Israel’s Cautious Perspective on International Law in Cyberspace: Part I (Methodology and General International Law)

Last week, Israel’s Deputy Attorney General for International Law, Dr. Roy Schöndorf, delivered an important virtual speech on his nation’s positions regarding the application of international law in cyberspace at the “Disruptive Technologies and International Law” conference hosted by the US Naval War College’s Stockton Center for International Law. The sophisticated presentation described Israel’s legally cautious, and occasionally surprising, positions on many of the issues that lie at the heart of the ongoing international discourse, including at multilateral fora like the Group of Governmental Experts and Open-Ended Working Group that are dealing with cyber norms.

In this two-part series, I will assess Israel’s methodology and positions. Part I examines the approach Israel takes when engaging in the complex task of determining if and how specific rules apply in the cyber context, as well as its views on key aspects of sovereignty, intervention, due diligence, attribution and countermeasures. Part II will consider Israel’s positions on the jus ad bellum, the body of law governing when states may resort to force as an instrument of their national policy, and the jus in bello (international humanitarian law), which includes the rules that govern how cyber operations may be conducted during armed conflicts.

Methodology

Dr. Schöndorf’s survey is especially erudite in terms of analytical approach. Too often, states take positions on the existence or interpretation of international law rules in the cyber context that are motivated by factors lying well beyond the accepted rules of legal interpretation, which are sometimes given short shrift. Of course, it is appropriate for national interests to inform legal views so long as the rules of interpretation are respected in good faith. But Dr. Schöndorf commendably, and very appropriately, began with the rules of interpretation. While I may differ with some of the conclusions his nation draws about the primary rules, Israel is on methodological terra firma.

In determining how international law governs cyber activities, it turns to the well-accepted customary rules of interpretation captured in Article 31 of the Vienna Convention on the Law of Treaties, by which interpretation is to be based on “the ordinary meaning to be given to the terms of the treaty in their context and in the light of its object and purpose.” Subsequent agreement between the parties regarding interpretation or application of a provision in question, as well as subsequent practice in applying the treaty that establishes agreement among the parties regarding its interpretation, are also relevant. As to customary law, Dr. Schöndorf emphasized the uncontested requirement for both state practice and opinio juris that is reflected in Article 38(1)(b) of the Statute of the International Court of Justice.

The challenge lies in applying these traditional interpretive rubrics to cyber operations. As Dr. Schöndorf pointed out, cyber operations are often conducted transnationally, can involve cyberinfrastructure controlled by the private sector, sometimes have no meaningful physical manifestations, and at times produce unique social and economic consequences. And cyber technology and techniques are highly dynamic. He rightly concludes that these factors “suggest that an extra layer of caution must be exercised in determining how exactly international rules apply to cyber operations, and in evaluating whether and how additional rules should be developed.”

With respect to international law rules that predate the advent of cyber operations, or particular aspects of such operations, this means, as he observes, that “[t]he key question in identifying state practice is whether the practice which arose in other domains is closely related to the activity envisaged in the cyber domain. Additionally, it must be ascertained that the opinio juris which gave rise to the customary rules applicable in other domains was not domain specific.”

Although the statement is proffered with respect to customary law, it is no less accurate for treaty law. For instance, treaty law that is specific to a particular domain, like the provisions of space law, may never be extended to cyber operations beyond that domain, whereas rules such the UN Charter’s use of force prohibition that are not domain-specific are susceptible to application in the cyber domain, albeit with sensitivity to any cyber-unique characteristics. Of course, the question is how this approach by Israel shapes its view of how extant law applies in the cyber context.

Sovereignty

For some time, the most prominent debate regarding the application of international law to cyber operations has involved sovereignty (see, e.g., here and here). The debate is significant not because of the extent of disagreement (there isn’t much), but rather because of the oft-determinative legal significance of the notion in the cyber context. Indeed, it is the issue most likely to be implicated during hostile cyber operations by a state that take place outside an armed conflict, both with respect to whether they are unlawful and to the response options available to the victim state under international law.

The debate surrounds the issue of whether sovereignty is simply a principle of international law from which binding international law rules emerge, or a primary rule of international law, the violation of which by cyber means constitutes an “internationally wrongful act” (Articles on State Responsibility, art. 2). Only the United Kingdom has taken the first position publicly, whereas all other states that have opined directly on the matter characterize sovereignty as both a principle and a rule of international law (e.g., Bolivia, China, Czech Republic, Finland, France, Germany, Guatemala, Guyana, Iran, Netherlands, New Zealand, Republic of Korea, and Switzerland, as well as NATO except for the UK — see here, here, and here). Some states remain on the fence, either by failing to express a view or by discussing the matter without taking a firm position thereon, as is the case of the United States.

Israel is in the last camp. It is interesting that in the discussion of the sovereignty Dr. Schöndorf distinguished sovereignty as a territorial notion from one denoting “political will and sovereignty,” and suggests that states sometimes “conflate” the two meanings. States accepting territorial inviolability as a ground for violation of sovereignty do so based on the fact that a remotely conducted cyber operation can cause effects on their territory, although the precise effects that qualify a cyber operation as a violation remain unsettled (Tallinn Manual 2.0, Rule 4).

But it is unclear whether the conflation remark means that even if a rule of sovereignty exists in the cyber context, Israel would not view interference with, or usurpation of, inherently governmental functions as violating the target state’s sovereignty, a basis for violation endorsed by the Tallinn Manual 2.0 experts (Rule 4) and a number of States (see, e.g., Finland’s explanation of sovereignty). It is one that draws on Judge Max Huber’s well-known explanation in the 1928 Island of Palmas arbitral award that “Sovereignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.” The importance of this ground for sovereignty violation is that it does not require effects of a particular nature to manifest on the state’s territory. Mere interference, as in significant interference with the conduct of an election, or usurpation, as in conducting law enforcement activities by remote cyber means on another state’s territory, suffice.

Whether Israel will eventually accept sovereignty as a rule of international law applicable to cyber operations remains to be seen. In light of the extent to which the nation is the object of hostile cyber operations, one has to wonder whether it will heed Finland’s warning that “Agreeing that a hostile cyber operation below the threshold of prohibited intervention cannot amount to an internationally wrongful act would leave such operations unregulated and deprive the target state of an important opportunity to claim its rights.”

Intervention

Like all other states that have issued statements outlining their views, as well as the 2015 GGE, Israel accepts the possibility that cyber operations can amount to intervention into the internal affairs of other states. Intervention, as noted by the International Court of Justice in its Paramilitary Activities judgment (para. 205), requires that the act in question be both coercive and intrude into the internal or external affairs of the target state (domaine réservé). Dr. Schöndorf offered the paradigmatic example of interfering with a nation’s ability to hold an election. He also noted that the prohibition often surfaces with respect to assistance provided to an insurgent group, which was the case in Paramilitary Activities. Thus, for instance, funding hostile cyber operations having the requisite consequences or providing the malware and training necessary to employ it would amount to coercive intervention. The only point of note in his discussion of intervention is that no mention was made of intervention into external affairs, such as the conduct of diplomacy. There is no indication that this was an intentional omission meant to exclude such affairs from the reach of the rule.

Due Diligence

Like sovereignty, the question of whether there is a rule of “due diligence” applicable in the cyber context remains unsettled. As confirmed by the 2013 and 2015 Group of Governmental Experts reports that were endorsed by the General Assembly (here and here), there is wide-spread agreement that it is at least a so-called “voluntary non-binding norm of responsible state behavior.” In other words, states should take action to put an end to hostile cyber operations mounted from or through their territory. The question is whether there is a legal obligation to do so.

To fairly evaluate the matter, it must be noted that the obligation imposed by the rule of due diligence is often misunderstood. In fact, it is a very limited rule that, for its proponents, only obliges states to take feasible measures to put an end to ongoing hostile cyber operations when those operations seriously affect the legal rights of another state under international law (Tallinn Manual 2.0, Rules 6 & 7). Among the states accepting the existence of such a legal duty are Brazil, Estonia, Finland, France, Republic of Korea , and the Netherlands (but see Argentina).

Israel is of the view that there is no basis in state practice or opinio juris to conclude that such a rule has yet to crystallize in the cyber context. In this regard, Dr. Schöndorf noted that “we have to be careful in applying to the cyber domain rules that emerged in a different, distinct context,” and pointed to its application in the field of environmental law.

However, the rule is arguably one that applies across domains. Recall that the International Court of Justice addressed the matter in its first case, Corfu Channel, which did not deal with environmental harm. There, the Court famously noted, “it is every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.” Moreover, with respect to state practice, responsible states regularly take action to counter hostile cyber operations conducted through their territory when it is feasible for them to do so, and at times even condemn other states for failing to do the same (recall the 2007 campaign against Estonia conducted primarily from Russian territory). And, as noted, a growing number of states have acknowledged their legal obligation to exercise due diligence.

Reasonable states may disagree on the status of due diligence, for sound legal arguments can be proffered by both camps. But Israel’s rejection of the norms binding legal status is surprising. In the first place, Israel presumably already acts to put an end to ongoing cyber operations that are seriously impacting the international law rights of other nations when it is feasible for Israel to take action; thus, it would be assuming no greater burden than it already handles. Moreover, one would expect Israel to embrace such a rule because it arms the nation with the ability to demand that other states take remedial action when Israel is the target of operations mounted from or through the other state’s territory by third states or non-state groups.

Most importantly, the rule of due diligence opens the door to Israeli countermeasures (Articles on State Responsibility, arts. 22 & 49-53) against states that fail to comply with the duty, either to pressure those states into compliance or to directly put an end to the hostile operations itself. This is particularly significant in Israel’s case of because the prevailing view is that countermeasures are unavailable against non-State actors whose cyber operations are not attributable to a state (Israel may disagree with their unavailability in these circumstances but, if so, it is in a small minority). And, of course, a due diligence rule would allow Israel to condemn states that look the other way when non-state actors are operating from the latters’ territory for acting unlawfully rather than merely irresponsibly. Note that this dynamic also highlights the importance of a sovereignty rule, for due diligence only obliges a state to take action if the hostile cyber operation from its territory affects a legal right of the target state.

An interesting aspect of Dr. Schöndorf’s treatment of due diligence was his discussion of state cooperation, for instance, between national computer emergency response teams (CERTs). He notes that “we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form.” In fact, at least with respect to the existence of a due diligence rule, the comment is a non sequitur because advocates of a due diligence rule do not go so far as to suggest the rule mandates international cooperation. Rather, as presently understood, the rule takes states as it finds them when assessing whether measures to terminate the ongoing hostile cyber operations are feasible.

Other issues

Finally, Israel supports two positions that are increasing uncontroversial, thereby strengthening them. First, it notes that states are not obligated to disclose the information upon which their attribution of hostile cyber operations to other states is based. Finland and New Zealand have recently taken the same position, as did the Tallinn Manual 2.0 experts (Rule 17). However, as Dr. Schöndorf perceptively noted, there may be situations in which it is wise to do so. This is a well-accepted reality, one reflected in the 2015 UN GGE report’s emphasis that allegations of unlawful cyber operations should (not “must”) be substantiated and that states should consider “all relevant information” during cyber incidents.

Second, like, inter alia, France, Netherlands, New Zealand, the United Kingdom, and the United States, as well as the Tallinn Manual 2.0 experts, Israel is of the view that there is “no absolute duty under international law to notify the responsible State in advance of a cyber-countermeasure.” This is a reference to a purported customary law obligation of states that are intending to take countermeasures (the “injured state” in the law of state responsibility) to call upon the state conducting the underlying unlawful acts (the “responsible state”) to desist, warn it of the impending countermeasures if it does not do so, and offer to negotiate (Articles on State Responsibility, art. 52 (1)). However, there may be situations in which the injured State needs to take “urgent countermeasures as are necessary to preserve its rights” (Articles on State Responsibility, art. 52 (2)). The caveat is particularly important with respect to cyber operations in view of the fact that they can unfold very rapidly, and prior notice may afford the responsible state an opportunity to render a cyber countermeasure ineffective. The Israeli position is a sensible contextual application in the cyber context of the notification requirement.

*****

In Part II of this series, I will turn to Israel’s view on when a state may use cyber force consistent with the jus ad bellum, as well as the jus in bello (international humanitarian law) rules governing cyber operations that are conducted during armed conflicts.