{"id":10519,"date":"2024-05-04T04:14:42","date_gmt":"2024-05-04T08:14:42","guid":{"rendered":"https:\/\/journals.law.harvard.edu\/ilj\/?p=10519"},"modified":"2024-05-04T04:54:01","modified_gmt":"2024-05-04T08:54:01","slug":"cyber-espionage-and-public-international-law-the-african-union-rejects-the-tallinn-manuals-relativist-approach-to-cyber-sovereignty","status":"publish","type":"post","link":"https:\/\/journals.law.harvard.edu\/ilj\/2024\/05\/cyber-espionage-and-public-international-law-the-african-union-rejects-the-tallinn-manuals-relativist-approach-to-cyber-sovereignty\/","title":{"rendered":"Cyber Espionage and Public International Law: The African Union Rejects the Tallinn Manual\u2019s Relativist Approach to Cyber Sovereignty"},"content":{"rendered":"

Patrick C. R. Terry*<\/strong><\/p>\n

1. Introduction<\/h2>\n

For some time now, States and scholars have been debating whether mere cyber espionage, exemplified by the acquisition of data stored on servers located within another State\u2019s territory, violates that State\u2019s sovereignty. Some States and most experts compiling the Tallinn Manual argue that such activities, when conducted without causing any harmful effects on the target State\u2019s territory, do not amount to sovereignty violations and are, therefore, not unlawful. This argument has never been convincing, but it has now become very difficult to sustain, following the recent statement on the matter by the African Union (AU), thereby expressly representing its 55 member States.<\/p>\n

As I have argued in the past,[1]<\/sup> cyber espionage activities need not have caused harmful effects in order to amount to a violation of the target State\u2019s sovereignty. The AU concurs with this position.[2]<\/sup> Its recently published Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace states that cyber espionage activities violate the target State\u2019s sovereignty when they aim for data stored on servers located in its territory, irrespective of whether they thereby cause any negative effects.<\/p>\n

Most experts who compiled the highly influential Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations disagree with this assessment. They argue in favor of a de minimis<\/em> approach that requires cyber espionage activities to have negative or harmful effects on the target State\u2019s territory for them to qualify as a sovereignty violation.<\/p>\n

However, in order to justify this assertion, the experts would need to show that the general rule of international law on sovereignty violations, which has traditionally not required such negative effects, has, at least with respect to cyber espionage, evolved in the way they claim. Based on a review of States\u2019 officially expressed views, strongly reinforced by the AU\u2019s recent statement, they cannot do this convincingly. Therefore, the Tallinn Manual\u2019s contrary position does not reflect current customary international law.<\/p>\n

2. Violation of Sovereignty as a Violation of Public International Law<\/h2>\n

There is widespread agreement that violating another State\u2019s sovereignty is unlawful under public international law.[3]<\/sup> As early as 1927, the Permanent Court of International Justice (PCIJ) had already declared that a State, \u201cfailing the existence of a permissive rule to the contrary [\u2026] may not exercise its power in any form in the territory of another State.\u201d[4]<\/sup> In 1949, shortly after its creation, the International Court of Justice (ICJ) also stressed that \u201c[b]etween independent States, respect for territorial sovereignty is an essential foundation of international relations.\u201d[5]<\/sup><\/p>\n

Recently, the United Kingdom has sought to call this long-standing view into question by arguing that respecting another State\u2019s sovereignty was not a rule but only a principle of international law that merely serves to justify legal rules derived from it, such as the prohibition of interventions.[6]<\/sup> Unsurprisingly, the United Kingdom has received very little official support from other States for this novel line of argument.[7]<\/sup> In fact, some States, such as France, Germany, and Canada, have explicitly rejected the United Kingdom\u2019s view.[8]<\/sup> In 2020, North Atlantic Treaty Organization (NATO) member States reaffirmed that sovereignty is a primary rule of international law, forcing the United Kingdom to add a reservation.[9]<\/sup> International courts,[10]<\/sup> the UN Security Council,[11]<\/sup> and the General Assembly[12]<\/sup> have consistently taken that view, as have many States in the past.[13]<\/sup> The AU has now thrown its weight behind this position as well.[14]<\/sup><\/p>\n

This near-unanimous view affirms that violating another State\u2019s sovereignty is unlawful under international law.<\/p>\n

3. Mere Cyber Espionage is Un<\/em>lawful<\/h2>\n

In contrast to traditional forms of espionage, cyber espionage often does not require the physical presence of a \u2018spy\u2019 on the target State\u2019s territory. Rather, States often conduct such espionage remotely without sending an agent abroad. In fact, monitoring and intrusion into electronic databases often occur from within the spying State\u2019s territory.[15]<\/sup> This practice makes it more difficult to claim a violation of the target State\u2019s territorial sovereignty.<\/p>\n

However, when States engage in cyber espionage, they usually attempt to obtain data stored on servers in the target State by manipulating software or exploiting security risks and subsequently copying the desired data. In such cases, States are actually engaged in remotely conducted activities on the target State\u2019s territory.<\/p>\n

Territorial sovereignty, though, encompasses a State\u2019s \u201cright to exercise therein, to the exclusion of any other State, the functions of a State,\u201d[16]<\/sup> which means a State \u201cmay not exercise its power in any form in the territory of another State.\u201d[17]<\/sup> The intrusion of one State into another State\u2019s data violates the target State\u2019s territorial sovereignty when the data is stored on servers requiring physical infrastructure on the target State\u2019s territory.[18]<\/sup> By carrying out such actions, <\/em>the spying State is unlawfully exercising its own governmental authority on the target State\u2019s territory.[19]<\/sup> The fact that the target State\u2019s authorities, in many cases, would require a court order to access the data obtained by the spying State underlines the governmental character of the act of espionage.[20]<\/sup> That the act of espionage is initiated remotely and undertaken by technical means is irrelevant, as the intrusion and interception take place on the target State\u2019s territory. Cyber espionage, undertaken in order to obtain data stored on servers in the target State, is therefore unlawful.[21]<\/sup><\/p>\n

4. Mere Cyber Espionage is Lawful<\/h2>\n

This is disputed by those who agree with the position adopted by the Tallinn Manual 2.0,[22]<\/sup> according to which an act of cyber espionage that merely obtains data located on the territory of another State does not violate that State\u2019s sovereignty.[23]<\/sup> This argument is sometimes referred to as the de minimis<\/em>[24]<\/sup> or relativist[25]<\/sup> approach to sovereignty, according to which cyber espionage only violates another State\u2019s sovereignty if it produces noticeable negative effects in the target State.[26]<\/sup> Others even argue that some kind of harm or damage must have been caused on the target State\u2019s territory for such activities to qualify as a sovereignty violation.[27]<\/sup> While there is disagreement on the precise degree of harm or damage necessary,[28]<\/sup> a number of States have publicly supported that view.[29]<\/sup><\/p>\n

5. Assessment of the Tallinn Manual\u2018s Approach to Sovereignty<\/h2>\n

This relativist approach, however, fails to convince. As Kevin Jon Heller has explained persuasively, the prohibition of intruding on another State\u2019s sovereignty qualifies as a general rule of international law.[30]<\/sup> As such, it applies to any act that implicates international law, including cyber espionage.[31]<\/sup> It is incorrect that advances in technology and science create a lacuna in international law, which may simply be closed by creating new rules.[32]<\/sup> Rather, at least initially, the general rules of international law apply automatically[33]<\/sup> as the ICJ confirmed in its Advisory Opinion on the Legality of Nuclear Weapons<\/em>.[34]<\/sup> Of course, subsequent amendments by States are always possible.<\/p>\n

The relevant general rule of international law on sovereignty applicable here does not require harm or damage to be caused on the other State\u2019s territory for an intrusion to be unlawful.[35]<\/sup> For example, the unauthorized overflight of a foreign aircraft over a State\u2019s territory is generally viewed as an unlawful violation of territorial sovereignty, although the mere overflight will not cause any damage or harm to the State concerned.[36]<\/sup> The United States reaction to the Chinese surveillance balloon that, in early 2023, crossed United States territory on an alleged mission to spy on military installations confirms this. Although there was no claim of harm or damage intended or caused, \u201csenior State Department officials\u201d stated that \u201cthe presence of this balloon in our airspace is a clear violation of our sovereignty, as well as international law, and it is unacceptable that this has occurred.\u201d[37]<\/sup> Similarly, despite usually not causing any harm to the target State, the conduct of cross-border criminal investigations without that State\u2019s consent is generally viewed as a usurpation of governmental functions and, therefore, as a sovereignty violation, irrespective of any damage caused.[38]<\/sup> Applied to the cyber realm, the conclusion must, therefore, be that in the case of cyber espionage, no harm or damage is required to qualify the remote intrusion onto the other State\u2019s territory as unlawful.[39]<\/sup><\/p>\n

Undoubtedly, States are free to create new rules of customary international law (leges speciales<\/em>) regarding cyber espionage.[40]<\/sup> For such a process to be successful, however, sufficient State practice and sufficient State reaction to evidence opinio juris <\/em>in support of such a change are required.[41]<\/sup> Given the Common African Position, recently issued by the Peace and Security Council of the AU, such a development seems far off.[42]<\/sup> Although some States support the relativist approach to sovereignty in cyberspace,[43]<\/sup> many others do not.[44]<\/sup> Rather, the latter have taken the view that an unlawful intrusion into a State\u2019s cyber system is a violation of sovereignty, irrespective of whether harm or damage was caused.[45]<\/sup><\/p>\n

France[46]<\/sup> and Iran,[47]<\/sup> two of the States explicitly rejecting the de minimis<\/em> threshold, are, in fact, major cyber actors.[48]<\/sup> Moreover, considering their reasons for rejecting the Budapest Cybercrime Convention, it seems China and the Russian Federation, well-known for their massive cyber-espionage operations,[49]<\/sup> also support the pure sovereignty approach. Both States disapproved of the Budapest Cybercrime Convention on the grounds that Article 32 (b) of the treaty, which in specific circumstances allows one State to access computer data in another State without the latter\u2019s consent, amounted to a violation of State sovereignty.[50]<\/sup> This fact is particularly relevant, as the ICJ has stated that any analysis of State practice and opinio juris<\/em> in order to identify a rule of customary international law must include those \u201cStates whose interests are specially affected.\u201d[51]<\/sup> The relativist approach to sovereignty fails that test: some major players in the field of cyber espionage oppose it. Now, in February 2024, the 55 member States of the AU that are more vulnerable to and whose interests are therefore also \u2018specially affected\u2019 by acts of cyber espionage[52]<\/sup> have likewise rejected the approach to sovereignty espoused by the authors of the Tallinn Manual.[53]<\/sup><\/p>\n

6. Conclusion<\/h2>\n

The AU\u2019s statement confirms that, by now, many States, including some of the most important perpetrators and many of the particularly vulnerable targets of cyber espionage, have come to oppose the approach to sovereignty adopted in the Tallinn Manual. This reality confirms that no lex specialis<\/em> has been created with respect to cyber espionage that negates a sovereignty violation in cases where no noticeable negative effects have been caused.<\/p>\n

Acts of cyber espionage that serve to obtain data stored on the target State\u2019s territory violate that State\u2019s sovereignty and are, therefore, unlawful. The Tallinn Manual\u2019s current relativist approach to sovereignty in cyberspace does not have sufficient support among States to be viewed as reflective of customary international law.<\/p>\n

[hr gap=”1″]<\/p>\n

<\/a>* Patrick C. R. Terry<\/strong> is a professor of law and the dean of the faculty of law at the University of Public Administration in Kehl (Germany). I wish to thank Cody Corliss and the editors of the Harvard International Law Journal, especially Amirah Mimano, for insightful comments on previous drafts of this piece and during the editing process. All errors are mine.<\/p>\n

[1] Patrick C. R. Terry, \u201cThe Riddle of the Sands\u201d \u2013 Peacetime Espionage and Public International Law<\/em>, 51 Geo. J. Int\u2019l L. 377 (2020).<\/p>\n

[2] Mohamed Helal, Common African Position on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace, and all associated Communiqu\u00e9s adopted by the Peace and Security Council of the African Union<\/em> \u00b6\u00b6 15-16 (Ohio St. Legal Stud, Research Paper No. 823, 2024), https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=4714756<\/a>.<\/p>\n

[3] Chim\u00e8ne Keitner, Foreign Election Interference and International Law, in<\/em> Election Interference: When Foreign Powers Target Democratic Institutions 1, 14-15 (Duncan Hollis & Jens Ohlin eds., 2020); Wolff Heintschel von Heinegg, Territorial Sovereignty and Neutrality in Cyberspace<\/em>, 89 Int\u2019l L. Stud. 123 (2013); Michael N. Schmitt, Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law<\/em>, 19 Chi. J. of Int\u2019l L. 30, 40, 42-43 (2018); see also<\/em> Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 11-29, especially Rule 4 (at 17) (Michael N. Schmitt ed., 2017); Russell Buchan & I\u00f1aki Navarrete, Cyber Espionage and International Law, in<\/em> Research Handbook on International Law and Cyberspace 231, 240-43 (Nicholas Tsagourias & Russell Buchan eds., 2021).<\/p>\n

[4] The Case of the S.S. Lotus (Fr. v. Turk.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, <\/em>at 18 (Sept. 7, 1927); see also <\/em>Island of Palmas Case (Neth. v. U.S.), 2 R.I.A.A. 829, 838 (Perm. Ct. Arb. 1928).<\/p>\n

[5] Corfu Channel Case (U.K. v. Alb.), Judgment, 1949 I.C.J. Rep. 4, at 35 (Apr. 9, 1949); see also<\/em> Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005 I.C.J. Rep. 168, \u00b6\u00b6 153, 165, 257, 259 (Dec. 19, 2005).<\/p>\n

[6] Jeremy Wright, U.K. Attorney General, Speech at the Royal Institute of International Affairs: Cyber and International Law in the 21st <\/sup>Century (May 23, 2018), https:\/\/www.gov.uk\/government\/speeches\/cyber-and-international-law-in-the-21st-century<\/a>; see<\/em> Suella Braverman, U.K. Attorney General, Speech at the Royal Institute of International Affairs: International law in Future Frontiers (May 19, 2022); https:\/\/www.gov.uk\/government\/speeches\/international-law-in-future-frontiers<\/a>.<\/p>\n

[7] See <\/em>Michael N. Schmitt & Liis Vihul, Respect for Sovereignty in Cyberspace<\/em>, 95 Tex. L. Rev. 1639 (2017) (under the Trump Administration, the United States seemed to take an ambivalent view on whether respecting another State\u2019s sovereignty was a rule of international law. The Department of Defense General Counsel, Paul C. Ney, Jr., stated that the United States position \u2018share[d] some similarities with the view expressed by the U.K. Government in 2018\u2019. However, Ney\u2019s subsequent legal analysis of espionage indicated that he believed it was indeed unlawful to violate another State\u2019s sovereignty); see <\/em>Paul C. Ney, Jr., General Counsel, U.S. Department of Defense, DOD General Counsel Remarks at U.S. Cyber Command Legal Conference (Mar. 2, 2020), https:\/\/www.defense.gov\/Newsroom\/Speeches\/Speech\/Article\/2099378\/dod-general-counsel-remarks-at-us-cyber-command-legal-conference\/<\/a>; see also<\/em> Dan Efrony & Yuval Shany, A Rule Book on the<\/em> Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice<\/em>, 112 Am. J. Int\u2019l L. 583, 640 (2018) (where the authors point out that no State accused of violating another State\u2019s sovereignty has claimed to be entitled to do so); see<\/em> Harald Hongju Koh, Legal Adviser, U.S. Department of State, Speech at USCYBERCOM Inter-Agency Legal Conference: International Law in Cyberspace (Sept. 18, 2012), https:\/\/2009-2017.state.gov\/s\/l\/releases\/remarks\/197924.htm<\/a>; Brian J. Egan, Legal Adviser, U.S. Department of State, Speech at the University of California, Berkeley School of Law: Remarks on International Law and Stability in Cyberspace (Nov. 10, 2016), https:\/\/2009-2017.state.gov\/s\/l\/releases\/remarks\/264303.htm<\/a> (under the Obama Administration, the United States adopted the view that violating another State\u2019s sovereignty was unlawful).<\/p>\n

[8] G.A. Off. Compendium of Voluntary Nat\u2019l Contributions on the Subject of How Int\u2019l L. Applies to the Use of Info. and Commc\u2019n Tech. by States Submitted by Participating Gov\u2019t Experts in the Group of Gov\u2019t Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of Int\u2019l Sec. Established Pursuant to G.A. Res. 73\/266, U.N. Doc. A\/76\/136, Netherlands, 55-57 (July 13, 2021), https:\/\/front.un-arm.org\/wp-content\/uploads\/2021\/08\/A-76-136-EN.pdf<\/a> (hereinafter Netherlands); G.A. Unofficial Translation of France\u2019s Response to Res. 73\/27 \u201cDevelopments in the Field of Information and Telecommunications in the Context of International Security\u201d and Res. 73\/266 \u201cAdvancing Responsible State Behaviour in Cyberspace in the Context of International Security,\u201d \u00b6 3 (a) (2019), https:\/\/www.diplomatie.gouv.fr\/IMG\/pdf\/190514-_french_reponse_un_resolutions_73-27_-_73-266_ang_cle4f5b5a-1.pdf<\/a> (hereinafter France); Ger. Fed. Gov\u2019t, On the Application of International Law in Cyberspace<\/em> 3-4 (Mar. 2021), https:\/\/www.auswaertiges-amt.de\/blob\/2446304\/32e7b2498e10b74fb17204c54665bdf0\/on-the-application-of-international-law-in-cyberspace-data.pdf<\/a> (hereinafter Germany); Can. Fed. Gov\u2019t, International Law Applicable in Cyber Space<\/em> \u00b6 13 (Apr. 22, 2022), https:\/\/www.international.gc.ca\/world-monde\/issues_development-enjeux_developpement\/peace_security-paix_securite\/cyberspace_law-cyberespace_droit.aspx?lang=eng#a3<\/a> (hereinafter Canada); Pol. Ministry of Foreign Affairs, The Republic of Poland\u2019s Position on the Application of International Law in Cyber Space <\/em>3 (Dec. 29, 2022), https:\/\/www.gov.pl\/web\/diplomacy\/the-republic-of-polands-position-on-the-application-of-international-law-in-cyberspace<\/a> (hereinafter Poland).<\/p>\n

[9] North Atlantic Treaty Organization, Allied Joint Publication-3.20, Allied Joint Doctrine for Cyberspace Operations (Edition A Version 1)<\/em> 20 fn. 26 (Jan. 2020).<\/p>\n

[10] Military and Paramilitary Activities in and against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. Rep 14, \u00b6\u00b6 87-91, 251 (June 27, 1986); Certain Activities Carried Out by Nicaragua in the Border Area (Costa Rica v. Nicar.), 2015 I.C.J. Rep. 665, \u00b6\u00b6 66-99, 221-23 (Dec. 16, 2015); Weber and Saravia v. Ger., 2006-XI Eur. Ct. H.R. App. No. 54934\/00, \u00b6 88 (June 29, 2006); see also<\/em> Re Canadian Security Intelligence Service Act<\/em>, 2009 F.C. 1058 (Can.) (dealing with espionage).<\/p>\n

[11] S.C. Res. 138, \u00b6 2 (June 30, 1960); S.C. Res. 1234, \u00b6 1 (April 9, 1999); S.C. Res. 1304 \u00b6 4 (a), (June 16, 2000).<\/p>\n

[12] G.A. Res. 2625 (XXV) (Nov. 25, 1970); see also<\/em> U.N. Convention against Transnational Organized Crime, art. 4 (2), Annex I to G.A. Res. 55\/25 (Nov. 15, 2020).<\/p>\n

[13] Keitner, supra<\/em> note 3, 14-15; Schmitt, supra<\/em> note 3, 40, 42-43; see Full Text: International Strategy of Cooperation on Cyberspace<\/em>, Xinhua News Agency \u00b6 2 (Mar. 1, 2017), http:\/\/www.xinhuanet.com\/\/english\/china\/2017-03\/01\/c_136094371_2.htm<\/a>.<\/p>\n

[14] Helal, supra<\/em> note 2, \u00b6 16.<\/p>\n

[15] Stefan Talmon, Sachverst\u00e4ndigengutachten gem\u00e4\u00df Beweisbeschluss SV-4 des 1. Untersuchungsausschusses des Deutschen Bundestages der 18. Wahlperiode<\/em> 1\u201339, at 19-20 (2014) (Ger.), https:\/\/www.bundestag.de\/blob\/282872\/2b7b605da4c13cc2bc512c9c899953c1\/mat_a_sv-4-2_talmon-pdf-data.pdf<\/a>; but see<\/em> Anne Peters, Surveillance Without Borders? <\/em>The Unlawfulness of the NSA-Panopticon, Part I<\/em>, EJIL: Talk! 2 (Nov. 1, 2013), http:\/\/www.ejiltalk.org\/surveillance-without-borders-the-unlawfulness-of-the-nsa-panopticon-part-i\/<\/a>; see also<\/em> Aaron Shull, Cyberespionage and International Law, in<\/em> GigaNet 8th Annual Symposium 5 (2013).<\/p>\n

[16] Island of Palmas Case, supra <\/em>note 4, <\/em>838.<\/p>\n

[17] The Case of the S.S. Lotus, supra <\/em>note 4, 18.<\/p>\n

[18] Nicholas Tsagourias, The Legal Status of Cyberspace: Sovereignty Redux?, in<\/em> Research Handbook on International Law and Cyberspace, 9, 22-23 (Nicholas Tsagourias & Russell Buchan eds., 2021); von Heinegg, supra <\/em>note 3,<\/em> 125-26; see also<\/em> Tallinn Manual on the International Law Applicable to Cyber Warfare 15, 18 (Michael N. Schmitt ed., 2013); Tallinn Manual 2.0, supra <\/em>note 3, 13.<\/p>\n

[19] International Telecommunication Union (ITU), Understanding Cybercrime: Phenomena, Challenges and Legal Response 277-78 (2012), http:\/\/www.itu.int\/ITU-D\/cyb\/cybersecurity\/docs\/Cybercrime%20legislation%20EV6.pdf<\/a>; I\u00f1aki Navarrete, L\u2019espionnage en tamps de paix en droit international public<\/em>, 52 Can. Y.B. Int\u2019l L. 1, 30-34 (2015); cf<\/em>. Peters, supra<\/em> note 15, 2.<\/p>\n

[20] See, e.g.,<\/em> Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. \u00a7 2518; \u00a7\u00a7 100 a, 100 e Strafprozessordnung (German Code of Criminal Procedure) for criminal proceedings and \u00a7\u00a7 5, 51 Bundeskriminalamtgesetz (Law on the Federal German Police Office) for preventive measures (Ger.).<\/p>\n

[21] Russell Buchan, Cyber Espionage and International Law, 54-55 (2019); Kevin Jon Heller, In Defense of Pure Sovereignty in Cyber Space<\/em>, 97 Int\u2019l L. Stud. 1432, 1480-86 (2021).<\/p>\n

[22] Tallinn Manual 2.0, supra <\/em>note 3, Rule 32 (especially Comment 8, at 171).<\/p>\n

[23] Ibid.<\/em><\/p>\n

[24] Przemyslaw Roguski, Application of International Law to Cyber Operations: A Comparative Analysis of States\u2019 Views<\/em>, The Hague Program for Cyber Norms Policy 4 (Policy Brief, 2020).<\/p>\n

[25] Heller, supra<\/em> note 21, 1436.<\/p>\n

[26] Heller, supra<\/em> note 21, 1461-63; see, e.g.,<\/em> Tallinn Manual 2.0, supra <\/em>note 3, Rule 4 (Comment 14, at 22).<\/p>\n

[27] Buchan, supra<\/em> note 21, 53-54; Heller, supra<\/em> note 21, 1461-63.<\/p>\n

[28] See, e.g.,<\/em> Tallinn Manual 2.0, supra <\/em>note 3, Rule 4 (Comment 14, at 22); Germany, supra<\/em> note 8, 4; Netherlands, supra<\/em> note 8, 57; G.A. Off. Compendium of Voluntary Nat\u2019l Contributions on the Subject of How Int\u2019l L. Applies to the Use of Info. and Commc\u2019n Tech. by States Submitted by Participating Gov\u2019t Experts in the Group of Gov\u2019t Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of Int\u2019l Sec. Established Pursuant to G.A. Res. 73\/266, U.N. Doc. A\/76\/136, United States, 140 (July 13, 2021); https:\/\/front.un-arm.org\/wp-content\/uploads\/2021\/08\/A-76-136-EN.pdf<\/a> (hereinafter United States); Richard Kadl\u010d\u00e1k, Special Envoy for Cyberspace Director of Cybersecurity Department, Statement at the 2nd Substantive Session of the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security of the First Committee of the General Assembly of the United Nations 2 (Feb. 11, 2020), https:\/\/www.nukib.cz\/download\/publications_en\/CZ%20Statement%20-%20OEWG%20-%20International%20Law%2011.02.2020.pdf<\/a> (hereinafter Czech Republic); Canada, supra <\/em>note 8, \u00b6\u00b6 15, 17.<\/p>\n

[29] Germany, supra<\/em> note 8, 4; Netherlands, supra<\/em> note 8, 57; United States, supra<\/em> note 28, 140; Czech Republic, supra<\/em> note 28, 3; Canada, supra<\/em> note 8, \u00b6\u00b6 15, 17.<\/p>\n

[30] Heller, supra <\/em>note 21, 1451-54.<\/p>\n

[31] Heller, supra<\/em> note 21, 1451-54; Antonio Coco & Talita de Souza Dias, \u2018Cyber Due Diligence\u2019: A Patchwork of Protective Obligations in International Law<\/em>, 32 Eur. J. Int\u2019l L. 771, 779-80 (2021).<\/p>\n

[32] Heller, supra<\/em> note 21, 1451-53; Coco & de Souza Dias, supra<\/em> note 31, 779-80.<\/p>\n

[33] Heller, supra<\/em> note 21, 1454; Coco & de Souza Dias, supra<\/em> note 31, 779-80.<\/p>\n

[34] Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion), 1996 I.C.J. Rep. 226, \u00b6 86 (July 8, 1996) (\u201cIndeed, nuclear weapons were invented after most of the principles and rules of humanitarian law applicable in armed conflict had already come into existence; [\u2026] However, it cannot be concluded from this that the established principles and rules of humanitarian law applicable in armed conflict did not apply to nuclear weapons. Such a conclusion would be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kind of weapons, those of the past, those of the present and those of the future\u201d).<\/p>\n

[35] Heller, supra <\/em>note 21, 1464-68; Buchan & Navarrete, supra <\/em>note 3, 243-44.<\/p>\n

[36] Military and Paramilitary Activities in and against Nicaragua, supra <\/em>note 10, <\/em>\u00b6\u00b6 87-91, 251.<\/p>\n

[37] U.S. Dept. of State, Senior State Department Officials on the People\u2019s Republic of China<\/em>, Special Briefing (Feb. 3, 2023), https:\/\/www.state.gov\/senior-state-department-officials-on-the-peoples-republic-of-china\/<\/a>; see also<\/em> Donald Rothweill, Too Much Hot Air? A Balloon which Tested the Limits of International Law<\/em>, Australian National University College of Law (Feb. 16, 2023), https:\/\/law.anu.edu.au\/research\/essay\/cipl-discussion-paper-series\/too-much-hot-air-balloon-which-tested-limits\/<\/a>.<\/p>\n

[38] The Case of the S.S. Lotus, supra<\/em> note 4, 18-19; s<\/em>ee also<\/em> Tallinn Manual 2.0, supra <\/em>note 3, Rule 11 (at 66), especially Comment 14 (at 69-70); Fran\u00e7ois Delerue at al., The Geopolitical Representations of International Law in the International Negotiations on the Security and Stability in Cyberspace<\/em>, Report No. 75, 52 (\u201cgenerally\u2026accepted\u201d) (Minist\u00e8re des Arm\u00e9es, 2020).<\/p>\n

[39] Heller, supra<\/em> note 21, 1458-61, 1464-74.<\/p>\n

[40] Heller, supra<\/em> note 21, 1454.<\/p>\n

[41] Heller, supra<\/em> note 21, 1454; Case Concerning the Continental Shelf (Libyan Arab Jamahiriya v. Malta),<\/em> 1985 I.C.J. Rep. 13, \u00b6 27 (June 3, 1985); Legality of the Threat or Use of Nuclear Weapons, supra<\/em> note 34, \u00b6 64.<\/p>\n

[42] Common African Position, supra<\/em> note 2, \u00b6 17.<\/p>\n

[43] See <\/em>supra<\/em> note 29.<\/p>\n

[44] See <\/em>France, supra <\/em>note 8, \u00b6 3 (a) (at 8) (according to France\u2019s official response to two GA resolutions, no harm is necessary for a violation of sovereignty to have occurred); see<\/em> Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace, art. II, \u00b6 4 (Aug. 18, 2020), https:\/\/nournews.ir\/En\/News\/53144\/General-Staff-of-Iranian-Armed-Forces-Warns-of-Tough-Reaction-to-Any-Cyber-Threat<\/a> (for Iran\u2019s position on sovereignty violations in cyberspace); see also<\/em> Switzerland\u2019s Position Paper on the Application of International Law in Cyberspace<\/em>, Swiss Federal Department of Foreign Affairs 2, https:\/\/www.eda.admin.ch\/content\/dam\/eda\/en\/documents\/aussenpolitik\/voelkerrecht\/20210527-Schweiz-Annex-UN-GGE-Cybersecurity-2019-2021_EN.pdf<\/a>; see<\/em> G.A. Off. Compendium of Voluntary Nat\u2019l Contributions on the Subject of How Int\u2019l L. Applies to the Use of Info. and Commc\u2019n Tech. by States Submitted by Participating Gov\u2019t Experts in the Group of Gov\u2019t Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of Int\u2019l Sec. Established Pursuant to G.A. Res. 73\/266, U.N. Doc. A\/76\/136, Brazil, 18 (July 13, 2021), https:\/\/front.un-arm.org\/wp-content\/uploads\/2021\/08\/A-76-136-EN.pdf<\/a>; Poland, supra<\/em> note 8, at 3; Przemyslaw Roguski, Poland\u2019s Position on International Law and Cyber Operations: Sovereignty and Third-Party Countermeasures<\/em>, Just Security (Jan. 18, 2023), https:\/\/www.justsecurity.org\/84799\/polands-position-on-international-law-and-cyber-operations-sovereignty-and-third-party-countermeasures\/<\/a>; see also<\/em> Rashad Rolle, Lawyers to Act in N.S.A. Spy Row<\/em>, The Tribune (June 5, 2014) (responding to accusations that the NSA had recorded every cell phone conversation in the Bahamas, that State\u2019s Minister for Foreign Affairs, Fred Mitchell, declared: \u201cThe Bahamas wishes to underscore the most worthy principles of this organisation, as expressed in the OAS charter: that international law is the standard of conduct of States, the primacy of sovereignty, maintenance of territorial integrity, freedom from undue external intrusion and influence [\u2026]\u201d), http:\/\/www.tribune242.com\/news\/2014\/jun\/05\/lawyers-act-ns-spy-row\/<\/a>; see further<\/em> Note Verbale Dated 22 July 2013 from the Permanent Mission of The Bolivarian Republic of Venezuela to the United Nations Addressed to the Secretary-General (on Behalf of the MERCUSOR Member States Argentina, Bolivia, Brazil, Uruguay, And Venezuela), U.N. Doc. A767\/746 (July 22, 2013) (in relation to the NSA \u201cinterception of telecommunications\u201d the MERCUSOR member States declared that these \u201cconstitute unacceptable behaviour that violates our sovereignty [\u2026]\u201c), https:\/\/digitallibrary.un.org\/record\/754199<\/a>; African Common Position, supra<\/em> note 2, \u00b6\u00b6 15-16.<\/p>\n

[45] Ibid<\/em>.<\/p>\n

[46] See<\/em> supra<\/em> note 44.<\/p>\n

[47] See<\/em> supra<\/em> note 44.<\/p>\n

[48] Arthur B.P. Laudrain, France\u2019s New Offensive Cyber Doctrine<\/em>, Lawfare (Feb. 26, 2019), https:\/\/www.lawfareblog.com\/frances-new-offensive-cyber-doctrine<\/a>; Boris Toucas, With its New \u2018White Book\u2019, France Looks to become a World-Class Player in Cyber Space<\/em>, Texas National Security Review\/War on the Rocks (Mar. 29, 2018), https:\/\/warontherocks.com\/2018\/03\/with-its-new-white-book-france-looks-to-become-a-world-class-player-in-cyber-space\/<\/a>; Eric Rosenbaum, Iran is \u2018Leapfrogging Our Defenses\u2019 in a Cyber War \u2018My Gut is We Lose\u2019: Hacking expert Kevin Mandia<\/em>, CNBC News (Nov. 18, 2021), https:\/\/www.cnbc.com\/2021\/11\/18\/iran-leapfrogging-our-defenses-in-cyber-war-hacking-expert-mandia-.html<\/a>; Catherine A. Theohary, Iranian Offensive Cyber Attack Capabilities<\/em>, Congressional Research Service (Jan. 13, 2020), https:\/\/sgp.fas.org\/crs\/mideast\/IF11406.pdf<\/a>; Publicly Reported Iranian Cyber Actions in 2019<\/em>, Center for Strategic & International Studies, https:\/\/www.csis.org\/programs\/technology-policy-program\/publicly-reported-iranian-cyber-actions-2019<\/a>.<\/p>\n

[49] See, e.g.,<\/em> Bill Whitaker, Solar Winds: How Russian Spies Hacked the Justice, State, Treasury, Energy and Commerce Departments<\/em>, CBS News (July 4, 2021), www.cbsnews.com\/news\/solarwinds-hack-russia-cyberattack-60-minutes-2021-07-04\/<\/a>; Zolan Kanno-Youngs & David E. Sanger, U.S. Accuses China of hacking Microsoft<\/em>, The New York Times (Aug. 26, 2021), www.nytimes.com\/2021\/07\/19\/us\/politics\/microsoft-hacking-china-biden.html<\/a>.<\/p>\n

[50] Eleonore Pouwels, The Road Towards Cyber-Sovereignty Passes Through Africa<\/em>, Konrad Adenauer Foundation (Dec. 9, 2019), https:\/\/www.kas.de\/de\/laenderberichte\/detail\/-\/content\/the-road-towards-cyber-sovereignty-passes-through-africa<\/a>.<\/p>\n

[51] The North Continental Shelf Cases (Ger. v. Den. and Neth.), 1969 I.C.J. Rep. 3, \u00b6 74 (Feb. 20, 1969) (\u201c[\u2026] State practice, including that of States whose interests are specially affected<\/em>, should have been both extensive and virtually uniform in the sense of the provision invoked; – and should moreover have occurred in such a way as to show a general recognition that a rule of law or legal obligation is involved\u201d); Nico Krisch, International Law in Times of<\/em> Hegemony: Unequal Power and the Shaping of the International Legal Order<\/em>, 16 Eur. J. Int\u2019l L. 369, 380 (2005).<\/p>\n

[52] Common African Position, supra<\/em> note 2, \u00b6 17.<\/p>\n

[53] Common African Position, supra<\/em> note 2, \u00b6\u00b6 15-16.<\/p>\n

[hr gap=”1″]<\/p>\n

Cover image credit\u00a0<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Patrick C. R. Terry<\/p>\n","protected":false},"author":96,"featured_media":10520,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_FSMCFIC_featured_image_caption":"","_FSMCFIC_featured_image_nocaption":null,"_FSMCFIC_featured_image_hide":null,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[121,366],"tags":[405,409],"class_list":["post-10519","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-article-series","category-perspectives","tag-security","tag-technology"],"jetpack_featured_media_url":"https:\/\/journals.law.harvard.edu\/ilj\/wp-content\/uploads\/sites\/84\/computer-number-environment-pattern-line-coding-1172040-pxhere.com-1.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/peZu3S-2JF","jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts\/10519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/comments?post=10519"}],"version-history":[{"count":0,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts\/10519\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/media\/10520"}],"wp:attachment":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/media?parent=10519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/categories?post=10519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/tags?post=10519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}