Patrick C. R. Terry*
1. Introduction
For some time now, States and scholars have been debating whether mere cyber espionage, exemplified by the acquisition of data stored on servers located within another State’s territory, violates that State’s sovereignty. Some States and most experts compiling the Tallinn Manual argue that such activities, when conducted without causing any harmful effects on the target State’s territory, do not amount to sovereignty violations and are, therefore, not unlawful. This argument has never been convincing, but it has now become very difficult to sustain, following the recent statement on the matter by the African Union (AU), thereby expressly representing its 55 member States.
As I have argued in the past,[1] cyber espionage activities need not have caused harmful effects in order to amount to a violation of the target State’s sovereignty. The AU concurs with this position.[2] Its recently published Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace states that cyber espionage activities violate the target State’s sovereignty when they aim for data stored on servers located in its territory, irrespective of whether they thereby cause any negative effects.
Most experts who compiled the highly influential Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations disagree with this assessment. They argue in favor of a de minimis approach that requires cyber espionage activities to have negative or harmful effects on the target State’s territory for them to qualify as a sovereignty violation.
However, in order to justify this assertion, the experts would need to show that the general rule of international law on sovereignty violations, which has traditionally not required such negative effects, has, at least with respect to cyber espionage, evolved in the way they claim. Based on a review of States’ officially expressed views, strongly reinforced by the AU’s recent statement, they cannot do this convincingly. Therefore, the Tallinn Manual’s contrary position does not reflect current customary international law.
2. Violation of Sovereignty as a Violation of Public International Law
There is widespread agreement that violating another State’s sovereignty is unlawful under public international law.[3] As early as 1927, the Permanent Court of International Justice (PCIJ) had already declared that a State, “failing the existence of a permissive rule to the contrary […] may not exercise its power in any form in the territory of another State.”[4] In 1949, shortly after its creation, the International Court of Justice (ICJ) also stressed that “[b]etween independent States, respect for territorial sovereignty is an essential foundation of international relations.”[5]
Recently, the United Kingdom has sought to call this long-standing view into question by arguing that respecting another State’s sovereignty was not a rule but only a principle of international law that merely serves to justify legal rules derived from it, such as the prohibition of interventions.[6] Unsurprisingly, the United Kingdom has received very little official support from other States for this novel line of argument.[7] In fact, some States, such as France, Germany, and Canada, have explicitly rejected the United Kingdom’s view.[8] In 2020, North Atlantic Treaty Organization (NATO) member States reaffirmed that sovereignty is a primary rule of international law, forcing the United Kingdom to add a reservation.[9] International courts,[10] the UN Security Council,[11] and the General Assembly[12] have consistently taken that view, as have many States in the past.[13] The AU has now thrown its weight behind this position as well.[14]
This near-unanimous view affirms that violating another State’s sovereignty is unlawful under international law.
3. Mere Cyber Espionage is Unlawful
In contrast to traditional forms of espionage, cyber espionage often does not require the physical presence of a ‘spy’ on the target State’s territory. Rather, States often conduct such espionage remotely without sending an agent abroad. In fact, monitoring and intrusion into electronic databases often occur from within the spying State’s territory.[15] This practice makes it more difficult to claim a violation of the target State’s territorial sovereignty.
However, when States engage in cyber espionage, they usually attempt to obtain data stored on servers in the target State by manipulating software or exploiting security risks and subsequently copying the desired data. In such cases, States are actually engaged in remotely conducted activities on the target State’s territory.
Territorial sovereignty, though, encompasses a State’s “right to exercise therein, to the exclusion of any other State, the functions of a State,”[16] which means a State “may not exercise its power in any form in the territory of another State.”[17] The intrusion of one State into another State’s data violates the target State’s territorial sovereignty when the data is stored on servers requiring physical infrastructure on the target State’s territory.[18] By carrying out such actions, the spying State is unlawfully exercising its own governmental authority on the target State’s territory.[19] The fact that the target State’s authorities, in many cases, would require a court order to access the data obtained by the spying State underlines the governmental character of the act of espionage.[20] That the act of espionage is initiated remotely and undertaken by technical means is irrelevant, as the intrusion and interception take place on the target State’s territory. Cyber espionage, undertaken in order to obtain data stored on servers in the target State, is therefore unlawful.[21]
4. Mere Cyber Espionage is Lawful
This is disputed by those who agree with the position adopted by the Tallinn Manual 2.0,[22] according to which an act of cyber espionage that merely obtains data located on the territory of another State does not violate that State’s sovereignty.[23] This argument is sometimes referred to as the de minimis[24] or relativist[25] approach to sovereignty, according to which cyber espionage only violates another State’s sovereignty if it produces noticeable negative effects in the target State.[26] Others even argue that some kind of harm or damage must have been caused on the target State’s territory for such activities to qualify as a sovereignty violation.[27] While there is disagreement on the precise degree of harm or damage necessary,[28] a number of States have publicly supported that view.[29]
5. Assessment of the Tallinn Manual‘s Approach to Sovereignty
This relativist approach, however, fails to convince. As Kevin Jon Heller has explained persuasively, the prohibition of intruding on another State’s sovereignty qualifies as a general rule of international law.[30] As such, it applies to any act that implicates international law, including cyber espionage.[31] It is incorrect that advances in technology and science create a lacuna in international law, which may simply be closed by creating new rules.[32] Rather, at least initially, the general rules of international law apply automatically[33] as the ICJ confirmed in its Advisory Opinion on the Legality of Nuclear Weapons.[34] Of course, subsequent amendments by States are always possible.
The relevant general rule of international law on sovereignty applicable here does not require harm or damage to be caused on the other State’s territory for an intrusion to be unlawful.[35] For example, the unauthorized overflight of a foreign aircraft over a State’s territory is generally viewed as an unlawful violation of territorial sovereignty, although the mere overflight will not cause any damage or harm to the State concerned.[36] The United States reaction to the Chinese surveillance balloon that, in early 2023, crossed United States territory on an alleged mission to spy on military installations confirms this. Although there was no claim of harm or damage intended or caused, “senior State Department officials” stated that “the presence of this balloon in our airspace is a clear violation of our sovereignty, as well as international law, and it is unacceptable that this has occurred.”[37] Similarly, despite usually not causing any harm to the target State, the conduct of cross-border criminal investigations without that State’s consent is generally viewed as a usurpation of governmental functions and, therefore, as a sovereignty violation, irrespective of any damage caused.[38] Applied to the cyber realm, the conclusion must, therefore, be that in the case of cyber espionage, no harm or damage is required to qualify the remote intrusion onto the other State’s territory as unlawful.[39]
Undoubtedly, States are free to create new rules of customary international law (leges speciales) regarding cyber espionage.[40] For such a process to be successful, however, sufficient State practice and sufficient State reaction to evidence opinio juris in support of such a change are required.[41] Given the Common African Position, recently issued by the Peace and Security Council of the AU, such a development seems far off.[42] Although some States support the relativist approach to sovereignty in cyberspace,[43] many others do not.[44] Rather, the latter have taken the view that an unlawful intrusion into a State’s cyber system is a violation of sovereignty, irrespective of whether harm or damage was caused.[45]
France[46] and Iran,[47] two of the States explicitly rejecting the de minimis threshold, are, in fact, major cyber actors.[48] Moreover, considering their reasons for rejecting the Budapest Cybercrime Convention, it seems China and the Russian Federation, well-known for their massive cyber-espionage operations,[49] also support the pure sovereignty approach. Both States disapproved of the Budapest Cybercrime Convention on the grounds that Article 32 (b) of the treaty, which in specific circumstances allows one State to access computer data in another State without the latter’s consent, amounted to a violation of State sovereignty.[50] This fact is particularly relevant, as the ICJ has stated that any analysis of State practice and opinio juris in order to identify a rule of customary international law must include those “States whose interests are specially affected.”[51] The relativist approach to sovereignty fails that test: some major players in the field of cyber espionage oppose it. Now, in February 2024, the 55 member States of the AU that are more vulnerable to and whose interests are therefore also ‘specially affected’ by acts of cyber espionage[52] have likewise rejected the approach to sovereignty espoused by the authors of the Tallinn Manual.[53]
6. Conclusion
The AU’s statement confirms that, by now, many States, including some of the most important perpetrators and many of the particularly vulnerable targets of cyber espionage, have come to oppose the approach to sovereignty adopted in the Tallinn Manual. This reality confirms that no lex specialis has been created with respect to cyber espionage that negates a sovereignty violation in cases where no noticeable negative effects have been caused.
Acts of cyber espionage that serve to obtain data stored on the target State’s territory violate that State’s sovereignty and are, therefore, unlawful. The Tallinn Manual’s current relativist approach to sovereignty in cyberspace does not have sufficient support among States to be viewed as reflective of customary international law.
* Patrick C. R. Terry is a professor of law and the dean of the faculty of law at the University of Public Administration in Kehl (Germany). I wish to thank Cody Corliss and the editors of the Harvard International Law Journal, especially Amirah Mimano, for insightful comments on previous drafts of this piece and during the editing process. All errors are mine.
[1] Patrick C. R. Terry, “The Riddle of the Sands” – Peacetime Espionage and Public International Law, 51 Geo. J. Int’l L. 377 (2020). [2] Mohamed Helal, Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace, and all associated Communiqués adopted by the Peace and Security Council of the African Union ¶¶ 15-16 (Ohio St. Legal Stud, Research Paper No. 823, 2024), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4714756. [3] Chimène Keitner, Foreign Election Interference and International Law, in Election Interference: When Foreign Powers Target Democratic Institutions 1, 14-15 (Duncan Hollis & Jens Ohlin eds., 2020); Wolff Heintschel von Heinegg, Territorial Sovereignty and Neutrality in Cyberspace, 89 Int’l L. Stud. 123 (2013); Michael N. Schmitt, Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law, 19 Chi. J. of Int’l L. 30, 40, 42-43 (2018); see also Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 11-29, especially Rule 4 (at 17) (Michael N. Schmitt ed., 2017); Russell Buchan & Iñaki Navarrete, Cyber Espionage and International Law, in Research Handbook on International Law and Cyberspace 231, 240-43 (Nicholas Tsagourias & Russell Buchan eds., 2021). [4] The Case of the S.S. Lotus (Fr. v. Turk.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, at 18 (Sept. 7, 1927); see also Island of Palmas Case (Neth. v. U.S.), 2 R.I.A.A. 829, 838 (Perm. Ct. Arb. 1928). [5] Corfu Channel Case (U.K. v. Alb.), Judgment, 1949 I.C.J. Rep. 4, at 35 (Apr. 9, 1949); see also Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. Rep. 168, ¶¶ 153, 165, 257, 259 (Dec. 19, 2005). [6] Jeremy Wright, U.K. Attorney General, Speech at the Royal Institute of International Affairs: Cyber and International Law in the 21st Century (May 23, 2018), https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century; see Suella Braverman, U.K. Attorney General, Speech at the Royal Institute of International Affairs: International law in Future Frontiers (May 19, 2022); https://www.gov.uk/government/speeches/international-law-in-future-frontiers. [7] See Michael N. Schmitt & Liis Vihul, Respect for Sovereignty in Cyberspace, 95 Tex. L. Rev. 1639 (2017) (under the Trump Administration, the United States seemed to take an ambivalent view on whether respecting another State’s sovereignty was a rule of international law. The Department of Defense General Counsel, Paul C. Ney, Jr., stated that the United States position ‘share[d] some similarities with the view expressed by the U.K. Government in 2018’. However, Ney’s subsequent legal analysis of espionage indicated that he believed it was indeed unlawful to violate another State’s sovereignty); see Paul C. Ney, Jr., General Counsel, U.S. Department of Defense, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference (Mar. 2, 2020), https://www.defense.gov/Newsroom/Speeches/Speech/Article/2099378/dod-general-counsel-remarks-at-us-cyber-command-legal-conference/; see also Dan Efrony & Yuval Shany, A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice, 112 Am. J. Int’l L. 583, 640 (2018) (where the authors point out that no State accused of violating another State’s sovereignty has claimed to be entitled to do so); see Harald Hongju Koh, Legal Adviser, U.S. Department of State, Speech at USCYBERCOM Inter-Agency Legal Conference: International Law in Cyberspace (Sept. 18, 2012), https://2009-2017.state.gov/s/l/releases/remarks/197924.htm; Brian J. Egan, Legal Adviser, U.S. Department of State, Speech at the University of California, Berkeley School of Law: Remarks on International Law and Stability in Cyberspace (Nov. 10, 2016), https://2009-2017.state.gov/s/l/releases/remarks/264303.htm (under the Obama Administration, the United States adopted the view that violating another State’s sovereignty was unlawful). [8] G.A. Off. Compendium of Voluntary Nat’l Contributions on the Subject of How Int’l L. Applies to the Use of Info. and Commc’n Tech. by States Submitted by Participating Gov’t Experts in the Group of Gov’t Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of Int’l Sec. Established Pursuant to G.A. Res. 73/266, U.N. Doc. A/76/136, Netherlands, 55-57 (July 13, 2021), https://front.un-arm.org/wp-content/uploads/2021/08/A-76-136-EN.pdf (hereinafter Netherlands); G.A. Unofficial Translation of France’s Response to Res. 73/27 “Developments in the Field of Information and Telecommunications in the Context of International Security” and Res. 73/266 “Advancing Responsible State Behaviour in Cyberspace in the Context of International Security,” ¶ 3 (a) (2019), https://www.diplomatie.gouv.fr/IMG/pdf/190514-_french_reponse_un_resolutions_73-27_-_73-266_ang_cle4f5b5a-1.pdf (hereinafter France); Ger. Fed. Gov’t, On the Application of International Law in Cyberspace 3-4 (Mar. 2021), https://www.auswaertiges-amt.de/blob/2446304/32e7b2498e10b74fb17204c54665bdf0/on-the-application-of-international-law-in-cyberspace-data.pdf (hereinafter Germany); Can. Fed. Gov’t, International Law Applicable in Cyber Space ¶ 13 (Apr. 22, 2022), https://www.international.gc.ca/world-monde/issues_development-enjeux_developpement/peace_security-paix_securite/cyberspace_law-cyberespace_droit.aspx?lang=eng#a3 (hereinafter Canada); Pol. Ministry of Foreign Affairs, The Republic of Poland’s Position on the Application of International Law in Cyber Space 3 (Dec. 29, 2022), https://www.gov.pl/web/diplomacy/the-republic-of-polands-position-on-the-application-of-international-law-in-cyberspace (hereinafter Poland). [9] North Atlantic Treaty Organization, Allied Joint Publication-3.20, Allied Joint Doctrine for Cyberspace Operations (Edition A Version 1) 20 fn. 26 (Jan. 2020). [10] Military and Paramilitary Activities in and against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. Rep 14, ¶¶ 87-91, 251 (June 27, 1986); Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v. Nicar.), 2015 I.C.J. Rep. 665, ¶¶ 66-99, 221-23 (Dec. 16, 2015); Weber and Saravia v. Ger., 2006-XI Eur. Ct. H.R. App. No. 54934/00, ¶ 88 (June 29, 2006); see also Re Canadian Security Intelligence Service Act, 2009 F.C. 1058 (Can.) (dealing with espionage). [11] S.C. Res. 138, ¶ 2 (June 30, 1960); S.C. Res. 1234, ¶ 1 (April 9, 1999); S.C. Res. 1304 ¶ 4 (a), (June 16, 2000). [12] G.A. Res. 2625 (XXV) (Nov. 25, 1970); see also U.N. Convention against Transnational Organized Crime, art. 4 (2), Annex I to G.A. Res. 55/25 (Nov. 15, 2020). [13] Keitner, supra note 3, 14-15; Schmitt, supra note 3, 40, 42-43; see Full Text: International Strategy of Cooperation on Cyberspace, Xinhua News Agency ¶ 2 (Mar. 1, 2017), http://www.xinhuanet.com//english/china/2017-03/01/c_136094371_2.htm. [14] Helal, supra note 2, ¶ 16. [15] Stefan Talmon, Sachverständigengutachten gemäß Beweisbeschluss SV-4 des 1. Untersuchungsausschusses des Deutschen Bundestages der 18. Wahlperiode 1–39, at 19-20 (2014) (Ger.), https://www.bundestag.de/blob/282872/2b7b605da4c13cc2bc512c9c899953c1/mat_a_sv-4-2_talmon-pdf-data.pdf; but see Anne Peters, Surveillance Without Borders? The Unlawfulness of the NSA-Panopticon, Part I, EJIL: Talk! 2 (Nov. 1, 2013), http://www.ejiltalk.org/surveillance-without-borders-the-unlawfulness-of-the-nsa-panopticon-part-i/; see also Aaron Shull, Cyberespionage and International Law, in GigaNet 8th Annual Symposium 5 (2013). [16] Island of Palmas Case, supra note 4, 838. [17] The Case of the S.S. Lotus, supra note 4, 18. [18] Nicholas Tsagourias, The Legal Status of Cyberspace: Sovereignty Redux?, in Research Handbook on International Law and Cyberspace, 9, 22-23 (Nicholas Tsagourias & Russell Buchan eds., 2021); von Heinegg, supra note 3, 125-26; see also Tallinn Manual on the International Law Applicable to Cyber Warfare 15, 18 (Michael N. Schmitt ed., 2013); Tallinn Manual 2.0, supra note 3, 13. [19] International Telecommunication Union (ITU), Understanding Cybercrime: Phenomena, Challenges and Legal Response 277-78 (2012), http://www.itu.int/ITU-D/cyb/cybersecurity/docs/Cybercrime%20legislation%20EV6.pdf; Iñaki Navarrete, L’espionnage en tamps de paix en droit international public, 52 Can. Y.B. Int’l L. 1, 30-34 (2015); cf. Peters, supra note 15, 2. [20] See, e.g., Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2518; §§ 100 a, 100 e Strafprozessordnung (German Code of Criminal Procedure) for criminal proceedings and §§ 5, 51 Bundeskriminalamtgesetz (Law on the Federal German Police Office) for preventive measures (Ger.). [21] Russell Buchan, Cyber Espionage and International Law, 54-55 (2019); Kevin Jon Heller, In Defense of Pure Sovereignty in Cyber Space, 97 Int’l L. Stud. 1432, 1480-86 (2021). [22] Tallinn Manual 2.0, supra note 3, Rule 32 (especially Comment 8, at 171). [23] Ibid. [24] Przemyslaw Roguski, Application of International Law to Cyber Operations: A Comparative Analysis of States’ Views, The Hague Program for Cyber Norms Policy 4 (Policy Brief, 2020). [25] Heller, supra note 21, 1436. [26] Heller, supra note 21, 1461-63; see, e.g., Tallinn Manual 2.0, supra note 3, Rule 4 (Comment 14, at 22). [27] Buchan, supra note 21, 53-54; Heller, supra note 21, 1461-63. [28] See, e.g., Tallinn Manual 2.0, supra note 3, Rule 4 (Comment 14, at 22); Germany, supra note 8, 4; Netherlands, supra note 8, 57; G.A. Off. Compendium of Voluntary Nat’l Contributions on the Subject of How Int’l L. Applies to the Use of Info. and Commc’n Tech. by States Submitted by Participating Gov’t Experts in the Group of Gov’t Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of Int’l Sec. Established Pursuant to G.A. Res. 73/266, U.N. Doc. A/76/136, United States, 140 (July 13, 2021); https://front.un-arm.org/wp-content/uploads/2021/08/A-76-136-EN.pdf (hereinafter United States); Richard Kadlčák, Special Envoy for Cyberspace Director of Cybersecurity Department, Statement at the 2nd Substantive Session of the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security of the First Committee of the General Assembly of the United Nations 2 (Feb. 11, 2020), https://www.nukib.cz/download/publications_en/CZ%20Statement%20-%20OEWG%20-%20International%20Law%2011.02.2020.pdf (hereinafter Czech Republic); Canada, supra note 8, ¶¶ 15, 17. [29] Germany, supra note 8, 4; Netherlands, supra note 8, 57; United States, supra note 28, 140; Czech Republic, supra note 28, 3; Canada, supra note 8, ¶¶ 15, 17. [30] Heller, supra note 21, 1451-54. [31] Heller, supra note 21, 1451-54; Antonio Coco & Talita de Souza Dias, ‘Cyber Due Diligence’: A Patchwork of Protective Obligations in International Law, 32 Eur. J. Int’l L. 771, 779-80 (2021). [32] Heller, supra note 21, 1451-53; Coco & de Souza Dias, supra note 31, 779-80. [33] Heller, supra note 21, 1454; Coco & de Souza Dias, supra note 31, 779-80. [34] Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), 1996 I.C.J. Rep. 226, ¶ 86 (July 8, 1996) (“Indeed, nuclear weapons were invented after most of the principles and rules of humanitarian law applicable in armed conflict had already come into existence; […] However, it cannot be concluded from this that the established principles and rules of humanitarian law applicable in armed conflict did not apply to nuclear weapons. Such a conclusion would be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kind of weapons, those of the past, those of the present and those of the future”). [35] Heller, supra note 21, 1464-68; Buchan & Navarrete, supra note 3, 243-44. [36] Military and Paramilitary Activities in and against Nicaragua, supra note 10, ¶¶ 87-91, 251. [37] U.S. Dept. of State, Senior State Department Officials on the People’s Republic of China, Special Briefing (Feb. 3, 2023), https://www.state.gov/senior-state-department-officials-on-the-peoples-republic-of-china/; see also Donald Rothweill, Too Much Hot Air? A Balloon which Tested the Limits of International Law, Australian National University College of Law (Feb. 16, 2023), https://law.anu.edu.au/research/essay/cipl-discussion-paper-series/too-much-hot-air-balloon-which-tested-limits/. [38] The Case of the S.S. Lotus, supra note 4, 18-19; see also Tallinn Manual 2.0, supra note 3, Rule 11 (at 66), especially Comment 14 (at 69-70); François Delerue at al., The Geopolitical Representations of International Law in the International Negotiations on the Security and Stability in Cyberspace, Report No. 75, 52 (“generally…accepted”) (Ministère des Armées, 2020). [39] Heller, supra note 21, 1458-61, 1464-74. [40] Heller, supra note 21, 1454. [41] Heller, supra note 21, 1454; Case Concerning the Continental Shelf (Libyan Arab Jamahiriya v. Malta), 1985 I.C.J. Rep. 13, ¶ 27 (June 3, 1985); Legality of the Threat or Use of Nuclear Weapons, supra note 34, ¶ 64. [42] Common African Position, supra note 2, ¶ 17. [43] See supra note 29. [44] See France, supra note 8, ¶ 3 (a) (at 8) (according to France’s official response to two GA resolutions, no harm is necessary for a violation of sovereignty to have occurred); see Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace, art. II, ¶ 4 (Aug. 18, 2020), https://nournews.ir/En/News/53144/General-Staff-of-Iranian-Armed-Forces-Warns-of-Tough-Reaction-to-Any-Cyber-Threat (for Iran’s position on sovereignty violations in cyberspace); see also Switzerland’s Position Paper on the Application of International Law in Cyberspace, Swiss Federal Department of Foreign Affairs 2, https://www.eda.admin.ch/content/dam/eda/en/documents/aussenpolitik/voelkerrecht/20210527-Schweiz-Annex-UN-GGE-Cybersecurity-2019-2021_EN.pdf; see G.A. Off. Compendium of Voluntary Nat’l Contributions on the Subject of How Int’l L. Applies to the Use of Info. and Commc’n Tech. by States Submitted by Participating Gov’t Experts in the Group of Gov’t Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of Int’l Sec. Established Pursuant to G.A. Res. 73/266, U.N. Doc. A/76/136, Brazil, 18 (July 13, 2021), https://front.un-arm.org/wp-content/uploads/2021/08/A-76-136-EN.pdf; Poland, supra note 8, at 3; Przemyslaw Roguski, Poland’s Position on International Law and Cyber Operations: Sovereignty and Third-Party Countermeasures, Just Security (Jan. 18, 2023), https://www.justsecurity.org/84799/polands-position-on-international-law-and-cyber-operations-sovereignty-and-third-party-countermeasures/; see also Rashad Rolle, Lawyers to Act in N.S.A. Spy Row, The Tribune (June 5, 2014) (responding to accusations that the NSA had recorded every cell phone conversation in the Bahamas, that State’s Minister for Foreign Affairs, Fred Mitchell, declared: “The Bahamas wishes to underscore the most worthy principles of this organisation, as expressed in the OAS charter: that international law is the standard of conduct of States, the primacy of sovereignty, maintenance of territorial integrity, freedom from undue external intrusion and influence […]”), http://www.tribune242.com/news/2014/jun/05/lawyers-act-ns-spy-row/; see further Note Verbale Dated 22 July 2013 from the Permanent Mission of The Bolivarian Republic of Venezuela to the United Nations Addressed to the Secretary-General (on Behalf of the MERCUSOR Member States Argentina, Bolivia, Brazil, Uruguay, And Venezuela), U.N. Doc. A767/746 (July 22, 2013) (in relation to the NSA “interception of telecommunications” the MERCUSOR member States declared that these “constitute unacceptable behaviour that violates our sovereignty […]“), https://digitallibrary.un.org/record/754199; African Common Position, supra note 2, ¶¶ 15-16. [45] Ibid. [46] See supra note 44. [47] See supra note 44. [48] Arthur B.P. Laudrain, France’s New Offensive Cyber Doctrine, Lawfare (Feb. 26, 2019), https://www.lawfareblog.com/frances-new-offensive-cyber-doctrine; Boris Toucas, With its New ‘White Book’, France Looks to become a World-Class Player in Cyber Space, Texas National Security Review/War on the Rocks (Mar. 29, 2018), https://warontherocks.com/2018/03/with-its-new-white-book-france-looks-to-become-a-world-class-player-in-cyber-space/; Eric Rosenbaum, Iran is ‘Leapfrogging Our Defenses’ in a Cyber War ‘My Gut is We Lose’: Hacking expert Kevin Mandia, CNBC News (Nov. 18, 2021), https://www.cnbc.com/2021/11/18/iran-leapfrogging-our-defenses-in-cyber-war-hacking-expert-mandia-.html; Catherine A. Theohary, Iranian Offensive Cyber Attack Capabilities, Congressional Research Service (Jan. 13, 2020), https://sgp.fas.org/crs/mideast/IF11406.pdf; Publicly Reported Iranian Cyber Actions in 2019, Center for Strategic & International Studies, https://www.csis.org/programs/technology-policy-program/publicly-reported-iranian-cyber-actions-2019. [49] See, e.g., Bill Whitaker, Solar Winds: How Russian Spies Hacked the Justice, State, Treasury, Energy and Commerce Departments, CBS News (July 4, 2021), www.cbsnews.com/news/solarwinds-hack-russia-cyberattack-60-minutes-2021-07-04/; Zolan Kanno-Youngs & David E. Sanger, U.S. Accuses China of hacking Microsoft, The New York Times (Aug. 26, 2021), www.nytimes.com/2021/07/19/us/politics/microsoft-hacking-china-biden.html. [50] Eleonore Pouwels, The Road Towards Cyber-Sovereignty Passes Through Africa, Konrad Adenauer Foundation (Dec. 9, 2019), https://www.kas.de/de/laenderberichte/detail/-/content/the-road-towards-cyber-sovereignty-passes-through-africa. [51] The North Continental Shelf Cases (Ger. v. Den. and Neth.), 1969 I.C.J. Rep. 3, ¶ 74 (Feb. 20, 1969) (“[…] State practice, including that of States whose interests are specially affected, should have been both extensive and virtually uniform in the sense of the provision invoked; – and should moreover have occurred in such a way as to show a general recognition that a rule of law or legal obligation is involved”); Nico Krisch, International Law in Times of Hegemony: Unequal Power and the Shaping of the International Legal Order, 16 Eur. J. Int’l L. 369, 380 (2005). [52] Common African Position, supra note 2, ¶ 17. [53] Common African Position, supra note 2, ¶¶ 15-16.
