Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations
19%
Distress is limited to situations that involve a threat to life; it does not extend to the breach of any obligation that is unnecessary to safeguard the life of the individual or
19%
As an illustration, assume a State has agreed by treaty to allow another State to use its satellite navigation services. Distress would be exemplified if the former suspends its navigation services due to the risk of malware infection from a third State that would alter navigational data and pose a grave risk to vessels and aircraft relying upon the system.
19%
Both the International Court of Justice and arbitral tribunals have recognised countermeasures as lawful under international
19%
Countermeasures must be distinguished from ‘belligerent reprisals’. Belligerent reprisals comprise certain actions taken during an armed conflict that would ordinarily violate the law of armed conflict but for the enemy’s prior unlawful conduct
19%
By contrast, assume that a private firm in the first State is engaging in harmful cyber operations against a competitor in the second State. In such a case, it would be inappropriate for the second State to launch countermeasures against the firm unless the firm’s action can be attributed to the first State (Rules 15 and 17) or that State has wrongfully failed to control the activities of the firm and therefore breached its due diligence obligation to control its territory once it became aware of the operations
19%
to the extent non-State actors owe States legal obligations, the ‘injured’ States are entitled to take countermeasures against the non-State actors in the event they breach such obligations.
20%
For its advocates, this approach is especially appropriate in situations in which no State is responsible for the malicious cyber operation in question. Consider a case in which a terrorist group situated in one State engages in cyber operations against another State, and the operations result in physical damage to hardware on the territory of the latter. Had the operations been conducted by a State, they would at least have violated the latter’s sovereignty (Rule 4). The first State takes all feasible measures to terminate the group’s cyber operations originating in its territory, in line ...
20%
Thus, interference by one State with another State’s cyber capabilities that has been authorised by a Security Council resolution under Chapter VII of the Charter is lawful and, hence, not a countermeasure because there is no wrongfulness that needs be precluded.
20%
Countermeasures must also be distinguished from actions taken based on a plea of necessity (Rule 26). The former differ from the plea in two main ways. First, there must be an underlying internationally wrongful act to justify countermeasures, whereas necessity has no such condition precedent. In other words, the act that precipitates a countermeasure must be attributable to a State, while acts pursuant to the plea of necessity may be taken in response to the cyber operations of non-State actors (or even when the author of the act is unidentified). Second, mere international wrongfulness ...
20%
Application of the law of treaties can affect the permissibility of countermeasures.
20%
countermeasures, despite being designed to resume lawful relations between the States concerned, nevertheless present a risk of escalation.
20%
countermeasures. Relatedly, a measure that will only exacerbate the situation is mere retaliation and, as such, impermissible.
20%
In this regard, note that countermeasures remain available to secure reparation.
21%
A State taking countermeasures must fulfil its obligations with respect to diplomatic and consular inviolability
21%
The open question is the degree to which the prohibition extends to other human rights. For instance, cyber activities raise concerns regarding the right to privacy (Rule 35), thereby
21%
begging the question of whether a cyber operation that affects this right may qualify as a countermeasure or, instead, is precluded on the basis that the right is ‘fundamental’, as that term is understood with respect to Article 50(1)(b). The International Group of Experts could achieve no consensus on this point. A further issue is the extraterritorial applicability of human rights norms. As discussed in Rule 34, whether or how human rights apply extraterritorially is unsettled and controversial.
21%
open question until uncertainty as to the use of force and armed attack thresholds is resolved.
Danie Sharpe
Until it happens a few times irl..
21%
It should be reemphasised, however, that all of the Experts agreed that cyber countermeasures may not rise to the level of an armed attack.
21%
The interconnected and interdependent nature of cyber systems can render it difficult to determine accurately the consequences likely to result from cyber countermeasures.
Danie Sharpe
And, by the same measure, the original injury that justified the countermeasure.
21%
The International Group of Experts agreed that there is no procedural requirement that an injured State take measures to mitigate harm it is suffering before taking countermeasures. Nor does the lack of mitigation affect the proportionality of the countermeasures in question.
21%
Only States may take countermeasures. For example, an information technology firm may not act on its own initiative in responding to a harmful cyber operation targeting it by styling its response as a
22%
Although the majority was of the view that States may not lawfully take countermeasures on behalf of another State, members thereof were split over whether a State may assist another State in conducting the latter’s countermeasures.
22%
An injured State must immediately end a countermeasure that is violating the rights of third States or other parties once it becomes aware of this
22%
Necessity refers to a circumstance in which a State’s ‘essential interest’ faces ‘grave and imminent peril’ and the sole means of averting that peril is temporary non-compliance by the State with its international obligations of ‘lesser weight or
22%
The determination of whether an interest is essential is always contextual.
22%
the Experts also acknowledged that there might be extreme cases where a State may use cyber means to respond to cyber acts that gravely threaten the essential interests of the ‘international community as a whole
22%
Most of the Experts agreed that, for instance, a cyber operation that would debilitate the State’s banking system, cause a dramatic loss of confidence in its stock market, ground flights nation-wide, halt all rail traffic, stop national pension and other social benefits, alter national health records in a manner endangering the health of the population, cause a major environmental disaster, shut down a large electrical grid, seriously disrupt the national food distribution network, or shut down the integrated air defence system would provide the basis for the application of this Rule.
22%
For example, the plea of necessity may be invoked in the face of a non-State actor’s cyber operation in circumstances where no State is responsible for the operation. In such cases, action pursuant to the plea of necessity may be permissible irrespective of the effects that manifest in non-responsible States, except as explained
22%
Take the case of a State that is the victim of cyber operations conducted by non-State actors using cyber infrastructure located in another State and causing major damage to the former’s critical infrastructure. The victim State has the technical ability to respond with operations to shut down the infrastructure used. If doing so would affect the essential interests of other States, the operations are prohibited despite the magnitude of the harm that the victim State is suffering or about to suffer.
22%
Unlike countermeasures (Rule 20), necessity is not dependent on the prior unlawful conduct of another State.
22%
The decision that measures are required at the time taken must be ‘clearly established on the basis of the evidence reasonably available at the
22%
Thus, for instance, a cyber operation targeting the banking system or stock market may have certain immediate effects, but the loss of confidence in the longer term may be the factor that qualifies as ‘grave and imminent peril’.
22%
Since acting based on necessity is an exceptional measure, doing so is only permissible when no other way to address the situation
22%
It should be cautioned that whether measures based on the plea of necessity may involve forcible action is unsettled in international law. The International Group of Experts was split on this issue.
22%
The notion of contribution in this context does not generally extend to actions that are lawful under international law and fall within the domaine réservé
23%
Necessity also differs from distress as a circumstance precluding wrongfulness (Rule 19) in that the interest protected need not be human life. It need only qualify as ‘essential’.
23%
Unlike cessation, assurances and guarantees are not required in every case, but only in those in which the injured State is reasonably concerned that it will not be protected by simple cessation of the internationally wrongful action or omission.
23%
The International Group of Experts further agreed that mere distress over having temporarily lost access to the Internet or losing personal e-correspondence that lacks pecuniary impact does not qualify as material damage.
29%
The majority of the Experts was of the view that exfiltration violates no international law prohibition irrespective of the attendant severity. They suggested that the legal issue is not severity, but instead whether the method employed is unlawful. A few Experts took the position that at a certain point the consequences suffered by the target State are so severe (e.g., the exfiltration of nuclear launch codes) that the operation is a violation of sovereignty
29%
It must be cautioned that it can be challenging for a target State to distinguish cyber espionage activities from other cyber operations, including offensive cyber operations. For example, both cyber espionage and offensive cyber operations usually require penetration of a system, often by the introduction of malware or a successful phishing operation.
30%
Despite the absence of an international law prohibition of espionage, States are entitled to, and have, enacted domestic legislation that criminalises cyber espionage carried out against them.
30%
International law regulates cyber operations by non-State actors only in limited cases.
30%
The International Group of Experts agreed that cyber operations conducted by non-State actors that are not attributable to States (Rules 15 and 17) do not violate the sovereignty of the State into which they are launched (Rule 4), constitute intervention (Rule 66), or amount to a use of force (Rule 68) because these breaches can be committed only by States.
30%
Non-State actors are not entitled to engage in the responses that States may conduct under the law of State responsibility when facing hostile cyber operations by or attributable to other States. In particular, cyber responses by non-State actors cannot qualify as countermeasures (Rule 24), although as explained in Rules 15 and 17, non-State actors may be empowered by States to act on their behalf.
30%
The Universal Declaration of Human Rights is often cited as reflective of certain key customary
30%
realisation of human rights must be considered in the regional and national context bearing in mind different political, economic, legal, social, cultural, historical and religious
30%
The precise interplay between the law of armed conflict (Part IV) and international human rights law remains unsettled and is determined with respect to the specific legal rules in question.
30%
The Experts noted that the issue of whether entities other than States are bound by international human rights law and, if so, the extent to which they are so bound, is unsettled and controversial.
31%
Freedom of expression is an international human right often implicated in the cyber context. This is not only because it is a right in itself, but also because an ability to exercise the right is sometimes necessary for the enjoyment of other human rights.
31%
The right to hold an opinion freely is a guarantee so central to the object and purpose of international human rights law that, unlike the freedom of expression, its exercise may not be restricted.