The final report of the United Nations Open-Ended Working Group (OEWG), adopted by consensus in March 2021, affirms that international law applies to cyberspace and calls upon states “to avoid and refrain from taking any measures not in accordance with international law.” Significant differences nevertheless remain concerning how international law applies to cyberspace, because states have been unable to agree on what kinds of cyber-operations international law prohibits. Instead, the OEWG’s final report simply – and rather tepidly – articulates 11 “voluntary, non-binding norms of responsible State behaviour.”
States are particularly divided over the international wrongfulness of cyber-operations that penetrate computer systems located on the territory of another state but do not rise to the level of a use of force or prohibited intervention – what are often referred to as “low intensity” cyber-operations. Low-intensity cyber-operations, which include most acts of extraterritorial law-enforcement (including counterterrorism) and espionage, are the most common form of cyber-operation and are likely to become even more common over time, given their relative lack of expense and their significant utility for states.
States have adopted three very different positions concerning whether low-intensity cyber-operations are internationally wrongful, all of which turn on whether such operations violate the sovereignty of the territorial state. The first position, endorsed by the UK and the US, is that low-intensity cyber-operations are never wrongful, because sovereignty is a principle of international law, not a primary rule that can be independently violated. The second position, defended most vigorously by France, is that low-intensity cyber-operations are always wrongful, because sovereignty is a primary rule of international law that is violated by any non-consensual penetration of a computer system located on the territory of another state – what has been called the “pure sovereigntist” approach. And the third position, adopted by states such as the Netherlands and the Czech Republic, is that although sovereignty is a primary rule of international law, only low-intensity cyber-operations that cause some kind of physical damage to the territorial state or render its cyber-infrastructure inoperable are wrongful – what has been called the “relative sovereigntist” approach.
This article has two purposes: to explain the different positions that states have taken on whether low-intensity cyber-operations violate sovereignty, and to provide a comprehensive analysis of which position is the strongest both legally and in terms of cyber policy. The article is divided into five sections. Section I briefly explains why sovereignty is a primary rule of international law, not simply a principle from which specific primary rules can be derived. Section II asks whether sovereignty applies in cyberspace as a rule, agreeing with the vast majority of states that it does. Section III explains and assesses the two positions that states have taken concerning how sovereignty applies in cyberspace as a rule: pure sovereignty and relative sovereignty. It concludes that the pure-sovereigntist position has a much stronger foundation in general international law than the relative-sovereigntist position. Section IV then analyses and rejects the most common legal objection to that conclusion: the supposed permissibility of espionage. Finally, Section V argues that a variety of policy considerations also favour pure sovereignty over relative sovereignty.
Monday, August 2, 2021
Heller: In Defense of Pure Sovereignty in Cyberspace
Kevin Jon Heller (Univ. of Copenhagen; Australian National Univ.) has posted In Defense of Pure Sovereignty in Cyberspace (International Law Studies, forthcoming). Here's the abstract: