Principle of Non-Intervention in the Cyber Domain

As Nation States increase the domestic and international interconnectedness of their societies, they in turn, increase their vulnerability to manipulation, disruption, and attacks on the critical infrastructure and services that support the political, economic, and social activities of their nation [1].  This poses a challenge when these vulnerabilities are exploited by one State over another, as the available international law for such scenarios has been written with armed attacks and physical breaches in mind. Cyber operations can have the same impact as a military attack; however, the majority of cyber-attacks do not result in physical damage to infrastructure or injury to persons, and from an international law perspective, are below the threshold to be considered a "use of force" or an "armed attack" by a State [2].

Article 2(1) of the UN Charter states that “the Organization is based on the principle of the sovereign equality of all its Members”[3]. Although the principle of non-intervention is not specifically mentioned within the Charter, it is generally accepted that it is implied through this statement of sovereign equality.

The Principle of Non-Intervention is “one of the most potent and elusive of all international law principles”[4]. It is considered potent due to the countermeasures deployed in response to an intervention but elusive due to the uncertainty and lack of clarity regarding which actions constitute a breach of the non-intervention principle within the cyber domain. This absence of certainty largely stems from the fact that States find themselves applying a legal framework implemented many years before the emergence of cyber technologies being used in the attacks. This has resulted in frustration within the international community due to the emergence of “grey areas”, as the existing law trails behind the advancement of technology and an ever-increasing risk that these “grey areas” will be used to the advantage of some States’ over others [5].

Greater clarity is needed regarding the international law principle of non-intervention within the cyber domain. Focus and attention are especially required on State-based interventions that do not meet the current “use of force” criteria. 

The significance of Sovereignty

The principle of sovereignty first emerged from the 1648 Treaty of Westphalia that gave birth to the modern system of nation-states. As a foundational principle of international law, the concept of sovereignty is “the collection of rights held by a state, first in its capacity as the entity entitled to exercise control over its territory and second in its capacity to act on the international plane, representing that territory and its people” [6]. It is widely agreed that the principle of State sovereignty does apply in cyberspace, and this is reflected in Rule 1 of the Tallinn Manual 2.0 [7].

The principle of Non-Intervention

The principle of non-intervention is an extension upon the concept of sovereignty, reflected by Rule 66 of the Tallinn Manual 2.0, where it states that “a State may not intervene, including by cyber means, in the internal or external affairs of another State”[8]. Furthermore, this principle is considered a customary norm implied within Articles 2(1), 2(3), and 2(4) of the United Nations Charter and the Friendly Relations Declaration of 1970. 

An act will be considered a prohibited intervention by a State if the following two conditions are met:

1. the act must relate to matters that involve the internal or external affairs of the target State; and
2. the act must be coercive in nature. [9]

The following diagram shows the categorisation of cyber acts that are considered “wrongful” from the perspective of international law:

Figure 1 - Wrongful Cyber Acts[10]

As shown, there are three categories of cyber acts that are considered “wrongful” for a State to engage in – intervention, use of force, and armed attack. It should be noted that all three are considered interventions in their own right and can occur in parallel – with the use of force and then armed attacks seen as progressively worse categories of intervention. The International Court of Justice [ICJ] also confirmed the parallel nature of such interventions in the Case Concerning Armed Activities on the Territory of the Congo in 2005. The ICJ found that Uganda had failed to meet both “obligations arising under principles of non-use of force and non-intervention”[11].

The ability to clearly distinguish prohibited intervention from other acts is important, as prohibited intervention is classified as an internationally wrongful act, enabling the target State to respond with countermeasures. 

Cyber Shades of Grey

The problem with applying the existing international legal framework to the cyber domain is that the nature and impact of cyber operations are often very different from traditional military operations. For example, rule 69 of the Tallinn Manual 2.0 defines a cyber operation to be a use of force “when its scale and effects are comparable to non-cyber operations rising to the level of a use of force”[12]. The issue with this definition is that cyber operations can significantly impact a target State without causing physical harm to humans or damage to infrastructure and without crossing the required threshold to be considered a use of force or an armed attack based on existing international law. For this reason, the international community needs to achieve improved clarity regarding cyber operations that should constitute a prohibited intervention against a State versus those that do not. This is needed to ensure that every State has an appropriate legal avenue available to implement countermeasures in response to the attacks where appropriate.

Rule 66[13] of the Tallinn Manual 2.0 also states that a prohibited intervention must be a coercive act with the potential for compelling the target State to engage in an action that it would otherwise not take or to refrain from taking actions it would otherwise take. The element of coercion was also a point of judgment in the Nicaragua vs United States case of 1986, with the International Court of Justice stating:

“The element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State. ”[14]

This requirement for “coercion” is a source of much discussion in the international community, with some arguing that the traditional standard of coercion is outdated and not appropriate when considering cyber operations; calling for “the introduction of a more nuanced approach, that takes into account interventions that are non-coercive in nature”[15].

The Russian government interference in the 2016 US presidential election is an example of an intervention where the element of “coercion” could not be clearly established based on the current understanding of international law. Federal elections are clearly a governmental function of the United States of America. Thus, in theory, the disruption of an election could be considered a usurpation activity that is considered unlawful under international law.

On this occasion, the interference did not come in the form of altering electoral results or an attack on the technology and infrastructure hosting the electoral process. Instead, the interference came by way of a hack into the email system used by the Democratic National Committee [DNC] and a subsequent mass release of information to the public. The emails that were released were released without any alteration[16] and without an obvious intent to “coerce” the State (United States of America).

Most international lawyers agree that spying and cyber espionage violates domestic rather than international law [17]. This is mainly due to foreign spying being “so widespread that customary international law arguably does not prohibit it”[18], however, it could be argued that the mass release of information by the Russian government went beyond the scope of espionage; with the information used as a weapon in its own right, triggering the customary norm of non-intervention[19].

Prohibited Intervention 2.0

The concerns regarding applying existing international law to the cyber domain have many international law professionals considering lex ferenda, or future law, in this space. In addition, there is an increasing concern that the element of coercion is not an effective measure to delineate wrongful cyber interference and a view that an alternative standard is required to cater for cyber operations[20].

One school of thought is that the “wrongfulness of cyber intervention ought to be defined not by whether it is coercive by nature, but by whether a cyber intervention prevented a state from freely exercising functions associated with its internal and external affairs”[21].  This would consider the degree of influence exerted by a cyber operation on the victim state with more of a focus on the deprivation of free choice, without the explicit need for the coercion to be proven.

Conclusion

The rapid development of technology, the proliferation of the Internet, and the ongoing interconnection of critical infrastructure and services have resulted in increasing concern regarding the regulation of cyberspace and the supporting legal framework.

International law provides the base on which cyber principles and laws can be developed; however the lex lata or existing principle of non-intervention “does not neatly apply to cyberspace in the way that it applies to the physical world, particularly because information is widely available and cyberspace transcends political borders”[22].

Cyber operations are unlike the use of military or economic force, and it is not always straightforward to distinguish whether actions undertaken in cyberspace are coercive and non-coercive in nature. Therefore, there is a need for further development of international law regarding the non-intervention rule to ensure that actions involving some level of subversion or usurpation of a victim State’s protected prerogatives, or domain reserve, are actionable under international law. In addition, victim States need to be empowered to utilise countermeasures when subjected to these disruptive interventions as they occur and a legal mechanism to seek reparations afterwards.

 ______________________________________________

References

[1] Kilovaty, “Doxfare: Politically Motivated Leaks and the Future of the Norm on Non-Intervention in the Era of Weaponized Information”, 150.

[2] Nordström, “The Regulation of Cyber Operations Below the Threshold of Article 2(4) of the Charter”, 31.

[3] United Nations, “Article 2(1)—(5)”.

[4] Lowe, International Law, 104.

[5] Riazi, “Filling Gaps: Cyberspace & Grey Zone Dangers”.

[6] Crawford, Brownlie's Principles of Public International Law, 452.

[7] Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 11.

[8] ibid., 312.

[9] Ibid., 314.

[10] Walton, “Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in International Law”.

[11] DRC v. Uganda judgement, 6.

[12] Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 333.

[13] Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 312.

[14] Nicaragua vs United States of America judgement, para. 205.

[15] Kilovaty, “Doxfare: Politically Motivated Leaks and the Future of the Norm on Non-Intervention in the Era of Weaponized Information”, 146; Rotondo & Salvati, “Fake News, (Dis)information, and the Principle of Nonintervention”, 210.

[16] Schmitt, “Grey Zones in the International Law of Cyberspace”, 8.

[17] Ohlin, "Did Russian Cyber Interference in the 2016 Election Violate International Law?", 1581.

[18] ibid.,1584.

[19] Kilovaty, “Doxfare: Politically Motivated Leaks and the Future of the Norm on Non-Intervention in the Era of Weaponized Information”

[20] Kilovaty, “The Elephant in the Room: Coercion”; Tsagourias, “Electoral Cyber Interference, Self-Determination and The Principle of Non-Intervention in Cyberspace, 2.

[21] ibid.

[22] Kilovaty, “Doxfare: Politically Motivated Leaks and the Future of the Norm on Non-Intervention in the Era of Weaponized Information”

Bibliography

Corn, G. 2020. “Punching on the Edges of the Grey Zone: Iranian Cyber Threats and State Cyber Responses”. Just Security. Published 11 Feb 2020. Accessed 02 Apr 2020. <https://www.justsecurity.org/68622/punching-on-the-edges-of-the-grey-zone-iranian-cyber-threats-and-state-cyber-responses>.

Corn, G. & Taylor, R. “Sovereignty in the Age of Cyber.” American Journal of International Law Unbound 111 (2017): 207—12. <https://doi.10.1017/aju..2017.57>.

Crawford, J. Brownlie's Principles of Public International Law (9th edn), New York: Oxford University Press, 2019. <https://doi.org/10.1093/he/9780198737445.001.0001>.

International Court of Justice. Armed Activities on the Territory of the Congo [Democratic Republic of the Congo v. Uganda], Judgment, I.C.J. Reports 2005, p. 168. < https://www.icj-cij.org/files/case-related/116/116-20051219-JUD-01-00-EN.pdf>.

International Court of Justice. Military and Paramilitary Activities in and against Nicaragua [Nicaragua v. United States of America]. Merits, Judgment. I.C.J. Reports 1986, p. 14. < https://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf>.

Kilovaty, I. “Doxfare: Politically Motivated Leaks and the Future of the Norm on Non-Intervention in the Era of Weaponized Information.” Harvard National Security Journal 9, Spring 2018. <https://ssrn.com/abstract=2945128>.

Kilovaty, I. “The Elephant in the Room: Coercion.” American Journal of International Law Unbound 113 (2019): 87–91. <https://doi.org/10.1017/aju.2019.10>.

Lowe, V. International Law. New York: Oxford University Press, 2007.

Nordström, C. “The Regulation of Cyber Operations Below the Threshold of Article 2(4) of the Charter.” Master’s Thesis, Uppsala Universitet. <http://www.diva-portal.se/smash/get/diva2:1317991/FULLTEXT01.pdf>.

Ohlin, Jens David. "Did Russian Cyber Interference in the 2016 Election Violate International Law?". Texas Law Review 95, No. 6 (June 2017, 1579—1598). <https://scholarship.law.cornell.edu/cgi/viewcontent.cgi?article=2632&context=facpub>.

Riazi, T. “Filling Gaps: Cyberspace & Grey Zone Dangers.” NATO Association of Canada, September 24, 2019. <http://natoassociation.ca/filling-gaps-cyberspace-grey-zone-dangers>.

Rotondo, A. & Salvati, P. “Fake News, (Dis)information, and the Principle of Nonintervention”. The Cyber Defense Review, SPECIAL EDITION: International Conference on Cyber Conflict (CYCON U.S.), November 14-15, 2018: Cyber Conflict During Competition (2019), pp. 209-224. <https://www.jstor.org/stable/10.2307/26846129>.

Schmitt, M. “Grey Zones in the International Law of Cyberspace”. The Yale Journal of International Law 42, No. 2, 2017. < https://cpb-us-w2.wpmucdn.com/campuspress.yale.edu/dist/8/1581/files/2017/08/Schmitt_Grey-Areas-in-the-International-Law-of-Cyberspace-1cab8kj.pdf>.

Schmitt, M. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. 2nd ed. Cambridge: Cambridge University Press, 2017. <https://doi.org/10.1017/9781316822524>.

Tsagourias, N. “Electoral Cyber Interference, Self-Determination and The Principle of Non-Intervention in Cyberspace”. In Governing Cyberspace: Behaviour, Power and Diplomacy, edited by Broeders, D. & van den Berg, B. Maryland: Rowman & Littlefield, 2020.

United Nations. “Article 2(1)—(5)”. Charter of the United Nations. Last modified February 6, 2020. <https://legal.un.org/repertory/art2.shtml>.

United Nations. “Responsibility of States for Internationally Wrongful Acts”. 2001. <https://legal.un.org/ilc/texts/instruments/english/draft_articles/9_6_2001.pdf>.

Walton, B. “Duties Owed: Low-Intensity Cyber Attacks and Liability for Transboundary Torts in International Law”. The Yale Law Journal 126, No. 5 (March 2019, 1242—1599). <https://www.yalelawjournal.org/note/duties-owed-low-intensity-cyber-attacks-and-liability-for-transboundary-torts-in-international-law>.