Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations
The Experts agreed that international organisations do not enjoy sovereignty.
For example, a State enjoys sovereignty over a private ISP’s server located on its territory even if the ISP is domiciled abroad.
In the cyber context, therefore, it is a violation of territorial sovereignty for an organ of a State, or others whose conduct may be attributed to the State, to conduct cyber operations while physically present on another State’s territory against that State or entities or persons located there.
The International Group of Experts agreed that if a State’s cyber operation that is designed to result in consequences breaching the sovereignty of another State fails, for instance due to
effective defensive measures or because the operation was flawed, the latter’s sovereignty has not been breached.
Danie Sharpe
Partial successes?
The Experts agreed that a cyber operation by or attributable to a State that is not intended to result in consequences that violate the sovereignty of another State, but that nevertheless generates them, is a violation of sovereignty.
NATO has established a mechanism by which Allies can request the assistance of a NATO ‘Rapid Reaction Team’ of cyber defence experts in dealing with cyber incidents.
Additionally, under diplomatic and consular law, special protections exist for certain cyber infrastructure
A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States.
However, the Experts, taking into account the present state of cyber communications, acknowledged that it is usually unlikely that such ‘transit States’ would know of, and be able to identify, malicious traffic transiting their cyber infrastructure.
The Experts concurred that States may not benefit from their unlawful conduct, nor may they take actions to the detriment of other States in response to activities that would not have occurred but for such conduct.
The Experts acknowledged that it may be extremely difficult for the target State to demonstrate that the territorial State knew its territory was being used in said manner and nevertheless disregarded that knowledge.
Accordingly, a State breaches its due diligence obligation if it is in fact unaware of the cyber operations in question, but objectively should have known that its territory was being used for the operation.
The Experts agreed that the territorial State must act to terminate the wrongful operation, but that it is at that State’s discretion to choose the means to comply with this Rule.
The Experts noted that the fact that the territorial State’s domestic legislation may set limits on intelligence sharing with other States does not excuse its inaction in stopping harmful cyber operations emanating from its territory.
Thus, whereas a State may seek external assistance, it is not legally obligated to do so.
with regard to cyber activities, international cooperation in law enforcement is especially important
suppose operatives of a State A’s intelligence agency undertake cyber operations from State B that are designed to obtain restricted data relating to the production of military equipment by a private corporation of State C. The operation involves using a rootkit attack to gain privileged access to the corporation’s files stored on servers in C’s territory. State B has jurisdiction based on subjective territoriality, whereas State C enjoys jurisdiction on the basis of objective territoriality.
Establishing jurisdiction therefore can prove difficult. As a result, jurisdictional rules have moved towards models in which any substantial connection between the offence and the territory of a State may serve as the basis for
It is not permissible for a State to extend its legislation to foreign nationals located outside its territory for cyber activity that does not have a substantial effect upon that State.
But a State could, for example, rely upon the effects doctrine to prohibit online activity occurring beyond its borders that is resulting in violence against the government, even if such activity is not criminalised where it takes place. The Experts agreed that such situations must be assessed on a case-by-case basis.
The Experts based this conclusion on the fact that there must be a reasonable balance between a State’s competence to regulate cyber activities affecting it on the one hand, and the interests of other States in having their sovereignty and the interests of their nationals respected on the other.
The armed forces of a State are ipso facto considered to ‘belong’ to that State irrespective of the nationality of its individual members.
Passive personality jurisdiction involves the extension of a State’s criminal legislation to foreign State nationals who commit criminal acts against the first State’s nationals abroad, such as hijacking an aircraft bearing its nationals or the commission of a terrorist act against them. Such offences are increasingly likely to be facilitated by cyber operations.
The International Group of Experts agreed that crimes recognised under both customary and conventional international law as subject to the universality principle include piracy, slave trade, genocide, crimes against humanity, war crimes, and
For instance, conducting cyber attacks in order to incite terror among the civilian population in the context of an armed conflict (Rule 98) or a network intrusion to acquire the names of individuals registered as a certain race in a State census in order to engage in genocide would fall within the ambit of universal jurisdiction.
a State may engage in extraterritorial enforcement jurisdiction in relation to particular cyber-related activities or purposes specifically provided for under treaties or customary international law.
must be explicit,
States enjoy extraterritorial enforcement jurisdiction in relation to the crime of piracy on the high seas, in the exclusive economic zone, and places outside the jurisdiction of any State
For instance, the International Group of Experts agreed that a State’s law enforcement authorities may not hack into servers in another State to extract evidence or introduce so-called white worms to disinfect bots there that are being used for criminal purposes without the territorial State’s agreement (unless doing so is permissible under lit. (a)).
Consent, whether granted ad hoc or pursuant to a treaty, is subject to any conditions imposed by the consenting State.
The United Nations Security Council may authorise the exercise of enforcement powers extraterritorially to implement sanctions imposed under Article 41 of the UN Charter
This is so even if it is password or otherwise protected. If, for example, a State’s law enforcement agency is able to obtain, under false pretences, the log-on credentials to a closed online forum hosted on servers located abroad, but meant to be accessible to one or more users from the State, that the State is exercising, in the estimation of the Experts, territorial enforcement jurisdiction when it accesses the forum from its own territory.
They agreed that the mere fact that a person or private entity bears a State’s nationality does not alone afford that State the legal authority to engage in an exercise of extraterritorial enforcement jurisdiction with respect to that data.
domiciled in State A that stores its data in State B. State C, as part of its law enforcement activities, wants to access that data. The Experts agreed that the consent of State A is insufficient to permit remote access by State C to the data in State B. Remotely accessing the data would be an exercise of enforcement jurisdiction by State C in State B that necessitates a specific allocation of authority under international law or State B’s consent. However, the Experts likewise emphasised that State A may exercise its jurisdiction over the entity and, for example, require it to provide the ...
minority of the Experts was of the view that officials representing a foreign State do not enjoy functional immunity with respect to cyber-related acts they perform while they are present on the territory of the State seeking to exercise enforcement or judicial jurisdiction unless they fall within the category of high-ranking officials described above and thus enjoy personal immunity; are in the country with the State’s consent, are acting within the scope of said consent, and enjoy immunity by virtue of a specific agreement between the States concerned, such as a status of forces agreement; ...
Foreign State aircraft or vessels and their crews and cargo that are temporarily present on another State’s territory as a result of distress or emergency enjoy immunity for such time as is necessary to safely resume their
As an example, consider a diplomat of State A posted in State B during a conflict between States B and C. The diplomat engages in espionage for State C. His diplomatic immunity in State B remains intact. However, it should be noted that because he is an organ of State A, State A is in breach of its obligations under the law of neutrality
To illustrate, the Experts were of the view that as a general matter the graver the underlying breach (including considerations as to the primary norm concerned), the greater the confidence ought to be in the evidence relied upon by a State considering a
The Experts concurred in the view that although doing so may be prudent in avoiding political and other tensions, insufficient State practice and opinio juris (in great part because cyber capabilities are in most cases highly classified) exist to conclude that there is an established basis under international law for such an obligation.
As an example, a State that conducts cyber operations during peacetime against a coastal State from a vessel located in the latter’s territorial sea is in breach of the innocent passage regime (Rule 48). If a State launches cyber ‘attacks’ (Rule 92) against civilian objects (Rule 100) in the course of an armed conflict, it violates the law of armed conflict (Rule 99
Even though certain cyber acts by States against other States may be detrimental, objectionable, or otherwise unfriendly, if they do not constitute breaches of international law obligations, States incur no legal responsibility in the sense of this
For instance, all cyber activities of US Cyber Command, the Netherlands Defence Cyber Command, the French Network and Information Security Agency (ANSSI), the Estonian Defence League’s Cyber Unit, the People’s Liberation Army cyber unit, and Israel’s Unit 8200 are fully attributable to the respective States.
As an example, if a member of a military cyber unit conducts unlawful cyber operations in defiance of orders to the contrary, the State incurs responsibility for any breach of obligations owed to other States.
Traditionally, the use of governmental assets, in particular military equipment like tanks or warships, has long constituted a nearly irrefutable indication of attribution due to the improbability of their use by persons other than State organs. This traditional rebuttable presumption cannot be easily translated into the cyber
As a general rule, the cyber operations of private persons or groups are not attributable to
The International Court of Justice has confirmed that ‘effective control’ is not to be equated with the lower ‘overall control’ threshold used to classify armed conflicts
For instance, if a State provides hacking tools to an insurgent group operating on another State’s territory that are subsequently employed by the group on its own initiative against the State where the group is based, the mere provision of these tools is insufficient to attribute the group’s operation to the supplying State. Nevertheless, the provision of the hacking tools may itself constitute a violation of international law (see Rule 66 on intervention and 68 on the use of force).
Coercion, provided for in lit. (c), is the third basis for rendering a State responsible for another State’s wrongful acts. The degree of coercive effect must be extremely high;
Consent need not always be express. Implicit consent may sometimes