Published online by Cambridge University Press: 21 October 2019
Since the end of the Cold War, international law has increasingly been challenged by states and other actors. Specific norms have also been challenged in their application by new realities and obstacles. This article focuses on these challenges as they arise from the development of cyberspace and cyber operations, and offers an overview of the main questions arising with regard to the application of international law to cyber operations. By analysing the application of the existing norms of international law to cyber operations as well as identifying their limits, the article offers an accurate lens through which to study the contestation or process of reinterpretation of some norms of international law. The objective of the article is not to deliver a comprehensive analysis of how the norms of international law apply to cyber operations but to provide an overview of the key points and issues linked to the applicability and application of the norms as well as elements of contextualisation, notably after the failure of the 2016–17 United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. The article comprises three parts. The first part focuses on the applicability of international law to cyber operations. The second part identifies challenges that affect the applicability and application of international law in general, while the third part analyses challenges that affect specific norms of international law, highlighting their limits in dealing with cyber threats.
The author is grateful to Professor Moshe Hirsch and the participants at the 2018 ESIL Research Forum, as well as to Alix Desforges, Aude Géry, Emma Nyhan, Argyri Panezi and the anonymous reviewers for their useful comments on a previous version of this article. The views expressed herein are those of the author in his personal capacity.
1 See generally Heike Krieger and Georg Nolte, ‘The International Rule of Law – Rise or Decline? Points of Departure’, Berlin Potsdam Research Group / KFG – The International Rule of Law: Rise or Decline?, KFG Working Paper Series No 1, 2016; Pert, Alison, ‘International Law in a Post-Post-Cold War World – Can It Survive?’ (2017) 4 Asia & the Pacific Policy Studies 362CrossRefGoogle Scholar. See also, for instance, the discussion on this question in the EJIL: Talk! Contributing Editors’ Debate: Andreas Zimmermann, ‘Times Are Changing – and What About the International Rule of Law Then?’ EJIL: Talk!, 5 March 2018, https://www.ejiltalk.org/times-are-changing-and-what-about-the-international-rule-of-law-then; Monica Hakimi, ‘International Law in “Turbulent Times” – Part 1’, EJIL: Talk!, 6 March 2018, https://www.ejiltalk.org/international-law-in-turbulent-times-part-i; Christian Tams, ‘Decline and Crisis: A Plea for Better Metaphors and Criteria’, EJIL: Talk!, 7 March 2018, https://www.ejiltalk.org/decline-and-crisis-a-plea-for-better-metaphors-and-criteria; Lorna McGregor, ‘The Thickening of the International Rule of Law in “Turbulent” Times’, EJIL: Talk!, 8 March 2018, https://www.ejiltalk.org/the-thickening-of-the-international-rule-of-law-in-turbulent-times.
2 Koh, Harold Hongju, ‘The Trump Administration and International Law’ (2017) 56 Washburn Law Journal 413Google Scholar; Moran, Clare Frances, ‘Crystallising the International Rule of Law: Trump's Accidental Contribution to International Law’ (2017) 56 Washburn Law Journal 491Google Scholar; Jack Goldsmith, ‘The Trump Onslaught on International Law and Institutions’, Lawfare, 17 March 2017, https://www.lawfareblog.com/trump-onslaught-international-law-and-institutions.
3 Zimmermann (n 1) 1.
4 Krieger and Nolte (n 1) 1, 12.
5 The first UN GGE was appointed by the UN General Assembly in 2004 (UNGA Res 58/32 (8 December 2003), UN Doc A/RES/58/32), but it failed to adopt a consensus report. It was followed by three successful UN GGE appointed in 2009 (UNGA Res 60/45 (8 December 2005), UN Doc A/RES/60/45); 2012 (UNGA Res 66/24 (2 December 2011), UN Doc A/RES/66/24); and 2014 (UNGA Res 68/243 (27 December 2013), UN Doc A/RES/68/243), which adopted consensus reports respectively in 2010 (UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (16 July 2010), UN Doc A/65/201); 2013 (UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (24 June 2013), UN Doc A/68/98); and 2015 (UNGA, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22 July 2015), UN Doc A/70/174). A fifth UN GGE was appointed by the UN General Assembly in 2016 (UNGA Res 70/237 (23 December 2015), UN Doc A/RES/70/273), but at its last meeting, in June 2017, it failed and the governmental experts were unable to reach a consensus on its final report.
6 UN Doc A/68/98, ibid para 19; UN Doc A/70/174, ibid para 24 ff.
7 In that sense, the two editions of the Tallinn Manual, published in 2013 and 2017, offer a good overview of the applicability and application of the norms of international law to cyber operations: Schmitt, Michael N (ed), The Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013)CrossRefGoogle Scholar (Tallinn Manual 1.0); Schmitt, Michael N and Vihul, Liis (eds), The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017)CrossRefGoogle Scholar (Tallinn Manual 2.0). See also, notably, Delerue, François, Cyber Operations and International Law (Cambridge University Press 2019 forthcoming)Google Scholar; Delerue, François and Géry, Aude, ‘Le droit international et la cyberdéfense’ in Danet, Didier, Cattaruzza, Amaël and Taillat, Stéphane (eds), La Cyberdéfense – Politique de l'espace numérique (Armand Colin 2018)Google Scholar; Bannelier, Karine and Christakis, Théodore, Cyberattaques – Prévention-Réactions: Rôles des Etats et des Acteurs Privés [Cyber-Attacks – Prevention-Reactions: The Role of States and Private Actors] (Les Cahiers de la Revue Défense Nationale 2017)Google Scholar; Radziwill, Yaroslav, Cyber-Attacks and the Exploitable Imperfection of International Law (Brill/Nijhoff 2015)CrossRefGoogle Scholar; Roscini, Marco, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014)CrossRefGoogle Scholar; Kerschischnig, Georg, Cyberthreats and International Law (Eleven International 2012)Google Scholar; Dinniss, Heather Harrison, Cyber Warfare and the Laws of War (Cambridge University Press 2012)CrossRefGoogle Scholar.
8 See, eg, John Markoff and Andrew E Kramer, ‘U.S. and Russia Differ on a Treaty for Cyberspace’, The New York Times, 27 June 2009, https://www.nytimes.com/2009/06/28/world/28cyber.html; Arimatsu, Louise, ‘A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations’ in Czosseck, Christian, Ottis, Rain and Ziolkowski, Katharina (eds), 2012 4th International Conference on Cyber Conflict (NATO CCD COE Publications 2012)Google Scholar; Ido Kilovaty and Itamar Mann, ‘Towards a Cyber-Security Treaty’, Just Security, 3 August 2016, https://www.justsecurity.org/32268/cyber-security-treaty; Eilstrup-Sangiovanni, Mette, ‘Why the World Needs an International Cyberwar Convention’ (2018) 31 Philosophy & Technology 379CrossRefGoogle Scholar.
9 Sand, Peter H, de Sousa Freitas, Jorge and Pratt, Geoffrey N, ‘An Historical Survey of International Air Law before the Second World War’ (1960) 7 McGill Law Journal 24Google Scholar, 28.
10 ibid 29–31.
11 Convention relating to the Regulation of Aerial Navigation (entered into force 13 October 1919) 11 LNTS 173; Additional Protocol to the Convention relating to the Regulation of Aerial Navigation (entered into force 1 May 1920) 11 LNTS 173.
12 Sand, de Sousa Freitas and Pratt (n 9) 32.
13 Jankowitsch, Peter, ‘The Background and History of Space Law’ in von der Dunk, Frans (ed), Handbook of Space Law (Edward Elgar 2015) 1Google Scholar, 2.
14 UNGA Res 1348 (XIII) (13 December 1958) (adopted without vote).
15 UNGA Res 1472 (XIV) (12 December 1959) (adopted without vote).
16 UNGA Res 1962 (XVIII) (13 December 1963) (adopted without vote).
17 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies (entered into force 10 October 1967) 610 UNTS 205.
18 UNGA Res 2222 (XXI) (19 December 1966) (adopted without vote).
19 Agreement Governing the Activities of States on the Moon and Other Celestial Bodies (entered into force 11 July 1984) 1363 UNTS 21 (Moon Agreement).
20 Outer Space Treaty (n 17) 7, art 2; ibid, art 11.
21 UN Doc A/68/98 (n 5) 3, para 19.
22 UN Doc A/70/174 (n 5) 3, para 24.
23 See, notably, Report of the Secretary-General on Developments in the Field of Information and Telecommunications in the Context of International Security (Addendum) (9 September 2013), UN Doc A/68/156/Add.1; Report of the Secretary-General on Developments in the Field of Information and Telecommunications in the Context of International Security (30 June 2014), UN Doc A/69/112; Report of the Secretary-General on Developments in the Field of Information and Telecommunications in the Context of International Security (Addendum) (18 September 2014), UN Doc A/69/112/Add 1.
24 See, eg, Government of France, General Secretariat for Defence and National Security (SGDSN), ‘Revue stratégique de cyberdéfense’, 12 February 2018, 82, 85 and 87, http://www.sgdsn.gouv.fr/evenement/revue-strategique-de-cyberdefense; Australian Government, Department of Home Affairs, ‘Australia's Cyber Security Strategy: Enabling Innovation, Growth & Prosperity’, April 2016, 7, 28, 40–41, https://cybersecuritystrategy.pmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf; Ministry of Foreign Affairs of the Russian Federation, ‘Doctrine of Information Security of the Russian Federation’, 5 December 2016, art 34, http://www.mid.ru/en/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/2563163; UK Government, ‘National Cyber Security Strategy 2016–2021’, 1 November 2016, 63, https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021.
25 Prucher, Jeff (ed), The Oxford Dictionary of Science Fiction (Oxford University Press 2006)Google Scholar.
26 See, eg, Scott Thill, ‘March 17, 1948: William Gibson, Father of Cyberspace’, WIRED, 17 March 2009, http://archive.wired.com/science/discoveries/news/2009/03/dayintech_0317.
27 Gibson, William, Burning Chrome (Omni 1982) 72Google Scholar.
28 Gibson, William, Neuromancer (Ace Books 1984) 69Google Scholar.
29 In 2000, William Gibson commented on the origins of the term and criticised it in a documentary on his work, stating ‘[a]ll I knew about the word “cyberspace” when I coined it, was that it seemed like an effective buzzword. It seemed evocative and essentially meaningless. It was suggestive of something, but had no real semantic meaning, even for me, as I saw it emerge on the page’: Neale, Mark, No Maps for These Territories (Docurama 2000)Google Scholar.
30 ‘Cyberwar: War in the Fifth Domain’, The Economist, 1 July 2010, https://www.economist.com/briefing/2010/07/01/war-in-the-fifth-domain; see also Christy Marx, Battlefield Command Systems of the Future (Rosen 2005) 14; Radziwill (n 7) 3, 13.
31 Lavenue, Jean-Jacques, ‘Cyberespace et droit international: pour un nouveau jus communicationis’ (1996) 21 Revue de la recherche juridique: droit prospectif 811Google Scholar; Kulesza, Joanna, International Internet Law (Routledge 2012) 145–46CrossRefGoogle Scholar; Shackelford, Scott J, Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (Cambridge University Press 2014) 57 ffCrossRefGoogle Scholar; Radziwill (n 7) 3, 92–95; Tsagourias, Nicholas, ‘The Legal Status of Cyberspace’ in Tsagourias, Nicholas and Buchan, Russell (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2015) 28CrossRefGoogle Scholar; ‘IEG of the Global Commons’ UNEP 2016.
32 See generally Mark Barrett and others, Assured Access to the Global Commons: Maritime, Air, Space, and Cyber (NATO 2011), http://www.act.nato.int/globalcommons.
33 Rid, Thomas, Cyber War Will Not Take Place (Oxford University Press 2013) 165–66Google Scholar. See also Allen, Patrick D and Gilbert, Denis P Jr, ‘The Information Sphere Domain Increasing Understanding and Cooperation’ in Czosseck, Christian and Geers, Kenneth (eds), The Virtual Battlefield: Perspectives on Cyber Warfare (IOS Press 2009) 132–42Google Scholar.
34 It has been argued that cyberspace is a transversal domain interconnecting the four other domains: Ventre, Daniel, Cyberespace et acteurs du cyberconflit (Lavoisier & Hermes 2011) 87–88Google Scholar; Baudin, Laura, Les cyber-attaques dans les conflits armés: qualification juridique, imputabilité et moyens de réponse envisagés en droit international humanitaire (L'Harmattan 2014) 22Google Scholar.
35 See, eg, the definition of ‘cyberspace’ in Office of the Chairman of the Joint Chiefs of Staff, DOD Dictionary of Military and Associated Terms (The Joint Staff 2019), 59, https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf; see also Rosenne, Shabtai, The Perplexities of Modern International Law: General Course on Public International Law (Brill/Leiden 2004) 348–49Google Scholar.
36 Tanenbaum, Andrew S and Wetherall, David J, Computer Networks (5th edn, Prentice Hall 2012) 28–29Google Scholar; Clark, David, Berson, Thomas and Lin, Herbert S (eds), At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues (National Academies Press 2014) 21Google Scholar.
37 cf text at subs 1.3.
38 Ann Väljataga, ‘Back to Square One? The Fifth UN GGE Fails to Submit a Conclusive Report at the UN General Assembly’, NATO Cooperative Cyber Defence Centre of Excellence, 1 September 2017, https://ccdcoe.org/incyder-articles/back-to-square-one-the-fifth-un-gge-fails-to-submit-a-conclusive-report-at-the-un-general-assembly.
39 Arun M Sukumar, ‘The UN GGE Failed. Is International Law in Cyberspace Doomed as Well?’, Lawfare, 4 July 2017, https://lawfareblog.com/un-gge-failed-international-law-cyberspace-doomed-well; Adam Segal, ‘The Development of Cyber Norms at the United Nations Ends in Deadlock. Now What?’, Council on Foreign Relations, 29 June 2017, https://www.cfr.org/blog/development-cyber-norms-united-nations-ends-deadlock-now-what.
40 UN Doc A/68/98 (n 5) para 19; UN Doc A/70/174 (n 5) para 24 ff. cf text in subs 1.3.
41 ‘German Diplomat Selected to Chair UN Group of Experts on Cybersecurity’, Auswärtiges Amt [German Federal Foreign Office], 30 August 2016, https://www.auswaertiges-amt.de/en/aussenpolitik/themen/160830-vorsitz-expertengruppe-/283006.
42 Geneva Internet Platform (GIP) and DiploFoundation, ‘UN GGE: Quo Vadis?’, Geneva Digital Watch Newsletter, 30 June 2017, https://dig.watch/DWnewsletter22.
43 Michele G Markoff, ‘Explanation of Position at the Conclusion of the 2016–2017 UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security’, U.S. Department of State, 23 June 2017, https://www.state.gov/explanation-of-position-at-the-conclusion-of-the-2016-2017-un-group-of-governmental-experts-gge-on-developments-in-the-field-of-information-and-telecommunications-in-the-context-of-international-sec.
44 Representaciones Diplomáticas de Cuba en El Exterior, ‘71 UNGA: Cuba at the Final Session of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’, 23 June 2017, http://misiones.minrex.gob.cu/en/un/statements/71-unga-cuba-final-session-group-governmental-experts-developments-field-information.
45 ibid.
46 Andrey Krutskikh, ‘Response of the Special Representative of the President of the Russian Federation for International Cooperation on Information Security Andrey Krutskikh to TASS’ Question Concerning the State of International Dialogue in this Sphere’, Ministry of Foreign Affairs of the Russian Federation, 29 June 2017, http://www.mid.ru/en/foreign_policy/news/-/asset_publisher/cKNonkJE02Bw/content/id/2804288.
47 Elaine Korzak, ‘UN GGE on Cybersecurity: The End of an Era?’, The Diplomat, 31 July 2017, https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-russia-just-made-cyberspace-less-safe; Michael N Schmitt and Liis Vihul, ‘International Cyber Law Politicized: The UN GGE's Failure to Advance Cyber Norms’, Just Security, 30 June 2017, https://www.justsecurity.org/42768/international-cyber-law-politicized-gges-failure-advance-cyber-norms.
48 In respect of Cuba, see Representaciones Diplomáticas de Cuba en El Exterior (n 44). The Russian Federation proposed a draft Convention on International Information Security in 2011, and the Russian position in favour of an international treaty on this matter was repeatedly reaffirmed: Convention on International Information Security (entered into force 22 September 2011), Ministry of Foreign Affairs of the Russian Federation, http://www.mid.ru/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/191666.
49 BRICS is a group acronym that refers to Brazil, Russia, India, China and South Africa.
50 BRICS Leaders Xiamen Declaration, 2017 BRICS Summit, 5 September 2017, para 56, http://www.bricschn.org/English/2017-09/05/c_136583711_2.htm.
51 Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) Merits, Judgment [1986] ICJ Rep 14, [186].
52 Alex Grigsby, ‘The Year in Review: The Death of the UN GGE Process?’, Council on Foreign Relations Blog, 21 December 2017, https://www.cfr.org/blog/year-review-death-un-gge-process.
53 Pauwelyn, Joost, ‘Fragmentation of International Law’, in Max Planck Encyclopedia of Public International Law (Oxford University Press 2006)Google Scholar paras 1–5.
54 See, generally, ILC, Report on the Work of the 58th Session (1 May–9 June and 3 July–11 August 2006), UN Doc A/61/10, Ch XII.
55 The future of the discussions, notably at the UN and multilateral levels, has been discussed extensively at several events following the failure of the fifth UN GGE, notably at the UN Institute for Disarmament Research Conference ‘ICTs in the Context of International Peace and Security: Current Conditions and Future Approaches’, organised as a side event of the UNGA on 11 October 2017, as well as the French initiative on the ‘Role and Responsibilities of Private Actors in Strengthening the Stability and International Security of Cyberspace’, organised also as a side event of the UNGA on 18 September 2017, https://www.unmultimedia.org/avlibrary/asset/1970/1970538.
56 A similar view has been expressed by Michael Fischerkeller and Richard Harknett regarding the development of cyber norms of behaviour: ‘Because norms first emerge through behaviors, and then mature through international discourse, the fact that there is disagreement about what constitutes acceptable behavior suggests that global norms are unlikely to be adopted in the near term. Global cyberspace norms of responsible behavior cannot take root if the universe of “like-minded” states is a small proportion of salient cyber actors’: Fischerkeller, Michael P and Harknett, Richard J, ‘Deterrence Is Not a Credible Strategy for Cyberspace’ (2017) 61 Orbis 381CrossRefGoogle Scholar, 383.
57 UNGA Res 73/27 (5 December 2018), UN Doc A/RES/73/27.
58 UNGA Res 73/266 (22 December 2018), UN Doc A/RES/73/266.
59 Noortmann, Math and Ryngaert, Cedric, ‘Introduction: Non-State Actors: International Law's Problematic Case’ in Noortmann, Math and Ryngaert, Cedric (eds), Non-State Actor Dynamics in International Law: From Law-Takers to Law-Makers (Ashgate 2010) 1Google Scholar.
60 As recalled by the ICJ: ‘From a formal standpoint, the constituent instruments of international organizations are multilateral treaties, to which the well-established rules of treaty interpretation apply. … But the constituent instruments of international organizations are also treaties of a particular type; their object is to create new subjects of law endowed with a certain autonomy, to which the parties entrust the task of realizing common goals’: Legality of the Use by a State of Nuclear Weapons in Armed Conflict, Advisory Opinion [1996] ICJ Rep 66, [18]–[19].
61 Walter, Christian, ‘Subjects of International Law’ in Max Planck Encyclopedia of Public International Law (Oxford University Press 2013)Google Scholar paras 5, 26.
62 Peter Muchlinski, ‘Multinational Enterprises as Actors in International Law: Creating “Soft Law” Obligations and “Hard Law” Rights’ in Noortmann and Ryngaert (n 59) 14.
63 Noortmann and Ryngaert (n 59) 1–2; Jean d'Aspremont, ‘International Law-Making by Non-State Actors: Changing the Model or Putting the Phenomenon into Perspective?’ in Noortmann and Ryngaert (n 59) 171.
64 GCSC, ‘About – GCSC’, https://cyberstability.org/about.
65 GCSC, ‘Call to Protect the Public Core of the Internet’, November 2017, https://cyberstability.org/wp-content/uploads/2017/11/call-to-protect-the-public-core-of-the-internet.pdf.
66 See, eg, Joanna Kulesza and Rolf H Weber, ‘Protecting the Public Core of the Internet’, in GCSC, Briefings from the Research Advisory Group (GCSC Issue Brief No 1, Global Commission on the Stability of Cyberspace 2017) 75, https://cyberstability.org/wp-content/uploads/2017/12/GCSC-Briefings-from-the-Research-Advisory-Group_New-Delhi-2017.pdf.
67 Angela McKay and others, ‘International Cybersecurity Norms: Reducing Conflict in an Internet-Dependent World’, Microsoft, 2015, https://www.microsoft.com/en-us/cybersecurity/content-hub/reducing-conflict-in-lnternet-dependent-world.
68 Scott Charney and others, ‘From Articulation to Implementation: Enabling Progress on Cybersecurity Norms’, Microsoft, 2016, https://www.microsoft.com/en-us/cybersecurity/content-hub/enabling-progress-on-cybersecurity-norms.
69 See, eg, the intervention of Brad Smith, Microsoft President and Chief Legal Officer, at the 2017 RSA Conference: Brad Smith, ‘The Need for a Digital Geneva Convention’, Microsoft, 14 February 2017, https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention.
70 Charney and others (n 68) 10–12.
71 Smith (n 69).
72 On the creation of an international mechanism for attribution of cyber operations and, more generally, on cyber security, it is interesting to note that existing work generally focuses on the objects rather than the functioning and structures of international organisations. For this reason, they have focused mainly on the International Atomic Energy Agency (IAEA), the International Telecommunications Union (ITU), the Organisation for the Prohibition of Chemical Weapons (OPCW), as well as international investigations and fact-finding commissions. I emphasise the necessity in looking at other models of international organisations, and that the World Tourism Organization (UNWTO) should also be considered as a potential model. Indeed, the UNWTO offers a model of an organisation first created by non-state actors sharing similar objectives and later joined by states, which led to the transformation of a private organisation into an intergovernmental organisation with a specific system of membership, which allows the involvement of non-state actors.
73 John S Davis and others, Stateless Attribution: Toward International Accountability in Cyberspace (RAND 2017), https://www.rand.org/pubs/research_reports/RR2081.html.
74 On the decline of multilateral treaties, see notably ‘Agora: The End of Treaties?’ organised in 2014 by the American Society of International Law (ASIL): Meyer, Timothy, ‘Collective Decision-Making in International Governance’ (2014) 108 AJIL Unbound 30CrossRefGoogle Scholar; Trachtman, Joel P, ‘Reports of the Death of Treaty Are Premature, but Customary International Law May Have Outlived Its Usefulness’ (2014) 108 AJIL Unbound 36CrossRefGoogle Scholar; Szewczyk, Bart MJ, ‘Custom and Treaties as Interchangeable Instruments of National Policy’ (2014) 108 AJIL Unbound 41CrossRefGoogle Scholar; Fazal, Tanisha M, ‘The Fall and Rise of Peace Treaties’ (2014) 108 AJIL Unbound 46CrossRefGoogle Scholar; Koivurova, Timo, ‘Increasing Relevance of Treaties: The Case of the Arctic’ (2014) 108 AJIL Unbound 52CrossRefGoogle Scholar; Buys, Cindy Galway, ‘An Empirical Look at U.S. Treaty Practice: Some Preliminary Conclusions’ (2014) 108 AJIL Unbound 57CrossRefGoogle Scholar; Israel, Brian, ‘Treaty Stasis’ (2014) 108 AJIL Unbound 63CrossRefGoogle Scholar; Cantú-Rivera, Humberto, ‘The Expansion of International Law Beyond Treaties’ (2014) 108 AJIL Unbound 70CrossRefGoogle Scholar.
75 For instance, in the 2015 UN GGE reports, four ‘norms, rules and principles for the responsible behaviour of states’ constitute mere interpretations of existing norms of international law into this new context, such as norms (c), (e), (f) and (g): see, generally, François Delerue and Aude Géry, ‘État des lieux et perspectives sur les normes de comportement responsable des États et mesures de confiance dans le domaine numérique’, CEIS, 20 January 2017, https://ceis.eu/fr/etat-des-lieux-et-perspectives-sur-les-normes-de-comportement-responsable-des-etats-et-mesures-de-confiance-dans-le-domaine-numerique.
76 Letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, UN Doc A/66/359.
77 Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, UN Doc A/69/723.
78 As clearly stated in the ‘Purpose and Scope’ of the 2015 International Code of Conduct for Information Security, ‘[t]he purpose of the present code of conduct is to identify the rights and responsibilities of states in the information space, promote constructive and responsible behaviour on their part and enhance their cooperation in addressing common threats and challenges in the information space, in order to establish an information environment that is peaceful, secure, open and founded on cooperation, and to ensure that the use of information and communications technologies and information and communications networks facilitates the comprehensive economic and social development and well-being of peoples, and does not run counter to the objective of ensuring international peace and security’: ibid 4.
79 Delerue and Géry (n 75) 17–21.
80 Krutskikh (n 46).
81 Statute of the International Law Commission, annexed to UNGA Res 174 (II) (21 November 1947), UN Doc RES/174 (II), art 1. This article mirrors art 13(1)(a) of the UN Charter, according to which the General Assembly shall initiate studies and make recommendations for the purpose of encouraging the progressive development of international law and its codification.
82 Statute of the ILC, ibid art 2.
83 François Delerue, ‘The Codification of the International Law Applicable to Cyber Operations: A Matter for the ILC?’ (2018) 7 ESIL Reflections, http://esil-sedi.eu/?p=12885&lang=fr.
84 ‘L'Iran affirme avoir abattu un drone de reconnaissance américain’, Le Monde, 4 December 2011, http://www.lemonde.fr/proche-orient/article/2011/12/04/l-iran-affirme-avoir-abattu-un-drone-de-reconnaissance-americain_1613231_3218.html; ‘Iran Airs Footage of Downed US Drone’, PRESS TV, 8 December 2011; Scott Shane and David E Sanger, ‘Drone Crash in Iran Reveals Secret U.S. Surveillance Bid’, The New York Times, 7 December 2011, http://www.nytimes.com/2011/12/08/world/middleeast/drone-crash-in-iran-reveals-secret-us-surveillance-bid.html; Greg Jaffe and Thomas Erdbrink, ‘Iran Says It Downed U.S. Stealth Drone; Pentagon Acknowledges Aircraft Downing’, The Washington Post, 4 December 2011, http://www.washingtonpost.com/world/national-security/iran-says-it-downed-us-stealth-drone-pentagon-acknowledges-aircraft-downing/2011/12/04/gIQAyxa8TO_story.html?wprss=rss_national-security.
85 David E Sanger and Nicole Perlroth, ‘U.S. Said to Find North Korea Ordered Cyberattack on Sony’, The New York Times, 17 December 2014, http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html; Dave Boyer, ‘White House Threatens “Proportional” Response to North Korea Cyberattacks on Sony Pictures’, The Washington Times, 18 December 2014, https://www.washingtontimes.com/news/2014/dec/18/white-house-threatens-proportional-response-north-/.
86 Tsagourias, Nicholas, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (2012) 17 Journal of Conflict and Security Law 229CrossRefGoogle Scholar, 233; Matt Tait, ‘On the Need for Official Attribution of Russia's DNC Hack’, Lawfare, 28 July 2016, https://www.lawfareblog.com/need-official-attribution-russias-dnc-hack.
87 David D Clark and Susan Landau, ‘Untangling Attribution’, in Committee on Deterring Cyberattacks: Informing Strategies and Developing Options, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (National Academies Press 2010) 25, 37; Clark, Berson and Lin (n 36) 58; Roscini, Marco, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233Google Scholar, 240 (this article has been republished with minor changes in Roscini, Marco, ‘Evidentiary Issues in International Disputes related to State Responsibility for Cyber Operations’ in Finkelstein, Claire, Ohlin, Jens David and Govern, Kevin (eds), Cyber War: Law and Ethics for Virtual Conflicts (Oxford University Press 2015)Google Scholar).
88 ILC, Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries (2001) UN Doc A/56/10 (2001) (ARSIWA), arts 4–7.
89 Corfu Channel (United Kingdom v Albania), Merits, Judgment [1949] ICJ Rep 4, 18; De Frouville, Olivier, ‘Attribution of Conduct to the State: Private Individuals’ in Pellet, Alain and others (eds), The Law of International Responsibility (Oxford University Press 2010) 261Google Scholar.
90 De Frouville, ibid 261–64; see also Klabbers, Jan, International Law (Cambridge University Press 2013) 128CrossRefGoogle Scholar; ‘Commentary to the Articles on State Responsibility’ (2001) 2 Yearbook of the International Law Commission (Part II) 31, 47, commentary to art 8(1). For instance, in the Tehran Hostage case, the ICJ did not rely on the fact that the group of militant students, who occupied the US Embassy in Tehran and US Consulates in Shiraz and Tabriz, were Iranian citizens in order to attribute their conduct to Iran: United States Diplomatic and Consular Staff in Tehran (United States of America v Iran), Judgment [1980] ICJ Rep 3, [58]–[60]. The ICJ noted, however, that this ‘does not mean that Iran is, in consequence, free of any responsibility in regard to those attacks’: ibid [61].
91 ARSIWA (n 88) arts 8–11.
92 Shackelford, Scott, ‘From Nuclear War to Net War: Analogizing Cyber Attacks in International Law’ (2009) 27 Berkley Journal of International Law 192Google Scholar, 203; Tallinn Manual 1.0 (n 7) 3, 29–34, commentary to rule 6, paras 1–14; Woltag, Johann-Christoph, Cyber Warfare: Military Cross-Border Computer Network Operations under International Law (Intersentia 2014) 87–94Google Scholar; Roscini, Marco, ‘World Wide Warfare: Jus ad bellum and the Use of Cyber Force’ (2010) 14 Max Planck Yearbook of United Nations Law 85Google Scholar, 100.
93 Milanovic, Marko, ‘State Responsibility for Genocide’ (2006) 17 European Journal of International Law 553CrossRefGoogle Scholar, 577, 583; Talmon, Stefan, ‘The Responsibility of Outside Powers for Acts of Secessionist Entities’ (2009) 58 International & Comparative Law Quarterly 493CrossRefGoogle Scholar, 502.
94 In both Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v Uganda), Judgment [2005] ICJ Rep 168, and Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro), Judgment [2007] ICJ Rep 43.
95 ICTY, Prosecutor v Tadić, Judgment, IT-94-1-A, Appeals Chamber, 15 July 1999; for the purpose of this section we focus on the Appeal Chamber's decision, as the question of attribution was also addressed in the first instance decision: ICTY, Prosecutor v Tadić, Judgment, IT-94-1-T, Trial Chamber, 7 May 1997.
96 ICTY, Prosecutor v Zlatko Aleksovski, Judgment, IT-95-14/1-A, Appeals Chamber, 25 March 2000, [145]; Prosecutor v Zejnil Delalić, Zdravko Mucić (aka ‘PAVO’), Hazim Delić and Esad Landzo (aka ‘ZENGA’) (Čelebići Case), Judgment, IT-96-21-A, Appeals Chamber, 20 February 2001, [20]; ICTY, Prosecutor v Kordic, Judgment, Trial Chamber, IT-95-14/2-T 32, 26 February 2001, [112]. See also Shaw, Malcolm N, International Law (7th edn, Cambridge University Press 2014) 575Google Scholar; Klabbers (n 90) 129.
97 See also Shackelford (n 92) 203; Woltag (n 92) 91.
98 In a similar manner, the actions of Anonymous and the Russian Business Network show how an unorganised group is able to conduct widespread coordinated cyber operations: Roscini (n 92) 100–01; Woltag (n 92) 90–93.
99 Tikk, Eneken and Kaska, Kadri, ‘Legal Cooperation to Investigate Cyber Incidents: Estonian Case Study and Lessons’, in 9th European Conference on Information Warfare and Security, Thessaloniki, Greece (Academic Publishing 2010) 288Google Scholar.
100 Dmitri Galuškevitš [2007] Harju County Court (Estonia) No 1-07-15185; Katri Lindau, ‘Cyber Security in Estonia: Lessons from the Year 2007 Cyberattack’, Master's thesis, Tallinn University, 2012; Ottis, Rain, ‘Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective’, in Proceedings of the 7th European Conference on Information Warfare and Security, Plymouth (Academic Publishing 2008) 163Google Scholar.
101 See, generally, Kulesza, Joanna, Due Diligence in International Law (Brill/Nijhoff 2016)CrossRefGoogle Scholar; Mazzeschi, Riccardo Pisillo, ‘Due diligence’ e responsabilità internazionale degli stati (Giuffrè 1989)Google Scholar. See also International Law Association Study Group on Due Diligence in International Law, ‘First Report’, 7 March 2014, 2.
102 Bannelier and Christakis (n 7) 13–26; Tallinn Manual 2.0 (n 7) 30, rule 6; Kulesza (n 101) 288–301; Bannelier-Christakis, Karine, ‘Cyber Diligence: A Low-Intensity Due Diligence Principle for Low-Intensity Cyber Operations?’ (2015) 14 Baltic Yearbook of International Law 23Google Scholar; Schmitt, Michael N, ‘In Defense of Due Diligence in Cyberspace’ (2015) 125 Yale Law Journal Forum 68Google Scholar.
103 ARSIWA (n 88) arts 28–54.
104 The injured state may also resort to the plea of necessity under the law of state responsibility.
105 Marauhn, Thilo and Stein, Torsten, ‘Völkerrechtliche Aspekte von Informationsoperationen’ (2000) 60 Zeitschrift für ausländisches öffentliches Recht und Völkerrecht 1Google Scholar, 26; Sklerov, Matthew J, ‘Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses against States who Neglect Their Duty to Prevent’ (2009) 201 Military Law Review 1Google Scholar, 36; Roscini (n 92) 113; Dinniss (n 7) 105; Roscini (n 7) 3, 104–07; Robin Geiß and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus away from Military Responses towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace. International Law, International Relations and Diplomacy (NATO Cooperative Cyber Defence Centre of Excellence 2013) 632–33. See also Hinkle, Katharine C, ‘Countermeasures in the Cyber Context: One More Thing To Worry About’ (2011) 37 The Yale Journal of International Law Online 11Google Scholar, 11; Hathaway, Oona A and others, ‘The Law of Cyber-Attack’ (2012) 100 California Law Review 817Google Scholar, 857; O'Connell, Mary Ellen, ‘Cyber Security without Cyber War’ (2012) 17 Journal of Conflict and Security Law 187CrossRefGoogle Scholar, 204; Schmitt, Michael N, ‘“Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law’ (2014) 54 Virginia Journal of International Law 698, 698–99Google Scholar.
106 Delerue (n 7) Chs 6 and 10. Against this view, Sheng Li considers the regime of counter-measures as not adapted for active cyber defence for three reasons: (i) it offers insufficient protection for vulnerable states as only the injured state can take counter-measures; (ii) recourse to counter-measures might erode the prohibition of the use of force; and (iii) it does not offer a solution for threats arising from non-state actors: Li, Sheng, ‘When Does Internet Denial Trigger the Right of Armed Self-Defense?’ (2013) 38 Yale Journal of International Law 179, 211–15Google Scholar.
107 Dave Boyer, ‘White House Threatens “Proportional” Response to North Korea Cyberattacks on Sony Pictures’, The Washington Times, 18 December 2014, https://www.washingtontimes.com/news/2014/dec/18/white-house-threatens-proportional-response-north-; Julie Hirschfeld Davis and Gardiner Harris, ‘Obama Considers “Proportional” Response to Russian Hacking in U.S. Election’, The New York Times, 11 October 2016, http://www.nytimes.com/2016/10/12/us/politics/obama-russia-hack-election.html.
108 This is, for instance, the approach adopted by France in its 2018 Strategic Review of Cyberdefence: Secrétariat national à la Défense et la Sécurité nationale, ‘Revue stratégique de cyberdéfense’, February 2018, 82–83, http://www.sgdsn.gouv.fr/evenement/revue-strategique-de-cyberdefense. See the commentary in François Delerue and Aude Géry, ‘France's Cyberdefense Strategic Review and International Law’, Lawfare, 23 March 2018, https://www.lawfareblog.com/frances-cyberdefense-strategic-review-and-international-law.
109 Tallinn Manual 2.0 (n 7) 36–37.
110 UK Government, Attorney General's Office, ‘Cyber and International Law in the 21st Century’, 23 May 2018, https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.
111 ibid.
112 Tallinn Manual 1.0 (n 7); Tallinn Manual 2.0 (n 7).