Canada Takes on International Law in Cyberspace

This April, Global Affairs Canada (GAC, the foreign ministry) released Canada’s position on the application of international law in cyberspace. Unfortunately, for two reasons, the statement failed to attract the attention it merited. First, Canada released it on the heels of the 2019-21 U.N. Group of Governmental Experts (GGE) Report on State behaviour in cyberspace, to which an exceptionally important compendium containing the views of 15 other nations on the same subject was annexed. Second, and more significantly, it arrived as the international law community’s attention was riveted on Russia’s unlawful attack against Ukraine and the many international humanitarian law (IHL) violations and war crimes that have characterized its “special military operation.” That the Canadian statement did not draw attention is unfortunate, for it sets forth the views of an influential player in the interstate cyber law dialogue, and one that has devoted significant resources to legal capacity-building globally in the field.

In this post, I describe key elements of the Canadian statement, compare it to other States’ positions, and offer my legal assessment of certain positions Canada takes. As will be explained, it is a statement that reflects care in preparation and offers sophisticated legal analysis.

The Role of International Law

Like every other State that has set forth its views on the matter, as well as the U.N. cyber GGEs (2013, 2015, 2021) and the 2019-2021 Open-Ended Working Group, Canada endorses the applicability of international law in cyberspace, noting that it ‘ensure(s) global stability and security’. Yet, Canada goes further than most statements by zeroing in on the challenging international law question – how international law rules apply.

It is uncertainty over this question that is the source of current normative instability in international cyber affairs. Some States and commentators applaud ambiguity as affording them greater flexibility in conducting their own cyber operations and responding to hostile ones. For them, clear rules can act as obstacles to cyber operations they might need to engage in to secure their national interests.

Canada, correctly in my view, takes a different approach. In the statement, it calls on States to ‘develop and publish’ their national views because,

articulation of national positions on how international law applies to State action in cyberspace will increase international dialogue and the development of common understandings and consensus on lawful and acceptable State behaviour. These statements can help reduce the risk of misunderstandings and escalation between States arising from cyber activities.

This assertion might seem pro forma, even cliched. It is not. A lack of granular consensus regarding the parameters of rules on topics that range from the prohibitions on sovereignty and intervention to the rules governing the use of force and how to define “attacks” in IHL has produced confusion over when a State may be condemned for violating international law and when responses such as countermeasures or self-defence are permissible.

Of course, State expressions of opinio juris only contribute to stability when they are the product of informed interpretation. Therefore, Canada, as did the 2021 GGE and OEWG reports, ‘strongly advocate[s] for capacity-building on the application of international law in cyberspace’. It notes the need for ‘ensuring that the broadest possible group of States participates effectively in addressing these questions’. And GAC is “walking the walk” by supporting legal capacity-building programs in Latin America, the Caribbean, the Middle East, and Africa.

Finally, Canada acknowledges the utility of “agreed voluntary, non-binding norms for responsible State behaviour in cyberspace”, such as those that appear in the various GGE consensus reports. But Canada has stressed that these norms ‘do not replace or alter States’ binding obligations or rights under international law’. This is a critical point. Because the GGE reports are consensus products, any opposition to the characterization of a norm as a rule of international law precludes the GGE from treating it as such. The paradigmatic example is the rule of due diligence (see below), which successive GGEs have cited as a voluntary, non-binding norm but which some States that have participated in the GGEs (e.g., Estonia and Netherlands) view as a primary rule of international law rule. In other words, characterization as a voluntary, non-binding norm does not preclude a State from taking the position that the norm is, in fact, a binding rule of law.

Conventional Views

Before turning to the striking elements of the Canadian statement, it is useful to catalogue the points on which Canada adopts a conventional view of applicability. By conventional, I mean there is little disagreement among States regarding the position. While articulating these views may seem unexceptional, doing so is essential to the maturation of international law in cyberspace. After all, the more States confirm the status of a particular rule as applicable in cyberspace and explain its content, the more likely it is that States will give the rule effect in their cyber operations.

Canada recognizes the applicability to cyber operations of the law of State responsibility, a customary body of law, much of which is captured in the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts. The GAC statement notes that an internationally wrongful act in the cyber context must consist of an action or omission that breaches an international law obligation owed another State or the international community and that is attributable to the State concerned under international law (Article 2). It also singles out two circumstances precluding wrongfulness – self-defence and countermeasures (Articles 21 & 22) – but does not exclude the possibility of other circumstances, such as consent, also precluding a cyber operation’s wrongfulness (Chapter V).

Taking on an oft-confused topic, the Canadian statement notes that a State is directly or indirectly responsible for the actions of a non-State actor when the latter has ‘acted on the instructions of, or under the direction or control of’ that State. In doing so, it acknowledges the customary law status of Article 8 of the Articles on State Responsibility. Importantly, Canada cautions that ‘States bear no obligation to publicly provide the basis upon which an attribution is made’. This is a correct statement of law, although States accused of engaging in wrongful cyber conduct sometimes insist that States levelling accusations provide evidence (see, e.g., here). The farthest any UN GGE has gone in this regard is articulating a voluntary, non-binding rule of responsible State behaviour that ‘accusations of organizing and implementing wrongful acts brought against States should be substantiated’ (e.g., 2021 Report)

The statement contains one misstep regarding the law of State responsibility. It suggests, ‘The law of State responsibility is not concerned with the legality of the use of force, including in self-defence, which is a separate area of international law’. In fact, that body of law governs whether States are responsible for the internationally wrongful act of using force, cyber or non-cyber (see below).

Canada is correct, however, that the rules of State responsibility do not bear directly on the issue of self-defence. Self-defence is about when a State may respond to a hostile cyber operation, not whether it is responsible for an internationally wrongful act. But, of course, if a State responds to cyber operations forcibly without a justification such as self-defence or Security Council authorization under Chapter VII of the U.N. Charter, it will be responsible for having used force wrongfully, at least so long as law of State responsibility requirements are satisfied.

Canada also has adopted a mainstream approach to international human rights law, emphasizing that ‘all individuals enjoy the same human rights, and States are bound by the same human rights obligations, online just has offline’. In doing so, it echoes earlier statements by, inter alia, GGEs (e.g., 2021 Report), other States (e.g., U.K.), and the Human Rights Council (e.g., see here). The Canadian statement cites both the obligation to respect, and that requiring States to ensure the enjoyment and exercise of human rights to persons on a State’s territory and subject to its jurisdiction, as required by Article 2(1) of the International Covenant on Civil and Political Rights. Canada does not take on the contentious issue of whether and if so when human rights obligations attach extraterritorially (on the subject, see Milanovic).

Although the subject is often ignored in statements on international law in cyberspace, Canada emphasizes the legal obligation to settle disputes peacefully, citing Articles 2(3) and 33(1) of the UN Charter and Tallin Manual 2.0, Rule 65. Although the statement notes that the obligation is not unlimited, it does not develop the distinction between disputes involving cyber activities that are ‘likely to endanger the maintenance of international peace and security’ (Article 33(1)) and those that do not, which are primarily governed by Article 2 (3). In the former situations, States shoulder an affirmative obligation to try to settle the dispute. No such obligation attaches in the latter cases, but if an attempt is made to resolve the dispute, States may only resort to peaceful means.

The Canadian statement does note that the option of retorsion is always available as a response to a hostile cyber operation because retorsion is by definition a lawful act (or omission). In doing so, it echoes other States that have emphasized the point (e.g., see the statements by Estonia, Germany, Netherlands, Norway, Singapore, Switzerland, the U.K., and the U.S. in the 2021 compendium).

With respect to the prohibition on the use of force found in Article 2(4) of the UN Charter, Canada joins a growing number of States (e.g.,  Estonia, Germany, Italy, Netherlands, New Zealand, Norway, the U.S., and NATO) that have adopted a “scale and effects” test that the Tallinn Manual experts first suggested in the work’s 1st edition. Drawing on the International Court of Justice’s analysis of the notion of “armed attack” in the context of self-defence (Paramilitary Activities, ¶ 195), they found the approach equally helpful when considering uses of force. However, although fast becoming the standard metric against which hostile cyber operations will be judged vis-à-vis the prohibition, the standard does not resolve the question of what scale and which effects so qualify. As Canada notes, the analysis will therefore have to be made on a case-by-case basis, a point the Tallinn Manual experts also acknowledged.

Contentious or Unsettled Issues

Sovereignty: The most significant aspect of the Canadian statement is its acceptance of sovereignty as a rule of international law, and not just a principle, a position contrary to that the United Kingdom has taken since 2018 (see Attorney General statements of 2018 and 2022). Indeed, Canada notes that ‘it is axiomatic that the principle of sovereignty applies in cyberspace’.

Canada’s position on the matter, with which I strongly agree, as did the Tallinn Manual 2.0 experts (Rule 4), is consistent with that of every other State that has directly addressed the issue. In that sense, the Canadian statement is unexceptional. However, Canada’s position is highly significant because it is the second “Five Eyes” country (Australia, Canada, New Zealand, U.K., U.S.) to treat sovereignty as a rule that can be violated on its own accord. Five Eyes members have always been hesitant about expressing differences in legal interpretation. Indeed, only New Zealand previously rejected the U.K. position on this issue.

Interestingly, the United States avoided taking a firm position on the matter in its 2021 U.N. GGE compendium statement. But it did note that a cyber operation could be unlawful even though it did not violate the use of force or intervention prohibitions. And the most likely obligation such an operation would breach is the rule requiring respect for other States’ sovereignty. Moreover, when a footnote in NATO’s Allied Joint Doctrine for Cyberspace Operation recognized sovereignty as a rule, the United Kingdom reserved on the point, but the United States did not, even though it attached other reservations.

Canada’s discussion of the rule of sovereignty is particularly sophisticated in that it points to the fact that States can violate sovereignty in two ways. Most States that have addressed sovereignty recognize that cyber operations may violate another State’s sovereignty by virtue of territoriality. Canada builds out this basis, noting,

The scope, scale, impact or severity of disruption caused, including the disruption of economic and societal activities, essential services, inherently governmental functions, public order or public safety must be assessed to determine whether a violation of the territorial sovereignty of the affected State has taken place.

For Canada, then, the focus should be on the impact or severity of cyber effects in the territory of the State into which the hostile cyber operation is conducted. Notably, the references to disruption, activities, services, functions, and safety would appear to indicate that an operation need not directly cause physically damaging effects to qualify as a violation. This resembles France’s emphasis on causing “effects” that manifest on French territory as triggering a sovereignty violation.

The statement uses the term ‘significant harmful effects’ to signal when sovereignty is likely to have been violated and includes situations involving “loss of functionality”, a concept originally developed by the Tallinn Manual experts. But Canada sensibly cautions that the fact that a cyber operation is carried out on or through cyber infrastructure located in the territory of another State does not, standing alone, amount to a sovereignty violation. On the contrary, a footnote in the statement notes that espionage, without more, is not internationally wrongful. Additionally, Canada notes that negligible or de minimis direct or indirect effects do not rise to the level of a sovereignty violation.

Canada’s statement goes further by recognizing the frequently ignored second basis for a violation of sovereignty – interference with, or usurpation of, another State’s inherently governmental function (see discussion in Tallinn Manual 2.0, Rule 4 commentary). The basis is of particular significance because, as Canada perceptively notes, it applies “regardless of whether there is physical damage, injury, or loss of functionality.” I would disagree with Canada’s characterization of the interruption of healthcare as necessarily qualifying on this basis for reasons that Marko Milanovic and I have discussed elsewhere. Nevertheless, Canada’s reference to such interference or usurpation as a sovereignty violation deepens the dialogue over sovereignty.

Intervention: The U.N. GGEs and individual States have repeatedly acknowledged that the prohibition on wrongful intervention into the internal or external affairs of other States applies in the cyber context (see discussion at Tallinn Manual 2.0, Rule 66). No State has disputed this premise. There is also universal agreement that, as noted by the International Court of Justice in its Paramilitary Activities judgment (¶ 205), intervention consists of 1) coercive action against another State 2) concerning its domaine réservé, that is, areas of activity left by international law to the State regulation. Canada joins the growing list of states accepting the prohibition’s application to cyber operations

The unresolved issues regarding intervention are the activities that qualify as falling within the domaine réservé and, more importantly, the threshold at which an act of influence crosses into the realm of coerciveness. They are especially important considering the U.K.’s rejection of sovereignty as a rule of law. The question they beg is whether a relaxed interpretation of intervention’s elements can compensate for the work that the sovereignty rule would otherwise do. In my estimation, the answer is that it can only partly do so.

Canada defines coercive effects as those that ‘deprive, compel, or impose an outcome on the affected State’. As the GAC statement notes, this definition excludes public diplomacy, criticism, persuasion, and propaganda from the ambit of intervention. However, for Canada, disabling an election commission, preventing individuals from voting, and conducting cyber activities against a major gas pipeline that compel the affected State to change its position in bilateral negotiations regarding an international energy agreement would qualify as coercive. I agree. The last example is especially helpful as it illustrates intervention into a State’s external affairs; most examples tend to illustrate intervention into internal affairs.

The Canadian statement does introduce some terminological ambiguity. It refers to the domaine réservé as consisting of ‘inherently sovereign functions’. This usage risks confusion with the concept of “inherently governmental functions,” interference with which amounts to a violation of sovereignty, as the Canadian statement accurately observes (see also Tallinn Manual 2.0, Rule 4).

The domaine réservé sometimes overlaps with inherently governmental functions, as in conducting elections. But that is not always the case. For instance, educational activities fall within the domaine réservé but are not inherently governmental, for private entities deliver education in many States. Similarly, law enforcement is an inherently governmental function because only States are authorized to engage in such functions as detention. But all aspects of law enforcement do not fall within the domaine réservé. On the contrary, many, like detention, are subject to international human rights law. Canada’s use of the term inherently sovereign functions in relation to intervention is not improper, so long as the term is properly understood. Still, it might invite some degree of confusion.

Due Diligence: Whether there is a general international law rule of due diligence, and if so, whether it applies in the cyber context, remains unsettled. As the Tallinn Manual 2.0 IGE explained (Rules 6-7), this customary rule, which is reflected in the 1928 Island of Palmas arbitration and 1949 Corfu Channel judgment, obligates States to take measures to put an end to hostile cyber operations from or through their territory. It is a limited rule that only applies to ongoing or temporally imminent cyber operations mounted by States or non-State actors that cause serious adverse consequences for another State’s rights under international law. Before the obligation attaches, the territorial State must be aware of the offending operation, and a breach only occurs if that State can, but elects not to, terminate it

Due to an inability to secure consensus on the existence of such a rule, the UN GGE has always presented it as a so-called voluntary, non-binding norm of responsible State behaviour [e.g., see 2021 report, Norm 13(c)]. Many States, including most European countries that have spoken to the issue, are comfortable citing it as a rule of law, a position with which the Tallinn Manual 2.0 experts, including me, agree. But like other “Five Eyes” States (and Israel), Canada remains unwilling to characterize due diligence as a rule yet, a curious position in that the rule opens the door to responding against non-State actors or in situations where attribution is ambiguous.

However, the Canadian statement is helpful in two regards. First, it sets forth the aforementioned criteria with some granularity. Thus, even though Canada concludes that due diligence cannot yet reliably be said to be a rule, its statement contributes to identifying due diligence’s parameters.  As importantly, Canada leaves the door open to further developments.

Canada does not consider that the UN GGE consensus in 2015, and subsequently, on voluntary, non-binding norms touching on this matter precludes the recognition of a binding legal rule of due diligence under customary international law. Canada continues to study this matter.

Making the point that characterization as a non-binding norm does not settle the matter is especially important, for such norms are often misinterpreted as confirmation that a norm lacks rule status.  As noted earlier, all labelling a norm as such does is confirm that unanimity could not be achieved within the GGE on its normative status.

Countermeasures: As have most other states that have set forth their international cyberlaw positions, Canada acknowledges the right to take countermeasures in the face of internationally wrongful acts (Articles on State Responsibility, Articles 22, 49-53; Tallinn Manual 2.0, Rules 20-25). Because countermeasures are otherwise unlawful acts, they are limited. Canada points out that countermeasures are unavailable as an act of retaliation but may instead only be taken to induce compliance with international law and/or secure reparations (Article 49); may not rise to the level of a threat or use of force and must be consistent with peremptory norms (Article 50); and must be proportionate (Article 51). The statement also usefully notes a point of law that is often missed – they need not be in kind. Cyber countermeasures may be taken in response to non-cyber internationally wrongful acts and vice versa.

As to the unsettled issue of whether the State must provide evidence justifying the taking of countermeasures, Canada, correctly in my estimation, is of the view that no such obligation exists (although a State taking a countermeasure should have reasonable grounds to act). Some States have also pushed back against the existence of a duty to notify the State against which countermeasures are directed of an intention to engage in them (France, Israel, Netherlands, New Zealand, the United Kingdom, and the United States).

In their view, the scope of any such obligation needs to be further defined. The Articles on State Responsibility’s commentary to Article 52 admits of the possibility of so-called “urgent countermeasures” in certain circumstances. The States mentioned have emphasized the practical problems associated with pre-notification in the cyber context, such as revealing capabilities and enabling the targeted State to take defensive measures. On this issue, Canada observes, ‘The precise scope of certain procedural aspects of countermeasures, such as notification, needs to be further defined through State practice given the unique nature of cyberspace’.

Finally, Canada addresses the controversial issue of collective cyber countermeasures, that is, the right to engage in countermeasures on behalf of, or in concert with, a State that is entitled to take countermeasures. The GAC statement opines that there is currently ‘[in]sufficient State practice or opinio juris to conclude that these are permitted under international law’.

This is a fair position, but one with which I disagree (I’ve rethought the position I took during the Tallinn Manual deliberations). Indeed, I find the view especially problematic in the cyber context, where a victim State may lack the capacity to respond effectively to unlawful cyber operations by another State. It is a particularly important disagreement in NATO circles, where France has argued against collective countermeasures, with Estonia taking the opposite position.

Canada emphasizes, however, as did the Tallinn Manual 2.0 IGE (commentary to Rule 24), that States may assist other States if the assisting State’s actions would not otherwise be unlawful. Thus, for instance, NATO’s Cyber Rapid Reaction teams are generally on firm legal footing when assisting Allies to respond within their own systems and recover.

International Humanitarian Law: Canada correctly dismisses the misplaced concern that acknowledging IHL’s applicability to cyber operations during armed conflict somehow militarizes cyberspace or otherwise legitimizes unlawful cyber activities. In doing so, it joins the ICRC and most other States that have addressed the matter. Hopefully, the agreement reached during the last GGE that IHL applies to cyber operations during armed conflicts will put this unfortunate debate to rest once and for all.

One interesting comment made by Canada in its IHL discussion is that Parties to the 1977 Additional Protocol I to the Geneva Conventions must review new weapons, means or methods of warfare to ensure their compliance with IHL (Article 36). As a Party to the instrument, its terms bind Canada.

However, the scope of the customary obligation is somewhat unsettled.  The United States has taken the position that for States that are not Party to AP I, the weapons review obligation extends only to means of warfare (weapons) and not (methods). With Jeff Biller, I have suggested elsewhere that cyber capabilities may qualify as methods of warfare (tactics) but not necessarily means of warfare (weapons), a view that affects the scope of the customary review obligation. The Canadian statement that ‘not all cyber capabilities and activities will constitute a weapon or means or method of warfare’ is relevant to the discussion.  If the Canadian point is correct, and I believe it is, the classification of cyber capabilities and activities will loom large when assessing cyber capabilities under either AP I or customary law.

Conclusion

Although I agree with most of Canada’s analysis, especially its robust discussion of sovereignty, there are points with which I disagree, such as the positions on due diligence and collective countermeasures. But States make and authoritatively interpret international law, not law professors. Therefore, even where I disagree, I find the Canadian statement to be a significant contribution to understanding how international law applies in the cyber context. Simply put, Canada has moved the discussion forward. And it continues to do so through active international engagement on the subject and its robust global capacity-building program.