The United Kingdom on International Law in Cyberspace

The United Kingdom has long been a thought leader in applying international law to cyberspace. In 2018, the then-Attorney General, Jeremy Wright, spoke on the subject in a granular address at Chatham House, making the United Kingdom one of the first countries to set forth its views on how international law applies to cyberspace during peacetime and armed conflict. The topics ranged from sovereignty and non-intervention to human rights and international humanitarian law.

Although many other states have since embraced most of the views expressed therein, and rightly so, the Chatham House address is best remembered for Wright’s surprising rejection of a rule of sovereignty applicable to cyber operations. Every state that has taken a firm and unambiguous position on the matter has disagreed with the U.K. assertion (most recently Canada). Given that fact, the debate has taken on disproportionate dimensions during discussions on how international law governs cyberspace, masking the substantial agreement that exists between the United Kingdom and other states.

This post briefly examines two further U.K. statements on international law’s role in cyberspace, a 2021 statement for the U.N. Group of Government Experts (GGE) on cyberspace and a speech last week by U.K. Attorney General Suella Braverman at Chatham House. As will be apparent, little has changed since 2018, although each statement has added a degree of granularity to the U.K. positions.

The 2021 UN GGE Statement

In June 2021, the United Kingdom and 14 other states contributed statements regarding their views on international law in cyberspace to an Annex to the 2021 GGE consensus report, the third GGE report to deal with international law (2013 and 2015). As with the 2018 Chatham House speech, it is an important survey of U.K. positions, although it did not shift or further develop U.K. positions in any substantial way.

As in 2018, the statement again characterized sovereignty as a “general principle” that is a “fundamental concept in international law.” No one would dispute that characterization. However, echoing the 2018 position, the statement notes, “the United Kingdom does not consider that the general concept of sovereignty by itself provides a sufficient or clear basis for extrapolating a specific rule or additional prohibition for cyber conduct going beyond that of non-intervention….” By this approach, the prohibition on intervention into other states’ internal or external affairs will be the floor of internationally wrongful conduct for most remotely conducted cyber operations by or otherwise attributable to states.

So, despite an undeniable trend in the opposite direction by 2021 (one that is continuing), the United Kingdom did not budge from its position on sovereignty. Its view is arguably sensible from a policy perspective. It enables the United Kingdom to remotely conduct cyber operations into another state’s territory without, at least in its view, committing what others might see as the internationally wrongful act of failing to respect that state’s sovereignty.

Sometimes, such operations are needed to defend national interests, although I would add that international law usually fulfills that need by allowing countermeasures and actions based on the plea of necessity (Articles on State Responsibility, arts. 22 and 25). Yet, the cost of the position is that it deprives the United Kingdom of an ability to characterize hostile cyber operations into its own territory that are attributable to other states as being in breach of U.K. sovereignty – by virtue of either the nature of the effects caused or interference with its inherently governmental functions, the two bases for a sovereignty breach (see Tallinn Manual 2.0, Rule 4 commentary).

What was new in the statement’s sovereignty discussion was an acknowledgment that there are differing views on the matter. Indeed, in NATO’s 2020 Allied Joint Doctrine for Cyberspace Operations, an obscure but significant footnote (26) recognizing the rule of sovereignty appears. The footnote drove the United Kingdom to reserve on that point, a highly unusual step to take in military doctrine. Importantly, none of its NATO Allies followed suit, not even the United States (which reserved on other points). In that regard, the U.S. statement in the 2021 GGE report Annex is intriguing. It provides, “[i]n certain circumstances, one state’s non-consensual cyber operation in another state’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law.” The comment begs the question of “if not a violation of sovereignty, what else might that internationally wrongful act be?”

The substantial pushback on its sovereignty position led the U.K. to suggest in the statement “that differing viewpoints on such issues should not prevent states from assessing whether particular situations amount to internationally wrongful acts and arriving at common conclusions on such matters.” To be sure, in some cases, this will be true. As an example, a significantly destructive cyber operation would, for many states, amount to both a wrongful use of force and a violation of sovereignty. For the United Kingdom, only the former violation would occur, but all the parties would agree the operation is unlawful. Similarly, a cyber operation that manipulated election returns would, for many states, violate sovereignty based on interference with an inherently governmental function and constitute wrongful intervention. Again, the United Kingdom would view the operation as only a violation of the non-intervention rule. But in both cases, it would be characterized as wrongful.

The problem with the assertion is that this will not always be the case, for the key rules – sovereignty, non-intervention, and the use of force – have different elements (see commentary to Tallinn Manual 2.0, Rules 4, 66, and 69). A territorial sovereignty violation, for instance, is generally understood as requiring certain physical effects, whereas no such requirement exists for non-intervention. And while sovereignty violations include interference with “inherently governmental functions,” non-intervention extends to activities reserved to states (internal and external affairs) that might not qualify as inherently governmental, as in the case of state decisions regarding educational activities. And as the International Court of Justice noted in its Nicaragua case (¶205), coercion “defines, and indeed forms the very essence of, prohibited intervention.” Neither sovereignty breach nor the wrongful use of force requires coercive intent to be wrongful. The point is that the United Kingdom is correct that states often will agree on whether a cyber operation violates international law, although they may not concur on the same basis for wrongfulness. Yet, this will not always be possible, as I pointed out in a previous contribution to EJIL: Talk!

Notably, the 2021 U.K. statement addressed an issue that the 2018 Chatham House statement had not, due diligence. It rejected the characterization of “due diligence” as a rule of international law, a position consistent with those of a number of other states, such as the “Five Eyes” and Israel, but contrary to the view of Japan and most European nations that have spoken to the matter.

For those who see due diligence as a rule of international law, states are obligated to take feasible measures to put an end to ongoing cyber operations by other states or non-state actors from or through cyber infrastructure on their territory that cause serious adverse consequences for another state’s international law right (see Tallinn Manual 2.0, Rule 6 commentary). However, the three UN GGE reports dealing with international law instead treat due diligence as a so-called “voluntary non-binding norm of responsible State behavior,” that is, action that states should, but are not bound to, take in the face of harmful cyber operations from their territory.

In its statement, the United Kingdom points to the GGEs’ consistent characterization as a voluntary norm to demonstrate that there is “not yet State practice sufficient to establish a specific customary law rule of ‘due diligence’ applicable to activities in cyberspace.” This is an unpersuasive justification. As noted by the International Court of Justice in its Nuclear Weapons Advisory Opinion, new technologies are subject to existing international law (¶ 86, confirming that existing international humanitarian law applies to weapons of the future). Therefore, the issue is not the sufficiency of state practice in establishing a new due diligence rule. Such a rule already exists, as confirmed in 1949 by the International Court of Justice in its first case, Corfu Channel, which stated in dictum that “it is every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States” (at 22). In doing so, the Court echoed the 1923 Island of Palmas arbitration, in which Judge Huber observed that a state must “protect within [its] territory the rights of other States” (at 839).

Instead, the pertinent question is whether it is reasonable to interpret that pre-existing rule as applicable to cyber operations. On this point, reasonable minds may differ, although I believe states may apply the rule reasonably in the cyber context, in good faith, and consistent with its object and purpose (see here).

The 2021 U.K. statement also acknowledged that the U.N. Charter’s “use of force” prohibition [art. 2(4)] and “inherent right” of self-defence against an “armed attack”(art. 51) apply in the cyber context. However, it was cautious when confirming these indisputable premises. For instance, the statement failed to address the central issue of whether non-destructive or non-injurious cyber operations, such as those that would severely disrupt the United Kingdom’s national economy or financial system, could amount to either a use of force or an armed attack. Instead, it merely suggested that if cyber operations cause effects comparable to those generated by kinetic actions that qualify as a use of force or armed attack, the cyber operations will likewise qualify. The U.K.’s hesitancy to move beyond this self-evident conclusion is notable considering the slowly growing willingness of other states to take that step (see, e.g., Norway and France).

In other regards, such as those dealing with legal attribution, countermeasures, human rights law, and humanitarian law, the 2021 statement was well-founded in accepted international law but not particularly novel in terms of further clarifying its application to cyberspace.

The 2022 Chatham House Speech

There is nothing in Attorney General Braverman’s speech that changes any position taken by the United Kingdom in 2018 or 2021. However, the Attorney General made several points that merit attention.

The bulk of the speech dealt with the rule of non-intervention. All three UN GGE reports have acknowledged the non-intervention rule, and no state opposes its application in the cyber context. Moreover, the United Kingdom had earlier unambiguously confirmed its applicability to cyber operations in both 2018 and 2021.

By the rule, a state may not coercively interfere (“intervene”) in other states’ internal or external affairs, their so-called “domaine réservé” (see Tallinn Manual 2.0, Rule 66 commentary). The domaine réservé consists of areas of activity that international law leaves to states. For instance, the International Court of Justice pointed out in its Nicaragua judgment that the “choice of a political, economic, social and cultural system, and the formulation of foreign policy” fall within the domaine réservé (¶ 205). But, illustrating an area beyond the domaine réservé, international human rights law limits actions a state may take regarding the freedom of expression, including the right to receive information (Tallinn Manual 2.0, Rule 35). Therefore, another state’s cyber operation to facilitate enjoyment of that right by providing wireless internet access or disabling cyber infrastructure used to block political speech generally would not intrude into the domaine réservé because international law addresses free expression and limits state choices (but such an operation might be unlawful on other bases).

The speech is notable because it develops the U.K.’s position on non-intervention, focusing primarily on the element of coercion. It has long been anticipated that the United Kingdom would seek to soften the coercion requirement to counterbalance its rejection of the sovereignty rule. Although the Attorney General appears to do so, I am uncertain that the position she articulates actually adjusts the margin of appreciation concerning the parameters of coercion.

Some have characterised coercion as forcing a State to act differently from how it otherwise would – that is, compelling it into a specific act or omission. Imagine, for example, a cyber operation to delay another State’s election, or to prevent it from distributing tax revenues to fund essential services. To my mind, these are certainly forms of coercion.

But I want to be clear today that coercion can be broader than this. In essence, an intervention in the affairs of another State will be unlawful if it is forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty. While the precise boundaries of coercion are yet to crystallise in international law, we should be ready to consider whether disruptive cyber behaviours are coercive even where it might not be possible to point to a specific course of conduct which a State has been forced into or prevented from taking. (emphasis added)

In my view, depriving a state of control over activities that it wishes (freedom) to either carry out or from which it wants to refrain (control) falls squarely within the concept of coercion, whether accomplished by affecting the target state’s ability to engage in such conduct or its will to do so. Consequently, such a cyber operation amounts to intervention when targeting another state’s domaine réservé.

The Attorney General provides illustrative examples designed to tease out the U.K. position. But in doing so, she arguably oversimplifies the rule by focusing on the coercive effect on the target of the cyber operation, as in her example of disrupting the energy supply. As traditionally understood in international law, the coercive effect must be on the target state’s choice, which encompasses an ability to control the domaine réservé as it wishes. It is not enough that the target of the cyber operation is related to a domaine réservé. For example, cyber operations that are purely malicious or engaged in for criminal purposes would sometimes (although not always) fail to qualify because they lack a coercive effect on the State with respect to an activity in its domaine réservé. In this regard, it is the intent to conduct the cyber operation causing the state to lose control over its domaine réservé that matters, not the motive behind the operation.

To illustrate, consider cyber operations directed against a medical facility, an example the Attorney General proffers, and which recalls the 2017 North Korean WannaCry ransomware attack that disrupted health care in the U.K. As Marko Milanovic and I have explained,

Although the attack was coercive in fact, WannaCry was not coercive vis-a-vis the domaine réservé of health care. Rather, the operation was designed to secure a ransom payment; albeit highly disruptive, it did not deprive the United Kingdom of the ability to exercise control over health care in the country, nor did it affect its will with regard to health care choices….

We distinguished that type of operation from a ransomware attacks that disrupts a state’s crisis management (a domaine réservé) response by shutting down essential facilities. Since they would dispossess affected states of their “ability to execute specific elements of their crisis management plans to deal with the pandemic, and were designed to do so,” the attacks would qualify as intervention.

Clearly, it’s complicated. The U.K.’s assertion that loss of control over the domaine réservé due to hostile cyber operations by or otherwise attributable to another state amounts to wrongful intervention is sound. But as understood traditionally, coercion must be directed at the injured state’s exercise of choice regarding, or control over, the domaine réservé. There is nothing in the Attorney General’s speech that is contrary to this clarification, but it is unclear from the examples provided whether the U.K. agrees with it.

The other key point the Attorney General made deals with collective countermeasures. Countermeasures are actions or omissions that would be unlawful but for the fact that they are designed to cause another state to desist in unlawful conduct or provide reparations that might be due the state taking the countermeasures (Articles on State Responsibility, arts. 22 and 49).

In 2019, the Estonian President gave a speech at the annual CyCon conference in which she asserted, “Among other options for collective response, Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation.” In doing so, the President raised the prospect of looking to other states for assistance in mounting cyber countermeasures or even conducting the countermeasures on the first state’s behalf, much as self-defense may be exercised collectively. Yet, the same year, the French Ministry of the Armies countered, “Collective counter-measures are not authorised, which rules out the possibility of France taking such measures in response to an infringement of another State’s rights.”

The lawfulness of collective countermeasures is a hot topic among states (I support the option). States lacking a robust cyber capability are particularly interested in resolving the matter since they may not be able to mount cyber countermeasures in response to unlawful cyber operations directed at them without the assistance of other states. This does not necessarily leave them “defenseless” because cyber countermeasures need not be in kind. For instance, a state could close its territorial sea to innocent passage as a countermeasure against a state conducting unlawful cyber operations. Nevertheless, the reality is that without access to collective countermeasures, such states are hobbled in their responses.

The Attorney General highlighted the issue but staked out no position. However, in light of the currency and criticality of the ongoing debate for many states, the U.K.’s decision to leave the door open to the possibility of collective countermeasures under international law is extremely significant; it helps keep the discussion center stage.

Concluding Reflection

The U.K. remains a mainstream state with regard to assessing how international law governs cyberspace. The sole exception is its position on sovereignty, but the ever-growing number of states taking the opposite view and the U.K.’s own desire to find common ground with other states when characterizing cyber operations as unlawful mean the issue is fading quickly in terms of practical significance.

Most importantly, the U.K. is to be commended for publicly and repeatedly expressing its views on the matter. Some states and pundits claim ambiguity is a valuable strategic commodity when assessing international law’s applicability to cyberspace. But as the Attorney General insightfully observed,

The law needs to be clear and well understood if it is to be part of a framework for governing international relations and to rein in irresponsible cyber behaviour. Setting out more detail on what constitutes unlawful activity by States will bring greater clarity about when certain types of robust measures are justified in response.

The U.K. continues to be a global leader in that effort.