A rule of customary international law (see Cybercrime Module 3 for more information about customary law) is non-intervention in internal or external affairs of another state ( Nicaragua v. United States, 1986).Thisrule is included in various treaties and conventions, such as Article 8 of the Montevideo Convention on the Rights and Duties of States of 1933, Article 3(e) of Charter of the Organization of American States of 1948, the UN General Assembly Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations of 1970, Article 2(b) and Article 2(c) of the Treaty of Amity and Cooperation in Southeast Asia of 1976, and Article 4(g) of the Constitutive Act of the African Union of 2000.
Certain forms of cyberinterventions can undermine the public's confidence in the ability of government to maintain essential services, public order, and economic stability. These forms of cyberinterventions can include: conducting DDoS attacks against critical infrastructure systems; using malware to infect critical infrastructure sectors with the intention of damaging systems, stealing, deleting, and modifying data, and/or disrupting services; and spreading disinformation, fake news, and propaganda in order to undermine the authority of the state and elicit a desired response by the target government and population. That said, the ability to draw legal lines for legitimate and illegitimate forms of cyberinterventions (based on the principles of sovereign equality, non-intervention, and territorial integrity) is an extremely fraught issue. This is owed in part to the failure of States to sufficiently articulate how the customary international legal rules should be applied in cyberspace (Tallinn Manual 2.0, p. 3). Nevertheless, discussions on these issues are underway at the United Nations, although there are competing understandings of the nature and extent of the applicability of these rules in cyberspace (see, for example, A/RES/73/266 and A/RES/73/27).
Before action can be taken by an injured country, proof is needed to establish a violation of international law and attribute the conduct to a state (as opposed to individuals acting on their own accord). Similarly to the first order rules, second order rules regarding evidentiary requirements for attribution in cyberspace are equally under debate as is the need for the establishment of an independent impartial organization to reach such conclusions (see e.g. Rand Corporation's Report on Stateless Attribution: Toward International Accountability in Cyberspace).
Even if found to be an internationally wrongful act, there are circumstances that could preclude the wrongfulness of a particular cyberoperation. These customary circumstances are introduced in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts of 2001 (United Nations, 2001; see "Circumstances Precluding Wrongfulness" box below).
Article 20 - Consent
Valid consent by a State to the commission of a given act by another State precludes the wrongfulness of that act in relation to the former State to the extent that the act remains within the limits of that consent.
Article 21 - Self-defence
The wrongfulness of an act of a State is precluded if the act constitutes a lawful measure of self-defence taken in conformity with the Charter of the United Nations.
Article 25 - Necessity
1. Necessity may not be invoked by a State as a ground for precluding the wrongfulness of an act not in conformity with an international obligation of that State unless the act: (a) is the only way for the State to safeguard an essential interest against a grave and imminent peril; and (b) does not seriously impair an essential interest of the State or States towards which the obligation exists, or of the international community as a whole.
2. In any case, necessity may not be invoked by a State as a ground for precluding wrongfulness if: (a) the international obligation in question excludes the possibility of invoking necessity; or (b) the State has contributed to the situation of necessity.
According to Rule 6 of Tallinn Manual 2.0 International Law Applicable to Cyber Operations, 2017, "a [s]tate must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States." Indeed, states are obligated to prevent their territory from being used to commit cyberattacks on other countries ( Corfu Channel case, 1949). Pursuant to the due diligence principle, states are obligated to act to terminate cyber operations conducted from their state using reasonably available means when notified of them (Rule 7 of Tallinn Manual 2.0).
The Tallinn Manuals (2013; 2017) are non-binding documents.
Rule 14 of Tallinn Manual 2.0 holds that "[a] [s]tate bears international responsibility for a cyber-related act that is attributable to the State and that constitutes a breach of an international legal obligation." The cyber acts of state organs, organs of other states, and non-state actors could be attributed to the state (see Rules 15 through 17 of Tallinn Manual 2.0; and Articles 4, 6, 8, and 11 of the International Law Commission's Responsibility of States for Internationally Wrongful Acts of 2001 included in the below box).
Article 4 Conduct of organs of a State
1. The conduct of any State organ shall be considered an act of that State under international law, whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State.
2. An organ includes any person or entity which has that status in accordance with the internal law of the State.
Article 6 Conduct of organs placed at the disposal of a State by another State
The conduct of an organ placed at the disposal of a State by another State shall be considered an act of the former State under international law if the organ is acting in the exercise of elements of the governmental authority of the State at whose disposal it is placed.
Article 8 Conduct directed or controlled by a State
The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.
Article 11 Conduct acknowledged and adopted by a State as its own
Conduct which is not attributable to a State under the preceding articles shall nevertheless be considered an act of that State under international law if and to the extent that the State acknowledges and adopts the conduct in question as its own.
The G7, in its Declaration on Responsible States Behaviour in Cyberspace, "note[d] that the customary international law of State responsibility supplies the standards for attributing acts to States, which can be applicable to activities in cyberspace. In this respect, States cannot escape legal responsibility for internationally wrongful cyber acts by perpetrating them through proxies" (2017, p. 2). Cyber proxies are "intermediaries that conduct or directly contribute to an offensive cyber action that is enabled knowingly, whether actively or passively, by a beneficiary" (Maurer, 2018, p. 173). Maurer (2018) identified three types of relationships between states and proxies based on states' level of control over proxies: delegation (proxies strictly controlled by the state); orchestration (proxies that act in accordance with a state's direction but are not tightly controlled); and sanctioning (proxies' actions passively supported by state) (pp. 173-174). Cyber proxies enable states to claim plausible deniability when cyberoperations against other countries are perpetrated from their territories. Ultimately, the use of cyber proxies makes it difficult to attribute cyberattacks to countries and hold them accountable for these acts.
The term "cyber proxies" (used above) should not be confused with the use of the term "proxy servers" (discussed in Cybercrime Module 5 on Cybercrime Investigation), which are intermediary servers that are used to legitimately access the Internet.
Advanced persistent threats (or APTs), discussed in a different segment in this Module, can serve as cyber proxies.
Maurer, Tim. (2018). Cyber Mercenaries: The State, Hackers, and Power. Cambridge: Cambridge University Press.
Another rule of customary international law is the peaceful settlement of disputes. Specifically, Article 2(3) of the UN Charter holds that "[a]ll Members shall settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered." This rule is also included in the UN General Assembly Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations of 1970, and the UN General Assembly Manila Declaration on the Peaceful Settlement of International Disputes of 1982.
The type of cyber acts committed will determine the response to the threat. A country will respond to instances of hacking and malware distribution by non-state actors, by, for example, using criminal justice measures, such as arrest and indictments against perpetrators of these cybercrimes. This has been observed in cases of hacktivism and cyberespionage.
If a cyber act by a country, state-sponsor, or individuals and/or groups directed by a country falls below the threshold of the use of force or coerciveness (i.e., cyber acts which violate international law or at the very least are considered as an unwarranted or unfriendly cyberinterference which falls short of a cyberintervention), the injured country can respond with retorsions. Examples of retorsions are trade restrictions and sanctions.
In 2015, the United States and China signed "a bilateral agreement meant to prevent the economically motivated cyberespionage between the two countries, particularly the theft of intellectual property and trade secrets" (known as the US-China Cybersecurity Agreement). Bilateral agreements on these matters, such as the US-China Cybersecurity Agreement, require intense diplomatic efforts for their creation and a sustained political will of the parties of the agreement for their maintenance and enforcement. At the time of this writing, the US-China Cybersecurity Agreement does not appear to be achieving its original aim.
White House. (2015). Fact Sheet: President Xi Jinping's State Visit to the United States.
Other possible retorsions include expelling a country's diplomats from the injured state, breaking off diplomatic relations with the responsible state, recalling ambassadors from the state believed to be engaging in the cyberinterference, and/or freezing or terminating assistance to the responsible state (Gill, 2013, p. 230).
Injured states can engage in reprisals or countermeasures, which are unlawful acts justified under certain circumstances, to end a state's unlawful cyberintervention and/or achieve state compliance with nonintervention obligations (Article 22, International Law Commission's Responsibility of States for Internationally Wrongful Acts of 2000; Pirker, 2013, p. 212; Gill, 2013, p. 231). These countermeasures can only be implemented when the attack has been attributed to a particular country and must target only the responsible state (Gill, 2013, p. 231). It is important to note that positive, definitive attribution is difficult (for more information about attribution, see Cybercrime Module 5 on Cybercrime Investigation).
The countermeasure should only be reactive; that is, it should be implemented in response to an actual cyberintervention and not as a purely preventive measure for future cyberattacks (Gill, 2013, p. 231). If possible, before resorting to countermeasures, the injured state should request that the country responsible for the cyberintervention cease its activities (Gill, 2013, p. 231). The countermeasure chosen must not cause irreversible damage and must be time limited; that is, it must cease once the cyberintervention from the perpetrating country ceases (Gill, 2013, p. 231; Pirker, 2013, p. 213).