Ireland Takes Key Stands on International Law in Cyberspace

On July 6th, Ireland released its Position Paper on the Application of International Law in Cyberspace. Coming on the heels of the 2021 UN Group of Governmental Experts (GGE, on cyberspace) “Official Compendium,” which contained the views of 15 nations, and the 2022 publication of Canada’s position (analysis), it might be mistaken for just another in a growing (yet laudable) string of such statements. That would be a mistake, for Ireland takes on the key contentious issues with particular focus, clarity, and legal precision. Its willingness to do so is noteworthy.

Sovereignty

The 2018 announcement by the United Kingdom’s Attorney General that the UK rejects characterization of sovereignty as a binding rule of international law applicable in cyberspace (confirmed in 2022) sparked a debate over sovereignty’s status. Despite continuing academic fixation on the issue, the international community appears to broadly have made up its collective mind. Every State that opined unambiguously on the matter has taken the position that it is a rule, leaving only the question of what types of remotely conducted State cyber operations breach the obligation to respect the sovereignty of other States.

Ireland has added yet another nail to the coffin. Citing the ICJ’s judgment in Nicaragua, it confirms that “[i]n line with the stated position of many other states, Ireland considers that respect for sovereignty is an obligation in its own right.” Lest there be any confusion, it emphasizes that a “violation of state sovereignty by way of cyber activities is capable of amounting to an internationally wrongful act and triggering state responsibility, even if such a violation falls short of the threshold of non-intervention or the use of force.” This is an important point, for there appears to be an effort afoot to broaden the prohibition on intervention, partly to compensate for questions about the existence and scope of the sovereignty rule. It also tracks the 2021 acknowledgment by the United States that, although taking no definitive position on sovereignty’s status, “In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or nonintervention, could also violate international law.” The U.S. statement begs the question, “if not sovereignty, then what?”, and would therefore align nicely with the point made by Ireland.

Particularly noteworthy is Ireland’s willingness to take on the real sovereignty challenge – identifying the threshold at which a cyber operation attributable to a State violates the rule. Ireland takes a broad view, extending violations not only to operations causing physical damage to private or public cyber or non-cyber infrastructure, but also to “functional impairment to such infrastructure, interference with data, and or secondary effects.” This is further than most States have been willing to go publicly. France is a notable exception, for in 2022, it asserted that “[a]ny cyberattack against French digital systems or any effects produced on French territory by digital means” violated French sovereignty.

Somewhat surprisingly, however, Ireland’s position does not directly address interference with or usurpation of inherently governmental functions like running elections as the basis for a sovereignty violation. Other countries, like Canada, have done so, as did the Tallinn Manual 2.0 experts (see discussion here). Ireland does reference “the independence of state powers” in the position paper discussion of sovereignty, but it is unclear whether it is meant to refer to inherently governmental functions. One would hope so.

Lastly, Ireland prudently warned that “[s]overeignty may not be relied upon to justify a state’s non-compliance with applicable obligations under international law,” noting that some States have done so by engaging in cyber surveillance or censorship that compromises human rights, “in particular the right to freedom of expression, freedom of thought, conscience and religion, and the right to privacy.” This explains why some authoritarian States, such as China and Russia, warmly embrace sovereignty. Ireland’s position paper is, therefore, an important confirmation that the rule of sovereignty does not shield States from their international human rights or other international law obligations.,

Non-intervention

Like all other States that have spoken to the matter, Ireland acknowledges the applicability of the prohibition on intervention in the cyber context (see, e.g., 2021 GGE report). In doing so, it cites the ICJ’s explanation in its Nicaragua judgment that intervention consists of two elements, 1) coercion into 2) “matters in which each state is permitted, by the principle of state sovereignty, to decide freely” (the so-called domaine réservé). This mainstream characterization of intervention is the topic of an important forthcoming article in the American Journal of International Law by my friend and University of Reading colleague, Marko Milanovic.

The only aspect of the Irish position on intervention that caused me hesitation reference to “cyber operations seriously compromising healthcare systems or national elections” as capable of amounting to unlawful intervention. Although this is accurate, it should be cautioned that cyber operations directed at healthcare or elections do not necessarily comprise intervention. Intervention involves one State attempting to coerce the domaine réservé of another. It is not the physical target of the operation that is the determinative factor but instead the focus of the coercion. Of course, an operation directly targeting healthcare systems or elections would amount to intervention if intended to influence a State’s healthcare or other policies or interfere directly with their execution (stand by for Marko’s discussion of direct and indirect coercion). This point is sometimes lost during discussions of intervention, particularly by those who would broaden the rule beyond its original parameters to compensate for their rejection or narrow interpretation of the sovereignty rule.

Due Diligence

While the sovereignty debate is fading fast, and there is no disagreement over the existence of a rule of non-intervention, the question of whether there is a rule of due diligence requiring States to take action to put an end to certain hostile cyber operations from or through their territory has split States that have spoken to the matter. Such disagreement is reflected in the inability of the UN GGE to secure consensus on the existence of a due diligence rule. As a result, it has always been presented by the GGE reports (which require unanimity) as a “ voluntary, non-binding norm of responsible State behaviour” [see, e.g., 2021 report, Norm 13(c)].

Numerous States claim no such rule yet exists, including, inter alia, the “Five-Eyes” States and Israel.  The Israeli position is the most descriptive: “[W]e have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form.” In my view, this and similar statements confuse crystallization of a new rule of international law with the interpretation of an existing rule. Be that as it may, I must admit that States that have rejected the rule’s existence are among those wielding impressive legal expertise. Their view cannot be dismissed easily.

Other States, especially in the European space (and Japan), take the opposite view. Germany’s position is illustrative: “The ‘due diligence principle’, which is widely recognized in international law, is applicable to the cyber context as well and gains particular relevance here because of the vast interconnectedness of cyber systems and infrastructures.” Ireland has adopted this approach, correctly so as a matter of law in my view, citing the ICJ’s Corfu Channel and Armed Activities on the Territory of the Congo judgments.

It is with respect to the rule’s parameters that the Irish position makes the most significant contribution. States that oppose the rule (or have taken no position) sometimes express concern that it would impose obligations too heavy to shoulder as a practical matter. Ireland pushes back on such concerns. It points out that “[d]ue diligence is a standard of conduct and not result” and that the “scope of the obligation… is context specific.” Citing Tallinn Manual 2.0 Rule 7, Ireland explains that a State is only required to take “measures that are feasible in the circumstances to put an end to cyber-operations conducted from its territory or by persons within its jurisdiction that affect a right of, and produce serious adverse consequences for, other states” (emphasis added). The State must have actual or constructive knowledge of the hostile operation, the latter to “an appropriate level.”

Interestingly, Ireland suggests that there is a “preventive element” to the obligation. Although it rejects a preventive monitoring requirement, it would impose an obligation to act when there is “an identifiable risk that actors within its jurisdiction intend to conduct cyber activities” that would qualify as explained above. In such cases, “the due diligence obligation requires that reasonable and feasible measures are taken to prevent such activities or mitigate their effects.” This preventive obligation goes further than most other States that have embraced a due diligence obligation, as well as the majority of the Tallinn Manual 2.0 experts, who saw the rule as currently extending only to those qualifying operations that are underway or imminent.

Finally, displaying a sophisticated understanding of the ongoing debate, Ireland has noted that due diligence has generally been considered in the context of environmental obligations. Therefore, it suggests that the “precise parameters in [the cyber] context might benefit from further consideration,” highlighting the constructive knowledge and preventive duty issues. In this regard, Ireland’s positions resemble Finland’s, but most other national statements expressing support for the due diligence rule do not take these two issues on.

State Responsibility

Ireland’s position paper addresses two facets of State responsibility – attribution and countermeasures. As to the former, it points to the International Law Commission’s Draft Articles on the Responsibility of States for Internationally Wrongful Acts, which it characterizes as “widely accepted as largely reflecting customary international law.” The position paper singles out three bases for attribution as the most likely to arise in the cyber context: 1) acts of state organs or officials; 2) direction and control; and 3) adoption. These refer to Articles 4, 8, and 11 of the ASR and the latter two are supported, as the paper observes, by the ICJ’s Nicaragua, Genocide Convention, and Tehran Hostages judgments. This is a well-accepted approach to the subject.

Usefully, Ireland emphasizes the distinction between legal attribution and political attribution, noting that the former is a “strictly legal exercise,” while the latter is “likely to be informed by political and technical assessments, often heavily based on intelligence reports.” This difference is often missed by pundits, who sometimes wrongly insist on a level of certainty as to attribution that is only required when legal attribution is at stake. Political attribution does not require any degree of certainty as a matter of law, although the GGE has adopted a voluntary non-binding norm of responsible State behaviour on the subject [2021 report, Norm 13(b)] and has stated that “accusations of organizing and implementing wrongful acts brought against States should be substantiated.”

As a general matter, Ireland’s treatment of countermeasures is likewise standard fare. It acknowledges that a State is entitled to engage in acts or omissions that would otherwise be unlawful in order to compel another State that is failing to comply with an obligation owed the former to desist. The countermeasure must be, inter alia, proportionate and cannot include the use of force. But it need not be in kind; a cyber internationally wrongful act may be responded to by non-cyber means and vice versa. The only requirement that departs from the understanding of other States is that a countermeasure must be temporary. Although there is general agreement that countermeasures should be temporary (or reversible) if possible, States have generally not pointed to a legally binding requirement along those lines in the cyber context.

The noteworthy aspect of the Irish approach to countermeasures deals with third-party collective countermeasures. Ireland has adopted the position that “state practice indicates that such measures are permissible in limited circumstances, in particular in the context of violations of peremptory norms.” Of course, this position begs the question, when would a collective countermeasure not be permissible?

Based on having considered the matter in depth with my West Point colleague, Sean Watts,  I find the Irish position a reasonable interpretation of the law, one responsive to situations in which, as noted in the Irish statement, it may be “necessary to respond to a malicious cyber operation with a counter operation, but [the injured States] lack the technological capability to do so on their own.” In this regard, Ireland joins such States as Estonia, which sparked the debate in 2019 when its President embraced collective countermeasures.

But not all States agree. For instance, Canada has opined that it “does not, to date, see sufficient State practice or opinio juris to conclude that these are permitted under international law.” Although I disagree, as Sean Watts and I concluded, it is not an unreasonable view. Given that most States have not opined on the matter, the UK Attorney General’s 2022 characterization of the situation appears to be on point: “[S]ome countries simply do not have the capability to respond effectively by themselves in the face of hostile and unlawful cyber intrusions. It is open to States to consider how the international law framework accommodates, or could accommodate, calls by an injured State for assistance in responding.”

Use of Force and Self-Defence

Ireland has adopted the “scale and effects” approach originally suggested by the first Tallinn Manual International Group of Experts for assessing when a cyber operation rises to the level of a use of force under Article 2(4) of the UN Charter and customary international law. It is now widely accepted, including by NATO Allies.

The circumstances under which non-injurious and non-destructive cyber operations might reach the use of force threshold remains a point of uncertainty among States. In this regard, Ireland states that a use of force “may include instances where a cyber-operation does not cause physical damage, such as where there is significant impairment of functionality of critical infrastructure.” Ireland’s mention of the loss of functionality and reference to critical infrastructure are important data points in the ongoing dialogue. However, unlike those of some other States, Ireland does not tease out other factors that may be relevant. For instance, Singapore has noted, “factors that may be taken into account include, but are not limited to, the prevailing circumstances at the time of the cyber operation, the origin of the cyber operation, the effects caused or sought by the cyber operation, the degree of intrusion of the cyber operation, and the nature of the target.” Yet, considering its mention of functionality and critical infrastructure, Ireland presumably would take notice of an array of factors in performing a use of force assessment.

As to self-defense, the position paper accurately identifies the issue as assessing when a cyber operation amounts to an “armed attack” under Article 51 of the UN Charter, such that the victim State may resort to forcible measures to defend itself. It points to the scale and effects test that, in the self-defense context, the ICJ crafted in its Nicaragua judgment, but cautions that only in “exceptional circumstances” could a cyber operation reach this threshold. Nevertheless, it joins a growing number of States that reject the need for physical damage before a hostile cyber operation triggers the right of self-defence: “It is conceivable that this need not necessitate physical damage, where for example loss or impairment of functionality to ICT infrastructure is inflicted on such a scale and with such effects that it is comparable to a conventional armed attack.” Given the centrality of cyber operations to the functioning of modern societies, it seems only logical to adopt such an approach. Indeed, France, Norway, and Singapore have already accepted the possibility that a cyber operation against their national economies having severe effects could rise to the level of an armed attack. I suspect that most States would adopt the same approach in extreme cases.

International Humanitarian Law and International Human Rights Law

Ireland accepts the applicability of international humanitarian law in the cyber context during an armed conflict, as did, finally, the GGE in 2021 (its first explicit reference to international humanitarian law). The only controversial issue Ireland takes on is the definition of “attack” in the cyber context. This is a critical issue, for many of the conduct of hostilities rules are framed in terms of “attack,” as in the case of the prohibition on attacking civilian objects, the proportionality in attack rule, and the requirement to take precautions in attack.

Several states, such as Israel, have interpreted the term as limited to situations in which the operation causes death, injury, or physical damage. Ireland rejects this narrow characterization and instead “extends [the meaning of attack] to cyber operations expected to cause loss of functionality to networks or electronic systems.” It explains that “[t]o interpret the term otherwise would mean that a cyber-operation that is directed at making a civilian network (such as electricity, banking, or communications) dysfunctional, or is expected to cause such effect incidentally, might not be covered by essential IHL rules protecting civilians and civilian objects, and would not be consistent with the object and purpose of the Geneva Conventions and their Additional Protocols.”

This is an important point and one with which I generally agree. However, there is a risk of taking an interpretation crafted this broadly too far. For instance, would it prohibit a cyber operation that only temporarily interferes with the functioning of civilian cyber infrastructure? Such an interpretation would, for example, bar some psychological operations involving civilian populations that are already a common aspect of State practice during armed conflict. It will be interesting to see how Ireland explains this approach from an operational perspective.

Although Ireland took a position on this controversial issue, it did not do so on the companion issue of whether data amounts to an “object” under IHL, such that the rule prohibiting attacks on civilian objects bars cyber operations altering or deleting civilian data absent causation of the requisite harm to the system (damage or, in the Irish view, interference with functionality). As I have noted elsewhere, these issues are interrelated; neither will be easily resolved among States.

Finally, the Irish discussion of international human rights law in cyberspace is likewise relatively standard. Like many other States and the GGE, Ireland supports the Human Rights Council Resolution 20/8 statement that “the same rights that people have offline must also be protected online.” Ireland does not, however, take on the fraught issue of the extraterritorial application of human rights obligations in general, or that of whether an ability to control the enjoyment or exercise of human rights by individuals in another country (especially expression and privacy) triggers human rights obligations.

Conclusion

Having been involved in the Tallinn Manual project for the past 15 years, I am delighted that many States are now addressing the issue of how international law applies in cyberspace. Indeed, as Ireland’s position paper demonstrates, they are doing so with ever greater granularity, sophistication, and a growing willingness to take on the tough issues. And in the effort to better understand international cyber law, it is only appropriate that States take center stage. Ireland is to be commended for its willingness to do so. Other States should follow its lead.