).
83
84
NATO, Chicago Summit Declaration (issued by the Heads of State and Government
participating in the meeting of the North Atlantic Council in Chicago on 20 May 2012) para.
49 <http://www.nato.int/cps/en/SIDD03EFAB6-46AC90F8/natolive/official_texts_87593.htm?
selectedLocale=en> accessed 2 December 2013.

17 / Date: 25/3
Initiative (four States), Membership Action Plan (three States) and the Individual
Partnership Cooperation Programme (six States). Cooperation is based on documents
which detail the political guidance agreed by NATO Member States as to the goals and
possibilities of cooperation in the cyber realm. Such cooperation will be based on
shared values and common approaches and could encompass awareness-raising
activities and sharing of best practices. The details of the cooperation are decided on in
each case at the highest political level of the organization. Although NATO views its
partner-outreach in global terms, the cooperation with regard to cyber defence is
currently, by nature, limited to those partner countries which can contribute and thus
offer mutual benefit. Importantly, NATO endeavours within its cooperation with
partners to promote complementarity and not to duplicate efforts already undertaken
within other international organisations.
The cooperation in the context of cyber defence and security is also envisioned with
other international organizations, with academia and with industry.85 Cooperation with
the EU seems especially important, as the organizations have a significant overlap in
membership. Because of the different foci of the organizations, many opportunities for
complementarity can be identified and duplication of effort avoided. However, the
cooperation seems to be challenged by political aspects. High-Level Staff Talks have
been conducted in the past and were renewed mid 2013 following the publication of the
EU cyber security strategy. The EU was invited to the ‘Cyber Coalition’ exercise of
NATO as an observer, and an invitation from side of EU to their cyber exercises is to be
expected. Those are first promising steps.
Developing genuine partnerships with industry, which owns approximately 80 per
cent of the Internet infrastructure worldwide, is widely recognized as vital in ensuring
effective cyber defence both across the Alliance and also for the organization.86 In 2012
the NATO Industrial Advisory Group (NIAG), a high-level consultative body of senior
industrialists from NATO Member States, examined how the private sector could best
assist NATO in carrying out its responsibilities for cyber defence, particularly with
regard to the organization’s role in assisting Member States which are victims of
malicious cyber activities.87 In 2013 and 2014, the NIAG conducts an in-depth study of
actions NATO should take in collaboration with industry to facilitate NATO cyber
defence during crises.88
4. CHALLENGES AND OPPORTUNITIES

NATO is facing several challenges common to every governmental or inter-
governmental organization. First, with regard to IT personnel it competes with industry
for talent, especially with giant software-producing companies and the private cyber
security industry. Additionally, as with every international organization, it draws a
significant proportion of its personnel from secondments from Member States, which
85
86
Ibid.
87
Ibid.
88
Ibid.

18 / Date: 8/5
can decide to keep rare IT and cyber defence talent within their own national structures.
Second, in times of economic crisis, NATO is not immune to financial austerity. It is
unclear how the concept of ‘smart defence’ – cooperation between Allies in developing,
acquiring and maintaining military capabilities known as pooling and sharing – will
apply in the cyber defence arena. The Malware Information Sharing Platform (MISP),
which will be developed by Belgium, seems a rather peculiar project. The Belgian
national platform is already shared with some nations and with the NCIRC. A legal
framework for mutual sharing of information about malware is still to be developed,
and sharing information about malware discovered in a nation’s own national networks
will certainly be voluntary. Allies will also seek to receive information from their
industry; an illusory idea but the only one that could lead to the creation of a joint
cyber threat picture for the Alliance.
NATO is also facing challenges specific to the organization. The 28 NATO Member
States show an enormous variation in the sophistication and use of the cyber realm. The
differences are set out in the national cyber security frameworks which are in place or
missing, usually addressing strategic and political decisions on cyber security; laws and
regulations; organizational and administrative measures, including communication and
crisis management procedures; and technical protection measures. That diversity is
mirrored in the different levels of national cyber defence capabilities and in the interest
of the Member States toward cyber defence. Consequently, taking any decision on the
topic within the organization is a challenge and implementation can be hampered by a
lack of interest or capability. NATO does conduct some ‘soft’ programmes aiming at
building up the cyber defence capabilities of the less ‘cybered’ Member States, as the
Alliance can be only as strong as its weakest member. However, it seems this support
will not result in providing a ‘free ride’ for the less developed members in terms of, for
instance, building up national IT structure and cyber security framework by using
common funding, or with regard to providing cyber defence through the organization
instead of the member. National cyber defence is determined within the NATO policy
as the individual responsibility of each Ally. The differences in cyber defence
sophistication equally present a challenge for cooperation with partner nations.
Cooperation cannot be one-sided, but must be of mutual benefit to all parties involved.
As only some partner nations show both a level of sophistication and common values,
only a minority of NATO partners will be eligible for cooperation in cyber security or
cyber defence.
Meaningful cooperation with industry would require information sharing between the
organization and the companies, which should also be mutually beneficial. This would
require all NATO Member States to agree on information sharing possibilities, which
would consider national security interests and the security interests of the Alliance as
well as national regulations with regard to sharing of governmental information.
Considering the different interests and legal frameworks of the 28 members, this will
be a considerable challenge.
NATO’s comprehensive and multi-stakeholder approach to cyber defence govern-
ance, and the necessary implementation of cyber defence across all the levels and
entities of the Alliance, could impair the ability of governing bodies to take quick

19 / Date: 25/3
decisions in cyber crisis situations.89 Any further insight and lessons learned with
regard to this aspect must be left to future developments.
Despite all the challenges NATO faces with regard to the complex topic of cyber
defence, the organization can be deemed relatively advanced when compared to other
international organizations dealing with international security issues. NATO was the
first international organization to deal with cyber threats and the mechanisms which the
organization offers can, despite appearances, prove very effective. The organization has
a good and solid crisis management system which can be used in situations of cyber
crisis. The future practice of NATO and its Member States will show in which aspects
the Alliance needs to adapt its mechanisms in order to provide effective cyber defence.
The organization has proved, since its establishment in 1949, that it is able to swiftly
adapt to new security environments, and it has good prospects to build up and improve
the existing crisis management mechanisms and the ‘hands-on’ as well as ‘soft’
assistance it is prepared to provide its members and partner countries.
However, the cyber security environment of the Alliance as a whole depends on the
national cyber security situation and cyber defence capabilities of its members. In this
regard, much remains to be done.
89
See Areng (n 13) 578.

20 / Date: 25/3
21. Cyber security in the Asia-Pacific

Hitoshi Nasu and Helen Trezise
1. INTRODUCTION
Cyber threats have been characterised as the Asia-Pacific’s chief security problem.1 As
Information and Communications Technology (ICT) dependence has continued to
permeate Asia-Pacific societies, the significance of securing cyberspace has increas-
ingly been recognised by regional authorities. Though efforts remain at ‘varying levels
of maturity’,2 the development and implementation of domestic cyber security strat-
egies has become a top priority for many Asia-Pacific nations. A number of countries in
the region have already adopted new cyber security policies, including Australia,3
Japan,4 Malaysia,5 Singapore,6 and the New Zealand.7 The rapidly increasing sophis-
tication, diversity and ingenuity of cyber threats in the region has meant that such
policies must remain dynamic and responsive; hence, for example, experts called for an
update to the Australian Government’s 2009 Cyber Security Strategy as a matter of
urgency,8 and the government itself acknowledged the importance of responsive
approaches to malicious cyber actors who are adaptive and agile.9
1
See, e.g., Robert K. Ackerman, ‘Diverse Pacific Nations share concerns’ (2011) 65(5)
Signal 59, 62.
2
James A. Lewis, ‘Asia: The Cybersecurity Battleground’ (Statement before the Sub-
committee on Asia and the Pacific, House Foreign Affairs Committee, US Congress, Washing-
ton, 23 July 2013) 6.
3
Commonwealth of Australia, ‘Cyber security strategy’ (2009) <http://www.ag.gov.au/
RightsAndProtections/CyberSecurity/Documents/AG%20Cyber%20Security%20Strategy%20-%
20for%20website.pdf> accessed 20 November 2013.
4
Japanese Government Ministry of Defence, ‘Defence of Japan 2013’ (2013) 80 <http://
www.mod.go.jp/e/publ/w_paper/2013.html> accessed 28 November 2013; Japanese Government
Information Security Policy Council, ‘Cyber security strategy’ (2013) <http://www.nisc.go.jp/
active/kihon/pdf/cybersecuritystrategy-en.pdf> accessed 28 November 2013.
5
Malaysian Government Ministry of Science, Technology and Innovation, ‘National
cyber-security policy’ (2006) <http://nitc.mosti.gov.my/nitc_beta/index.php/national-ict-policies/
national-cyber-security-policy-ncsp> accessed 22 November 2013.
6
Infocomm Development Authority of Singapore, ‘Singapore continues to enhance cyber
security with a five-year national cyber security masterplan 2018’ (Press Release, 24 July 2013).
7
New Zealand Government Department of Communications and Information Technology,
‘New Zealand’s cyber security strategy’ (June 2011) <http://www.dpmc.govt.nz/dpmc/
publications/nzcss> accessed 22 November 2013.
8
See Peter Jennings & Tobias Feakin, ‘Special Report: The emerging agenda for
cybersecurity’ (Australian Strategic Policy Institute, 29 July 2013).
9
Australian Government Department of the Prime Minister and Cabinet, ‘Strong and
secure: A strategy for Australia’s national security’ (2013) 40–41 <http://www.dpmc.gov.au/
national_security/docs/national_security_strategy.pdf> accessed 28 November 2013.
446
1 / Date: 7/5
Cyber security in the Asia-Pacific 447
With the majority of the world’s Internet users residing in the Asia-Pacific,10 cyber
security in this region is an issue that demands close scrutiny. According to analysis by
the Organisation for Economic Co-operation and Development (OECD), most domestic
cyber security policies focus on achieving two interconnected objectives: ‘strengthening
cyber security for the Internet economy to further drive economic and social prosperity;
and protecting cyber-space reliant societies against cyber-threats’.11 Therefore, it is in
the best interests of States to promote regional cooperation, as the growing regional
dependence on ICT infrastructure and various opportunities heralded by the digital age
mean that countries ‘now have a large stake in a … stable and secure internet’.12 This
chapter reviews cyber security policy initiatives by regional institutions in the Asia-
Pacific with a view to considering how regional cyber security efforts are hampered by
interaction with traditional security challenges that confront many States in the region.
2. GEOPOLITICAL LANDSCAPE AND CYBER SECURITY

Cyber security threats present a particularly complex challenge for the Asia-Pacific
region due to pre-existing geopolitical rivalries, as well as the political, economic, and
socio-cultural diversity that characterises this region.13 Security threats posed in
cyberspace do not arise in a political or socio-economic vacuum, but are often a
manifestation or extension of political or socio-economic tensions that already exist in
the real world.
First, cyberspace has increasingly been seen as a new domain of battlespace in which
sovereign States must defend their national interests. For that reason, the notion of
cyber security has been elevated to a matter of national security in many States. The
2012 OECD report on the analysis of the cyber security policies of ten OECD countries
described ‘sovereignty considerations’ as an emerging trend in cyber security policy
making.14 This trend is reflected in a number of national cyber security approaches
within the Asia-Pacific region, where States commonly describe threats to domestic
10
922.2 million of the 2.1 billion Internet users around the world are located in Asia:
European Commission (EC), ‘Commission Staff Working Document: Impact Assessment
accompanying the document – Proposal for a Directive of the European Parliament and of the
Council concerning measures to ensure high level of network and information security across the
Union’ (SWD(2013) 32 final, 7 February 2013) 147 <http://eeas.europa.eu/policies/eu-cyber-
security/cybsec_impact_ass_en.pdf> accessed 28 November 2013.
11
OECD, ‘Cybersecurity policy making at a turning point: Analysing a new generation of
national cybersecurity strategies for the Internet economy’ in OECD Digital Economy Papers
(No. 211, OECD Publishing 2012) 6.
12
Australian Government, ‘Australia in the Asia Century’ (White Paper, October 2012) 238
<http://www.asiaeducation.edu.au/verve/_resources/australia-in-the-asian-century-white-paper.
pdf> accessed 28 November 2013.
13
See generally, Robert K. Ackerman, ‘Cyber security dominates Asia-Pacific agenda’
(2011) 65(5) Signal 59; Nicholas Rees, ‘EU and ASEAN: Issues of regional security’ (2010) 47
Int’l. Politics 402.
14
See OECD (n 11) 7.

2 / Date: 15/5
cyber security as threats to their ‘national security’.15 For example, Australia’s 2009
and 2013 Defence White Papers recognise that malicious cyber activity could compro-
mise national security if directed towards ‘defence, government or commercial infor-
mation networks’.16 In light of this, the 2013 Defence White Paper emphasises the need
to develop capabilities that will allow the Australian Defence Force ‘to gain an
advantage in cyberspace, guard the integrity of our information, and ensure the
successful conduct of operations’.17 Similarly, New Zealand’s Cyber Security Strategy,
adopted in 2011, notes that a targeted cyber attack could disrupt critical services,
negatively impact the national economy, and ultimately endanger the security of the
State.18 Japan’s 2013 Cyber Security Strategy envisages the strengthening of its
Self-Defence Force’s ability to counter cyber attacks, as part of its goal to create a
‘resilient’ cyberspace,19 and South Korea views cyberspace as ‘another operational
domain like the nation’s territories on land, air and sea that need a State-level defense
system’.20 Indonesia is reportedly developing a ‘cyber army’ to tackle its own cyber
insecurities.21
These national security approaches to cyber security are tethered to the pre-existing
geopolitical conditions that shape each State’s national defence strategies, and even
have the potential to unnecessarily increase regional security tensions. The unique
characteristics of offensive cyber tools – for example, unlimited geographical coverage
of attacks and the difficulty of identifying the attacker – make them an attractive option
to achieve strategic objectives in disguise.22 As Ackerman notes, ‘[t]raditional area
geopolitical rivalries are enhanced by the potential for cyber operations, and nations
once secure behind rugged borders or vast bodies of water now face potential threats to
their national infrastructure through a realm that knows no borders’.23 Indeed, regional
States, particularly the US, have expressed growing concerns about increased ‘cyber
intrusions … tied to the Chinese government and military’ in the region.24 Regional
15
See generally, Michael Portnoy & Seymour Goodman (eds.), Global Initiatives to Secure
Cyberspace: An Emerging Landscape (Springer 2009).
16
Australian Government Department of Defence, ‘Defence White Paper 2013’ (2013)
para. 2.82 (Australian Defence White Paper 2013) <http://www.defence.gov.au/whitepaper2013/
docs/WP_2013_web.pdf> accessed 28 November 2013.
17
Ibid.
18
New Zealand’s ‘Cyber security strategy’ (n 7).
19
Japanese ‘Cyber security strategy’ (n 4). See also ‘Defence of Japan’ (n 4) 80.
20
Lee Youkyung, ‘S. Korea charts out national cyber security strategy’ Yonhap News
Agency (Online, 8 August 2011) <http://english.yonhapnews.co.kr/techscience/2011/08/08/45/
0601000000AEN20110808006500320F.HTML> accessed 20 November 2013.
21
See Abu Hanifah, ‘Indonesia to create its own “cyber army”’ Xinhua News Agency
(Online, 29 May 2013) <http://news.xinhuanet.com/english/world/2013-05/29/c_132416837.
htm> accessed 20 November 2013.
22
This raises an issue of attribution under international law. See, e.g., Nicholas Tsagourias,
‘Cyber attacks, self-defence and the problem of attribution’ (2012) 17 J. Conflict & Sec. L. 229.
23
Ackerman (n 13) 59.
24
International Institute for Strategic Studies, ‘The Shangri-La Dialogue Report 2013’ (8
August 2013) 20, quoting United States Secretary of Defense Chuck Hagel <http://www.iiss.org/
en/publications/conference%20proceedings/sections/shangri-la-aa36/the-shangri-la-dialogue-2013-
395b> accessed 28 November 2013.

3 / Date: 7/5
military powers including Australia, Democratic People’s Republic of Korea, India,

Myanmar, the People’s Republic of China (PRC), and the Republic of Korea are all
reported to have been developing offensive cyber warfare capabilities as part of
modernisation of military forces.25
Second, the fragmented political, economic and socio-cultural identity of the
Asia-Pacific region is reflected in the disparity in technological capabilities and cyber
infrastructure among regional States. The rise of globalisation has seen that ICT plays
a pivotal role in the advancement of regional States, a ‘key defining tool … of modern
nation-building’.26 However, as Nicholas Thomas notes, this ‘virtual process’ has
‘mirrored the uneven pattern of economic development found across East Asia’.27 As
such, there exists a significant digital divide between technologically advanced nations
such as Australia, Japan, the PRC, Singapore and the Republic of Korea, and States
such as Cambodia, Laos, Myanmar, Vietnam, and Timor-Leste.28 The result is that
some States have been refining cyber security strategies and adapting to evolving cyber
threats for years now, while in other countries, limited cyber infrastructure and ICT
usage have meant that cyber threats are only just becoming, or still yet to become,
‘security’ issues.
In developing regional cyber security confidence building measures (‘CBMs’), some
States are of the view that the particular characteristics of the Asia-Pacific region,
including the cyber capacity of developing States and differences in domestic political,
economic, and socio-cultural orientations, must be duly taken into account.29 The PRC
goes so far as to say that ‘we should attach more importance to the cultural elements
behind the Internet public policies of different countries’,30 advocating the need for
tighter government regulation of cyberspace. Australia, on the other hand, in its
Australia in the Asian Century White Paper observes that ‘the internet needs to remain
open and free of unnecessary government regulation’.31
25
James A. Lewis & Katrina Timlin, ‘Cybersecurity and cyberwarfare: Preliminary
assessment of national doctrine and organization’ (Centre for Strategic and International Studies,
2011) 6, 8–9, 13, 16, 18.
26
Ubaidillah Masli, ‘Cooperation needed on cybersecurity’, The Brunei Times (Brunei-
Muara, 24 May 2013) A01, quoting Colonel (Rtd) Pg Dato Paduka Hj Azmansham Pg Hj
Mohamad, speaking at the opening of the 10th ASEAN Regional Forum Security Policy
Conference. See also, Council of Security Cooperation in the Asia Pacific (CSCAP), ‘Ensuring
a safer cyber security environment’ (Memorandum No 20, 2012).
27
Nicholas Thomas, ‘Cyber security in East Asia: Governing anarchy’ (2009) 5 Asian
Security 3, 4.
28
See, e.g., Caitríona H. Heinl, ‘Regional cyber security: Moving towards a resilient
ASEAN cyber security regime’ (Working Paper No 263, S Rajaratnam School of International
Studies, 9 September 2013) 7.
29
See, e.g., Kwon Haeryong, ‘The ARF perspectives on TCBMs: Future work’ (Presented
at United Nations Institute for Disarmament Research Cyber Security Conference, Geneva, 8–9
November 2012).
30
Chinese Assistant Foreign Minister, Zheng Zeguang, quoted in Tobias Feakin, ‘ARF, and
how to change the tune of the cyber debate’, The Strategist (14 October 2013) <http://
aspistrategist.org.au/arf-and-how-to-change-the-tune-of-the-cyber-debate/> accessed 20 Novem-
ber 2013.
31
‘Australia in the Asian Century’ (n 12) 238.

4 / Date: 7/5
Third, cyber security threats might emanate not just from nation States and
State-sponsored actors, but also from non-State actors, such as terrorist groups and
individuals.32 Contemporary cyber threats emerge in a multitude of forms and reflect a
range of motivations, from moneymaking to cyber espionage, sabotage, destabilisation,
and other strategic and tactical military advantages. Indeed, concerns have more
recently been raised over the growing threat of cyber intrusion by organisations, as
opposed to individual hackers.33 In addition, the increasing volume, complexity,
seriousness, and professionalism of such attacks further complicate any efforts to
secure and stabilise cyberspace.
The transnational nature of cyber security threats means that mere unilateral
responses and countermeasures are ineffective. This is particularly problematic in a
region like the Asia-Pacific where, as Nicholas Rees explains, ‘there are a number of
weak states with limited political and institutional capacity to address [cross-border]
threats’.34 Thus, transnational cyber security concerns have increasingly become focal
points of key regional bodies, particularly Association of Southeast Asian Nations
(ASEAN), its ASEAN+ progenies, the ASEAN Regional Forum (ARF), and the
Asia-Pacific Economic Cooperation (APEC).35
Ultimately, the ‘digital divide’ and the lack of homogeneity amongst Asia-Pacific
nations, not just economically but also politically and socio-culturally, poses a
challenge to the ability of regional forums and institutions to galvanise members into
collective action against cyber security threats.36 However, this disparity can also be
considered an advantage within the regional framework, as it means that developing
countries can work within and seek assistance and guidance from regional institutions
in overcoming inadequacies in ICT capacity and meeting challenges posed by cyber
security threats from the outset.37 As the Council for Security Cooperation in the
Asia-Pacific stresses, holistic domestic cyber security policies and regional collective
measures of cooperation comprise the two essential measures required to ‘maximise
protection against cyber threats and also maximise the regional benefits of the digital
32
See Thomas (n 27) 5.
33
See, e.g., Voltaire Gazmin, ‘New trends in Asia-Pacific security’ (Speech delivered at the
Asia Security Summit, Shangri-La Hotel, Singapore, 2 June 2013) <http://www.iiss.org/en/
events/shangri%20la%20dialogue/archive/shangri-la-dialogue-2013-c890/fourth-plenary-session-
0f17/gazmin-1599> accessed 20 November 2013.
34
Rees (n 13) 408.
35
Regional leaders consider these institutions to be key players in regional cyber security
policy development, as expressed at the 7th East Asia Summit (EAS), in which they specifically
noted ‘the efforts of ASEAN, the ARF and APEC in addressing cyber security matters’:
‘Chairman’s Statement of the 7th East Asia Summit’ (7th EAS, Phnom Penh, Cambodia, 20
November 2012) <http://www.asean.org/images/documents/Final_Chairman%20Statement%20
of%20the%207th%20EAS%20(Final).pdf> accessed 28 November 2013. Other regional cyber
security initiatives such as the Asia-Pacific Telecommunity (APT) and the United Nations
Economic and Social Commission for Asia and the Pacific have a more technical focus on ICT
regulation in general. See generally, Portnoy and Goodman (n 15) Ch 4.
36
See Rees (n 13) 408.
37
See Heinl (n 28) 7 and 11 (citing Chris Finan, former Director for Cybersecurity
Legislation and Policy, US National Security Staff at the White House, ‘Effective and Credible
Cyber Deterrence’ (CENS Cybersecurity Workshop, 27 May 2013)); Thomas (n 27) 11.

5 / Date: 7/5
economy’.38 The critical question relevant to this chapter is to what extent existing
regional institutions in the Asia-Pacific have contributed to attaining these competing
goals within their institutional framework.
3. REGIONAL CYBER SECURITY APPROACHES

Over the past decade, Asia-Pacific States have attempted to address an increased variety
of non-traditional security issues within regional frameworks,39 which encompass
environmental security, economic security, health security and transnational organised
crime. More recently, tension has been rising with actual and possible military
confrontations between regional States involved in territorial disputes, in particular
between the PRC and the Philippines over Scarborough Shoal, and between the PRC
and Japan over the Diaoyu / Senkaku Islands. These military and non-military concerns
are both influencing the dynamics of the security landscape in the Asia-Pacific, and
they provide a critical context for understanding its regional engagement with the
domain of cyber security over the last decade and into the future. This section reviews
the development of regional cyber security policy initiatives for the purpose of
understanding the institutional rationale and the obstacles to regional cooperation in
securing cyberspace.
(a) Association of Southeast Asian Nations (ASEAN)
ASEAN was founded by Indonesia, Malaysia, the Philippines, Singapore and Thailand
with the aim ‘to ensure their stability and security from external interference in any
form or manifestation’.40 From its inception, ASEAN has served its role as a political
platform with dual regional security functions – committing themselves to collective
efforts to remove external interference, on the one hand, and entering into reciprocal
arrangements to ensure the internal stability and security of the government in each
member State, on the other – forming the basis for the development of ASEAN as a
‘security community’.41 Both are based on the 1976 Treaty of Amity and Cooperation
in Southeast Asia:42 the former is embedded in the regional principle of non-
interference in Article 2(c), whereas the member States’ commitment to ‘endeavour to
strengthen their respective resilience in … security fields’ (emphasis added) in Article
11 supports the latter role. The ASEAN Charter, adopted in 2007, reaffirms these
38
CSCAP (n 26) 1.
39
See generally, e.g., Mely Caballero-Anthony, Ralf Emmers & Amitav Acharya (eds.),
Non-Traditional Security in Asia: Dilemmas in Securitization (Ashgate 2006).
40
The Bangkok Declaration (Bangkok, 8 August 1967) <http://www.asean.org/news/item/
the-asean-declaration-bangkok-declaration> accessed 22 November 2013. ASEAN has expanded
its membership since then, adding Brunei Darussalam, Cambodia, Laos, Myanmar and Vietnam.
At the time of writing, a bid for membership by Timor-Leste is being considered.
41
For details, see especially, Amitav Acharya, Regionalism and Multilateralism: Essays on
the Cooperative Security in the Asia-Pacific (Eastern Universities Press 2003) 227–30.
42
Treaty of Amity and Cooperation in Southeast Asia (24 February 1976, entered into force
15 July 1976) 1025 UNTS 319.

6 / Date: 7/5
commitments by proclaiming that it aims to ‘enhance regional resilience by promoting

greater political, security … cooperation’ based on a ‘shared commitment and
collective responsibility in enhancing regional peace, security and prosperity’.43
ASEAN’s cyber security policy has indeed developed along this line of dual
functions, although with some modification towards further regional integration and
more active engagement with external actors. On the one hand, particularly at the initial
stage, ASEAN has attempted to secure cyberspace through regional cooperation in
building national cyber security resilience. More recently, ASEAN has realised the need
for more comprehensive cyber security efforts in order to secure cyberspace from
common threats such as transnational cyber intrusions by criminal and terrorist
organisations.44
The initial stage of regional cyber security policy initiatives in ASEAN can be
characterised as the cooperative building of national cyber security resilience. Respons-
ibility for ICT infrastructure and capacity development has fallen primarily to the
ASEAN Telecommunications and IT Ministers (TELMIN) – now part of the ASEAN
Economic Community whose aim is to enhance the region’s economic growth and
competitiveness.45 With the aim of bridging the digital divide within the region,
TELMIN adopted the e-ASEAN Initiative in 1999, and subsequently the e-ASEAN
Framework Agreement in 2001, looking in part to encourage cooperation between
member States to develop, strengthen and enhance the competitiveness of the regional
ICT sector,46 especially within developing States. The 1998 Hanoi Plan of Action also
called for the establishment of the ‘ASEAN Information Infrastructure’, designed to
ensure the interoperability and interconnectivity of IT systems within member States.47
In 2003, TELMIN’s cyber development goals were conflated with cyber security
agendas by the Singapore Declaration, which called on all ASEAN Member States to
establish national Computer Emergency Response Teams (CERTs) by 2005 (following
the inauguration of LaoCERT in February 2012, this goal has belatedly been
achieved).48 This formed part of a push by TELMIN to establish a common regional
framework for sharing cyber expertise as well as cyber security threat and vulnerability
assessment information so as to ‘help develop cybersecurity policies and exchange
43
Charter of the Association of Southeast Asian Nations (20 November 2007, entered into
force 15 December 2008) arts 1 and 2(2)(b).
44
Thomas (n 27) 11.
45
See generally ASEAN Secretariat, ‘ASEAN Economic Community Blueprint’ (2008)
<http://www.asean.org/archive/5187-10.pdf> accessed 22 November 2013.
46
See e-ASEAN Framework Agreement (2001) art 2 <http://www.asean.org/news/item/e-
asean-framework-agreement> accessed 22 November 2013.
47
Hanoi Plan of Action (adopted by the 6th ASEAN Summit, Hanoi, Vietnam, 15
December 1998) para. 3.1.1 <http://www.asean.org/news/item/hanoi-plan-of-action> accessed 28
November 2013.
48
See ASEAN TELMIN, ‘Singapore Declaration’ (3rd TELMIN, September 2003);
ASEAN TELMIN, ‘Joint Media Statement of the Third ASEAN Telecommunications and IT
Ministers’ (3rd TELMIN, Singapore, 19 September 2003) para. 4 <http://www.asean.org/
communities/asean-economic-community/category/press-releases-13> accessed 28 November
2013; Heinl (n 28) 34–5.

7 / Date: 7/5
real-time information on cybersecurity issues’.49 Subsequently, in its Economic Com-

munity Blueprint, ASEAN emphasises the need for a secure and interconnected
regional information infrastructure.50
Behind this shift in policy focus to a more regional common framework is the
realisation that promoting regional ICT interconnectivity, and thus interdependence, as
a way to strengthen the region’s overall stability and prosperity ‘raise[s] the threat
spectre for cross-border cyber incidents’.51 Malaysian Minister of Defence Dato’ Seri
Dr Ahmad Zahid Hamidi made this point clear at the 2012 Asia Security Summit
(Shangri-La Dialogue), stating that while ASEAN, and Malaysia in particular, benefit-
ted from regional interconnectivity, ‘a major cyber-attack on the network linking its
members would have grave implications leading towards destabilisation’.52 Given that
less developed countries are at greater risk of cyber intrusion, this further highlights the
need for regional cooperation in capacity building exercises and other cyber security
measures aimed at mitigating potential ‘weak links’.53
The ASEAN ICT Masterplan 2015 (AIM2015), which was adopted in 2011 to set out
ASEAN’s quest to become a ‘global ICT hub’,54 in particular addresses the potential
negative ramifications of increased ICT interconnectivity and interoperability. As
Caitríona Heinl explains:
AIM2015 calls for the development of a common framework for network security, the
establishment of common minimum standards for network security to ensure a high level of
preparedness and integrity of networks across ASEAN, a network security ‘health screening’
program for ASEAN to be implemented at regular intervals, the development of best practice
models for business continuity and disaster recovery for all sectors, and the establishment of
a multi-stakeholder ASEAN Network Security Action Council (ANSAC) to promote Com-
puter Emergency Response Team cooperation and sharing of expertise.55
ANSAC has met annually since 2012, and its tasks so far have included reviewing the
ASEAN Telecommunication Regulators’ Council (ATRC) Framework for Cooperation
on Network Security, through which ASEAN TELMIN’s work is largely completed.
Thus, in pursuing enhanced regional cyber capacity, interconnectivity and ICT
infrastructure within the region, ASEAN leaders started seeing comprehensive cyber
security efforts as increasingly vital. Cyber security featured in TELMIN’s 2012
49
ASEAN TELMIN, ‘Joint Media Statement of the Third ASEAN Telecommunications and
IT Ministers’ ibid.
50
See ‘ASEAN Economic Community Blueprint’ (n 45) para. 51.
51
Heinl (n 28) 6.
52
Dato’ Seri Dr Ahmad Zahid Hamidi, ‘New forms of warfare – Cyber, UAVs and
emerging threats’ (Speech delivered at the Asia Security Summit, Shangri-La Hotel, Singapore, 3
June 2012) <http://www.iiss.org/en/events/shangri%20la%20dialogue/archive/sld12-43d9/fourth-
plenary-session-1353/dato-seri-dr-ahmad-zahid-hamidi-b13b> accessed 28 November 2013.
53
Heinl (n 28) 12.
54
ASEAN Secretariat, ‘ASEAN ICT Masterplan 2015’ (2011) 26 <http://www.asean.org/
resources/publications/asean-publications/item/asean-ict-masterplan-2015> accessed 22 Novem-
ber 2013.
55
Heinl (n 28) 29.

8 / Date: 7/5
Mactan Cebu Declaration.56 In the Declaration, TELMIN made a number of security

related undertakings, among other things, to:
+ cooperate and participate in the building and promotion of a safe, secure and
trusted online environment;
+ harmonise ICT rules and regulations;
+ facilitate the presence of a robust and resilient information infrastructure; and
+ enhance policy framework development, cooperation, and sharing of best prac-
tices on the protection of data and information infrastructures.57
The Declaration also seeks to boost cyber security through strengthening the regional
CERT programs – for example, ASEAN CERT Incident Drills, aimed at enhancing
‘incident investigation and coordination amongst [ASEAN and other regional]
CERTs’.58 However, these efforts for a regional comprehensive framework based on
national-level cyber security programs, at least so far, remain piecemeal and frag-
mented and show a lack of region-wide cohesiveness.59
ASEAN has also sought to address cyber insecurities along with other regional
security issues through its Political-Security Community, whose aim is to establish a
‘cohesive, peaceful, stable and resilient region with shared responsibility for compre-
hensive security’.60 Within this Community, cyber security has primarily been the
domain of the ARF, as will be further examined in the next section. However, through
ASEAN Defence Ministers Meetings (ADMMs), it has also been seeking to ‘enhance
ASEAN’s capacity and develop capabilities to contribute to operational effectiveness in
addressing non-traditional security challenges’.61 At the 7th ADMM in May 2013, for
example, the ASEAN Defence Ministers endorsed the establishment of a regional
‘Logistics Support Framework’.62 During the same meeting, Vietnamese Minister of
National Defence Phung Quang Thanh reportedly called on ASEAN to deepen ties with
the two major powers of the region, the PRC and the US.63
It has been suggested that an expanded regional arrangement with major powers
would be beneficial for the entire region, given that ASEAN’s perception as a ‘neutral
56
ASEAN TELMIN, ‘Mactan Cebu Declaration: Connected ASEAN – Enabling Aspira-
tions’ (12th TELMIN, the Philippines, 15–16 November 2012) <http://www.asean.org/news/
asean-statement-communiques/item/mactan-cebu-declaration-connected-asean-enabling-
aspirations> accessed 28 November 2013.
57
Ibid. paras 7–14.
58
Ibid. para. 16.
59
Heinl (n 28) 2.
60
ASEAN Secretariat, ‘ASEAN Political-Security Community Blueprint’ (2009) para. 10
<http://www.asean.org/archive/5187-18.pdf> accessed 22 November 2013.
61
ASEAN Secretariat, ‘ASEAN Defence Ministers Strengthen Cooperation Ties’, ASEAN
Secretariat News (8 May 2013) <http://www.asean.org/news/asean-secretariat-news/item/asean-
defence-ministers-strengthen-cooperation-ties> accessed 20 November 2013.
62
Ibid.
63
‘ASEAN chiefs work closely on security issues’, Việt Nam News (8 May 2013)
<http://vietnamnews.vn/politics-laws/239041/asean-chiefs-work-closely-on-security-issues.html>

9 / Date: 8/5
broker’ positions it well to mitigate tensions between the two powers,64 particularly in
relation to cyber incidents. It is notable in this context that ASEAN developed the
ASEAN Cooperation Plan, which supports joint projects between the US and ASEAN
and relevantly includes the promotion and enhancement of cyber security in the
region.65 In August 2013, ASEAN Defence Ministers and eight ASEAN Dialogue
Partners discussed what role the defence sector has to play in addressing emerging
non-traditional security threats, including cyber security, at the Second ADMM+
meeting held in Brunei Darussalam.66 There is also a prospect that the issue of cyber
defence and cyber warfare will be put on the agenda for ADMMs in the future.67
(b) ASEAN Regional Forum (ARF)
The ARF was established by ASEAN in 1994 to help promote peace and prosperity
across the region,68 and currently has a membership base of 27 nations.69 Although it
originally emerged as a cooperative platform for confidence building and preventive
diplomacy,70 it has further institutionalised with a common security vision based on the
ideas of cooperative security and comprehensive security, as enshrined in the 2009
Vision Statement.71 It has been designated in Bali Concord II, adopted in 2003, as ‘the
primary forum in enhancing political and security cooperation in the Asia-Pacific
64
Heinl (n 28) 3.
65
See Office of the Spokesman, US Department of State, ‘US ASEAN Cooperation Plan’
(Fact Sheet, 29 July 2005).
66
ASEAN Secretariat, ‘ASEAN Defence Ministers and their Plus Counterparts Reaffirm
Commitment for Regional Peace and Security at the 2nd ADMM-Plus’ ASEAN Secretariat News
(3 September 2013) <http://www.asean.org/news/asean-secretariat-news/item/asean-defence-
ministers-and-their-plus-counterparts-reaffirm-commitment-for-regional-peace-and-security-at-the-
2nd-admm-plus> accessed 20 November 2013. The eight ASEAN dialogue partners were
Australia, India, Japan, New Zealand, the PRC, Russia, the Republic of Korea, and the US.
67
Remarks made by Purnomo Yusgiantoro, Minister of Defence, Indonesia, at Shangri-La
Dialogue 2013 Third Plenary Session: Military Modernisation and Strategic Transparency, 1
June 2013, available via <www.iiss.org> accessed 18 August 2013.
68
See, e.g., ‘The ASEAN Regional Forum: A Concept Paper’ (adopted by the ASEAN
Regional Forum Ministerial Meeting 1 August 1995) para. 5 (‘1995 Concept Paper’) <http://
aseanregionalforum.asean.org/files/library/Terms%20of%20References%20and%20Concept%20
Papers/Concept%20Paper%20of%20ARF.pdf> accessed 22 November 2013.
69
The 27 members are the ten ASEAN member nations (Brunei Darussalam, Cambodia,
Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam),
the ten ASEAN dialogue partners (Australia, Canada, the European Union, India, Japan, New
Zealand, the PRC, Republic of Korea, Russia and the US), one ASEAN observer (Papua New
Guinea), and the Democratic People’s Republic of Korea, Mongolia, Pakistan, Timor-Leste,
Bangladesh and Sri Lanka.
70
1995 Concept Paper (n 68) para. 6; ‘The First ASEAN Regional Forum Ministerial
Meeting’ (Chairman’s Statement, Bangkok, Thailand, 25 July 1994) para. 4 <http://www.
asean.org/archive/arf/ARF-Doc-Series-2004/Chapter-1.pdf> accessed 28 November 2013.
71
‘ASEAN Regional Forum Vision Statement’ (16th ARF, Phuket, Thailand, 23 July 2009)
<http://aseanregionalforum.asean.org/files/library/ARF%20Chairman’s%20Statements%20and%
20Reports/The%20Sixteenth%20ASEAN%20Regional%20Forum,%202008-2009/ARF_Vision_
Statement.pdf> accessed 22 November 2013.

10 / Date: 7/5
region’.72 As Joshua Kurlantzick notes, while the ARF ‘has no authority beyond
ASEAN’s, it provides an opportunity for increased dialogue and interaction’ between
major regional actors.73 One of the ARF’s key focuses is counterterrorism and
transnational crime, and inter-sessional meetings are held on this topic. It is within this
framework that cyber security is addressed, with Australia, Malaysia, and the Russian
Federation co-leading cyber security efforts.
Since 2004, the ARF has conducted regular seminars and workshops on cyberspace,
with particular focus on cyber terrorism, incident response, capacity building, and the
threat of proxy actors. In 2006, the ARF member States issued the Statement on
Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyberspace,74 which
encouraged enhanced national and regional cyber security regimes on the grounds that
‘an effective fight against cyber-attacks and terrorist misuse of cyber space requires
increased, rapid and well-functioning legal and other forms of cooperation’.75 This
policy was endorsed in the Hanoi Plan of Action to Implement the ARF Vision
Statement by the ARF senior officials’ meeting in May 2010.76
ARF cyber security efforts thus follow the 2006 Statement that envisaged cyber
security threats posed by non-State actors and transnational crimes as common security
challenges within the region. Along this line, the 2012 ‘Workshop on Cyber Security
Incident Response’ hosted by Australia and Singapore, for example, explored the ability
of participating States to cooperate in the event of a regional cyber security incident,
focusing specifically on ‘the benefits of consistent offences and information sharing
mechanisms with law enforcement agencies and computer emergency response
teams’.77 Also, at the 10th ARF Security Policy Conference held in Brunei in May
2013, senior defence policy officials considered a number of cyber security cooperation
opportunities, including ‘the sharing of best-practices, the conducting of professional
exchanges and education on cyber security, as well as streamlining efforts in enhancing
cyber security between different policy areas’.78
72
‘Declaration of ASEAN Concord II’ (9th ASEAN Summit, Bali, Indonesia, 7 October
2003) para. 6 (‘Bali Concord II’) <http://www.asean.org/news/item/declaration-of-asean-
concord-ii-bali-concord-ii> accessed 28 November 2013.
73
Joshua Kurlantzick, ‘ASEAN’s Future and Asian Integration’ (Council on Foreign
Relations, November 2012) 6.
74
‘ASEAN Regional Forum Statement on Cooperation in Fighting Cyber Attack and
Terrorist Misuse of Cyberspace’ (13th ARF, Kuala Lumpur, Malaysia, 28 July 2006) <http://
www.mofa.go.jp/region/asia-paci/asean/conference/arf/state0607-3.html> accessed 28 November
2013.
75
Ibid.
76
‘Hanoi Plan of Action to Implement the ASEAN Regional Forum Vision Statement’
(endorsed by ARF SOM on 20 May 2010) para. 2 <http://aseanregionalforum.asean.org/library/
arf-chairmans-statements-and-reports.html> accessed 28 November 2013.
77
‘ASEAN Regional Forum Work Plan for Counter-Terrorism and Transnational Crime
2011–2012’ in ASEAN Regional Forum at Twenty: Promoting Peace and Security in the
Asia-Pacific (World Affairs Press 2013) 214 <http://aseanregionalforum.asean.org/library/arf-
publication.html> accessed 29 November 2013.
78
‘10th ASEAN Regional Forum Security Policy Conference’ (ASEAN Summit 2013,
23 May 2013) <http://asean-summit-2013.tumblr.com/post/51724122815/10th-asean-regional-
forum-security-policy-conference> accessed 20 November 2013.

11 / Date: 7/5
However, there is evidence of a shift away from this policy in favour of a greater
national cyber security focus. In the ARF Statement on Cooperation in Ensuring Cyber
Security, adopted at the 19th ARF on 12 July 2012, an emphasis was placed on the
need to pursue measures that will ‘further intensify regional cooperation on security in
the use of ICTs’ through, inter alia: dialogue on strategies to address cyber threats in a
way ‘consistent with international law’; enhanced regional cooperation in realising a
‘culture of cyber security’; and the promotion of cyber ‘confidence-building, stability,
and risk reduction measures’.79 Despite its common security foundations set by the
2006 Statement, this document implicitly recognises the growing correlation between
cyberspace and national security concerns, hence emphasising ‘confidence-building and
other transparency measures’ necessary to ‘reduce the risk of misperception, escalation
and conflict’.80 In keeping with this growing national security concern in cyberspace,
discussion currently continues on a proposed ‘ARF Seminar of Experts on the
Development of Cyber CBMs’.81
As South Korean Ambassador to the UN Conference on Disarmament, Kwon
Haeryong observes, Asia-Pacific States are in general ‘rather unengaged’ on issues
relating to the international governance of cyberspace.82 In the ARF context, where
many nations’ own cyber security strategies are still in their nascent form, this is
unsurprising. The present and future uncertainties about the cyber security landscape
and its implications for geopolitical rivalry between ARF member States are reflected
in the fundamental differences between their cyber security approaches. These uncer-
tainties and divergent policy approaches undermine the ARF’s ability to galvanise
members into collective action on cyber security.83
Indeed, the line of division became evident at the ARF ‘Workshop on Measures to
Enhance Cyber Security – Legal and Cultural Aspects’ held in Beijing on 11–12
September 2013. Throughout the workshop, Chinese and Russian delegations refer-
enced their jointly drafted International Code of Conduct, which maintained that
‘policy authority for Internet-related public issues is the sovereign right of States’.
Many Western States have criticised the Code as inconsistent with international
practices and instruments, including the Universal Declaration of Human Rights.84
According to Tobias Feakin, this reflects a familiar tension in the quest to secure the
cyber realm, whereby ‘China and a selection of partners, including Russia, advocate a
State-led legal approach, while most Western States advocate the “multi-stakeholder”
79
‘Chairman’s Statement of the 19th ASEAN Regional Forum’ (19th ARF, Phnom Penh,
Cambodia, 12 July 2012) Annex 4: ‘ARF Statement on Cooperation in Ensuring Cyber
Security’.
80
Ibid.
81
See ‘Chairman’s Statement of the 20th ASEAN Regional Forum’ (20th ARF, Bandar Seri
Begawan, Brunei Darussalam, 2 July 2013) para. 33 <http://aseanregionalforum.asean.org/
library/arf-chairmans-statements-and-reports.html> accessed 29 November 2013.
82
Haeryong (n 29).
83
See Rees (n 13) 408.
84
See ‘Co-Chair’s Summary Report on ARF Workshop on Measures to Enhance Cyber
Security – Legal and Cultural Aspects’ (Beijing, the PRC, 11–12 September 2013) paras 33–37
<http://asean regionalforum.asean.org/library/arf-chairmans-statements-and-reports.html> acces-
sed 29 November 2013.

12 / Date: 7/5
approach which shies away from legally binding agreements and advocates the
promotion of norms of behaviour in cyberspace’.85 Indeed, during the 12th Asia
Security Summit (Shangri-La Dialogue) held in Singapore on 31 May to 2 June 2013,
concerns were raised about ‘ideological and political differences’ inhibiting the
development of a cohesive international legal framework for addressing cyber issues
and increasingly militarising the cyber domain.86
(c) Asia-Pacific Economic Cooperation (APEC)
With a membership base consisting of 21 Pacific Rim economies, APEC is a major

player in the Asia-Pacific region. Formed in 1989, the forum’s overall objectives are to
promote business, trade and investment liberalisation, and economic growth and
prosperity in the region.87 In 1990, the APEC Telecommunications and Information
Working Group (APEC TEL) was created, with a mission to ‘improve telecommunica-
tions and information infrastructure in the Asia-Pacific region by developing and
implementing appropriate telecommunications and information policies, including
relevant human resource and development cooperation strategies’.88 The APEC Senior
Officials and Telecommunications and Information Ministers and Leaders (TELMIN)
direct and oversee the Telecommunications and Information Working Group’s activ-
ities. In turn, APEC TEL, which meets only biannually, operates through three steering
groups: the Liberalisation Steering Group, the ICT Development Steering Group and,
notably, the Security and Prosperity Steering Group (SPSG).
Initially, APEC’s engagement with the cyber realm focused on issues ‘such as
e-commerce, identity theft, and related developments, before shifting in the late 1990s
to focus on criminal aspects of cyberspace (particularly information security)’,89
reflecting its economic focus. APEC also concentrated efforts on the regional realisa-
tion of the full socio-economic benefits of the digital age, as reflected in the Brunei
Goals adopted by the APEC Leaders in 2000, in which they committed to triple
Internet access across the region by 2005, and to ensure that all communities within
member economies had Internet access by 2010.90 The Action Agenda for New
Economy,91 adopted in the same year, envisaged the materialisation of a ‘digital
85
Feakin (n 30).
86
International Institute for Strategic Studies (n 24) 46.
87
‘1989 APEC Ministerial Meeting’ (Joint Statement, Canberra, Australia, 6–7 November
1989) <http://www.apec.org/Meeting-Papers/Ministerial-Statements/Annual/1989/1989_amm.
aspx> accessed 22 November 2013.
88
APEC TEL, ‘Telecommunications and Information’ (APEC, 2013) <http://www.
apec.org/Groups/SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-
Groups/Telecommunications-and-Information.aspx> accessed 19 November 2013.
89
Thomas (n 27) 13 [footnotes omitted].
90
APEC Leaders, ‘Bandar Seri Begawan Declaration – Delivering to the Community’
(Bandar Seri Begawan, Brunei Darussalam, 16 November 2000) paras 15–17 <http://www.apec.
org/Meeting-Papers/Leaders-Declarations/2000/2000_aelm.aspx> accessed 29 November 2013.
91
Ibid. Annex 1: ‘Action Agenda for New Economy’.

13 / Date: 7/5
society’,92 and in 2001 the e-APEC Task Force expanded on it in the e-APEC
Strategy.93 The e-APEC Strategy details three cyber-focus areas, namely: creating an
‘environment for strengthening market structures and institutions’; facilitating an
‘environment for infrastructure investment and technology development’; and enhan-
cing ‘human capacity building and promot[ing] entrepreneurship’.94
The events of 9/11 precipitated a shift in APEC’s dialogue on cyber issues. A little
over a month after the attacks, APEC leaders issued a statement condemning inter-
national terror, noting that it posed a ‘direct challenge to APEC’s vision of free, open
and prosperous economies, and to the fundamental values that APEC members hold’.95
Furthermore, APEC leaders acknowledged the ‘imperative to strengthen international
cooperation at all levels in combating terrorism in a comprehensive manner’,96
including enhanced critical sector protection in the area of telecommunications
infrastructure.97 A year later, this time in the wake of the ‘Bali bombings’, the APEC
Leaders Statement on Fighting Terrorism and Promoting Growth recognised the need
for enhanced cyber security, noting that ‘the global communications network is only as
secure as its weakest link’.98
APEC’s Counter Terrorism Action Plans (CTAPs), whose development stemmed
from these counterterrorism statements, devote a section to ‘promoting cyber security’
and reaffirm commitments to ‘counter … terrorism by implementing and enhancing
critical information infrastructure protection and cyber security to ensure a trusted,
secure and sustainable online environment’.99 The CTAPs provide a space where
member economies can record their APEC commitments to the promotion of cyber
security, as well as the past and future measures they have taken or intend to take to
meet these commitments.100 With a view to strengthening regional ICT infrastructure,
the Plans also ask members to detail cyber capacity building needs, and areas of cyber
security expertise that might assist other APEC members.
92
APEC Electronic Commerce Steering Group (ECSG), ‘e-APEC Strategy’ (Report,
October 2001) 1 <http://publications.apec.org/publication-detail.php?pub_id=584> accessed 29
November 2013.
93
Ibid.
94
Ibid. 1–2. See also APEC Leaders, ‘Bandar Seri Begawan Declaration – Delivering to the
Community’ (n 90).
95
‘APEC Leaders Statement on Counter-Terrorism’ (Shanghai, China, 21 October 2001)
para. 2 <http://www.apec.org/Meeting-Papers/Leaders-Declarations/2001/2001_aelm/~/media/
Files/LeadersDeclarations/2001/01_ldrs_counterterror.pdf> accessed 29 November 2013.
96
Ibid. para. 4.
97
Ibid. para. 6.
98
‘APEC Leaders Statement on fighting terrorism and promoting growth’ (Los Cabos,
Mexico, 26 October 2002) <http://www.apec.org/Meeting-Papers/Leaders-Declarations/2002/
2002_aelm/statement_on_fighting.aspx> accessed 29 November 2013.
99
See APEC, ‘Counter terrorism action plans’ (APEC, 2013) <http://www.apec.org/Groups/
SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Task-Groups/~/link.aspx?_
id=6B7B2BAA018C48A98F733314CF7CA193&_z=z> accessed 20 November 2013. The plans
also include the 2010 commitment, to ‘enhance mutual cooperation on countering malicious
online activities and engage in efforts to increase cybersecurity awareness’.
100
Ibid.

14 / Date: 7/5
In August 2002, the US delegation to APEC TEL submitted the APEC Cybersecurity
Strategy at its 26th meeting, which reportedly laid the foundation for the Shanghai
Declaration,101 in which APEC TELMIN emphasised the importance of network
security and the development of IT security standards and best practice guides.102 It
also directed APEC TEL to ‘give special priority to and facilitate within APEC work on
the protection of information and communications infrastructures’.103 To this end, the
SPSG has been working towards promoting and realising security in the cyber realm.104
In October 2002, APEC Leaders also made commitments to enact domestic laws
governing cyber security and cybercrime,105 and agreed that cyber-laws and policy
should be consistent with international legal instruments, including the Council of
Europe’s Convention on Cybercrime,106 and United Nations General Assembly Resolu-
tion 55/63.107 They supported the development of national CERTs, in order to enable
the ‘exchange [of] threat and vulnerability assessment’.108
In 2005, the APEC Senior Officials recognised in the APEC Strategy to Ensure
Trusted, Secure and Sustainable Online Environment (‘2005 Cybersecurity Strategy’)
that the ability of members and their citizens to harness ICT’s full potential, as
envisaged in the 2000 Brunei Goals and 2001 e-APEC Strategy, had become increas-
ingly dependent on the ‘integrity and security’ of cyberspace.109 They considered that
cyber security sat firmly within APEC’s core mandate, given that ‘most traditional
economic and social activities in many APEC Member Economies have become
dependent on the online environment’.110 In light of this, the 2005 Cybersecurity
Strategy sought to:
+ coordinate regional domestic legal and policy approaches to cyber threats;

+ develop regional mechanisms to ‘prevent cyber attacks and minimize damage and
recovery time from incidents’;
101
APEC TELMIN5, ‘Shanghai Declaration’ (Shanghai, the PRC, 29–30 May 2002)
<http://www.apec.org/Meeting-Papers/Ministerial-Statements/Telecommunications-and-
Information/2002_tel.aspx> accessed 22 November 2013.
102
Ibid. Annex A: ‘Program of Action’, and Annex B: ‘Statement on the Security of
Information and Communications Infrastructures’.
103
Ibid. Annex B.
104
See APEC TEL, ‘Security and Prosperity Steering Group’ (APEC, 2013) <http://www.
apec.org/ Groups / SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-
Groups / Telecommunications-and-Information/Security-and-Prosperity-Steering-Group.aspx>
105
See ‘APEC Leaders Statement on fighting terrorism and promoting growth’ (n 98).
106
(entered into force: 1 July 2004). On cybercrime see Kastner and Mégret (Ch 9 of this book).
107
UNGA Res 55/63 (4 December 2000) UN Doc A/RES/55/63. On the UN’s approach to
cybersecurity see Henderson (Ch 22 of this book).
108
‘APEC Leaders Statement on fighting terrorism and promoting growth’ (n 98).
109
APEC TEL, ‘APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environ-
ment’ (endorsed by the APEC Senior Officials, November 2005) <http://www.apec.org/Groups/
SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-Groups/~/media/
Files/Groups/TEL/05_TEL_APECStrategy.pdf> accessed 29 November 2013.
110
Ibid.

15 / Date: 7/5
+ enhance public cyber security awareness;

+ develop cyber security partnerships across industries and sectors;
+ encourage research and development into improving the security of the online
environment; and
+ support regional cooperation in creating a ‘trusted, secure and sustainable online
environment’.111
The goals and commitments of these core cyber security documents have formed the
basis of subsequent TELMIN statements and APEC cyber strategies. In its Strategic
Action Plan: 2010–2015, adopted by TELMIN8 in 2010, the Telecommunications and
Information Working Group re-affirms its commitment to cyber security capacity
development, ‘including through distribution of best practice approaches, information
sharing, technical cooperation, training and education’.112 This Strategic Action Plan,
along with the TELMIN8 Okinawa Declaration, reflect two emerging focal points for
APEC’s cyber security policy: cyber threats posed to vulnerable groups, particularly
children; and consumer protection measures, particularly in relation to ‘personal
information protection’.113 However, APEC’s engagement with cyber security is by no
means confined to private security in cyberspace. Indeed, at the opening session of the
44th meeting of APEC TEL in 2011, Malaysia raised concerns about ‘negative acts’ in
the cyber realm that ‘threaten the stability of Government’.114 Also, in its 2012 CTAP,
Mexico listed ‘technical support regarding Advanced Persistent Threats against govern-
ment’ as a building need for them.
One of the striking aspects of APEC’s cyber security approach is its proactive
engagement with the private sector through its various workshops and training
programs.115 The steering groups operating under the Telecommunications and Infor-
mation Working Group run various projects and workshops aimed at promoting and
enhancing cyber security amongst member economies.116 Most notably, the SPSG has
111
‘APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environment’ (n 109).
112
APEC TEL, ‘TEL Strategic Action Plan: 2010–2015’ (2010/TELMIN/024, endorsed by
TELMIN8, Okinawa, Japan, 30–31 October 2010) 4 <http://aimp.apec.org/Documents/2010/
MM/TELMIN/10_telmin8_024.pdf> accessed 29 November 2013.
113
APEC TELMIN8, ‘Okinawa Declaration: ICT as an engine for new socio-economic
growth’ (Okinawa, Japan, 30-31 October 2010) para. 19. See also APEC TEL, ‘TEL Strategic
Action Plan: 2010–2015’, ibid. 4; APEC TELMIN10, ‘Saint Petersburg Declaration: Building
confidence and security in the use of ICT to promote economic growth and prosperity’ (St.
Petersburg, Russia, 7–8 August 2012) para. 26 <http://www.apec.org/Meeting-Papers/
Ministerial-Statements/Telecommunications-and-Information/2012_tel.aspx> accessed 29 Nov-
ember 2013.
114
Ministry of Information, Communications and Culture Malaysia, ‘Malaysia Urges APEC
TEL to Intensify Cybersecurity Cooperation’ (Press Release, 26 September 2011).
115
See Thomas (n 27) 14.
116
Ongoing TEL cyber security projects include the APEC Training Program for Preventa-
tive Education on ICT Misuse; Computer Security Incident Response Team (CSIRT) Capacity
Building and Cooperation; Security of Mobile Devices; Cyber Security Awareness Raising
Project; and the International PKI and e-Authentication Training Program. Examples of
workshops include: Comparing Approaches to Combating Botnets (2013); Cyber Security Policy
Development in the APEC Region (2011); the ISP Voluntary Cyber Security Code of Practice

16 / Date: 7/5
been working to develop cyber security related guidelines for member countries such as
the Guiding Principles for PKI-based Approaches to Electronic Authentication and
Implementation Guidelines for Action Against Spam, both of which were adopted in the
2005 Lima Declaration by TELMIN6.117 APEC has also been working closely with
other institutions such as the OECD, the International Telecommunications Union, and
ASEAN, in many cyber security areas including ‘security of information systems and
networks, awareness raising, malware, the protection of children online and botnets’.118
Through such engagement, as well as facilitating cyber cooperation between countries
at the CERT level, APEC ensures that its critical activities in the field of cyber security
have ‘the widest possible input and support’, extending its reach even to Taiwan and
Hong Kong – ‘two of the most networked economies in the region’ – filling the gap of
ASEAN-based approaches in regional security architecture.119
4. ASIA-PACIFIC REGIONALISM AND CYBER SECURITY

At a special session entitled ‘the cyber dimension to Asian security’ during the 12th
Asia Security Summit (Shangri-La Dialogue), it was widely acknowledged that in
moving forward, regional States would have to ‘identify shared goals and the lowest
denominator of interest and priorities’ in relation to cyber security.120 Most of the
Asia-Pacific’s cyber security initiatives, particularly by ASEAN and APEC, have been
focused upon regional cooperation in building national cyber security resilience and
more comprehensive efforts to address common threats such as the malicious cyber
activities of criminal and terrorist organisations. However, there are three additional
security concerns that have started detracting from regional cooperation in securing
cyberspace.
First, there are marked differences in the understanding of how principles of
international law are or ought to be applied in establishing the means by which the
common goal of a secure and stable cyberspace can be achieved. One approach regards
cyberspace as a ‘free space’ and considers that the ‘openness’ of the Internet should be
preserved and that cyber security policies need to respect human rights such as free
speech, freedom of expression, the free flow of information, and privacy.121 At the other
end of spectrum is a top-down governmental regulatory approach, often associated with
(2010). See APEC TEL, ‘Telecommunications and Information’ (APEC, 2013) <http://www.
apec.org/Groups/SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-
Groups/Telecommunications-and-Information.aspx> accessed 19 November 2013; APEC TEL,
‘Security and Prosperity Steering Group’ (APEC, 2013) <http://www.apec.org/Groups/SOM-
Steering-Committee-on-Economic-and-Technical-Cooperation / Working-Groups/Telecommunications-
and-Information/Security-and-Prosperity-Steering-Group.aspx> accessed 19 November 2013.
117
See APEC TELMIN6, ‘Lima Declaration’ (Lima, Peru, June 2005) paras 39–40, also
Annexes D and E <http://www.apec.org/Meeting-Papers/Ministerial-Statements/Telecommunications-
and-Information/2005_tel.aspx> accessed 29 November 2013.
118
OECD (n 11) annex 1, 36.
119
Thomas (n 27) 14.
120
International Institute for Strategic Studies (n 24) 47.
121
See OECD (n 11) 4.

17 / Date: 7/5
the PRC’s official cyber policy, which envisages the imposition of law and order
including the ban on the use of the Internet ‘to incite ethnic hatred and separatism, to
promote cult and to distribute salacious, pornographic, violent or terrorist infor-
mation’.122 As the Chinese Assistant Foreign Minister, Zheng Zeguang, reportedly
noted in his opening address to the ARF ‘Workshop on Measures to Enhance Cyber
Security’, the Chinese Government’s position is based on the firm legal understanding
that ‘[i]nternational cyber governance should follow the principles of state sovereignty
and non-interference in other’s internal affairs’.123
Second, as the cyber infrastructure develops at an alarmingly rapid pace and the
government and the whole of society becomes reliant on it, some regional States are
increasingly concerned by the potential vulnerability of governments in cyberspace.124
Such recognition of government vulnerability in cyberspace has a logical fit with the
ethos of ASEAN, which was indeed established to cooperatively ensure the legitimacy
of government in each member State. ASEAN-related cyber security initiatives such as
the 2006 ARF Statement, as well as the 2002 Shanghai Declaration and the 2005
Cybersecurity Strategy adopted by APEC, are in this respect a reflection of the
traditional cooperative security policy in the Asia-Pacific.
Third, the increased recognition of cyberspace as the fifth domain of warfare poses
challenges to the development of regional cyber security architecture. As discussed in
Section 2 above, hostile or malicious use of cyberspace has the potential to amplify the
existing tensions between regional States and could even trigger a spiral of conflict. In
the ARF, while the need to ‘reduce the risk of misperception, escalation and conflict’ is
clearly recognised among member States,125 each State’s strategic considerations, as
well as different approaches to the legal regulation of cyber security, pose challenges to
regional efforts to develop a code of conduct for cyberspace.126 Realistically, States do
not find any strong political motive towards strict rules on cyber security while
uncertainty remains as to their implications for the geopolitical landscape and the full
potential of cyberspace for strategic and tactical use is being explored to advance own
national interests. In the interim, attention will have to be given to an international or
regional dialogue on ‘rules of engagement’ in cyberspace and confidence building
measures to reduce the risk of misperception, escalation and conflict as a matter of
priority. The political agreement reached in June 2013 by the 15 nations Group of
Governmental Experts on Information Security that States would not use proxies to
engage in malicious cyber activities,127 can be considered a significant first step
towards establishing such ‘rules of engagement’.
122
‘ASEAN Regional Forum Annual Security Outlook’ (vol 14, 2013) 46 <http://
aseanregionalforum.asean.org/library/arf-publication.html> accessed 29 November 2013.
123
Quoted in Feakin (n 30).
124
See above Ministry of Information, Communications and Culture Malaysia (n 114) and
accompanying text.
125
‘Chairman’s Statement of the 19th ASEAN Regional Forum’ (n 79).
126
See ‘Co-Chair’s Summary Report on ARF Workshop on Measures to Enhance Cyber
Security – Legal and Cultural Aspects’.
127
See UNODA Secretary General, ‘Group of Governmental Experts on Developments in
the Field of Information and Telecommunications in the Context of International Security’ (24
June 2013) UN Doc A/68/98 para. 23. See also Lewis (n 2) 6.

18 / Date: 7/5
5. CONCLUSION
Attempts to secure and stabilise cyberspace at domestic and regional policy levels in
the Asia-Pacific region have resulted in successful regional cooperation. First, regional
institutions, particularly ASEAN and APEC, have made concerted efforts to galvanise
regional States into collective action in improving regional ICT infrastructure and cyber
capacity, particularly in developing States. In doing so, they have sought to maximise
the regional and national socio-economic benefits of the digital age, while at the same
time reducing the risk of cyber intrusion and destabilisation via potential ‘weak links’
in an increasingly interconnected regional cyber infrastructure. Second, States have
united against the serious threat posed by malicious cyber activities conducted by
non-State actors, often across national borders. In particular, ASEAN, the ARF and
APEC have sought to prevent, regulate, and mitigate the effects of malicious use of the
Internet for criminal and terrorist purposes, largely through enhancing information
sharing between national CERTs as well as domestic law enforcement agencies, and by
setting regional standards for national cyber-related laws and policy.
However, these measures only go some way to addressing regional cyber security
concerns, and their effectiveness is threatened by new challenges, in particular the
emerging pre-eminence of sovereignty considerations in cyber policy-making. The
strategic and tactical advantages that States can gain from the exploitation of cyber-
space, as well as the difficulty of attributing cyber attacks and intrusions, amplify
existing geopolitical tensions in the Asia-Pacific. The potential for State-sponsored
cyber intrusions has seen cyber security increasingly characterised as a matter of
national security, and as such dialogue on it has become increasingly militarised.
Despite the efforts of regional forums, the transposition of cyber security into a national
security concern threatens to inhibit the realisation of strong and secure regional cyber
architecture. Therefore, it is imperative for regional leaders to intensify their efforts to
formulate and adopt ‘rules of engagement’ in cyberspace in order to reduce the risk of
misperception, escalation and conflict as a matter of priority.

19 / Date: 7/5
22. The United Nations and the regulation of

cyber-security
Christian Henderson*
1. INTRODUCTION
The importance of cyberspace in today’s interconnected and highly complex world
cannot be overstated. It has become central to the smooth running of the world
economy, the carrying out of daily business transactions, political communications, as
well as for social networking. The late 1990s saw an exponential growth in the use of
the Internet with over 2.5 billion users across the world today.1
While in general the development of cyberspace has undoubtedly proved to be in an
immensely positive development, its rise has also been accompanied by a more sinister
side, in that the development of information and communication technologies (ICTs)
has given rise to various risks to individuals, societies and States more broadly.
Although ‘governments have attempted to address these issues by creating national-
level mechanisms, the very transnational nature of cyberspace has forced the inter-
national community to debate and form norms or rules that should promote good
behavior in cyberspace’.2 Activity in this respect has been occurring in various
institutional and regional forums for some time. For example, the Council of Europe’s
Budapest Convention on Cybercrime entered into force in 2004 and is seen as a
positive precedent in the regulation of this element of cyber-security.3
Activity within the UN to address cyber-security issues begun when the Russian
Federation introduced a draft resolution into the UN General Assembly (UNGA) in
1998 on ‘[d]evelopments in the field of information and telecommunications in the
context of international security’.4 Subsequent initial activity within the UN proved
somewhat ‘dull without much movement … towards dealing with issues in cyber-
space’.5 Yet, ‘mounting reports of disruptions and the increasing potential of cyber
attacks disturbing the peace in the real world led countries to examine these challenges
* The author wishes to thank April Longstaffe for her research assistance in preparing this
chapter.
1
World Internet Usage and Population Statistics, Internet World Stats, 30 June 2012
<http://www.internetworldstats.com/stats.htm> accessed 28 September 2014.
2
Rahul Prakash and Darshana M. Baruah, ‘The UN and Cyberspace Governance’ (ORF
Issue Brief 86, February 2014) 1. <http://orfonline.org/cms/export/orfonline/modules/issuebrief/
attachments/issuebrief68_1394871027354.pdf> accessed 28 September 2014.
3
4
UNGA Res 53/70 (4 December 1998) UN Doc A/RES/53/70.
5
Prakesh and Baruah (n 2) 1.
465
1 / Date: 7/5
more seriously within the UN’.6 Indeed, the Distributed Denial of Service Attacks
(DDoS) on Estonia (2007) and Georgia (2008), the Stuxnet worm attack upon Iran
(2010) and the Edward Snowden revelations (2013) regarding the use of ICTs by States
to spy upon one another brought to light in dramatic fashion the realities of cyberspace
being used in unscrupulous ways and raised the profile of cyber-security on the UN’s
agenda. In light of these events, it is fair to say that ‘[t]he issue of cyber security is
quickly making its way up the agenda of global public policy issues demanding
attention’.7
While one might, nonetheless, take the view that ‘[t]here has been only limited U.N.
action on the issue of cyber-security’,8 this is arguably down to the fact that there have
been fundamental differences on fundamental issues between Eastern and Western
States. The main sticking points appear to be whether there should be a free flow of
information or whether there should be governmental restrictions upon it; whether the
focus should be on economic espionage and criminal activity or upon the use of
cyberspace to carry out attacks; and whether existing international law applies to
cyber-security issues or whether new rules and norms need to be developed, perhaps in
the form of a new treaty. In this respect, the UN ‘has been working for over a decade
to eliminate these differences and create a mechanism to ensure the security and
stability of cyberspace’.9 As this chapter will attempt to highlight, the UN, through its
work on both issues of cyber-warfare and cyber-crime,10 is now moving with some
momentum.
The UN’s activities in this area are highly fragmented with a very complex system of
bodies and with expertise scattered throughout the system meaning that a full analysis
is beyond the limited scope of this chapter. The purpose of this chapter is thus twofold.
Its primary aim is to provide an overview of UN activities and initiatives concerning
the regulation of cyberspace and cyber-security. The chapter also attempts to discern
whether any regulatory norms have emerged in this field of activity. While it will touch
upon issues such as the use of force in cyberspace and cyber-crime, these have been
dealt with in-depth in other chapters of this Handbook.11
6
Ibid. 1–2.
7
Paul Meyer, ‘Cyber security takes the floor at the UN’, opencanada.org (12 November
2013) <http://opencanada.org/features/the-think-tank/comments/cyber-security-takes-the-floor-at-
the-un/> accessed 28 September 2014.
8
Oona A Hathaway and others, ‘The law of cyber-attack’ (2012) 100 Cal. L. Rev. 817,
865.
9
10
While there is an obvious overlap between the two, cyber-warfare is mainly concerned
with how ‘[information] technologies and means can potentially be used for purposes that are
inconsistent with the objectives of maintaining international stability and security and may
adversely affect the security of States’ (see A/RES/53/70) while cyber-crime, on the other hand,
is concerned in general with ‘the criminal misuse of information technologies’ (See UNGA Res
55/63 (22 January 2001) UN Doc A/RES/55/63).
11
See Roscini (Ch 11 of this book); Kastner and Mégret (Ch 9 of this book).

2 / Date: 7/5
The UN and the regulation of cyber-security 467
2. THE UNITED NATIONS GENERAL ASSEMBLY

While the UNGA may in several respects be considered the second organ of the UN in
regard to the maintenance of international peace and security, and can only make
recommendations as opposed to legally oblige States to take a particular course of
action,12 it has nonetheless been central in the process of norm development in the
context of cyber-security. The main discursive work of the UNGA occurs in its various
committees, of which there are six.13 Three of the UNGA’s six committees have met to
discuss the issue of cyber-security and negotiate draft resolutions in relation to it, which
were then submitted to the plenary for adoption at the UNGA’s annual session each
year.
(a) The First Committee
The First Committee of the UNGA – the Disarmament and International Security
Committee – is concerned with disarmament and related international security ques-
tions and was the first committee to engage with issues of cyber-security. Indeed, the
issue of information security has been on the agenda of the UN since 1998 when the
Russian Federation introduced its draft resolution in the First Committee on ‘[d]evel-
opments in the field of information and telecommunications in the context of
international security’, which was subsequently adopted without a vote.14 This resolu-
tion built upon previous work on the ‘[r]ole of science and technology in the context of
security, disarmament and other related fields’15 and has been subsequently introduced
every year since. Its key elements are that it:
+ mentions the dual use of developments in the area and the military potential of
ICTs for the first time;16
+ expresses concern about the use of such technology ‘inconsistent with the
objectives of maintaining international stability and security’;17
+ notes the need for broad international cooperation;18
+ calls upon Member States to promote at multilateral levels the consideration of
existing and potential threats in the field of information security;19
12
UN Charter (1945) arts 10–17.
13
The six main committees of the UNGA are: First Committee (Disarmament and
International Security Committee); Second Committee (Economic and Financial Committee);
Third Committee (Social, Humanitarian and Cultural Committee); Fourth Committee (Special
Political and Decolonization Committee); Fifth Committee (Administrative and Budgetary
Committee); and Sixth Committee (Legal Committee).
14
15
UNGA ‘Role of science and technology in the context of security, disarmament and other
related fields’ (18 November 1998) UN Doc A/53/576.
16
UNGA Res 53/70 (n 14) preamble.
17
Ibid.
18
Ibid.
19
Ibid. para. 1.

3 / Date: 7/5
+ mentions the need to prevent cyber-crime and cyber-terrorism;20 and

+ invites Member States to inform the UN Secretary-General of their views
regarding ‘definitions and the development of ‘international principles’.21
In introducing this resolution, Sergey Ivanov, Minister of Defence of the Russian

Federation from 2001 to 2007, stated that ‘Russia want[ed] to develop international law
regimes for preventing the use of information technologies for purposes incompatible
with missions of ensuring international stability and security’.22 However, the US has
always taken, and as noted below continues to take, the position that ‘[t]he same laws
that apply to the use of kinetic weapons should apply to state behaviour in cyberspace’
while trying to increase cooperation among law enforcement agencies.23 In this respect,
the original push by Russia for what was perceived as an international treaty was met
with suspicion by the US and EU States in the belief that a treaty could be used to limit
the freedom of information under the guise of increasing information and telecommu-
nications security.24
Yet, while the idea of an international treaty to regulate cyberspace was divisive, this
did not impact upon general support for the resolution itself. Indeed, in 2005, an
important change took place in the First Committee in that the draft resolution that had
been introduced into the UNGA annually by Russia was adopted but went to a recorded
vote.25 The US was the only State to vote against the resolution.26 Arguably as a result
of US opposition the draft resolution introduced in 2006 was no longer sponsored
by Russia alone, but also co-sponsored by China, Armenia, Belarus, Kazakhstan,
Kyrgyzstan, Myanmar, Tajikistan, and Uzbekistan.27 Additional States joined as
co-sponsors in subsequent years.28
However, after President Obama succeeded President Bush as President of the United
States in 2009 the US adopted a ‘reset’ policy not only with regards to Russia but also
with the UN itself.29 The US subsequently initially agreed to discuss cyber-warfare and
20
Ibid. preamble.
21
Ibid. para. 2.
22
Christopher A Ford, ‘The trouble with cyber arms control’ (2010) 29 The New Atlantis: A
J. of Technology and Society 52, 65.
23
Ibid. 67.
24
China was initially relatively quiet on this issue but subsequently appeared to align itself
with the position of Russia.
25
See UNGA, Developments in the field of information and telecommunications in the
context of international security: Report of the First Committee (16 November 2005) UN Doc
A/60/452.
26
Ibid.
27
See UNGA, Developments in the field of information and telecommunications in the
context of international security – Armenia, Belarus, China, Kazakhstan, Kyrgyzstan, Myanmar,
Russian Federation, Tajikistan and Uzbekistan: draft resolution (11 October 2006) UN Doc
A/C.1/61/L.35.
28
UNGA, Developments in the field of information and telecommunications in the context
of international security: Report of the First Committee (9 November 2006) UN Doc A/61/389.
29
Tim Maurer, ‘Cyber norm emergence at the United Nations: An analysis of the activities
of the UN regarding cyber-security’ (Belfer Center for Science and International Affairs,

4 / Date: 7/5
cyber-security with representatives of the First Committee.30 In January 2010, President

Obama then presented a position paper with the objective of bringing the two parties
together31 and, later that year, the US went on to reverse its long-time policy position
towards the annually introduced resolution and for the first time became a co-sponsor
of the draft resolution.32 Yet, this did not mean that the US had fully aligned itself with
the position of the Russian Federation. On the contrary, there were two key changes to
the 2010 draft from the original draft of the resolution:
+ omission of the reference to, and attempts to come up with, definitions that were
perceived as a first step towards a cyber arms control treaty; and
+ substitution of the reference to ‘international principles’ with references to what
was perceived as more benign language in the form of ‘international concepts’
and ‘possible measures’.
While the resolution, albeit with certain amendments,33 continues to be introduced in

the UNGA each year, the main work of the First Committee and the focus of its
resolutions has centered on the work of several Groups of Governmental Experts
(GGEs), which will be addressed below. Before doing so, it should not be forgotten that
work on the issue of cyber-security has also been undertaken in the Second and Third
Committees of the UNGA.
(b) The Second Committee
The Second Committee – the Economic and Financial Committee – is concerned with
economic questions, so might not immediately be seen to be relevant in discussions
regarding cyber-security. However, while it is fair to say that the First Committee has
tended to focus upon issues of cyber-warfare and the Third Committee upon issues of
cyber-crime,34 the Second Committee has addressed both through its ‘Global Culture of
Cyber-security’ initiative. The three resolutions of the UNGA’s Second Committee on
this initiative are concerned with both cyber-warfare and cyber-crime and all reference
the resolutions of both the First and Third Committees.35
In light of the decision of the Third Committee to no longer focus on cyber-crime,
the US introduced a new draft resolution in the Second Committee in 2002 entitled
Discussion Paper #2011–11, September 2011) 23 <http://belfercenter.hks.harvard.edu/files/

maurer-cyber-norm-dp-2011-11-final.pdf> accessed 28 September 2014.
30
Ibid.
31
Ibid.
32
Ibid. 24.
33
For example, the inclusion of references to the importance of respect for human rights
and fundamental freedoms in the use of information and communications technologies, the need
to address threats consistent with the free flow of information, and references to the various
initiatives of the UN Secretary-General and the responses of Member States.
34
See sections 2(a) and 2(c) of this chapter respectively.
35
UNGA Res 57/239 (31 January 2003) UN Doc A/RES/57/239; UNGA Res 58/199 (30
January 2004) UN Doc A/RES/58/199; UNGA Res 64/211 (17 March 2010) UN Doc
A/RES/64/211.

5 / Date: 7/5
‘[c]reation of a global culture of cyber-security’. While initially co-sponsored by Japan,

Australia and Norway, after a number of revisions to the original draft 36 other
Member States joined as co-sponsors, including the Russian Federation.36 Indeed, one
of the revisions was to introduce references to resolutions adopted within the UNGA’s
First Committee, which had, as noted above, been mainly drafted by Russia. It was
subsequently adopted without a vote.37
There were several significant elements to this original resolution. First, in order to
attract the support of many developing countries the resolution had a focus on capacity
building, which was something that the GGEs subsequently set much store by.38 The
preamble noted, for example, that ‘gaps in access to and the use of information
technologies by States can diminish the effectiveness of international cooperation in
combating the criminal use of information technology’ while the final operative
paragraph ‘[s]tresse[d] the necessity to facilitate the transfer of information technology
and capacity-building to developing countries, in order to help them to take measures in
cybersecurity’.39 Secondly, the resolution had annexed to it a series of ‘[e]lements for
creating a global culture of cybersecurity’, which Member States were invited to take
into account.40 These elements covered nine areas: awareness, responsibility, response,
ethics, democracy, risk assessment, security design and implementation, security
management, and reassessment.41 While these were titled ‘principles’, as opposed to
‘elements’, in the original draft, along with the fact that they were originally due to be
‘adopted’ but which was later changed so that Member States were to simply take them
‘into account’, they nonetheless arguably represented a certain consensus regarding
regulatory norms in the context of cyber-security.42
These ‘elements’ were expanded upon in the second resolution of the Second
Committee on the creation of a global culture of cyber-security, that was adopted by the
UNGA in January 2005, with the addition of the ‘protection of critical information
infrastructures’.43 These elements included actions such as having emergency networks
regarding cyber-vulnerabilities, threats and incidents,44 examining information infra-
structures and the interdependencies between them,45 promoting partnerships, including
the sharing of information, between public and private stakeholders,46 having adequate
substantive and procedural laws and trained personnel to enable effective investigations
and prosecutions in response to attacks,47 and engaging in international cooperation to
36
UNGA, Macroeconomic policy questions: science and technology for development:
Report of the Second Committee (21 December 2002) UN Doc A/57/529/Add.3. China did not
co-sponsor the resolution.
37
UNGA Res 57/239 (n 35).
38
See section 2(d) of this chapter.
39
UNGA Res 57/239 (n 35) para 5.
40
Ibid. para. 3.
41
Ibid. appendix.
42
Maurer (n 29) 44.
43
UNGA Res 58/199 (n 35). See appendix for the expanded elements.
44
Ibid. annex, element 1.
45
46
47

6 / Date: 26/3
secure critical information infrastructures.48 The resolution, and the included elements,
was co-sponsored by 69 countries, this time including China but not Russia.49
Nonetheless, the broadening of the elements could be perceived as a progressive step
towards the formation of a regulatory cyber-security regime.50
The final resolution was adopted in 2010 after the US policy shift.51 It was sponsored
by the US on behalf of 39 States, although not Russia or China. This resolution was
entitled the ‘[c]reation of a global culture of cybersecurity and taking stock of national
efforts to protect critical information infrastructures’ and included an annex outlining a
‘[v]oluntary self-assessment tool for national efforts to protect critical information
infrastructures’. This is explained as ‘a voluntary tool that may be used by Member
States, in part or in its entirety, if and when they deem appropriate, in order to assist in
their efforts to protect their critical information infrastructures and strengthen their
cybersecurity’.52 These include ‘[t]aking stock of cybersecurity needs and strategies’,
‘[s]takeholder roles and responsibilites’, ‘[p]olicy processes and participation’,
‘[p]ublic-private cooperation’, ‘[i]ncident management and recovery’, ‘[l]egal frame-
works’, and ‘[d]eveloping a global culture of cybersecurity’.53 Notably, these highlight
the importance of cooperation among States, including through ‘international
information-sharing and collaboration’.54
(c) The Third Committee
The Third Committee – the Social, Humanitarian and Cultural Committee – is, as its
title suggests, concerned mainly with social and humanitarian issues, but in the context
of cyber-security and cyber-crime. Two years after the Russian Federation introduced
its resolution in the First Committee in 1998 the Third Committee discussed a draft
resolution introduced by the US and 38 other States entitled ‘[c]ombating the criminal
misuse of information technologies’.55 It was co-sponsored by the Russian Federation,
but not China, with a further 19 Member States subsequently co-sponsoring it and was
adopted without a vote on 22 January 2001.56
The key objective of this resolution was to establish a ‘legal basis for combating the
criminal use of information technologies’.57 In attempting to realize this objective, the
resolution had several key elements. First, it ‘recogniz[ed] that the free flow of
information can promote economic and social development, education and democratic
governance’.58 Second, it ‘[e]xpress[ed] concern that technological advancements ha[d]
48
49
UNGA, Macroeconomic policy questions: science and technology for development:
Report of the Second Committee (15 December 2003) UN Doc A/58/481/Add.2.
50
Maurer (n 29) 44.
51
UNGA Res 64/211 (n 35).
52
Ibid. n.2.
53
Ibid. annex.
54
Ibid. preamble.
55
UNGA A/55/593, 16 November 2000.
56
UNGA 55/63 (4 December 2000) UN Doc A/RES/55/63.
57
UNGA A/57/529/Add.3 (n 36).
58
UNGA A/RES/55/63 (n 56) preamble.

7 / Date: 7/5
created new possibilities for criminal activity, in particular the criminal misuse of
information technologies’.59 Third, it ‘recogniz[ed] the need for cooperation between
States and private industry in combating the criminal misuses of information tech-
nologies’.60 Lastly, it noted the value of ten measures to combat the criminal misuse of
information technologies including, inter alia, eliminating safe havens for those who
criminally misuse information technologies;61 law enforcement cooperation amongst
concerned States;62 information sharing;63 the appropriate training of law enforcement
personnel;64 protecting the confidentiality, integrity and availability of data and
computer systems and ensuring criminal misuse is penalized;65 the preservation of and
quick access to electronic data pertaining to particular criminal investigations;66 the
timely investigation and exchange of evidence of the criminal misuse of information
technologies;67 increasing public awareness of the need to prevent and combat
criminality in this area;68 the designing of information technologies to help detect and
prevent criminal misuse, trace criminals and collect evidence;69 the development of
solutions taking into account both the protection of individual freedoms and privacy;
and the preservation of the capacity of governments to fight such criminal misuse.70
In 2001, a follow-up resolution – again, entitled ‘[c]ombating the criminal misuse of
information technologies’ – was introduced by the US and 73 other Member States,
again including the Russian Federation but not China, with eight Member States
joining later, and was adopted without a vote on 23 January 2002.71 This took note of
the measure set forth above, and again invited Member States to take them into account
in their efforts to combat the criminal misuse of information technologies.72
Several resolutions, sponsored by Italy, entitled ‘[s]trengthening the United Nations
Crime Prevention and Criminal Justice Programme, in particular its technical
cooperation capacity’ drew attention to the issue of ‘cyber crime’ and ‘the use of new
information technologies to abuse and exploit children’, and ‘invit[ed] the United
Nations Office on Drugs and Crime to explore, within its mandate, ways and means of
addressing these issues.’73
59
Ibid.
60
Ibid.
61
Ibid. para. 1(a).
62
Ibid. para. 1(b).
63
Ibid. para. 1(c).
64
UNGA A/RES/55/63 (n 56) para 1(d).
65
Ibid. para. 1(e).
66
Ibid. para. 1(f).
67
Ibid. para. 1(g).
68
Ibid. para. 1(h).
69
Ibid. para. 1(i).
70
Ibid. para. 1(j).
71
72
Ibid. para. 2.
73
UNGA Res 63/195 (18 December 2008) UN Doc A/RES/63/195; UNGA Res 64/179 (10
December 2009) UN Doc A/RES/64/179; UNGA Res 65/232 (21 December 2010) UN Doc
A/RES/65/232; UNGA Res 66/181 (25 July 2011) UN Doc A/RES/66/181, UNGA Res 67/189
(20 December 2012) UN Doc A/RES/67/189; UNGA Res 68/193 (18 December 2013) UN Doc
A/RES/68/193.

8 / Date: 7/5
Lastly, the Third Committee adopted a resolution in 2013 entitled ‘[t]he right to
privacy in the digital age’.74 The Edward Snowden revelations earlier in the year were
a key reason for the adoption of this resolution. It was in this sense no surprise that its
two key sponsors were Brazil and Germany, the leaders of which were the main victims
of NSA surveillance operations. While it was first thought that the response of these
two States would be ‘an initiative on the international security front at the UN, in the
end, Brazil and Germany decided it was best to present the matter in the context of
respect for international human rights law and the right to privacy in particular’.75 In
this regard, the resolution emphasizes that ‘illegal surveillance of communications,
their interception and the illegal collection of personal data constitute a highly intrusive
act that violates the right to privacy and freedom of expression and may threaten the
foundations of a democratic society’.76 The resolution recalls the obligation of States to
‘ensure that measures taken to counter terrorism comply with international law’ and
recalls the privacy provisions of the International Covenant on Civil and Political
Rights as well as the Universal Declaration of Human Rights.77 The resolution calls
upon States ‘to take measures to put an end to violations of those rights’78 and, in doing
so, ‘establish independent national oversight mechanisms capable of ensuring trans-
parency and accountability of state surveillance of communications, their interception
and collection of personal data’.79 The resolution also requests that the UN High
Commissioner for Human Rights reports ‘on the protection of the right to privacy in the
context of domestic and extraterritorial surveillance of communications, their inter-
ception and collection of personal data’ and for a final report to be submitted by the
High Commissioner to the 2015 Session of the General Assembly.80
While this was undoubtedly an important development in the context of cyber-
security, it is also arguably true that ‘[t]he difficult political and legal questions
underlying references to “unlawful interference with privacy” and constraints on
“extraterritorial surveillance” will keep lawyers and diplomats busy for months if not
years to come’.81
(d) The Groups of Governmental Experts
Overall, and as demonstrated by the above sections, the UNGA has been active in
regards to discussing principles, elements, good practice, etc regarding the behaviour of
Member States in the context of cyber-security. However, what the above also arguably
shows is that ‘[a]t the multilateral level, the UN will have to begin to address the cyber
security issue in a more coherent fashion. The General Assembly can ill afford to have
two deliberative streams (i.e. the First and Third Committee) acting in ignorance of one
another’.82 Indeed, ‘[t]he airing of declaratory policy at the annual General Assembly
74
75
Meyer (n 7).
76
UNGA A/RES/68/167 (n 74) preamble.
77
Ibid.
78
Ibid. para. 4(b).
79
Ibid. para. 4(d).
80
Ibid. para. 5.
81
Meyer (n 7).
82
Ibid.

9 / Date: 7/5
sessions should not substitute for purposeful action by states in more operational
forums to tackle the pressing problems raised by destabilizing state conducted cyber
operations’.83 In this respect, the establishment of several Groups of Governmental
Experts has been a significant development. Four GGEs have been established since
2004 that have examined the existing and potential threats from the cyber-sphere and
possible cooperative measures to address them. The purpose of this section is to give an
overview of the work of these groups.
(i) The First Group of Governmental Experts

The first GGE was established in 2004 by the UNGA’s First Committee. The previous
year, following on from a proposal by Russia,84 Member States had:
Request[ed] the Secretary-General to consider existing and potential threats in the sphere of
information security and possible cooperative measures to address them, and to conduct a
study on [relevant international concepts aimed at strengthening the security of global
information and telecommunications systems], with the assistance of a group of governmental
experts, to be established in 2004, appointed by him on the basis of equitable geographical
distribution and with the help of Member States in a position to render such assistance, and
to submit a report on the outcome of the study to the General Assembly at its sixtieth
session.85
Yet, over the course of three meetings the GGE failed to even find the smallest
common denominator of agreement. It is perhaps quite unusual for such an outcome to
occur at the UN where an activity is usually only initiated when it is clear before it
starts that there is at least some smallest denominator that everyone can agree on.86 Yet,
the UN Secretary-General concluded in 2005 that it was due to ‘the complexity of the
issues involved’ that ‘no consensus was reached on the preparation of a final report’.87
A member of the Russian delegation at the GGE meetings claimed that ‘[t]he main
stumbling block was the question of whether international humanitarian law and
international law sufficiently regulate the security aspects of international relations in
cases of “hostile” use of ICTs for politicomilitary purposes’.88 The issue of whether
existing law sufficiently regulated cyber-threats is, as noted above, something that has
been an issue between Russia and the US. While Moscow urged the development of
83
Ibid.
84
Russia noted in its report to the UN Secretary-General that ‘the group will give the
international community a unique opportunity to examine the entire range of issues involved’.
UNGA ‘Developments in the field of information and telecommunications in the context of
information security: Report to the Secretary General’ (17 September 2003) UN Doc A/58/373.
85
UNGA Res 58/32 (8 December 2003) UN Doc A/RES/58/32 para. 4. The eventual GGE
consisted of governmental experts from 15 States: Belarus, Brazil, China, France, Germany,
India, Jordan, Malaysia, Mali, Mexico, the Republic of Korea, Russia, South Africa, UK, and
US. They unanimously elected Andrey V. Krutskikh of Russia as its Chairman.
86
Maurer (n 29) 22.
87
UNGA, Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security: Report of the Secretary-
General (5 August 2005) UN Doc A/60/202, 2.
88
Maurer (n 29) 22.

10 / Date: 7/5
new norms and rules Washington was of the opinion that ‘the law of armed conflict and
its principles of necessity, proportionality and limitation of collateral damage already
govern the use of such technologies’.89
Furthermore, the group was not able to agree on whether the discussions should
focus on ‘information content or information infrastructures’.90 The US and EU were,
as noted above, suspicious of the motives of Russia, more specifically that it was
attempting to limit the freedom of information under the guise of increasing infor-
mation and telecommunications security. Washington had clear concerns regarding any
‘extension to governments of the right to approve or ban information transmitted into
national territory from outside its borders should it be deemed disruptive politically,
socially or culturally’.91 Indeed, ‘US apprehensions stemmed from concerns that
authoritarian regimes would attempt to control the free flow of information using such
a mechanism and restrict freedom of speech and expression.’92
However, despite the lack of agreement, ‘the work of the GGE was not in vain as it
successfully raised the profile of the relevant issues on the international agenda’.93 In
addition, despite its notable failure the first GGE had initiated a certain momentum
within the UN to consider cyber security. As such, during the 60h session of the
UNGA, when the first GGE had been due to report, Member States adopted a
resolution in which they
Request[ed] the Secretary-General, with the assistance of a group of governmental experts, to

be established in 2009 on the basis of equitable geographical distribution, to continue to study
existing and potential threats in the sphere of information security and possible cooperative
measures to address them, as well as the [relevant international concepts aimed at strength-
ening the security of global information and telecommunications systems], and to submit a
report on the results of this study to the General Assembly at its sixty-fifth session.94
The momentum that had developed as a result of the GGE initiative could only be
increased by the fact that between the adoption of the resolution in 2005 requesting the
establishment of a second GGE and its actual establishment in 2009 cyber-warfare had
begun to make the headlines, with the DDoS attack against Estonia in 2007 and then, in
2008, with cyber-conflict issues during the Georgian-Russian war.95 Yet, these events
89
UNGA, Developments in the field of information and telecommunications in the context
of information security: Report to the Secretary General (28 December 2004) UN Doc
A/59/116/Add.1.
90
‘Fact Sheet – Developments in the Field of Information and Telecommunications in the
Context of International Security, United Nations Office for Disarmament Affairs’ <http://unoda-
web.s3.amazonaws.com /wp-content / uploads/2013/06/Information_Security_Fact_Sheet.pdf>
91
UNGA A/59/116/Add.1 (n 89).
92
93
Maurer (n 29) 22.
94
UNGA Res 60/45 (8 December 2005) UN Doc A/RES/60/45 para 4 [emphasis added].
95
It is perhaps worth noting that the classification of these two incidents as examples of
‘cyber-warfare’ is not absolutely certain and is still dependent to an extent on the emerging
consensus as to how to classify such incidents. See, in general, Michael Schmitt (ed.), Tallinn
Manual on the International Law Applicable to Cyber Warfare (CUP 2013).

11 / Date: 7/5
did not mean that agreement amongst the second group of experts was assured. On the
contrary, given the intensity of the situations and the parties involved things might
equally have gone the other way. As it happened, however, a consensus began to
emerge within the group with the inclusion in its report of some progressive steps.
(ii) The Second Group of Governmental Experts

Given the intervening events it was interesting that Estonia was a member of the second
GGE,96 having been the first State to suffer a massive DDoS attack. The GGE, having
first convened in November 2009, met four times and in July 2010 issued the first
report of a GGE.97 It is clear that with the issuance of this report the UN took ‘a step
forward’ in its regulation of cyber-security.98 In coming to a consensus the group was
of the view that ‘[e]xisting and potential threats in the sphere of information security
are among the most serious challenges of the twenty-first century’.99 Indeed, the threat
was considered significant enough to pose a threat to ‘international peace and national
security’.100 It recalled some of the existing efforts to combat the criminal use of
information technology and noted the intention to create a ‘global culture of cyber
security’.101
In adding some flesh to the bones of this statement the report highlighted the ‘dual
use’ character of cyberspace.102 Indeed, the notion that the Internet is ‘neutral’ so that
the use to which it is put and the consequences of this are dependent upon the intent of
its user is a recurring theme of resolutions of the UNGA.103 It also identified criminals,
terrorists, and States as potential perpetrators of offences in cyberspace with indi-
viduals, businesses, national infrastructures, and governments as potential victims.104
Importantly, and arguably as a result of the events in Estonia, the report also
acknowledged the attribution problem in connection with cyber-attacks.105 Given the
impasse between the US and the Russian Federation with regard to the utility of
existing international law in addressing cyber-security or whether further rules and
norms should be developed, it was perhaps of no surprise that the report equivocally
noted that ‘[e]xisting agreements include norms relevant to the use of ICTs by States’
96
The eventual GGE consisted of governmental experts from 15 States: Belarus, Brazil,
China, Estonia, France, Germany, India, Israel, Italy, Qatar, the Republic of Korea, Russia, South
Africa, UK, and US. Mr. Andrey V. Krutskikh (Russia) was unanimously elected to Chair the
Group.
97
and Telecommunications in the Context of International Security: Note by the Secretary-General
(30 July 2010) UN Doc A/65/201.
98
Hathaway and others (n 8) 49.
99
UNGA A/65/201 (n 97) 2.
100
Ibid.
101
Ibid. 7. For more on this concept see section 2(b) above on the work of the Second
Committee.
102
Ibid. 6.
103
UNGA A/65/201 (n 97).
104
Ibid.
105
Ibid.

12 / Date: 7/5
although ‘[g]iven the unique attributes of ICTs, additional norms could be developed
over time’.106
Arguably the most significant developments in the report of the second GGE,
however, were the five recommendations it made ‘for the development of confidence-
building and other measures to reduce the risk of misperception resulting from ICT
disruptions’107:
+ dialogue among States to discuss norms pertaining to State use of ICTs, to reduce
collective risk and protect critical national and international infrastructures;
+ confidence-building, stability, and risk reduction measures to address the impli-
cations of State use of ICTs, including exchanges of national views on the use of
ICTs in conflict;
+ information exchanges on national legislation, national ICT security strategies
and technologies, policies and best practices;
+ identification of measures to support capacity-building in less developed coun-
tries; and
+ the elaboration of common terms and definitions in connection with information
security.
With these recommendations, the GGE had begun to cement four progressive themes of
an emerging regulatory framework for cyber-security within the UNGA: common
understandings of acceptable State behaviour, practical cooperation, confidence-
building measures, and capacity-building measures. Though perhaps vague and, as the
UN Secretary-General noted, the international community had ‘only begun to develop
the norms, laws and modes of cooperation needed’,108 ‘these recommendations
represent real progress in overcoming a long impasse between the US and Russia over
how to address cyber-security issues. The cooperation may even suggest possibilities
for a future multilateral treaty under the auspices of the UN which Russia has been
advocating for some time’.109
However, in 2010, the year in which the report had been issued and during which
time the major WikiLeaks releases occurred and the Stuxnet attack against Iran had
begun to unfold, a further important turning point arose in enabling the work of the UN
to progress further and, in particular, establish further cooperation and normative
understandings. Indeed, as noted above, it was at this point that the US decided to
engage with other States to address the concerns it had over cyberspace and, in
particular, for the first time to co-sponsor the Russian draft resolution in the First
Committee.110 Overall, the US’s ‘support of the UN Resolution of 2009 (co-sponsored
with Russia) as well as the successful completion of the second GGE were signs
106
Ibid. 8.
107
Ibid. 8.
108
UNGA A/65/201 (n 97) 4.
109
Hathaway and others (n 8) 50.
110
UNGA Res 65/41 (8 December 2010) UN Doc A/RES/65/41. The resolution was
sponsored by three dozen counties including China.

13 / Date: 7/5
indicting this change’.111 Furthermore, and in an attempt to build upon the substantial
progress made in the report of the second GGE, the 2010 version of the resolution also
included a new request to the Secretary-General to establish a further GGE in 2012
which was to submit a report at the 68th session of the UNGA in 2013.112
(iii) The Third Group of Governmental Experts

The third GGE was tasked with building upon the assessments and recommendations
contained in the report of the second GGE and continuing to study existing and
potential threats in the sphere of information security and possible cooperative
measures to address them.113 The GGE had three one-week meetings. The first was
held in New York in August 2012, the second in Geneva in January 2013, and the last
in June 2013 in New York, with the Committee issuing its report on 7 June 2013.114
Forming a backdrop to the meetings of the GGE, in 2011 China, Russia, Tajikistan
and Uzbekistan requested that the UN Secretary-General distribute to the 66th Session
of the UNGA an International Code of Conduct for Information Security which they
had drafted, and which was an attempt to provide further regulation to cyber-norms and
governance.115 In describing this document, China stated that it was ‘a series of basic
principles of maintaining information and network security which cover the political,
military, economic, social, cultural, technical and other aspects’.116 The Code suggested
creating a multilateral mechanism in the form of a treaty to govern the Internet,
something which, as noted above, had been vehemently opposed by the US. In
response to the distribution of the Code of Conduct the US commented that ‘[a]t its
111
112
UNGA A/RES/65/41 (n 110), para. 4. Similar to previous resolutions noted above, this
paragraph stated that the UN Member States:
Request[ed] the Secretary-General, with the assistance of a group of governmental experts, to
be established in 2012 on the basis of equitable geographical distribution, taking into account
the assessments and recommendations contained in the above-mentioned report, to continue
to study existing and potential threats in the sphere of information security and possible
cooperative measures to address them, as well as [relevant international concepts aimed at
strengthening the security of global information and telecommunications systems], and to
submit a report on the results of this study to the Assembly at its sixty-eighth session.
Again, in 2011 the UNGA unanimously approved a resolution calling for a follow up to the last
GGE (See UNGA Res 66/24 (2 December 2011) UN Doc A/RES/66/24).
113
The following Member States participated in the GGE: Argentina, Australia, Belarus,
Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, Russia, UK and USA.
Ms. Deborah Stokes (Australia) was unanimously elected to Chair the Group.
114
and Telecommunications in the Context of International Security: Note by the Secretary-General
(24 June 2013) UN Doc A/68/98.
115
UNGA, Letter dated 12 September 2011 from the Permanent Representatives of China,
the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the
Secretary-General (14 September 2011) UN Doc A/66/359, see appendix.
116
‘China, Russia and Other Countries Submit the Document of International Code of
Conduct for Information Security to the United Nations’, Foreign Ministry of People’s Republic
of China (13 September 2011) <http://nz.chineseembassy.org/eng/zgyw/t858978.htm> accessed
29 September 2014.

14 / Date: 7/5
heart, it calls for multilateral governance of the Internet that would replace the
multistakeholder approach, where all users have a voice, with top-down control and
regulation by states’.117
The Code reflected the concerns of its sponsor States, in particular it restricted its
signatories from using ‘ICTs including networks to carry out hostile activities or acts of
aggression and pose threats to international peace and security. Not to proliferate
information weapons and related technologies’.118 However, the US was of the opinion
that
the draft Code appears to propose replacing existing international law that governs the use of
force and relations among states in armed conflict with new, unclear, and ill-defined rules and
concepts. Indeed, one of the primary sponsors of the draft Code has stated repeatedly that
long-standing provisions of international law, including elements of jus ad bellum and jus in
bello that would provide a legal framework for the way that states could use force in
cyberspace, have no applicability. This position is not justified in international law and risks
creating instability by wrongly suggesting the Internet is an ungoverned space to which
existing law does not apply.119
Furthermore, the Code suggested ‘that policy authority for Internet-related public issues
is the sovereign right of States, which have rights and responsibilities for international
Internet-related public policy issues’. The Code contained clauses curbing ‘dissemina-
tion of information which incites terrorism, secessionism, extremism or undermines
other countries’ political, economic and social stability, as well as their spiritual and
cultural environment’.120 However, the US was clear that:
[T]he introduction of a draft Code of Conduct for Information Security presented an

alternative view that seeks to establish international justification for government control over
Internet resources. … It would legitimize the view that the right to freedom of expression can
be limited by national laws and cultural proclivities, thereby undermining that right as
described in the Universal Declaration on Human Rights.121
Ultimately, there was little support for the draft Code of Conduct which had little
impact upon the report of the third GGE. However, the third GGE ‘made significant
progress on agreeing on some of the defining aspects’ of cyber-security.122 As with the
report of the second GGE and resolutions of the three committees of the UNGA, the
report again noted the immense benefits brought by ICTs but also recognized their
dual-use capabilities in that they could be used ‘for purposes that are inconsistent with
international peace and security’.123 Similarly, it again noted the problem whereby the
117
Statement by Delegation of the United States of America, ‘Other Disarmament Issues and
International Security Segment of Thematic Debate in the First Committee of the Sixty-seventh
Session of the United Nations General Assembly’ (2 November 2013) <http://www.state.gov/t/
avc/rls/200050.htm> accessed 28 September 2014.
118
International Code of Conduct for Information Security (n 16).
119
Statement by Delegation of the United States of America (n 117).
120
International Code of Conduct for Information Security (n 16).
121
Statement by Delegation of the United States of America (n 117).
122
123
UNGA A/68/98 (n 114) 6.

15 / Date: 26/3
actors involved ‘often act with impunity’ and their malicious use of ICTs ‘is easily
concealed and attribution to a specific perpetrator can be difficult’.124
The report then focused on building upon the four progressive themes of the
emerging regulatory framework for cyber-security within the UNGA: practical
cooperation, common understandings of acceptable State behaviour, confidence-
building measures, and capacity-building measures, and offered recommendations in
respect to each including the important role of the private sector and civil society in any
efforts. Where perhaps the report made most progress, however, was in its recom-
mendations on ‘norms, rules and principles of responsible behavior by States’. It was
first noted that ‘[t]he application of norms derived from existing international law
relevant to the use of ICTs by States is an essential measure to reduce risks to
international peace, security and stability’.125 This was important, given the debate
noted above between the US and the Russian Federation on this issue. If the report had
left it at that, question marks would have remained over what the GGE had meant when
it referred to ‘existing international law’. However, it went on to note that ‘international
law and in particular the United Nations Charter, is applicable and is essential to
maintaining peace and stability and promoting an open, secure, peaceful and accessible
ICT environment’.126 This affirmation of the UN Charter, and perhaps in particular its
rules on the non-use of force and self-defence, was significant. As the report noted
further, ‘State sovereignty and the international norms and principles that flow from
sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction
over ICT infrastructure within their territory.’127
On this subject, the report was also clear that ‘State efforts to address the security of
ICTs must go hand-in-hand with respect for human rights and fundamental freedoms
set forth in the Universal Declaration of Human Rights and other international
instruments.’128 This was a significant step that allayed some of the fears of Western
States with regard to attempts by certain States to curb free use of the Internet. Lastly
on the subject of the applicability of existing international law the report noted that
‘States must meet their international obligations regarding internationally wrongful acts
attributable to them.’129
However, the report was clear that further work was needed in this context. Indeed, it
stressed, again, that ‘[c]ommon understandings on how such norms shall apply to State
behavior and the use of ICTs by States requires further study’.130 What was also
notable was its recognition that ‘[g]iven the unique attributes of ICTs, additional norms
could be developed over time’, something which was arguably attributable to the efforts
of some States to do just that.131
124
Ibid.
125
Ibid. 8 [emphasis added].
126
Ibid.
127
Ibid.
128
Ibid.
129
Ibid.
130
Ibid.
131
Ibid.

16 / Date: 26/3
In his Foreword to the new report, the UN Secretary-General noted the ‘broad
recognition that misuse [of ICTs] poses risks to international peace and security’.
However, he also specifically
appreciate[d] the report’s focus on the centrality of the Charter of the United Nations and
international law as well as the importance of States exercising responsibility. The recom-
mendations point the way forward for anchoring ICT security in the existing framework of
international law and understandings that govern State relations and provide the foundation
for international peace and security.132
On 27 December 2013, the UNGA unanimously adopted a resolution in which it took

note of the outcome of the third GGE, although did not specifically reiterate the
conclusion that existing international law applies to cyberspace.133 It also requested the
Secretary-General to establish a further GGE that would report to the UNGA in 2015
and would study, in addition to threats and cooperative measures, the issues of the use
of ICTs in conflicts and how exactly international law applies to State use of these
technologies. The fourth GGE, with an expanded 20 experts, had its first meeting in
New York in July 2014. The work of the GGEs, as such, continues. However, it is
arguably the case that ‘as the mandate of the group becomes more specific it will
increasingly be challenged to find enough common ground on which to base a
consensual report that adds value to what has already been produced’.134
It is not strictly accurate to claim that ‘[t]he conflicting currents of state views as
evidenced in the First Committee debates are unlikely to be resolved via the GGE
process’, as, and as set out above, the GGEs have adopted positions accommodating –
albeit in a somewhat equivocal fashion – of the two main streams of views. However,
it is still nonetheless the case that while the reports of the GGEs are of constructive use
States will ultimately ‘have to look to other multilateral, regional and bilateral forums
to see what might be feasible in terms of confidence building measures and agreed
norms of behaviour’.135
3. THE UNITED NATIONS SECURITY COUNCIL

The UN Security Council (UNSC) is the only body able to create binding international
law.136 The UNSC’s resolutions to date have not generally been concerned with aspects
of cyber-security. However, it has been active in the field of cyber-security, particularly
terrorism-related aspects of it.
132
Ibid. 4. The centrality of the UN Charter in this context has also been noted by several
commentators: ‘At the heart of the system is the UN Charter. It provides the legal framework
which is the most accurate way to conceptualize the relationships between its various entities.’
See Maurer (n 28) 12.
133
134
Meyer (n 7).
135
Ibid.
136
UN Charter (1945) art 25.

17 / Date: 7/5
On 28 September 2001 the UNSC established the Counter-Terrorism Committee

through UNSC Resolution 1373 (2001) following the terrorist attacks of 11 September
2001.137 The Counter-Terrorism Implementation Task Force was subsequently created
by the UN Secretary-General in 2005 to ensure the coordination of the activities related
to Resolution 1373 (2001).138 The Task Force went on to establish various working
groups, one of which was concerned with Countering the Use of the Internet for
Terrorist Purposes.
The working Group’s mandate is located within the 2006 United Nations Global
Counter-Terrorism Strategy which includes a paragraph on exploring ways and means
to ‘(a) Coordinate efforts at the international and regional levels to counter terrorism in
all its forms and manifestations on the Internet; (b) Use the Internet as a tool for
countering the spread of terrorism, while recognizing that States may require assistance
in this regard’.139 While the Working Group was established in response to the 9/11
attacks it only later became linked to the broader cyber-security debate and today
consists of various bodies, including Interpol, the Office of the High Commissioner for
Human Rights and the United Nations Office on Drugs and Crime.
The Working Group has four goals:140
+ identify and bring together stakeholders and partners on the abuse of the Internet
for terrorist purposes, including using the web for radicalization, recruitment,
training, operational planning, fundraising and other means;
+ explore ways in which terrorists use the Internet;
+ quantify the threat that this poses and examine options for addressing it at
national, regional and global levels; and
+ examine what role the UN might play.
The work of the Working Group began with a ‘mapping exercise of relevant laws,
conventions, resources and initiatives’.141 This was based on information provided by
various Member States, interviews conducted with various stakeholders, and publicly
available information. A stakeholders’ meeting was held in November 2008 which
‘focused on creating common understanding among sectors which may have divergent
ideas on countering use of the Internet for terrorist purposes, with the ultimate aim of
determining what if any international action might be appropriate’.142
As a result, the Working Group published its first report in February 2009 which
analyzed information provided by Member States and reflected the conclusions of the
137
UNSC Res 1373 (28 September 2001) UN Doc S/RES/1373 para 6.
138
This was endorsed by the UNGA Res 60/288 (20 September 2006) UN Doc A/RES/60/
288 para 5.
139
Ibid. sec II, para 12.
140
See Counter-terrorism Implementation Task Force, ‘Working Group on Countering the
Use of the Internet for Terrorist Purposes’ <http://www.un.org/en/terrorism/ctitf/wg_
counteringinternet.shtml> accessed 28 September 2014.
141
Ibid.
142
Ibid.

18 / Date: 26/3
stakeholders’ meeting.143 Significantly, it concluded that at that moment there was no

obvious terrorist threat in the area and that it was not obvious that it was a matter for
action within the counter-terrorism remit of the UN. It did, however, outline ways
suggested by Member States through which the UN could further contribute, including
facilitating Member States sharing of best practices, building a database of research
into use of the Internet for terrorist purposes, conducting more work on countering
extremist ideologies, and creating international legal measures aimed at limiting the
dissemination of terrorist content on the Internet.
In 2010 the Working Group began to build upon the work of the first report by
addressing legal and technical challenges surrounding the efforts to counter the terrorist
use of the Internet. The Working Group held two meetings with various stakeholders
and published a report in May 2011.144 The section on legal aspects distinguishes
Internet-specific and non-Internet-specific laws and in doing so highlights that there
have been three discernable trends:
+ States that apply existing cyber-crime legislation to terrorist use of the Internet;
+ States that apply existing counter-terrorism legislation to Internet-related acts; and
+ States that have enacted specific legislation on terrorist use of the Internet.
Ultimately the report calls for a harmonization of national legislations by implementing

regional instruments such as the Budapest Convention on Cybercrime or the Common-
wealth Model Law on Cybercrime as well as international instruments such as the
Convention against Transnational Organized Crime.
A third phase of the Working Group which began in 2011 has focused on the use of
the Internet to counter the appeal of terrorism, specifically by analyzing the role of
counter-narratives and effective messengers who can deliver these narratives. A report
on this issue consisted of a summary of a conference held in Riyadh in January 2011
on ‘The Use of the Internet to Counter the Appeal of Extremist Violence’.145 The
Conference ‘focused on identifying good practices in using the Internet to undermine
the appeal of terrorism, to expose its lack of legitimacy and its negative impact, and to
undermine the credibility of its messengers’.146 Key themes included ‘the importance of
143
UN Counter-terrorism Implementation Task Force, Report of the Working Group on
Countering the Use of the Internet for Terrorist Purposes (February 2009) <http://www.un.org/
en/terrorism/ctitf/pdfs/wg6-internet_rev1.pdf> accessed 28 September 2014.
144
UN Counter-terrorism Implementation Task Force, Countering the Use of the Internet for
Terrorist Purposes: Legal and Technical Aspects (May 2011) <http://www.un.org/en/terrorism/
ctitf/pdfs/WG_Compendium-Legal_and_Technical_Aspects_2011.pdf> accessed 28 September
2014.
145
For the conference summary and follow-up/recommendations see UN Counter-terrorism
Implementation Task Force, ‘CTITF Working Group on Use of the Internet for Terrorist
Purposes Riyadh Conference on “Use of the Internet to Counter the Appeal of Extremist
Violence’ (January 2011) <http://www.un.org/en/terrorism/ctitf/pdfs/ctitf_riyadh_conference_
summary_recommendations.pdf> accessed 28 September 2014.
146
Ibid. 1.

19 / Date: 7/5
identifying the target audience, crafting effective messages, identifying credible mes-
sengers, and using appropriate media to reach vulnerable communities’.147 The
Conference ‘agreed that Governments might not always be best placed to lead this
work and needed the cooperation of civil society, the private sector, academia, the
media and victims of terrorism’.148 Importantly, it was also agreed that ‘[g]iven the
global nature of terrorist narratives and the need to counter them in the same space,
there was a special role for the United Nations in facilitating discussion and action’.149
4. THE ECONOMIC AND SOCIAL COUNCIL

The third (and final) intergovernmental body of the UN to deal with issues of
cyber-security is the Economic and Social Council (ECOSOC) which is the principal
body for coordination, policy review, policy dialogue and recommendations on
economic, social and environmental issues. ECOSOC has held a general interest in
issues of cyber-security and related issues. In 2010, it opened its session with a briefing
title ‘Cyber security: emerging threats and challenges’ and the following year it held a
special event on ‘Cybersecurity and development’.150 However, it is in two of its
functional commissions – the Commission on Crime Prevention and Criminal Justice
and the Commission on Narcotic Drugs – where most activity has occurred, particu-
larly in connection with the criminal use of cyber-space.
(a) The Commission on Crime Prevention and Criminal Justice
The Commission on Crime Prevention and Criminal Justice (CCPCJ) was established
by ECOSOC in 1992 and acts as the principal policymaking body of the UN in the
field of crime prevention and criminal justice.151 The first session of the Commission
took place in 1992 with its work focusing on, as its name might suggest, crime and
justice. In this respect, in 1998 the Commission requested the UNGA to include in the
agenda of the Tenth Crime Congress a workshop on ‘crimes related to the computer
network’.152 The following year, in 1999, the Commission also proposed a draft
resolution for ECOSOC on the ‘Work of the United Nations Crime Prevention and
Criminal Justice Programme’ requesting the Secretary-General to conduct a study on
effective measures that could be taken at national and international levels to prevent
147
UN Counter-terrorism Implementation Task Force (n 145).
148
Ibid.
149
Ibid.
150
See ECOSOC, ‘2010 ECOSOC General segment briefing on “Cyber security: emerging
threats and challenges” – Background note’ <http://www.un.org/en/ecosoc/julyhls/pdf10/gs_
briefing_background_note.pdf> accessed 28 September 2014. and ECOSOC, ‘Special Event on
Cybersecurity and Development – Informal summary’ (9 December 2011) <http://www.un.org/
en/ecosoc/cybersecurity/summary.pdf> accessed 28 September 2014 respectively.
151
ECOSOC Res 1992/1 (6 February 1992). This was upon a request of the UNGA Res
46/152 (18 December 1991) UN Doc A/RES/46/152.
152
ECOSOC E/1998/30-E/CN.15/1998/11.

20 / Date: 26/3
and control computer-related crimes in light of the workshop at the Tenth Crime
Congress and to report on his results at CCPCJ’s tenth session.153
The ultimate result of the consideration given to such crimes at the Tenth Crime
Congress in 2000 was the adoption by the UNGA of the Vienna Declaration on Crime
and Justice, in which Member States
decide[d] to develop action-oriented policy recommendations on the prevention and control

of computer-related crime, and [invited] the Commission on Crime Prevention and Criminal
Justice to undertake work in this regard, taking into account the ongoing work in other
forums. [The Member States also committed themselves] to working towards enhancing
[their] ability to prevent, investigate and prosecute high-technology and computer-related
crime.154
At the CCPCJ’s tenth session in 2001 a plan of action for implementing the Vienna
Declaration was adopted including ‘[a]ction against high-technology and computer
related crime’ which recommended a series of national and international measures.155
What was noticeable is that up until this point the focus had been on computer crime as
opposed to ‘cyber’ crime and security.156 Indeed, it was only in the CCPCJ’s 2002
report that the term ‘cyber’ was mentioned for the first time,157 with a call for a UN
convention on ‘cybercrime’ appearing in its 2004 report.158 However, despite this
activity it was only in 2010 that cyber-crime became a prominent theme in its annual
reports, with some speakers again bringing up the possibility of global convention
against cyber-crime.159 It was also notable the extent to which cyber-issues were
prominent in the various issues discussed, including in the use of information
technologies to exploit children, economic fraud and identity-related crime, and
activities relating to combating cyber-crime including technical assistance and capacity-
building. Subsequent reports have included discussion on, for example, cyber-crime in
connection with the trafficking of cultural property,160 and organized crime.161
Furthermore, ECOSOC and the UNGA requested the CCPCJ to establish, in line
with paragraph 42 of the Salvador Declaration on Comprehensive Strategies for Global
Challenges: Crime Prevention and Criminal Justice Systems and Their Development in
a Changing World, an open-ended intergovernmental expert group on cyber-crime.162
This group was to conduct a comprehensive study of the problem of cyber-crime and
responses to it by Member States, the international community and the private sector,
153
ECOSOC Res 1999/23 (28 July 1999). For the report of the UN Secretary General see
ECOSOC E/CN.15/2001/4.
154
‘Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-first
Century, UNGA Res 55/59 (4 December 2000) para. 18.
155
ECOSOC E/2001/30/Rev.1-E/CN.15/2001/13/Rev.1
156
Maurer (n 28) 37.
157
ECOSOC E/2002/30-E/CN.15/2002/14.
158
ECOSOC E/2004/30–E/CN.15/2004/16. This was by the representative of Thailand.
159
ECOSOC E/2011/30-E/CN.15/2011/21.
160
ECOSOC E/2014/30 E/CN.15/2014/20.
161
Ibid.
162
ECOSOC Res 2010/18 (22 July 2010); UNGA Res 65/230 (21 December 2010) UN Doc
A/RES/65/230.

21 / Date: 7/5
including the exchange of information on national legislation, best practices, technical

assistance and international cooperation, with a view to examining options to
strengthen existing and to propose new national and international legal or other
responses to cyber-crime.
The first session of the group was held from 17 to 21 January 2011.163 The UNGA
noted with appreciation the work of the Expert Group and encouraged it to enhance its
efforts to complete its work and to present the outcome of the study to the CCPCJ in
due course.164 The second session of the group was subsequently held from 25 to 28
February 2013.165 The report included discussion on issues such as legislation and
frameworks, criminalization, law enforcement and investigations, electronic evidence
and criminal justice, international cooperation and prevention.
(b) The Commission on Narcotic Drugs
The Commission on Narcotic Drugs has focused on the use and abuse of the Internet
only from a drug trafficking perspective in line with its functional mandate and did so
as early as 1996.166 In 2000 the Commission eventually adopted a resolution solely
focused upon and titled ‘Internet’ which was brought to the attention of ECOSOC.167
After the adoption of this resolution there was no further specific resolution on the
Internet or cyber-issues, although repeated references were made to it as part of
the Commission’s discussions. However, in 2004, in reference to the 2000 resolution,
the Commission prepared a draft resolution for ECOSOC on the ‘Sale of inter-
nationally controlled licit drugs to individuals via the Internet’.168 In 2005, the
Commission prepared a further resolution for ECOSOC entitled ‘Strengthening inter-
national cooperation in order to prevent the use of the Internet to commit drug-related
crimes’169 while in 2007 prepared a similar resolution on ‘International cooperation in
preventing the illegal distribution of internationally controlled licit substances via the
Internet.’170
163
The report on that meeting is contained in document UNODC, ‘Report on the meeting of
the open-ended intergovernmental expert group to conduct a comprehensive study of the
problem of cybercrime held in Vienna from 17 to 21 January 2011’ (31 March 2011) UN Doc
UNODC/CCPCJ/EG.4/2011/3.
164
UNGA A/RES/67/189 (n 73).
165
The report on that meeting is contained in document UNODC ‘Open-ended inter-
governmental expert group on cybercrime: Draft report’ (28 February 2013) UN Doc UNODC/
CCPCJ/EG.4/2013/L.1.
166
ECOSOC ‘Commission on Narcotic Drugs: Report on the forty-second session’ (1999)
UN Doc E/1999/28/Rev.1.
167
ECOSOC CND Res 43/8 (15 March 2000).
168
ECOSOC Res 2004/42 (21 July 2004).
169
ECOSOC CND Res 48/5 (2005).
170
ECOSOC CND Res 50/11 (2007).

22 / Date: 7/5
5. SUBSIDIARY ORGANS AND SPECIALIZED AGENCIES

Aside from the intergovernmental bodies found within the UN Charter, there are
several subsidiary organs and specialized agencies of the UN that work in the field of
cyber-security. Although they are not expressly mentioned in the UN Charter they find
their legal base there. Indeed, under Article 22 of the UN Charter ‘[t]he General
Assembly may establish such subsidiary organs as it deems necessary for the
performance of its functions’ while Article 57 states that the ‘various specialized
agencies, established by intergovernmental agreement … shall be brought into relation-
ship with the United Nations’. Of the many that exist, those key in the context of
cyber-security are the International Telecommunications Unit, the United Nations
Institute for Disarmament Research, and the United Nations Office on Drugs and
Crime. Although an extensive analysis of their individual roles and functions is beyond
the scope of this chapter, their key functions in connection with cyber-security will be
briefly addressed.
(a) International Telecommunications Unit
The International Telecommunication Union (ITU) is the UN specialized agency for

ICTs and has most responsibility for practical aspects of cyber-security. While it
existed prior to the UN’s founding in 1945 it subsequently joined the UN system as a
specialized agency under Article 57 of the UN Charter. The ITU is not only a forum for
discussion of cyber-security issues, and thus advances the broad agenda set by its
Member States by focusing on specific initiatives, but it also plays a key role in setting
technical standards.
The ITU Secretary-General launched the Global Cyber-Security Agenda in May
2007 which he described as being an ‘international framework for cyber-security’.171 A
key part of this was the establishment of a high-level group of experts on cyber-
security. The group held three meetings between 2007 and 2008 before publishing its
Global Strategic Report in 2008,172 which focused on five areas:
+ legal measures;
+ technical and procedural measures;
+ organizational measures;
+ capacity-building; and
+ international cooperation.
The recommendations of the group of experts to the ITU included:
+ developing model legislation for Member States to adopt. The ITU has also
developed a tool kit for cyber-crime legislation with sample language including
171
Maurer (n 28) 30.
172
See ITU, ‘Global Cybersecurity Agenda (GCA)’ <http://www.itu.int/osg/csd/cyber
security/gca/global_strategic_report/global_strategic_report.pdf> accessed 28 September 2014.

23 / Date: 7/5
explanatory comments which could form the basis for a harmonization of

cyber-crime laws;
+ the creation of a ‘Cyber-security Readiness Index’;
+ a framework for national infrastructure protection; and
+ a conceptualization of what a culture of cyber-security could be understood to
mean.
The ITU Secretary-General has taken on a particularly visible role in the cyber-security
agenda of the ITU. For example, at the 2010 World Telecom Development Conference
in Hyderabad he proposed a ‘no first attack vow’ for cyberspace and that States ‘should
undertake not to harbour cyberterrorists and attackers in their country unpunished’173 as
well as drafting five principles of cyber-peace.174 More recently in 2014, the ITU, along
with the United Nations Children’s Fund, and partners of the Child Online Protection
Initiative, released updated Guidelines to strengthen online protection for children.175
The ITU’s initiatives in the context of Child Online Protection have ‘been identified as
an effort whose merit all states agree on and where trust can be built so that
socialization effects could potentially produce positive spill over effects for the broader
cyber-security agenda’.176
(b) United Nations Institute for Disarmament Research
The United Nations Institute for Disarmament Research (UNIDR) is a voluntarily

funded autonomous institute within the UN and generates ideas and promotes action on
disarmament and security. It was one of the first UN bureaucracies to become involved
in the issue of cyber-security and today its ‘cyber work aims to carry out policy-
focused capacity-building at the national, regional and multilateral level, as well as
relevant research and analysis’.177
It has hosted two conferences relating to the discussions in the UNGA’s First
Committee. In 1999, the United Nations Department for Disarmament Affairs funded a
two-day discussion meeting on ‘Developments in the field of information and telecom-
munications in the context of international security’.178 This conference was titled the
same as the resolution introduced by Russia a year earlier and highlighted the different
primary concerns that States had at that time. In 2008 Russia then funded a conference
on ‘Information and Communication Technologies and International Security’ with the
objective being ‘[t]o examine the existing and potential threats originating from the
hostile use of information and communication technologies, discuss the unique
173
Henning Wegener, ‘Cyber peace’ in International Telecommunication Union and World
Federation of Scientists, The Quest for Cyber Peace (ITU 2011) 81 <http://www.itu.int/dms_
pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf> accessed 28 September 2014.
174
Ibid. 78.
175
See ITU, ‘COP Guidelines’ <http://www.itu.int/en/cop/Pages/guidelines.aspx> accessed
28 September 2014.
176
Maurer (n 28) 30.
177
See United Nations Institute for Disarmament Research, ‘Cyber’ <http://www.unidir.org/
est-cyber> accessed 28 September 2014.
178
Maurer (n 28) 28.

24 / Date: 7/5
challenges posed by ICTs to international security and possible responses’.179 Today, as

well as acting as a consultant to the GGEs, it has also hosted three cyber-security
conferences, with the most recent in 2014 focusing on preventing cyber-conflict.
(c) United Nations Office on Drugs and Crime
Although cyber-security is not formally within the domain of the UN Office on Drugs
and Crime (UNODC), the Third Committee of the UNGA first requested for UNODC
to become involved in technical assistance specifically relating to ‘cyber crime’ in
2008.180 Member States officially requested UNODC to work on the use of the Internet
for terrorist purposes for the first time at the 20th session of the Commission on Crime
Prevention and Criminal Justice in April 2011 after it was first mentioned at the 19th
session the year before. UNODC’s Terrorism Prevention Unit contributed to a CTITF
publication in 2012 for law enforcement investigators and criminal justice officers in
connection with cases involving ‘[t]he use of the internet for terrorist purposes’.181 It
also took the lead in the 2013 Global Programme on Cybercrime which, as described
above,182 had been initiated by the CCPCJ and which aimed to assist Member States in
strengthening existing national and international legal responses to cybercrime.
6. CONCLUSION
As with many areas of international life, events within the UN in the context of
cyber-security have arguably been overtaken by events on the ground, and the UN is
struggling to catch up. The functioning of the UN in this or, indeed, any area of
activity, is down to the will and ability of its Member States. While there remains a
clear divide within the international community regarding the focus of any emerging
regulatory framework and the underlying approach to govern cyberspace there has been
a discernable shift in the will among States to take action to regulate activity within
cyberspace in some form. Indeed, we have witnessed a distinct shift in activity, and
perhaps momentum towards something substantial and meaningful being achieved
within and by the UN.
Finnemore and Sikkink perceptively observed that ‘[n]orms do not appear out of thin
air; they are actively built by agents having strong notions about appropriate or
desirable behaviour in their community’.183 While this chapter has only been able to
offer a somewhat limited account of the activities of the UN and its Member States in
this area, achievements can be seen in the number of UNGA resolutions adopted in
various committees, the increasing number of sponsors of these resolutions, the
179
Ibid.
180
UNGA A/RES/63/195 (n 37).
181
UNODC, ‘The use of the internet for terrorist purposes’ (UN, 2012) <http://
www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf> accessed 28
September 2014.
182
See section 4(a) above on the CCPCJ.
183
Martha Finnemore and Kathryn Sikkink, ‘International norm dynamics and political
change’ (1998) 52(4) Int’l. Organization 887, 894–6.

25 / Date: 7/5
progressive work of the GGEs, and the work on the issue of cyber-security taking place
across a range of organs, agencies and bodies. Furthermore, while certain concerns
have been continuously repeated in the UNGA since 1998, in particular the need for
advancing ICTs but with caution over their dual-use nature, there has also been
continuous, if sometimes sluggish, progress in finding common ground and elaborating
upon it. Indeed, the need for practical cooperation between not just States but also
between States and other stakeholders, the need to develop common understandings of
acceptable State behaviour, and the need for confidence-building, transparency and
capacity-building measures have become themes cemented most visibly within the
discourse of the GGEs but also discernable in the work of the other UN organs.
Dialogue and communication between the various UN organs, bodies and groups now
needs to be improved to enable further integrated concerted action and norm develop-
ment.
Yet, it would be shortsighted to think that a regulatory framework can emerge solely
within the forum of the UN. Indeed, the UN itself has continuously noted the valuable
efforts that have been made by international organizations and regional entities in this
area, such as the African Union, ASEAN, the Council of Europe, ECOWAS, the EU,
and the Shanghai Cooperation Organization, to name a few. However, States have also
begun to act bilaterally in seeking to cooperate, come to common understandings, and
build confidence and transparency between them in their operations in cyberspace. A
good example of this is the working group on cyber-security recently established
between the US and China.184 With US concerns regarding a new international
regulatory framework in the form of a treaty still visible, the application of existing
international rules and norms along with the existence of softer, albeit complex,
regulation in this area looks set to continue for some time yet.
184
BBC News, ‘US and China to set up cyber security working group’ (13 April 2013)
<http://www.bbc.co.uk/news/world-asia-china-22137950> accessed 28 September 2014.

26 / Date: 7/5
Index
Aaltola, M 25 ASEAN Convention on Counter Terrorism

Acharya, A 451 162
Ackerman, R 446, 447, 448 Asia-Pacific cyber security 446–64
Afghanistan War 276, 324 ASEAN CERT programs 454, 460, 462
African Union Cybersecurity Convention (AU ASEAN Cooperation Plan 455
Convention) 192, 196, 197, 200 ASEAN Defence Ministers Meetings
Ago, R 58, 233, 244 (ADMMs) 454, 455
Akande, D 274, 327 ASEAN Economic Community Blueprint
Akehurst, M 19, 31–2, 34 453
Albright, D 243, 330 ASEAN Information Infrastructure and
Aldrich, R 123, 361 Hanoi Plan of Action 452
Alexander, K 418 ASEAN Political-Security Community 454
Alston, P 337 ASEAN Regional Forum (ARF) 455–8
Ambos, K 118–43, 156 ASEAN Telecommunications and IT
Andress, J 229 Ministers (TELMIN), ICT
Anonymous group 157, 213 infrastructure and capacity
Antolin-Jenkins, V 248, 249 development 452–4, 461
Antonopoulos, C 28, 55–71 ASEAN Telecommunications and IT
Aoki, K 76 Ministers (TELMIN), Mactan Cebu
Appelbaum, B 324 Declaration 454
Arcaric, M 406 cyber security confidence building measures
Areng, L 429, 445 (CBMs) 449
Argomaniz, J 404–5 cyberspace ‘rules of engagement’ measures
Arias, A 206 463
Arimatsu, L 121, 149, 228, 307, 326–42, 345, e-ASEAN Framework Agreement 452
368, 398 geopolitical landscape 447–51
Armacost, M 390 government vulnerability concerns 463
armed force and conflict non-State actors involvement 449–50
classification of armed see classification of regional approaches 451–63
cyber warfare, international armed Singapore Declaration 452–3
conflict sovereignty considerations 447–8, 463
cyber attacks as ‘armed attacks’ 263–70, technological capabilities and cyber
272–3, 275, 276, 279–80, 281–2 infrastructure disparities 449–50
cyber attacks and crime of aggression Asia-Pacific cyber security, Asia-Pacific
138–9 Economic Cooperation (APEC) 458–62
cyber operation as see cyber operations as a Action Agenda for New Economy 458–9
use of force, as armed force Cybersecurity Strategy 460–61, 463
determining whether armed force has been e-APEC Strategy 459, 460
applied 122–3 international institution cooperation 462
existence of, cyber attacks as war crimes private sector engagement 461–2
121–6 Security and Prosperity Steering Group
international humanitarian law applied to (SPSG) 458, 460, 461–2
cyber warfare 371–4 terrorist attacks, effects of 459
law of armed conflict (LOAC), and law of attribution
neutrality 396–9 and anonymity problems, classification of
Arquilla, J 212 cyber warfare 333
491
Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 1 / Date: 8/5
of attack to one of the parties to the conflict Bowett, D 272

125–6, 129 Brazil 113, 178, 179–80, 184, 473
identification problems 296, 362–4 Brenner, S 191, 196, 200
methods and collateral damage 322 Brierly, J 33
problems and due diligence, law of Brinkel, T 219
neutrality 394–5 Brkan, M 420–21
State responsibility see State responsibility, Broad, W 243, 261
attribution in cyberspace Brölmann, C 21
Austin, G 83, 285, 286, 288, 289, 291 Brown, G 247, 249, 264, 330
Australia 41, 43, 49, 158–9, 446, 448, 449 Brownlie, I 32, 187, 239, 266
Azerbaijan 392 Bruguière, J-M 84, 85
Bryant, R 15
Baker, C 175–7
Buchan, R 56, 65, 104, 112, 119, 149,
Baker, S 262
Balmond, L 406 168–89, 224, 225, 236, 241, 282, 317,
Bannelier-Christakis, K 128, 130, 161, 228, 330, 398
307, 308, 311, 314, 317, 343–65, 372, Buck, S 27
398 Budapest Convention 149, 162–3, 192–7,
Barlow, J 13, 96–7 198–9, 200, 202–5, 412, 414, 418–19
Barnes, S 22 Burnham, G 310
Barrett, E 307, 312 Burton, C 414, 417
Barriga, S 138, 140, 141 Byassee, W 15
Barron-Lopez, L 287
Bartelson, J 17, 18 Caballero-Anthony, A 451
Baruah, D 465, 466, 475, 478, 480 Cammack, C 137, 139
Barzashka, I 330 Carrapico, H 404
Beal, V 55 Cartwright, J 347
Beck, L 128, 129, 135, 136 Cassese, A 121
Beitollahi, H 264 Cathcart, B 375
Belk, R 307 Cavelty, M 437
Bellamy, A 314 Cerf, V 109, 426
Benatar, M 138, 281 CERTs (Computer Emergency Response
Bendiek, A 404, 408, 409, 419 Teams) 221–2, 223, 411, 440–41, 454,
Bently, L 96 460, 462
Berne Convention, intellectual property rights Cesana, S 164
74, 78, 79, 84 Chadwick, O 388
Besson, S 16 Chesney, R 337
Bethlehem, D 18, 278 Chesterman, S 185, 226
Blair, D 223 China 70, 111, 165, 319, 370, 457, 463, 478
Blake, D 346 and cyber espionage 114, 158, 168, 169,
Blakeney, M 74 172, 179, 184, 241, 245–6, 333, 448
Blockmans, S 423, 425 Internet censoring and monitoring 45,
Blommestein, M van 212, 223 112–13, 115, 323
Boczek, B 390 US–China cyber security working group
Boothby, W 120, 123, 124, 129, 133, 134, 490
135, 232, 242 Chowdhury, N 404
Borgmann-Prebil, Y 417 Christakis, T 268
Borneman, W 381 Christie, D 325
Bossuyt, F 419 civilian population
Bothe, M 351, 368 attacks against 128, 154, 160–61, 191,
botnets and remote control 309, 313, 315, 319 242–5, 323–4, 372
see also hackers consumer protection, EU cybersecurity law
Bouwmeester, H 370 411

Index 493
infrastructure damage and indirect killing principle of proportionality 134–6

310 see also civilian population
principle of distinction see under principle Computer Emergency Response Teams
of distinction, relevance of (CERTs) 221–2, 223, 411, 440–41, 454,
principle of proportionality 372–3 460, 462
see also collateral damage Computer Incident Response Capability
Clark, R 140, 141 (NCIRC), NATO 429, 433, 444
Clarke, R 188, 224–5, 253, 260, 317 computer systems
classification of cyber warfare 326–42 botnets and remote control 309, 313, 315,
actor identification problems 326 319
and international humanitarian law 326–7, and computer companies as targets, and
331–2, 335, 336, 339–40
principle of distinction 360–61
classification of cyber warfare, international
copyright protection of software see
armed conflict 328–35
anonymity and attribution problems 333 cyberspace, intellectual property rights,
armed force use 328–32 copyright protection of computer
by a State against another State 332–5 software
critical infrastructure and essential services, ‘digital divide’ and right to development
harm to 330–32 107–8, 109–10
Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) 242,
attacks 331 249–50, 259–60, 264, 265, 331, 392
hacktivist involvement 334–5 evidence requirements and territorial
intensity and duration of violence, relevance location 63–5
of 330, 332 facilities, law of neutrality 397, 399
private sector actors’ involvement 334–5 forgery and fraud 196
and State effective control 330, 334–5 hackers see hackers
classification of cyber warfare, identification and attribution 62–3, 69–70
non-international armed conflict 336–41 integrity crimes 191
definition 336, 339–40, 362 interconnectivity between military and
extension of weapons treaties to 327 civilian systems 131–3
geographical scope and territorial malware 252–3, 257, 261, 308, 309, 312,
boundaries 337 313, 444
intensity of hostilities 340–41 network attacks 118–20, 186–8, 194
and international humanitarian law 339–40 viruses see viruses
organized armed group, involvement of WIPO Model Provisions on the Protection
337–40 of Computer Programs 84
‘virtual group’ involvement 338–40 see also cyber attacks; Internet
Clinton, H 109, 184 Connolly, K 52
Clough, J 190, 194, 195 Constantinou, A 266
coercion use 181–3, 249, 250–52, 253 Conti, G 232
Cohen, J 14–15, 22 Cook, K 339
Cohen, M 76 copyright issues 48, 193, 197
Colarik, A 229 protection of computer software see
Coleman, G 213, 217 cyberspace, intellectual property rights,
collateral damage copyright protection of computer
and cyber weapons see ethical challenges of software
cyber weapons, collateral damage Corn, G 327
dual use function and collateral effects Cornish, P 227
377–8 Correa, C 74
international humanitarian law applied to Corten, O 237, 243
cyber warfare 373 Costa, J-P 356
principle of distinction see under principle Crawford, J 19, 56
of distinction Cremona, M 405, 422

crime see cybercrime; international criminal terminology problems 297–8

responsibility cyber deterrence and public international law,
Croom, C 230 security of critical infrastructures 287–90
Cubby, B 159 Critical Information Infrastructure (CII)
Curran, J 31 288–9
Currie, R 182 military security and nuclear power plants
cyber attacks 288–9
as adjunct to traditional means 370–71 peacetime protection of critical
as ‘armed attacks’ 263–70, 272–3, 275, 276, infrastructures 289
279–80, 281–2 cyber espionage 212, 219–20, 222, 224–6,
definitions 346–7, 348 230, 311, 316–17, 369, 398–9, 408
duration of attack 124–5, 129, 330, 332
cyber espionage and international law 168–89,
hackers see hackers
180–88
viruses see viruses
see also computer systems; individual accessing and copying of electronic
countries; Internet information 171
Cyber Conflict Studies Association (CCSA) coercion and violation of territorial integrity
289, 296 181–3
cyber defence and NATO see NATO and definition 170–74
cyber defence espionage as permissible exception to
cyber deterrence, and international non-intervention principle 185
cooperation, need for strengthening 166 Google cyber attack 168, 184
cyber deterrence and public international law international humanitarian law 172
284–304 Mandiant Report 168, 169, 333
consequence based approach 300–301 non-State actors 172–4
and critical infrastructures 302–3 in peacetime 172
cyber attacks in support of military attack principle of non-intervention 180–86
with conventional means 285 prohibition against use of force and
cyber weapons’ use 284 argument for inclusion of computer
EastWest Institute, A Measure of Restraint systems 186–8
in Cyberspace 288–9 sovereignty over information in cyberspace
imminence of attack 301–2 183–4, 186
NATO’s collective defence 291 sovereignty as protection of territorial and
nuclear-deterrence see nuclear deterrence political integrity 182, 183
protection via deterrence 290–91 States’ refusal to accept responsibility for
retaliation via offensive means 291 espionage when accused 195–6
security against cyber treats 286–90 Tallinn Manual see Tallinn Manual
UN Charter on the threat and use of force transboundary espionage 171–2
299–302 UN Charter and prohibition against use of
UN General Assembly (UNGA) and force 186–8
protection of critical information US spy plane incident (Gary Powers) 177
infrastructures 288 cyber espionage and international law, as
US Presidential Decision Directive on cyber threat to international peace and security
capacity 284, 297–8 174–80
cyber deterrence and public international law, confidential information from private
cyber deterrent feasibility and technical companies 179
considerations 295–8 espionage inhibits and deters functional
nuclear deterrence, differences from 296–7, cooperation claim 177–8
299 espionage as tool that enables functional
potential adversaries, identification cooperation argument 175–7
problems 296 human rights violations 179–80
self-defence, both passive and active 297–8, increased knowledge of other States’
299, 300–302, 304 capabilities argument 174–5

Index 495
information storage and speed of access securitization and digital surveillance

178–9 219–20, 222
international agreements, compliance and see also ‘State’ headings
verification mechanisms 176–7 cyber operations as a use of force 233–54
national infrastructure information 179 Distributed Denial of Service (DDoS) 242,
sovereign equality of States 175, 177–8, 249–50
179–80 HPCR Manual on International Law
cyber exploitation and cyber attacks, Applicable to Air and Missile Warfare
difference between 240–42 238, 240
cyber network attack (CNA) definition 264 UN General Assembly conditions 234–5
cyber operations 211–32 UN General Assembly’s Declaration on the
‘air gap’ protection 212
Definition of Aggression 237
Budapest Convention (Council of Europe
cyber operations as a use of force, as armed
Convention on Cybercrime) 149,
162–3, 192, 193–4, 412, 414, 418 force 235–40
common operational means and methods arming and training of armed groups as use
217–18 of force 238
cyber sabotage (cybotage) 212 cyberspace as fifth domain of warfare
cyberspace virtual layers 221–2 239–40
diversity in strategic objectives 215–17 effects of the action and direct destructive
hackers see hackers effects on property 236–7
military cyber operations 212–13, 214, identified by reference to instruments used
226–32 237
military cyber operations, operationalizing instrument-based approach and use of
230–32 weapons 236
military cyber operations, ‘targeting’ and intention to coerce 236–8
process 232 malware as weapon 238–9, 243, 244–5
national security strategy 215–16 target-based approach, conducted against
non-profit organizations and pressure national critical infrastructure (NCI)
groups 217 236
operationalizing cyber operations 229–32 weapons definition 238
private enterprises digitally collecting and cyber operations as a use of force, UN
providing information 211–12, 222 General Assembly (UNGA) prohibition
private enterprises supplying tools to enable of use of force 235–6, 237, 238, 240–53
cyber activities 216, 222 conduct related to cyber attacks and
software monitoring 218 malware supply 252–3
State’s critical infrastructure, digital nature cyber attacks causing physical damage to
of 216 property, or injury of persons 242–5
cyber operations, State-level cyber paradigms cyber attacks severely disrupting the
218–29 functioning of infrastructures and
CERTs (Computer Emergency Response security 245–50
Teams) 221–2, 223, 411, 440–41, 454, cyber exploitation and cyber attacks,
460, 462 difference between 240–42
governance and public-private involvement cyber exploitation as violation of
222, 223 sovereignty 241
intelligence and counter-intelligence 224–6, cyber infrastructure used to launch cyber
230 attack 253
Internet governance and diplomacy 220–21 data deletion as use of force, but without
law enforcement 222–4, 230 physical damage 244–5
military operations 226–9 disruptive cyber operation as use of force,
military operations, ‘adequate’ legal basis need to establish 248
requirement 228–9 economic targets as economic coercion 249
protection of (critical) infrastructure 221–2 minimum threshold of gravity debate 243–4

serious disruption of essential services UN Global Counter-Terrorism Strategy 151

without destroying infrastructures 247 US excessive intelligence collection
significant disruption of essential services methods, criticism of 167
249–50 see also cyber security
violation of the principle of cyber terrorism, cyber attacks and general
non-intervention and use of coercion international crime of terrorism 155–62
250–52, 253 civilian population, spreading terror among
virus attacks 244–5 160–61
website defacement 252 customary international law crime of
cyber security transnational terrorism 155–6, 158
Asia-Pacific see Asia-Pacific cyber security industrial protest as terrorism, problems
cyber attacks severely disrupting, UNGA with 159–60
245–50 international humanitarian law and
human rights 112–15 principles of distinction and
intelligence information 224–6, 230, 259 proportionality 160–61
law, EU see EU cybersecurity law private motivation for attacks 158–9
UN regulation see UN and the regulation of ‘special intent’ element 158
cyber security State-sponsored cyber attacks 158, 161–2,
see also cyber deterrence; cyber terrorism 164
cyber terrorism 147–67 cyber terrorism, ‘sectoral’ international
comprehensive instrument and regulation anti-terrorism conventions 151–5
need 163–7 attacks against protected persons 154
concept 147–51 cyber ‘weapon’ concept 154
data retention schemes 167 ‘physical attack’ question 153–4
definition, lack of an agreed legal 147–8, violence understood as physical force 154
152 cyber warfare 119–20, 408, 436–7, 438
facilitative acts of terrorism 150–51 classification see classification of cyber
and general Internet use by terrorist groups warfare
150 and humanitarian law see international
hacking techniques 157, 158 humanitarian law applied to cyber
international humanitarian law applied to warfare
cyber warfare 369–70 war crimes see international criminal
International Telecommunication Union responsibility, cyber attacks as war
(ITU), model cyber crime legislation crimes
165 cyber weapons
international treaty, lack of 149 concept 154, 284
as new terrorist tactic 148 ethical challenges see ethical challenges of
political motive element and organised cyber weapons
crime overlap 149–50 international criminal responsibility 139
prohibited harms to protected targets 153–4 treaties, extension of 327
as prohibited intervention 148–9 cybercrime
regional and national instruments 149, Cybercrime Convention of the Council of
162–3, 166–7 Europe 118
supervisory control and data acquisition definition 118, 407–8
(SCADA) systems 147 EU Cybercrime Centre (EC3), EU
Tallinn Manual see Tallin Manual cybersecurity law 409, 413
technical measures, possible necessary EU Cybercrime Convention Committee
165–6 (T-CY) 418–19
terrorist groups, lack of perceived threat Eurojust cross-border prosecution 409, 412,
from 164 413
UN Draft Comprehensive Anti-Terrorism UN Office on Drugs and Crime (UNODC)
Convention, terrorist offences 489
definition 155–7, 158, 159, 160, 161–2 see also international criminal responsibility

Index 497
cybercrime, international legal dimensions system interference 195

190–207 technical means of protection and
adjudication and enforcement 201 preventive measures 204–5
awareness-raising campaigns 205 territoriality principle of regulation and
child pornography 196–7 enforcement 198–200
comprehensive multilateral instrument, need UN Convention against Transnational
for 206 Organized Crime (Palermo
computer integrity crimes 191 Convention) 198, 199
computer-related forgery and fraud 196 cyberspace
cooperation between States 198–9 data protection see data protection
copyright issues 193, 197 definition 14–24
‘crimes’ committed in virtual worlds 191 as global commons see cyberspace, legal
cybercrime definition 190–92 status, cyberspace as global commons
data retention requirements 203 human rights see human rights
denial of service attacks 195 law of neutrality see law of neutrality
EU Council of Europe Convention on virtual layers 15, 221–2
Cybercrime (Budapest Convention) cyberspace, infrastructure
149, 162–3, 192–7, 198–9, 200, 202–5, ASEAN, ICT infrastructure and capacity
412, 414, 418–19 development 452–4, 461
EU Framework Decision 162, 192–3, collateral damage and malfunction of
202–3, 415 civilian facilities 349–50, 354
harm to property or persons 191 critical infrastructure and essential services,
human rights and liberties protection 199, serious disruption of 245–50, 268–70,
203–4 302–3, 310, 330–32
illegal interception and protection of cyber infrastructure used to launch cyber
privacy of electronic communication attack 253
194–5 dual-use of cyber infrastructure and
intellectual property issues 193 principle of distinction 131–3
international regime to fight cybercrime property, harm to property or persons,
198–200 cybercrime, international legal
international substantive law 192–8 dimensions 191
jurisdiction problems 200–203, 206–7 protection of critical 221–2
mutual assistance and extradition 199–200 secure ICT infrastructure, NATO and cyber
national legislation and fragmentation 201 defence 433–4
offences where a computer system is security of critical see cyber deterrence and
targeted intentionally 194 public international law, security of
penalties for illegal access 194 critical infrastructures
personal data protection 204 State’s critical infrastructure, digital nature
privacy rights 203–4 of 216
production and distribution of devices used technological capabilities and cyber
to commit offences 195–6 infrastructure disparities 449–50
safe havens, need for elimination of 206 UN General Assembly (UNGA), cyber
search and seize powers and territorial attacks causing physical damage to
issues 199 property 242–5
self-regulation 204–5 cyberspace, intellectual property rights 72–93
service providers, liability and Berne Convention 74, 78, 79, 84
responsibility 203, 205 cybercrime, international legal dimensions
similar activities with different legalities in 193
different countries 193 EU intellectual property laws 80–83
sovereignty issues 196–7 EU Unitary Patent Regulation 81, 84
spamming 195 European Patent Convention (EPC) 78, 81,
State of origin and State of destination 83–4, 91
conflict 202–3 in international law 73–7

Paris Convention 74, 78, 80 transnational online publishing 30–31

property and sovereignty, distinction in law see also cyberspace, legal status; legal
75–7 dimensions
trade marks and domain names 91–2 cyberspace jurisdiction,
TRIPs Agreement 74, 79, 80, 84 adjudicative/legislative jurisdiction 35–51
Uniform Domain Name Dispute Resolution advertising and selling drugs 39, 50
Policy (UDRP) 74, 92 copyright claims 48
cyberspace, intellectual property rights, defamation and data protection 43–5, 47
copyright protection of computer democratic legitimacy problems 38
software 83–91 destination approach and accessibility
‘author’s own intellectual creation’ 85–7 38–44
EU Database Directive 84–5 destination approach and targeting 44–7,
EU Information Society Directive 90–91 48–9
EU Software Directive 84, 85–7, 88, 90 destination approach under customary
idea–expression dichotomy principle 88–9 international law 47–9
ISPs and ‘notify-and-take down’ approach effects doctrine 48
87–8 ‘everything that is not prohibited is
non-literal copying of software 88 permitted’ approach 36–7
permitted acts with regard to computer free trade commitments 42–3
programs 90–91 online gambling 40–42, 47
possible cyber attacks and response of origin approach 49–51
international law 89–90 publishing pornography 39
protection of computer-related inventions State’s legal standards 35–6
by patent l 91 surfers purchasing artefacts from third
software originality definition 85–6 parties 38–9
WIPO Copyright Treaty 74, 84 territoriality principle within non-territorial
cyberspace, intellectual property rights, cyberspace 37–51
territorial nature 77–83 trademark owners 45–6
EU copyright law and territoriality principle US due process requirement 47
81–2 voluntary compliance or enforcement via
EU supranational laws and harmonisation local intermediaries 49
of intellectual property laws 80–82 cyberspace, legal status 13–29
international conventions 78–9 cyberspace definition 14–24
lex loci protectionis 79, 82–3 cyberspace global domain within the
private international law 82–3 information environment 15
in public international law and intellectual cyberspace layers 15, 221–2
property law 77–82 future challenges 28–9
relaxation of territoriality principle 79 see also cyberspace jurisdiction; legal
cyberspace jurisdiction 30–54 dimensions
competence under public international law cyberspace, legal status, cyberspace as global
31–5 commons 24–8
enforcement jurisdiction 51–3 Antarctica, legal status as example 26–7
international law scope 31–3 cyberspace differences from other global
jurisdictional principles versus legal commons 28
harmonisation 34–5 high seas designation 25–6
piracy sites, blocking 52–3 and Outer Space Treaty 26
self-censorship 53 and sovereignty principle 27–8
States claiming regulatory competence in cyberspace, legal status, sovereignty and
parallel 33–4 international law 16–24
territorial fragmentation of the internet 52–3 activities endangering important national
territoriality principle and sovereignty 33 interests 20
transnational corporations, power and cyberspace as sovereign entity, and
interests of 31 self-determination by community 22–4

Index 499
deterritorialisation as detachment of NATO, 2020 Report on cyber defence 274,

regulatory authority from a specific 275
territory 21–2 NATO Cooperative Cyber Defence Centre
effects doctrine 20 of Excellence (CCDCOE) 258
external sovereignty power 17–18 NATO and security challenges to critical
extraterritorial extension 16–17, 19 infrastructure 270
indirect exercise 20–21 Non-Aligned Movement (NAM) and
jurisdiction 18–22 anticipatory self-defence 271, 272
no-sovereignty thesis and self-regulation 16 proportionality test 274–5
power concept 18 in response to armed attack 369
spill over effects 21 scepticism over 281–3
and Tallinn Manual see Tallinn Manual
technology regulation 21
topicality of cyber security 257–9
territory as element of sovereignty 18, 21
UN General Assembly Resolution on
cyberspace, self-defence in 255–83 misuse of information technologies 280
ad hoc international institutions and rules UN Security Council and inherent right to
for the Internet, need for 282–3 self-defence 277–8
against non-State actors 276–80 US Patriot Act 269–70
against non-State actors, and private and violation of the principle of
trans-border harm, difference between non-intervention 261–2
279–80 cyberspace, self-defence in, UN Charter
anticipatory self-defence 270–73 Article 51 255, 261
collective self-defence 260, 270, 275–6, and anticipatory self-defence 271–3
434–7 ‘critical infrastructure’ targeted by cyber
conditions concomitant to exercise of 273–5 attacks 268–70
cyber attacks preceded/accompanied a customary law applying ‘separately from
conventional attack 260, 261–2 international treaty law’ 267–8
cyber attacks and unlawful use of force 263 cyber attacks as ‘armed attacks’ 263–70,
cyber network attack (CNA) definition 264 272–3, 275, 276, 279–80, 281–2
cyber sanctions 281 and ‘use of force’ 265, 267
cyber security intelligence information cyberspace sovereignty
sharing with private sector companies, considerations, Asia-Pacific cyber security
call for 259 447–8, 463
cyberspace as interconnection of electronic and cyber espionage 175, 177–8, 179–80,
pathways 256 182, 183–4, 186
Distributed Denial of Service (DDoS) cyber exploitation as violation of 241
259–60, 264, 265 and cybercrime, international legal
EU Directive on attacks against information dimensions 196–7
systems 269 and cyberspace as global commons 27–8
immediacy, understanding of 275 and human rights 100–101
industrial control systems, programmable and intellectual property, distinction in law
logic controllers 261 75–7
information requests and use of and international law see cyberspace, legal
private-sector ISPs 264 status, sovereignty and international
Institut de Droit International, Santiago law
Resolution on self-defence 266, Internet freedom and Internet sovereignty
270–71, 277 contrasts 111
jus ad bellum legal approach 262–3 and non-intervention policies 97
legal doctrine, prevailing approaches 262–3 and territoriality principle 33
malware 257, 261 violations, and law of neutrality 380–81,
National Strategies and Policies on 389, 394–5, 397–8
cybersecurity 258–9 see also State practice; State responsibility;
NATO, 2010 Strategic Concept 257–8 territoriality

Danton, J 80 Dreier, T 74, 78

Dashwood, A 422 Droege, C 119–26passim, 129, 130, 131, 133,
d’Aspremont, J 173 136, 137, 143, 329, 341, 343, 347, 352,
data protection 131, 204, 318, 416–17 353, 360, 364
backup data use 316 Drummond, D 168
data destruction, and principle of dual-use function 115, 131–3, 358–62, 377–8
proportionality 375–6 Ducheine, P 119, 211–32, 240, 366, 370, 407
deletion as use of force, but without Dulles, J 292
physical damage 244–5 Dunlap, C 262, 359
European Data Protection Supervisor Dupert, R 261
(EDPS) 407–8 duration of attack 124–5, 129, 330, 332
Internet and data transmission 398, 399
jurisdiction and defamation 43–5, 47 Easton, C 72
privacy rights 203–4 EastWest Institute, A Measure of Restraint in
retention schemes, and cyber terrorism 167 Cyberspace 188–9, 288–9
supervisory control and data acquisition Eaton, J 62
(SCADA) systems 147 economic cooperation see Asia-Pacific cyber
Davidson, O 354, 359 security, Asia-Pacific Economic
Davis, J 260 Cooperation (APEC)
DDoS (Distributed Denial of Service) see economic, social and cultural rights 104–8
under computer systems economic targets as economic coercion 249
De Hert, P 193, 195, 202 Edwards, L 88
Deconinck, G 264 Edwards, S 109
Deeks, A 337 Elisan, C 309
Dehghan, S 261 Emerson, R 23
Dekker, I 295 Erdbrink, T 361
Delupis, I 185 Erlank, W 76
Demarest, G 170 espionage see cyber espionage
DeNardis, L 220 essential services, serious disruption of
Denmark, A 24 245–50, 268–70, 302–3, 310, 330–32
Denning, D 157, 164, 312, 314 see also cyberspace, infrastructure
Derclaye, E 86 Estonia, cyber attacks 56, 64, 221, 259–60,
Derejko, N 337 262, 276, 335, 349–50, 429, 437–8,
Dervan, L 132, 134 475–6
deterrence see cyber deterrence Estrin, D 341
‘digital divide’ and right to development ethical challenges of cyber weapons 307–25
107–8, 109–10 autonomous propagation methods,
Dinniss, H 119, 122–39passim, 143, 236, 263, avoidance of 317
345, 346, 347, 351, 356, 361 backup data use 316
Dinstein, Y 123, 149, 237, 238, 240, 265, 267, botnets and remote control 309, 313, 315,
271, 273, 274, 285, 301–2, 303, 347, 319
382, 387 cyber attack damage repair 316–17
Dinwoodie, G 73, 75, 78, 79, 80, 82 cyber espionage to cyber attack escalation
Dipert, R 309 311, 316–17
Distefano, G 355 cyber weapons definition 309–10
Doerr, O 139 infrastructure damage and indirect killing
Döge, J 263 310
domain names 21–2, 74, 76, 79, 92, 116 justification for cyber attack 312
Dörmann, K 120, 124, 128, 129, 131, 133, malware 308, 309, 312, 313
263, 329, 343, 348, 352 overkill tendencies 315
Dörr, O 236, 237 peculiarities of cyber weapons and
Doswald-Beck, L 238, 327, 348, 385, 387 differences from traditional weapons
Drahos, P 72, 74 310–11

Columns Design XML Ltd / Job: Tsagourias-Research_Handbook_International_Law_and_Cyberspace / Division: Index /Pg. Position: 10 / Date:
8/5
Index 501
precision, lack of 308 Television Without Frontiers Directive 50

principle of responsibility for conduct in Trade Mark Directive 80
warfare 316–17 Unitary Patent Regulation 81, 84
product tampering and perfidy 312–14 website blocking 52
prolonged effect of damage 316 EU cyber security law 403–25
system interdependence challenges 311 anti-terrorism measures 424
targeting errors 314–15 Area of Freedom, Security and Justice
traditional counterattacks, combining with (AFSJ) 405, 410–11, 413, 415, 420,
312 421, 424
unreliability of cyber weapons 314–15 CERT (Computer Emergency Response
ethical challenges of cyber weapons, collateral Team) 411
damage 317–25 Common Foreign and Security Policy
analysis costs and development of (CFSP) 413, 414, 419, 421–4
mitigation procedures 321–3 Common Security and Defence Policy
attack propagation costs 320–21 (CSDP) 403, 413, 420–24
attribution methods 322 consumer protection 411
blocking network services 323 core EU values, inclusion of 411
bulletin boards and blogs, use of 322 Council of Europe Convention on
denial-of-service attacks 319 Cybercrime (Budapest Convention)
direct damage, costs of recovering from and 149, 162–3, 192–7, 198–9, 200, 202–5,
costs of repair 320 412, 414, 418–19
economic value of attacks 324–5 cyber espionage 408
and information extraction problems cyber resilience 408, 412
318–19, 321 cyber security and cybercrime definitions
psychological damage 323–4 407–8
types 317–18 cyber war 408
vulnerability analysis 323 Cybercrime Convention Committee (T-CY)
EU 418–19
Copyright Directive 45, 86 cybercrime reduction strategies 412–13
copyright law and territoriality principle differing policy fields, need for combination
81–2 of 405
Council of Europe Convention on Digital Agenda for Europe (DAE) 411
Cybercrime (Budapest Convention) EU Commission Communication, ‘Network
149, 162–3, 192–7, 198–9, 200, 202–5, and Information Security’ 410, 411
412, 414, 418–19 EU Cybercrime Centre (EC3) 409, 413
Data Protection Directive 44 EU Cybersecurity Strategy 411–14
Database Directive 84–5 Eurojust cross-border prosecution of
Directive on attacks against information cybercrime 409, 412, 413
systems 269 European Data Protection Supervisor
Electronic Commerce Directive 39, 41, (EDPS) 407–8
50–51 European Information Sharing and Alert
Europe-only communication network System (EISAS) 409
suggestion 53 European Network and Information
exclusive origin rule 50–51 Security Agency (ENISA) 409, 411,
and facilitative acts of terrorism 150–51 412
Framework Decision on Attacks against European Police College (CEPOL) 413
Information Systems 162, 192–3, European Public-Private Partnership for
202–3, 415 Resilience (EP3R) 410
Information Society Directive 90–91 European Security Strategy 411
intellectual property laws 80–83 Europol support 408–9, 412, 413
Online Music Recommendation 81 EU–US Working Group on Cyber-Security
privacy and personal data protection 103 and Cyber-Crime (WGCC) 408, 411,
Software Directive 84, 85–7, 88, 90 414

8/5
information sharing and mutual assistance European Court of Human Rights (ECtHR)
412 Balan v Moldova 72
institutional framework 408–10 Infopaq 82, 86
international cyberspace policy, intellectual property rights 77
establishment of coherent 414 national differences on freedom of
Internet regulation 406 expression 100, 101
Lisbon Treaty 403–4, 413, 416, 420–21 originality for computer programs and
policies on cybercrime and cybersecurity databases 86
410–14 Yildirim v Turkey 53, 101
principle of conferral 405, 419–20 see also EU cybersecurity law
private actor involvement 410, 412 European Court of Justice (CJEU)
States’ operational capability, strengthening
Donner (Free Movement of Goods) 45
412
ECOWAS (Small Arms and Light Weapons)
Stockholm Programme 410
technological resources, development of 422
413–14 European Parliament v Council of the
TEU mutual defence clause 418 European Union 424
TEU ‘non-contamination clause’ 421–3 Gambelli 41–2
TEU, ‘Union’s External Action’ 413 Google Spain v Agencia Española de
TFEU data protection rules 416–17 Protección de Datos 44–5
TFEU on establishment and functioning of L’Oréal v eBay International 45
the internal market 416 Mauritius 419, 423
TFEU on judicial cooperation in criminal Pammer and Hotel Alpenhof 45–6
matters 415 Pinckney v KDG Mediatech 46
TFEU solidarity clause 417–18 role of see EU cybersecurity law, legal basis
see also European Court of Human Rights choice and role of Court of Justice
(ECtHR); European Court of Justice Wintersteiger v Products 4U 48
(CJEU) see also EU cybersecurity law
EU cyber security law, legal basis choice and European Network and Information Security
role of Court of Justice 419–24 Agency (ENISA) 258
‘centre of gravity’ approach’ 423 European Parliament and solidarity clause
comprehensive approach, need for 421–4 417–18
cyber defence issues 423, 424 European Patent Convention (EPC) 78, 81,
principle of consistency 420 83–4, 91
EU cyber security law, legal instruments, extradition 199–200
fragmentation in 414–19 see also Snowden (Edward) revelations
Directive proposal for measures to ensure a
high common level of network and Fanelli, R 232
information security 415–16 Fassbender, B 175
EU Framework Decision on attacks against Fawcett, J 72, 73, 82, 83
information systems 415 Feakin, T 446, 449, 457, 458, 463
European Parliament and solidarity clause Fedosov, S 436
417–18 Feinstein, L 277
General Data Protection Regulation Fenrick, W 132
proposal 416–17 Ficsor, M 74
judicial cooperation 415 Fidler, D 94–117, 172, 174, 178, 179, 188,
mainstream cyberspace issues into EU 189, 203, 223, 226
external relations proposal 419 Fildes, J 261
Regulation proposal on electronic Finnemore, M 489
identification and trust services for Fitzmaurice, G 32
electronic transactions 416 Fleck, D 226, 382, 384, 386
European Convention on Human Rights Fleming, P 148, 150
(ECHR) 100, 199, 204 Flory, P 293

8/5
Index 503
Focarelli, C 75, 148, 188, 226, 228, 241, Gill, T 134, 149, 161, 183, 214, 224, 226,
255–83, 300, 312 228, 307, 308, 311, 314, 316, 361,
Føllesdal, A 404 366–79
Foltz, A 330 Gillet, M 138
force Gioia, A 390
armed force and conflict see armed force Gjelten, T 97, 307, 309, 436
and conflict Glennon, M 278, 346
cyber operations as use of see cyber global commons see cyberspace, legal status,
operations as use of force cyberspace as global commons
Forcese, C 185 Global Network Initiative (GNI) 115
Ford, C 468 Goel, S 307
Forowicz, M 134 Goetz, M 212
Forseberg, T 18 Goldsmith, J 13, 16, 21, 119, 125, 126, 131,
France 38, 78, 110 139, 187, 241
Franck, T 277 Gombeer, K 281
Franzese, P 182 Goodman, S 448
Freedman, L 215 Google cyber attack 168, 184
Friedman, A 213 Gorman, S 324, 332
Gosnell Handler, S 236
Gable, K 165 Govaere, I 404
Garcia-Mora, M 185 Graber, C 21
Gardam, J 301 Graham, M 256
Garside, J 52 Gray, C 271, 274
Gasser, H-P 161 Green, L 385
Gattegno, I 164 Greenberg, L 358, 361
Gazmin, V 450 Greenwald, G 284, 297
Geers, K 342 Greenwood, C 120, 277, 329, 368
Geiss, R 125, 132, 133, 134, 135, 137, 341 Griller, S 420
Gellman, B 115 Grimm, D 23
Geneva Conventions Gross, D 256
armed conflict and attack 122, 123–4, 142, Gross, M 308
241–2, 282, 327, 328, 329, 352, 367–8, Grotius, H 25, 76
371–2, 376, 398 Guelff, R 385
civilians taking ‘direct part in hostilities’ 128 Guitton, C 330
collateral damage to civilian objects 373,
374 Haaster, J van 23, 211, 227, 230, 231
and international humanitarian law 120, hackers 56, 157, 158, 213, 334–5, 348–9, 398
129, 130, 131, 134, 135, 136, 137, 172, see also botnets and remote control;
343, 371–2 malware; virus attacks
non-international armed conflict 126, 161, Hagopian, A 310
336, 339–40, 362 Hague Convention 134, 327, 385–7, 391, 393,
principle of distinction 130, 133, 344, 345, 394, 396–7, 398, 399
362 Hanifah, A 448
principle of precaution 136, 137 Hankel, G 134
principle of proportionality 134, 135 Hanspach, M 212
Georgia, cyber attacks 56, 243, 260–62, 277, Hardin, G 28
319, 349–50, 391–2, 439, 466, 475–6 Hardin, R 339
Germany 38, 39–40, 41, 43 Hardt, S 228
and US NSA cyber espionage 62–3, 113, Haslam, E 123, 124
178, 179–80, 184, 473 Hathaway, O 118, 122, 125, 126, 127, 131,
Gervais, M 138–9 135, 139, 347, 466, 476, 478
Gharibi, H 234 Healey, J 219, 223, 428
Gibson, W 22 Heath, K 75, 147–67, 191

15/5
Heckathorn, D 339 cyber security 112–15

Heinl, C 447, 449, 450, 453, 455 extraterritorial application of right to
Heinsch, R 140 privacy 114
Heintschel von Heinegg, W 241 Global Network Initiative (GNI) 115
Heliskoski, J 422 Internet freedom and Internet sovereignty
Henckaerts, J-M 130, 238, 327, 348 contrasts 111
Henderson, C 257, 432, 460, 465–90 Internet governance 111–12
Herdegen, M 246 private enterprise and cyber technologies
Herman, M 174 115–16
Hern, A 331 Wassenaar Arrangement on Export Controls
Herrera, G 21 and ‘dual use’ ICT technologies 115
Hervik, P 35
human rights, Internet technology and
Hessbruegge, J 66
international politics
Hestermeyer, H 355
Hider, J 261 communication technologies, evolution of
Hildebrandt, M 26 95–6
Hillion, C 405, 420, 421, 423 cyberspace connection with human rights
Hinkle, K 123, 125, 126 96–7
Hmoud, M 280 military potential of the Internet 97
Hong, X 79 packet switching 95–6
Hörnle, J 50, 82 sovereignty and non-intervention policies
Horsley, T 420 97
HPCR Manual on International Law US political dominance 96, 97, 113–14
Applicable to Air and Missile Warfare Hunter, D 24
238, 240 Huntley, T 187
Hugenholtz, B 78, 81 Huntsman, J 223
human rights 94–117 Hurt, C 40
cybercrime and liberties protection 199, Hutchins, E 229–30
203–4
cyberspace and general principles of ICANN (Internet Corporation for Assigned
international law 98–9 Names and Numbers) 21–2, 74, 76, 79,
‘digital divide’ and right to development 116
107–8, 109–10 ICRC see International Committee of the Red
economic, social and cultural rights 104–8 Cross (ICRC)
International Covenant on Economic, Social
identification problems see attribution
and Cultural Rights (ICESCR) 104–7
Imburgia, J 346
Internet access as new human right 109–10
right to freedom of expression and national indiscriminate attacks see principle of
differences 100–102, 110 distinction, relevance of, prohibition of
and sovereignty 100–101 indiscriminate attacks in cyberspace
UN ‘Right to Privacy in the Digital Age’ industrial protest as terrorism, problems with
draft resolution 113 159–60
violations, and cyber espionage 179–80 information
see also international humanitarian law access, cyber espionage and international
human rights, civil and political rights 99–104 law 171, 178–9
authoritarian government restriction 102 Critical Information Infrastructure (CII)
Freedom House report 102, 114 288–9
Internet censorship 100–102 EU Commission Communication, ‘Network
right to privacy and national differences and Information Security’ 410, 411
103–4 EU Directive proposal on information
human rights, international relations and security 415–16
cyberspace 110–16 European Information Sharing and Alert
authoritarian government threats 112–13 System (EISAS) 409

8/5
Index 505
European Network and Information Declaration of Independence of Kosovo 37,

Security Agency (ENISA) 409, 411, 65
412 due diligence disputes 67–9, 394–5
extraction problems, and ethical challenges Fisheries Jurisdiction (Spain v Canada) 244
318–19, 321 Gabčíkovo-Nagymaros Project
illegal interception and protection of (Hungary/Slovakia) 279, 355
privacy 194–5 Legality of the Threat or Use of Nuclear
industry cooperation and information Weapons 123, 235, 238, 265, 267,
sharing 444 271–2, 279, 293–5, 299, 301, 303,
NATO Communications and Information 343–4
(NCI) Agency 431–2 Martens Clause and protection and
private sector involvement in information
authority of the principles of
sharing 179, 211–12, 222, 259, 264
international law 344
sovereignty over 183–4, 186
see also cyber security Navigational and Related Rights (Costa
infrastructure see cyberspace, infrastructure Rica v Nicaragua) 246–7, 355
Inkster, N 112 Nicaragua 60, 64, 65, 126, 175, 180–81,
Institut de Droit International, Santiago 182, 186, 233, 236–8, 242–3, 250, 252,
Resolution on self-defence 266, 270–71, 253–5, 266, 267, 273–5, 278, 301, 334,
277 376–7
intellectual property rights see cyberspace, Nottenbohm Case (Lichtenstein v
intellectual property rights Guatemala) 19
intelligence see cyber espionage Oil Platforms (Islamic Republic of Iran v
intensity of attack 124–5, 330, 332, 340–41 United States) 265, 267, 273, 275
Inter-American Court of Human Rights on principle of non-intervention 251, 253
idea–expression dichotomy 89 Pulp Mills (Argentina v Uruguay) 69, 279
Velasquez-Rodriguez 66–7 SAS Institute v World Programming Ltd 90
international armed conflict, classification see on self-defence against non-State actors
classification of cyber warfare, 276, 277
international armed conflict US Diplomatic and Consular Staff in
International Committee of the Red Cross Tehran 57, 67, 333, 335
(ICRC) International Covenant on Civil and Political
armed conflict definition 329 Rights (ICCPR) 100, 101, 103–4, 114,
customary law status 136 199
‘effective contribution’ requirement 130–31, International Covenant on Economic, Social
134, 335 and Cultural Rights (ICESCR) 104–7
intensity threshold 340–41 international crime of terrorism see cyber
Interpretive Guidance on the Notion of terrorism, cyber attacks and general
Direct Participation in Hostilities international crime of terrorism
362–3, 372 International Criminal Court (ICC)
non-international armed conflict 336–7, 340 ‘act of aggression’ 137, 138–41
weapons definition 238 crimes against humanity 141–2
International Court of Justice (ICJ) jurisdiction 120, 126
Armed Activities in Congo 270 war crimes definition 121
Arrest Warrant Case (Democratic Republic international criminal responsibility 118–43
of Congo v Belgium) 19, 20 attribution of attack to one of the parties to
‘author’s own intellectual creation’ 86–7 the conflict 125–6, 129
Bosnian Genocide 57, 59, 60, 68, 70, 278, computer network attacks (CNAs),
334, 352 overview 118–20
Congo v Uganda 67–8 cyber attacks and crimes against humanity
Corfu Chanel Case (UK v Albania) 17, 141–2
63–4, 66, 67, 182, 250, 254, 279, 333, cyber warfare definition 119–20
394–5 cybercrime definition 118

8/5
International Criminal Court see Prosecutor v Tadić 60, 121, 125, 126, 127,
International Criminal Court (ICC) 278, 327, 328, 334, 335, 336–7, 345,
international criminal responsibility concept 348, 368, 384
120 international humanitarian law
jurisdiction for cyber attacks 120 and classification of cyber warfare 326–7,
Tallinn Manual see Tallin Manual 331–2, 335, 336, 339–40
see also cybercrime international criminal responsibility, cyber
international criminal responsibility, cyber attacks as war crimes 129–37
attacks and crime of aggression 120, principal of distinction see principle of
137–41 distinction
‘act of aggression’ 137, 138–41 see also human rights
leadership clause 137–8 international humanitarian law applied to
use of any weapons 139 cyber warfare 366–79
use of armed force 138–9 attacks of a perfidious nature, banning of
international criminal responsibility, cyber 374
attacks as war crimes 121–37 collateral effects and feasible precautions
armed conflict, existence of 121–6 373
civilians lose immunity from attack if they conducting of attacks, law of armed
take ‘direct part in hostilities’ 128 conduct relating to 371–4
cyber attacks causing excessive collateral cyber attacks as adjunct to traditional means
damage and principle of 370–71
proportionality 134–6 cyber surveillance and espionage 369
data as a protected object 131 cyber terrorism 369–70
delimitation problems and principle of Geneva Convention see Geneva Convention
distinction 130–31 geographical scope of armed conflict 368–9
determining whether armed force has been International Humanitarian Law or Law of
applied 122–3 Armed Conflict (IHL/LOAC) 366–71
dual-use of cyber infrastructure and non-international armed conflicts 368
principle of distinction 131–3 principle of distinction 372
duration of participation 124–5, 129 principle of proportionality in attacks
and Geneva Convention see Geneva against civilians or civilian objects
Convention 372–3
geographical scope of armed conflict 126–7 prohibition of means of attack not directed
intensity of attack 124–5 at specific military objectives 373–4
interconnectivity between military and rules relating to the targeting of persons and
civilian computer systems 131–3 objects 372
international humanitarian law (IHL) self-defence in response to armed attack
principles 129–37 369
minor disruptions 124 stand-alone cyber attacks 369–70
principle of distinction 130–33, 135 targeting of objects directly converted into a
principle of precaution 136–7 military function 374
principle of proportionality 134–6 weapons or methods of combat which
prohibition of indiscriminate attacks and would cause superfluous injury to
principle of distinction 133 enemy combatants, restrictions on 374
quality of attacks 124–5 international humanitarian law applied to
responsible agent 127–9 cyber warfare, principle of
violent effects of CNA producing lasting proportionality in attacks employing
harmful result 123–4 cyber weapons 374–8, 379
International Criminal Tribunal for the Former any attack not reasonably likely to cause
Yugoslavia (ICTY) physical effects upon civilians or
armed conflict definition 121–2 civilian objects 376–7
Prosecutor v Galic 135, 161, 373 data destruction 375–6

8/5
Index 507
dual use function and collateral effects see also computer systems; cyber attacks
377–8 Iran 169, 182, 390
military ‘information operations’ not Iran–US Claims Tribunal, Yeager v Islamic
considered as attack 375 Republic of Iran 60–61
operations considered as mere Stuxnet attack 56, 133, 153, 212, 243, 261,
inconvenience 375 288, 308, 310, 315, 316, 318, 322, 324,
International Law Commission (ILC) 57–9, 330, 361, 370, 376–7, 466
66, 125–6 Iraq 141, 350, 390–91
international law and cyber espionage see Israel 276–7, 285, 341
cyber espionage and international law
International Multilateral Partnership Against Jacobs, D 61
Cyber Threats (IMPACT) 257 James, A 16
international obligation breach, and State Jamnejad, M 183, 250, 252
responsibility see State responsibility, Janczewski, L 229
international obligation breach Japan 448
international peace and security threat, cyber Jaycox, M 223
espionage see cyber espionage and Jennings, P 446
international law, as threat to Jennings, R 182, 186
international peace and security Jensen, E 268, 291, 327, 361, 397
international relations, and cyberspace see Jewkes, Y 157
human rights, international relations and Johnson, D 2, 13, 16, 37–8
cyberspace Johnson, R 245
international substantive law, and cybercrime Jordan, D 227
192–8 Joubert, V 429, 435
International Telecommunication Regulations Joyner, C 236, 265
(ITRs) 111–12 jurisdiction see cyberspace jurisdiction
International Telecommunication Union (ITU)
165, 257 Kaesling, K 81
International Tribunal of the Law of the Sea Kahn, J 296
(ITLOS), due diligence concept 66 Kamal, A 29
Internet Kammerhofer, J 277
access as new human right 109–10 Kanuck, S 19
blocking network services 20, 319, 323 Kaplan, D 308
censorship 100–102 Kastenberg, J 392
and cyberspace, differences in meaning Kastner, P 148, 149, 190–207, 223, 265, 407,
55–6 460, 466
and data transmission, law of neutrality Katz, J 283
398, 399 Kaurin, P 317
domain names 21–2, 74, 76, 79, 92, 116 Kegel, G 78
freedom and Internet sovereignty contrasts Keller, H 134
111 Kelsey, J 343, 346, 353, 360, 361, 396
general use by terrorist groups 150 Kemp, G 139
‘Internet sovereignty’ perspective 98 Ker, P 159
neutrality 476 Kerr, O 201
online gambling 40–42, 47 Kessler, O 119, 123, 125, 139
regulation 111–12, 220–21, 406 Keyser, M 418
service providers, liability and Kimmel, P 324
responsibility 203, 205 kinetic effects equivalency (KEE) test see
social networks as targets 361 principle of distinction, relevance of,
technology, and human rights see human kinetic effects equivalency (KEE) test
rights, Internet technology and Kingbury, K 324
international politics Kirkpatrick, D 219
territorial fragmentation 52–3 Kirsch, S 156

15/5
Kleinwächter, W 95, 97 neutrality definition 382–4

Klimburg, A 218, 418, 428, 442 non-belligerency practice 384
Knake, R 188, 253, 260, 317 non-discrimination principle 387, 388–9
Koepsell, D 14 non-participation principle 387–8
Koh, H 14, 56, 63, 187–8, 234, 242, 243, 263, permanent neutrality position 382–3
351 sources in customary international law 381,
Kohl, U 18, 20, 30–54, 72, 79, 183, 190, 200, 385–7
201, 226 Tallinn Manual see Tallinn Manual
Kolasky, R 331 temporary neutrality 383–4
Kolb, A 88 territorial sovereignty violations 380–81,
Koops, B-J 223 389, 394–5, 397–8
Korns, S 392 UN Charter regime and Security Council
Korzak, E 330 Resolution effects 389–91, 393, 394,
Kostic, D 140 395
Koufa, K 151, 157 Lawson, S 222, 370
Koutrakos, P 413, 420 League of Arab States Convention 196, 197,
Kramer, E 255 200, 202–3
Kraska, J 119–20 Lee, D 250
Krasner, S 17 Lee, Y 448
Kreβ, C 140, 141 legal dimensions
Kuehl, D 15 of cybercrime see cybercrime, international
Kulsrud, C 380 legal dimensions
Kunig, P 181, 182, 252 law of neutrality see law of neutrality
Kur, A 74, 78 military operations, ‘adequate’ legal basis
Kurbalija, J 220 requirement 228–9
Kurlantzick, J 456 self-defence in cyberspace 262–3
Kwon, H 449, 457 see also cyberspace jurisdiction;
cyberspace, legal status
Lahmann, H 132, 133, 134, 135, 137 Leiner, B 95
Lanchester, J 212 Lemley, M 75
Landler, M 259 Lessig, L 15, 16
Lanz, C 389 Levie, H 329–30
Larik, J 405 Lewis, J 446, 449, 463
Lauterpacht, H 57, 236 Libicki, M 290, 297, 323
law of neutrality 380–400 Lieber, F 344
belligerent’s right to use force to counter Lieber, K 293
violations of State’s neutrality 394 Liefländer, T 274
computer facilities 397, 399 Lin, H 118, 119, 122, 123, 132, 241, 249,
cyber activity attribution problems and due 269, 308
diligence 394–5 Liptak, A 36
cyber context 391–9 Lisbon Treaty, EU cybersecurity law 403–4,
cyber context, expressly applicable rules 413, 416, 420–21
392–4 Loewenheim, U 84
cyber espionage and communication with Lombois, C 34
belligerents 398–9 Lotrionte, C 236, 265
Georgia, South Ossetia War and website Lowe, A 48
hacking 381–2 Lowe, V 37, 397
Hague Convention 134, 327, 385–7, 391, Lubell, N 119, 120, 123, 124, 129, 131, 276,
393, 394, 396–7, 398, 399 337
Internet and data transmission 398, 399 Lucarelli, E 256
Iraqi invasion of Kuwait and modified Lucas, G 261
nature of neutrality 390–91 Luiijf, E 219, 223
law of armed conflict (LOAC) 396–9 Lülf, C 120, 123, 127

8/5
Index 509
Lynch, C 113 Miryousefi, A 234

Lynn, W 258 Monar, J 405
Moore, J 271, 388
MacAskill, E 284, 297 Morgan, P 290, 303
McBurney, P 240 Morley, D 30
McClure, R 119 Morozov, E 102
McConnell, B 285, 286, 288, 289, 291 Morris, N 63
McConnell, M 262 Moseley, A 311
Malin, C 309 Mueller, B 189
malware 252–3, 257, 261, 308, 309, 312, 313, Müllerson, R 233
444 Mulvenon, J 24, 287, 289, 296
see also hackers
Murphy, J 180, 189, 244
Mandiant Report 168, 169, 333
Murphy, T 25
Mann, F 19, 32
Marauhn, T 427 Mutz, G 32
Markoff, J 255, 259, 392 Myers, S 277
Marsden, C 406 Myjer, E 256, 284–304
Martin, C 190
Masli, U 449 Nakashima, E 115, 249, 333, 361
Mason, S 358 Nasu, H 446–64
Matera, C 406 national involvement see State practice; State
Maurer, T 468, 470, 471, 474, 475, 481, 487, responsibility
488 NATO
Maybaum, M 229 2010 Strategic Concept 257–8
Mayer, F 406, 418 2020 Report on cyber defence 274, 275
Mégret, F 148, 149, 190–207, 223, 265, 407, collective defence 291
460, 466 collective self-defence 260, 270
Melnitzky, A 179, 187 Cooperative Cyber Defence Centre of
Melzer, N 119, 122, 123, 124, 125, 128, 129, Excellence (CCDCOE) 258
131, 138, 244, 247, 329, 348, 353, 354, information security initiatives 70
362, 363 NATO and cyber defence 426–45
Mendez, F 410 Allied Command Operations (ACO) 432
Meyer, D 256 CERTs (Computer Emergency Response
Meyer, J 359 Teams) 440–41
Meyer, P 466, 473, 481 Communications and Information (NCI)
military operations Agency 431–2
cyber attack in support of conventional 260, Computer Incident Response Capability
261–2, 285 (NCIRC) 429, 433, 444
cyber operations directed against civilians Consultation, Control and Command (NC3)
see principle of distinction, relevance Board 431
of, prohibition of military cyber Cooperative Cyber Defence Centre of
operations directed against civilians Excellence (NATO CCD COE) 441,
cyber operations, notion of 212–13, 214, 442
226–32 Cyber Defence Management Board
‘information operations’ not considered as (CDMB) 431, 432, 439
attack 375 Cyber Defence Programme (Prague
and Internet technology 97 Capabilities Commitment) 429
principle of distinction 358–9 Euro-Atlantic Disaster Response
security against cyber treats 286, 288–9 Coordination Centre (EADRCC) 438
targeting of objects directly converted into exercises 432, 440–41, 443
military function 374 governance 430–32
Miquelson-Weismann, M 197, 199, 204 industry cooperation and information
Mirtl, P 218 sharing 443, 444

8/5
international organizations, liaison with nuclear deterrence

432, 442, 443 differences from cyber deterrence 296–7,
Malware Information Sharing Platform 299
(MISP) 444 strategy see cyber deterrence and public
NATO decision and NATO operation, international law, nuclear-deterrence
meanings of 428 strategy (strategy of massive
North Atlantic Council (NAC) 430–31, 435, retaliation)
437 nuclear security 272, 288–9
Policy on Cyber Defence 429, 430, 437–8, Nunziato, D 100
439–40, 442 Nye, J 28, 286
Rapid Reaction Teams (RRTs) 439–40
Science for Peace and Security Programme Obama, B 164
442 O’Connell, M 56, 70, 255, 261, 263, 278,
Strategic Concept for the Defence and 281, 282, 289, 437
Security of the Members of NATO O’Donnell, B 119–20
429–30, 432, 434–6 O’Driscoll, M 384, 388
see also Estonia; Georgia Oehmichen, A 156
NATO and cyber defence, key aspects 432–43 Oeter, S 131
assistance to Member States and Olásolo, H 134
Memoranda of Understanding (MoUs) Olzak, T 229
439–40 Omanovic, E 115
civil crisis management 438–9 Onuf, N 17
collective self-defence 434–7 operations, cyber see ‘cyber operations’
consultation 437–8 headings
cyber crisis management 434–40 Ophardt, J 137, 140, 346
cyber defence cooperation 442–3, 444 Opsahl, K 223
cyber warfare perceptions 436–7, 438 Owens, W 242, 247, 286
defence of NATO’s own networks 432–4
exercises to ensure preparedness 440–41 Palojärvi, P 242
secure ICT infrastructure 433–4 Panetta, L 333
strategic ambiguity on concept of ‘armed Paris Convention, intellectual property rights
attack’ 435 74, 78, 80
training, education, and research 441–2 Parizo, E 259
Nemerofsky, J 186 Parks, W 175
Netherlands 41, 216, 225, 227, 331 Pastukhov, O 92
Neumann, P 215 Pateraki, A 414, 417
neutrality law see law of neutrality Pauli, D 147
New Zealand 41, 448 Paulus, A 139–40, 141
Newton-Small, J 253 peacetime
Nollkaemper, A 61 cyber espionage and international law in
Non-Aligned Movement (NAM) and 172
anticipatory self-defence 271, 272 protection of critical infrastructures 289
non-international armed conflict Pelican, L 176–7
classification of cyber warfare see perfidy 129, 312–14, 357
classification of cyber warfare, Permanent Court of International Justice
non-international armed conflict (PCIJ)
international humanitarian law applied to Factory at Chorzów (Indemnities) 57
cyber warfare 368 Lotus 18, 19, 20, 21, 36, 37, 48, 51, 65,
non-intervention principle see principle of 181, 344
non-intervention Oder River Commission 279
non-State actors involvement 172–4, 276–80, S.S. ‘Wimbledon’ 28
449–50 Pernik, P 398
Noyes, M 307 persons, attacks on see civilian population

8/5
Index 511
Peters, A 65, 113 critical date for assessment of existence of

Peterson, A 115 attack 350
Philippines 204 interference with functionality as damage
Pictet, J 124, 127, 368 351–2
Pila, J 80 limits of 349–53
Pillay, N 108 problem of assessment of damage 349–51
Pilloud, C 130, 133, 136, 329, 336, 338, 339, principle of distinction, relevance of,
340, 362 prohibition of indiscriminate attacks in
Pirker, B 182, 224, 226 cyberspace 357–64
Pocar, F 201 ‘civilianization’ of war 358
Poellet, K 247, 249 computers and computer companies as
PoKempner, D 225 targets 360–61
political motive for terrorism, and organised ‘direct participation in hostilities’
crime 149–50 interpretation 362–4
political rights see human rights, civil and dual-use objects, distinction between
political rights civilian objects and military objectives
Porcedda, M 408 358–62
pornography 39, 196–7 identification problems and protection of
Porter, A 404, 408, 409, 419 civilians 362–4
Portnoy, M 448 Internet and social networks as targets 361
Post, D 2, 13, 16, 37–8 military objectives definition 358–9
Pouw, E 228 prohibition of perfidy 357
Prakash, R 465, 466, 475, 478, 480 ‘war-sustaining’ installations 359–60
Press, D 293 principle of non-intervention
principle of conferral, EU cybersecurity law cyber espionage and international law,
405, 419–20 international law application 180–86
principle of distinction law of neutrality 387–8
and dual-use of cyber infrastructure and sovereignty and non-intervention policies
principle of distinction 131–3 97
international criminal responsibility, cyber violation 250–52, 253, 261–2
attacks as war crimes 130–33, 135 principle of precaution, cyber attacks as war
international humanitarian law 160–61, 372 crimes 136–7
principle of distinction, relevance of 343–65
principle of proportionality
armed conflict law 345
cyber attacks as war crimes 134–6
cyber attack definitions 346–7, 348
cyber-psychological operation (PSYOP) and international crime of terrorism 160–61
denial of services 354 and international humanitarian law see
effectiveness in cyberspace 347–8 international humanitarian law applied
Geneva Conventions 130, 133, 344, 345, to cyber warfare, principle of
362 proportionality in attacks employing
Lieber Code 344 cyber weapons
Martens Clause 344, 356 self-defence in cyberspace 274–5
prohibition of cyber attacks against the Prislan, V 26
civilian population and objects 346–53 private motivation for attacks 158–9
prohibition of military cyber operations private persons or entities, acts of, and State
directed against civilians 353–7 responsibility 60, 61
principle of distinction, relevance of, kinetic private sector
effects equivalency (KEE) test 348–9 classification of cyber warfare 334–5
acts of violence 348–9 cyber espionage and confidential
collateral damage and malfunction of information sharing 179, 259, 264
civilian facilities 349–50, 354 and cyber technologies 115–16, 195–6,
computer system hacking as attack 348–9 211–12, 216, 222, 223

8/5
engagement, Asia-Pacific Economic Saul, B 75, 147–67, 191

Cooperation (APEC) 461–2 Scassa, T 182
involvement, EU cybersecurity law 410, Schabas, W 141
412 Schachtman, N 262, 426, 436
property Schaller, C 175
infrastructure see cyberspace, infrastructure Schell, B 190
intellectual see cyberspace, intellectual Schiller, H 30, 31
property rights Schjolberg, S 206
public international law Schmitt, E 334
and cyber deterrence see cyber deterrence Schmitt, M 1–9, 118, 123–31passim, 138,
and public international law 139, 149, 187, 214, 240, 246, 253, 255,
and intellectual property 77–82 263, 264, 267, 268, 270, 273, 276, 280,
299–301, 302, 326, 329, 338, 339, 341,
Rahmatian, A 72–93, 226 347, 352, 353–4, 359, 361, 363–4
Randelzhofer, A 139 Tallinn Manual see Tallinn Manual
Raymond, D 318 Schreier, F 240
Reed, T 351 Schricker, G 84
Rees, N 447, 450, 457 Schrijver, N 26
regulation Schultz, T 20, 398
comprehensive multilateral instrument, need Schwartz, P 104
for 206 Scoville, H 175
cyber terrorism, comprehensive instrument security see cyber security
and regulation need 163–7 Segal, A 311
Internet 111–12, 220–21, 406 Segura-Serrano, A 246
see also ‘legal’ headings Seidl-Hohenveldern, I 78
Reinold, T 276, 277 self-censorship, jurisdiction in cyberspace 53
Reitman, R 112 self-defence in cyberspace see cyberspace,
Reydam, L 34 self-defence in
Rid, T 232, 240, 243, 285, 288, 289–90, 296, Serbia and Montenegro 350
298, 367, 369, 370, 377, 437 Shachtman, N 392
Roberts, A 385 Shackelford, S 263
Robins, K 30 Shafer, G 332
Robinson, N 404 Shakarian, P 392
Rona, G 278 Shamah, D 332
Ronzitti, N 233, 390 Shanahan, L 160
Rosati, E 86 Shanker, T 334
Roscini, M 75, 148, 187, 224, 226, 228, Sharp, W 236
233–54, 262, 263, 264, 265, 268, 275, Shaw, M 32, 394
282, 299, 312, 331, 466 Shearer, I 34
Ross, M 417 Sheldon, J 436
Rothman, M 219 Shelling, T 296
Rowe, N 307–25 Sherman, B 86
Ruggie, J 18 Sikkink, K 489
Russia 70, 111, 114, 277–8, 457, 478 Silver, D 139, 237
see also Estonia; Georgia Simma, B 255
Russo, F 390 Simpson, B 381, 399
Ryngaert, C 20, 32, 33 Singel, R 262, 437
Singer, D 426–7
Safferling, C 140 Singer, P 213, 262, 426
Sanger, D 212, 218, 360 Slaughter, A-M 277
Sassòli, M 360 Smith, G 48
Satzger, H 139 Smith, J 185
Saudi Arabia 244–5, 330 Smith, M 215

8/5
Index 513
Smith, T 317, 319, 325, 350 State responsibility, international obligation

Snowden (Edward) revelations 53, 62, 64, breach 65–70
94–5, 112, 113–15, 169, 172–3, 179, cooperation and concerted action, need for
180, 219, 224, 466, 473 70, 71
Sommer, P 212 due diligence violation 66–9, 71
South Korea 448 grounds for establishing responsibility 66
sovereignty see cyberspace sovereignty lack of consensus on 65
Spernbauer, M 423, 425 notification selection criteria 69–70
Sri Lanka 157 Steiger, D 131–2, 247
Staker, C 37, 397 Stohl, M 148, 150
State practice Stone, J 175
classification of cyber warfare 330, 334–5
Stone Sweet, A 409, 420
cyber espionage and national infrastructure
Stout, C 324
information 179
cyber espionage and refusal to accept Strate, L 22
responsibility when accused 195–6 Strawser, B 312, 314
cybercrime and national legislation and Sulmasy, G 185
fragmentation 201 Swaine, J 260
operational capability, strengthening, EU Swanson, L 119, 123, 260
cybersecurity law 412 Syria 158, 260, 360, 361, 370, 371, 376
State-level cyber operations see cyber
operations, State-level cyber paradigms Tadjdeh, Y 427
State-sponsored cyber attacks 158, 161–2, Tallinn Manual
164 cyber attack definition 348, 374, 376
States claiming regulatory competence in cyber operation as use of force 188, 242,
parallel 33–4 245, 250, 252–3, 299–301, 302, 328,
see also cyberspace sovereignty 329, 330, 335
State responsibility 55–71 cyber operations against civilians 353–4,
acts of private persons or entities 60, 61 363, 375
Articles on the Responsibilities of States cyber terrorism 161
(ARS) 58–61, 66, 68 cyber warfare and the applicability of
breach of international obligation 61–2 international law 366, 475
computer hacking attacks 56 dual-use entities as military targets 361
de facto agents 59, 60, 66 interference with functionality as damage
exercise of government authority elements 351
in absence of State authority function international criminal responsibility 119–20,
60–61 123, 124, 127–39passim, 141
government authority delegation 59–60 law of neutrality 386–7, 392–3, 394–5, 397,
Internet and cyberspace, differences in 398, 399
meaning 55–6 non-international armed conflicts 369
requirements 57–62 organization criterion 338
State responsibility, attribution in cyberspace and self-defence 265, 273, 369
62–5 standard of the reasonable
acts emanating from location under commander/combatant 373
exclusive jurisdiction of another State State responsibility, attribution in
65 cyberspace 63, 64, 65, 69
ambiguity and margin of discretion 63 Taubman, A 72, 74
computer identification 62–3, 69–70 Taylor, P 18
electronic surveillance 62–3, 64, 65 technology
evidence requirements and territorial and cyber deterrence see cyber deterrence
location of computers 63–5 and public international law, cyber
personal identification problems 62, 63 deterrent feasibility and technical
Tallinn Manual see Tallinn Manual considerations

8/5
cyber deterrent feasibility and technical Traynor, I 260

considerations 297–8 Trezise, H 446–64
and cyber infrastructure disparities 449–50 Tsagourias, N 13–29, 33, 48, 63, 64, 72, 75,
cyber terrorism and possible necessary 98, 149, 224, 231, 235, 247, 261–2, 267,
technical measures 165–6 278, 287, 296, 301, 394, 398, 448
cybercrime and technical means of Tullos, O 264
protection and preventive measures Turns, D 118, 127, 128, 131, 149, 349, 362,
204–5 363, 364, 380–400
Internet technology and human rights see
human rights, Internet technology and UK
international politics BT v One in A Million 92
private enterprise and cyber technologies computer program protection 86–7
115–16 Copyright, Designs and Patents Act 72, 84,
technological resources, development of, 85, 86–7, 89, 90–91
EU 413–14 copyright law and territoriality principle
Temple Lang, J 406 78–9
terminology problems, cyber deterrence and cybercrime cost 1
public international law 297–8 cybersquatting 92
territoriality Digital Economy Act 75
coercion and violation of territorial integrity Gambling Act 51
181–3 Harrods v Dow Jones Co 43
objective, cybercrime and principle of John Richardson Computers Ltd v Flanders
nationality 202 89
principle 33, 48, 198–200 Lewis & Ors v King 43
search and seize powers and cybercrime military cyber operations definition 227
199 Navitaire 89
sovereignty as protection of territorial Obscene Publications Act 39
integrity 182, 183 R v Perrin 39, 50
territorial nature of intellectual property see R v Sheppard & Amor 19
cyberspace, intellectual property rights, SAS Institute v World Programming Ltd 89
territorial nature Twentieth Century Fox Film Corp & Ors v
territorial sovereignty violations, law of British Telecommunications 52
neutrality 380–81, 389, 394–5, 397–8 Vidal-Hall & Ors v Google Inc 44
see also cyberspace sovereignty UN Charter
terrorism see cyber terrorism self-defence in cyberspace see cyberspace,
Thomas, N 449, 452, 458, 461, 462 self-defence in, UN Charter Article 51
Thomson, J 16 and use of force 186–8, 265, 267, 299–302
Tiirmaa-Klaar, H 220, 223, 428 UN Convention against Transnational
Tikk, E 250, 260, 281, 350, 438 Organized Crime 149, 198, 199
Timberg, C 333 UN Counter-Terrorism Implementation
Timlin, K 449 Taskforce (CTITF) 147, 151
Timofeeva, Y 38 UN Draft Comprehensive Anti-Terrorism
Tirmaa-Klaar, H 418 Convention, terrorist offences definition
Tladi, D 278 155–7, 158, 159, 160, 161–2
Tobanksy, L 15 UN General Assembly (UNGA)
Toebes, B 106 Declaration on the Definition of Aggression
Torremans, P 72, 73, 79, 82, 83 237
Touré, H 147 and prohibition of use of force see cyber
Townsend, M 157 operations as a use of force, UN
Trachtman, J 17, 28 General Assembly (UNGA) and
transnational corporations, power and interests prohibition of use of force
of 31 protection of critical information
Trauner, F 404 infrastructures 288

8/5
Index 515
regulation of cyber security see UN and the Groups of Governmental Experts (GGEs),
regulation of cyber security, General Second Group, ICT disruptions and
Assembly (UNGA) risk 477, 480–81
Resolution on misuse of information Groups of Governmental Experts (GGEs),
technologies 280 Third Group 478–81
UN Global Counter-Terrorism Strategy 151 Second Committee (Economic and
UN Hostages Convention 154 Financial Committee) and Global
UN Internationally Protected Persons Culture of Cyber-security initiative
Convention 154 469–71
UN Office of Drugs and Crime (UNODC), Second Committee, global culture of cyber
cyber terrorism definition 147, 150 security 470–71
Second Committee, voluntary
UN and the regulation of cyber security
self-assessment tool for national efforts
465–90
471
differences on fundamental issues between Third Committee (Social, Humanitarian and
Eastern and Western States 466 Cultural Committee) 471–3, 489
Economic and Social Council (ECOSOC) Third Committee (Social, Humanitarian and
484–6 Cultural Committee), resolution
emerging regulatory framework for cyber combating the criminal misuse of
security 477 information technologies 471–2
information security 467–9, 474–81 Third Committee (Social, Humanitarian and
International Code of Conduct for Cultural Committee) resolution on
Information Security 478–81 right to privacy in the digital age 473
International Telecommunications Unit, Third Committee (Social, Humanitarian and
Global Cyber-Security Agenda 487–8 Cultural Committee) and UN Crime
International Telecommunications Unit, Prevention and Criminal Justice
online protection for children 488 Programme 472
Internet neutrality 476 Vienna Declaration on Crime and Justice
norms, rules and principles of responsible 485–6
behaviour by States, recommendations UN Reports of International Arbitral Awards
for 480 (RIAA)
UN Charter affirmation and rules on the Island of Palmas Case (US v Netherlands)
non-use of force and self-defence 480 17, 279
Trail Smelter 279
UN Global Counter-Terrorism Strategy 482
UN ‘Right to Privacy in the Digital Age’ draft
UN Institute for Disarmament Research
resolution 113
(UNIDR) 488–9 UN Security Council Resolutions
UN Office on Drugs and Crime (UNODC) inherent right to self-defence 277–8
489 regulation of cyber security 481–4
UN Security Council (UNSC) 481–4 and terrorism 150–51, 156, 158
UN and the regulation of cyber security, UN Special Tribunal for Lebanon 155–6, 158
General Assembly (UNGA) 467–81 UN Terrorist Bombings Convention 154–5
First Committee (Disarmament and US
International Security) 467–9, 474–6, botnets 319
477–8, 488 Cable News Network LP v cnnews.com 47,
Groups of Governmental Experts (GGEs) 52
469, 470, 473–81 Caroline 271, 273
Groups of Governmental Experts (GGEs), Comprehensive National Cybersecurity
First Group 474–6 Initiative (CNCI) 258–9
Groups of Governmental Experts (GGEs), CompuServe v Patterson 19, 20
Fourth Group 481 Computer Associates v Altai 89
Groups of Governmental Experts (GGEs), Computer Software Act 84
Second Group 476–8 copyright authorship and lex originis 79

8/5
Cyber Policy Review 55, 56 website blocking 52

cyber security intelligence information Yahoo! v La Ligue contre le racisme et
sharing with private sector companies, l’antisémitisme 193
call for 259 Young v New Haven Advocate 47
Digital Millenium Copyright Act (DCMA)
74–5, 90 Vagts, D 381, 389, 391
drones’ hacking claims 245 Valeriano, B 427
due process requirement 47 Van Bochoven, L 428
east coast blackout 349 Van Elsuwege, P 413
Espionage Act 171–2 Van Ginkel, B 222
EU–US Working Group on Cyber-Security Van Hoboken, J 224
and Cyber-Crime (WGCC) 408, 411, Van Vooren, B 404, 421, 422
414 Vassilaki, I 38
excessive intelligence collection methods, Verdelho, P 200
criticism of 167 Vermeulen, M 414
Federal Anti-Tampering Law 312–13 ‘virtual group’ involvement, classification of
Hartford Fire Insurance Co v California 49 cyber warfare 338–40
International Shoe Co v Washington 20, 47 virtual worlds, ‘crimes’ committed in 191
International Strategy for Cyberspace virus attacks 244–5
13–14, 343 malware 252–3, 257, 261, 308, 309, 312,
Iran–US Claims Tribunal, Yeager v Islamic 313, 444
Republic of Iran 60–61 Stuxnet see under Iran
National Security Strategy, and anticipatory see also hackers
self-defence 271, 285 Viscusi, W 324
NSA cyber espionage 62–3, 113, 178, Vité, S 326
179–80, 184, 473 Vivant, M 84, 85
NSA electronic surveillance practices 62, Vogler, J 24–5
64, 65 Von Heinegg, W 182, 186
Patriot Act 165, 269–70
People v World Interactive Gaming Wachenfeld, M 390
Corporation 47 Wala, R 278
political dominance 96, 97, 113–14 Walden, I 220
Presidential Decision Directive on cyber Walker, G 397, 400
capacity 284, 297–8 Wall, D 191, 194
Presidential Policy Directive, cyber Waltz, K 97, 174
espionage definition 170–71 Walzer, M 307
privacy and personal data protection 103, war crimes see international criminal
114 responsibility, cyber attacks as war
Reno v American Civil Liberties Union 256 crimes
Restatement (Third) of Foreign Relations ‘war-sustaining’ installations 359–60
Law 49 warfare see cyber warfare
Snowden (Edward) revelations 53, 62, 64, Wassenaar Arrangement on Export Controls
94–5, 112, 113–15, 169, 172–3, 179, and ‘dual use’ ICT technologies 115
180, 219, 224, 466, 473 Waters, S 399
spy plane incident (Gary Powers) 177 Watkin, K 214
Strategic Command, nuclear deterrence 296 Watt, H 410
T-Mobile West Corp. v Crow 19 Watts, A 182, 186
territoriality principle 80 Waxman, M 138, 187, 236, 242, 247, 262,
The Exchange v McFaddon 17 265, 427
US v $734, 578.82 in US Currency 47 weapons see cyber weapons
US v Yousef 20 Wegener, H 488
US–China cyber security working group Weisbord, N 137
490 Weissbrodt, D 118, 119, 123, 139

8/5
Index 517
Wenger, A 358 Wriston, W 181

Werle, G 120, 127 WTO Appellate Body, United States –
Werner, W 119, 123, 125, 139, 295 Measures Affecting the Cross-Border
Wessel, R 258, 403–25, 432 Supply of Gambling and Betting Services
Wikileaks see Snowden (Edward) revelations 42, 52
Wills, A 224, 414 Wu, T 13, 22
Willson, D 392
Wilmshurst, E 249, 278, 326 Yadron, D 324, 332
Wilson, C 92 Yar, M 157
Winterfeld, S 229 Yoo, J 185
Woltag, J-C 149, 426 Younes, A 92
Wood, M 183, 250, 252 Young, B 55
World Conference on International
Telecommunications 111–12, 265–6 Zekoll, J 405, 410
Wortham, A 187 Zhang, L 233
Wray, R 110 Ziolkowski, K 170, 171, 178, 182, 183, 224,
Wright, J 134, 136 226, 238, 241, 245, 258, 426–45
Wright, Q 181, 185 Zuckerberg, M 109

8/5

8/5

Tsagourias 2015

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tsagourias 2015

Uploaded by

Copyright:

Available Formats

JOBNAME: Tsagourias PAGE: 1 SESS: 2 OUTPUT: Mon May 18 10:36:31 2015

RESEARCH HANDBOOK ON INTERNATIONAL LAW

Nicholas Tsagourias and Russell Buchan - 9781782547389

RESEARCH HANDBOOKS IN INTERNATIONAL LAW

Research Handbook on International Sports Law

Nicholas Tsagourias and Russell Buchan - 9781782547389

Research Handbook on International

RESEARCH HANDBOOKS IN INTERNATIONAL LAW

Cheltenham, UK + Northampton, MA, USA

Nicholas Tsagourias and Russell Buchan - 9781782547389

© The Editors and Contributors Severally 2015

Edward Elgar Publishing, Inc.

A catalogue record for this book

Library of Congress Control Number: 2015930151

This book is available electronically in the

ISBN 978 1 78254 738 9 (cased)

Typeset by Columns Design XML Ltd, Reading

Nicholas Tsagourias and Russell Buchan - 9781782547389

List of contributors vii

PART I CYBERSPACE AND GENERAL PRINCIPLES OF

1 The legal status of cyberspace 13

PART II CYBER THREATS AND INTERNATIONAL LAW

7 Cyber terrorism 147

PART III CYBER ATTACKS AND THE JUS AD BELLUM

10 The notion of cyber operations 211

vi Research handbook on international law and cyberspace

12 Self-defence in cyberspace 255

PART IV CYBERWAR AND THE JUS IN BELLO

14 Distinctive ethical challenges of cyberweapons 307

PART V REGIONAL AND INTERNATIONAL APPROACHES TO

19 Towards EU cybersecurity law: Regulating a new policy field 403

Nicholas Tsagourias and Russell Buchan - 9781782547389

Kai Ambos, Professor of Criminal Law, Criminal Procedure, International Criminal

Constantine Antonopoulos, LL.B (Thrace), LL.M (Cantab), Ph.D (Nottingham):

Karine Bannelier-Christakis is Associate Professor of International Law at the

Russell Buchan is a Senior Lecturer in International Law at the University of

viii Research handbook on international law and cyberspace

Society of International Law’s Francis Lieber Prize for an outstanding monograph in

Carlo Focarelli is Professor of International Law, University of Perugia and LUISS

Nicholas Tsagourias and Russell Buchan - 9781782547389

Christian Henderson is currently Senior Lecturer in Public International Law at the

Philipp Kastner is an Assistant Professor at the Faculty of Law of the University of

Frédéric Mégret is an Associate Professor at the Faculty of Law, McGill University,

Nicholas Tsagourias and Russell Buchan - 9781782547389

x Research handbook on international law and cyberspace

Dr Andreas Rahmatian is a Senior Lecturer at the University of Glasgow where he

Nicholas Tsagourias and Russell Buchan - 9781782547389

of International Law Studies. Professor Schmitt was previously Professor of Inter-

Nicholas Tsagourias is Professor of International Law at the University of Sheffield.

Ramses A. Wessel is Professor of International and European Institutional Law and

Nicholas Tsagourias and Russell Buchan - 9781782547389

xii Research handbook on international law and cyberspace

Nicholas Tsagourias and Russell Buchan - 9781782547389

Prosecutor v. Aleksovski (Judgment), ICTY-95-14/1-T (25 June 1999) .................................. 127

Nicholas Tsagourias and Russell Buchan - 9781782547389

xvi Research handbook on international law and cyberspace

European Court of Human Rights

European Court of Justice/Court of Justice of the European Union

Bezpečnostní softwarová asociace – Svaz softwarové ochrany v. Ministerstvo kultury,

Nicholas Tsagourias and Russell Buchan - 9781782547389

Table of cases xvii

Brownlie v. State Pollution Control Commission, (1992) 27 NSWLR 78 ................................. 48

Bulgarian Supreme Administrative Court, decision no. 13627,