International Law and Sovereignty in Cyberspace : The UK position explored (Part 1)

 -  -  9

Spread the love


On May 23rd 2018, Jeremy Wright delivered a speech concerning the United Kingdom’s (hereinafter ‘UK’) position regarding applicable international law in cyberspace.[1] Concurring with the international community,[2] he stated that cyber operations reaching the threshold of prohibited intervention, use of force and cyber operations causing similar consequences to those following an armed attack are unlawful (excluding self-defence or Security Council consent).[3] However, he stated that there cannot be a “specific rule or additional prohibition for cyber activity”[4] extrapolated from the principle of sovereignty, indicating that cyber operations falling below the prohibited intervention threshold do not violate international law. Crucially, this suggests that the UK considers sovereignty solely as a principle, from which rules like the prohibition of intervention and prohibition on the use of force emerge, rather than a rule of international law capable of violation.

International law is decentralized in nature and created by treaty or custom (made up of state practice and opinio juris).[5]  Its legitimacy depends upon broad acceptance and application whilst also adapting  to changing times. Within this framework, sovereignty has been defined as the independence of a state to a portion of the globe and the right to exclusively exercise functions within that portion (Island of Palmas).[6] 

This briefing paper will address three points in relation to the UK’s position. Firstly, treaties and customary international law regarding sovereignty will be discussed. Secondly, drawing on academic opinion and approaches taken by other states, sovereignty will be discussed within the frontier of cyberspace and contrasted with the UK’s position. Finally, the implications of the UK’s position, advantages and disadvantages regarding both proactive and reactive cyber operations and the implications the UK might face as a result will be examined. It will be concluded that sovereignty as a rule is firmly established and could sensibly be assumed to apply to cyberspace. However, due to cyberspace’s nebulous nature, evolving technology, and the presence of sophisticated and hostile non-state actors in the cyber realm, Jeremy Wright’s position arguably confers a net advantage to the UK.

The UK’s position in relation to current law

Prior to determining whether Jeremy Wright’s statement reflects current law, the nature of sovereignty must be established, requiring examination of treaty and customary law. Further, if sovereignty exists as a rule, it must be determined whether it extends to cyberspace.

Article 2(1) of the UN Charter mentions a “principle of sovereign equality”[7], attesting to the importance of sovereignty in international law, yet the wording employed is not particularly telling of sovereignty’s nature, which is similarly unclear in other treaties. According to the UN Convention Against Transnational Organized Crime, a state is disallowed “to undertake in the territory of another State the exercise of jurisdiction and performance of functions that are reserved exclusively for the authorities of that other State”[8]. Although this appears to hint at sovereignty being a rule (i.e. preventing states from infringing on territorial sovereignty or inherently governmental functions)[9], the unspecific wording limits the persuasiveness. It could similarly be seen as pointing to rulesarising from the principle of sovereignty (like prohibited intervention). However, the breadth of evidence signalling that sovereignty is a rule runs deeper in customary international law (state practice and opinio juris).

For state practice to be persuasive as signifying a rule of customary international law, it must be “widespread, representative and consistent”[10]. Examples evidencing widespread and general acceptance include, among others, Iran’s assertion and USA’s acknowledgment that USA violated Iranian sovereignty, when its Navy riverine craft entered Iranian waters,[11] and Russian and Pakistani assertions, that counterterrorist drone strikes are violations of sovereignty.[12] Opinio juris is evident in statements from governmental officials,[13] through ex-prime minister Khruschev’s reference to sovereignty as “an obligation”[14] or more recently, president Obama’s statement that USA actions are “bound”[15] by respect for sovereignty. The language utilised points to an existing individual rule which must be obliged, evidencing general state belief that they are bound by sovereignty, which is essential for valid opinio juris.[16]

Furthermore, several International Court of Justice (hereinafter ‘ICJ’) judgments suggest the UK’s position does not reflect current law. Most notable are the Corfu Channel Judgement where the court states the “action of the British navy constituted a violation of Albanian sovereignty”[17] and the Nicaragua Case. Here, the court deemed attacks on Nicaraguan ports were a use of force, but additionally infringements of Nicaraguan “territorial sovereignty”[18]. The explicit wording indicating sovereignty can be violated suggests, as Schmitt and Vihul highlight, that the court considers sovereignty as a fully separate rule “with no less normative force”[19] than the prohibition of intervention and prohibition on the use of force.[20] Although ICJ judgments do not create law,[21] this does not diminish the argument as they may in fact evidence state practice.[22] Accordingly, several judgments signalling a rule of sovereignty add legitimacy to the argument that current law recognises sovereignty as a rule, standing in contradiction to Jeremy Wright’s assertion.

As it has been established that sovereignty exists as a primary rule, the question is whether it intrinsically extends to cyberspace, given the Attorney General’s cyber specific wording. Corn and Taylor maintain the rule of sovereignty is not applicable to cyberspace, given the lack of cyber specific opinio juris and state practice as well as other exceptions to sovereignty’s applicability, e.g. space.[23]  The variety of opinion is evident; in February 2020, Czech Republic explicitly recognised sovereignty as a rule, citing it as an “independent obligation”[24], thereby joining countries such as the Netherlands, France and Germany in this sentiment.[25] However, the American DOD, recently came out with a statement resembling the UK’s approach.[26]

It has been argued that a cyber specific rule is unnecessary, as the exemptions to sovereignty exist only due to treaties or their settlement in customary law.[27]  Importantly, exemptions develop gradually. Indeed, the Outer Space Treaty (stating sovereignty does not extend to outer space),[28] was signed several years after Gagarin, a military officer of the USSR,[29] could be said to have violated multiple states’ territory on his mission. Similarly, reaching concrete views on international law regarding cyberspace may require time. However, other aspects pointing to the rule of sovereignty extending to cyberspace warrant discussion.

The Tallinn Manual 2.0 suggests the UK’s position fails to accurately reflect current law as it maintains sovereignty exists as a rule in cyberspace.[30] Rule 4 articulates a “state must not conduct cyber operations that violate the sovereignty of another state”[31] but as Jensen highlights, the assumption that sovereignty functions as rule underlies this.[32] Additionally, the Tallinn Manual sets out parameters for actions which may constitute violations of sovereignty, for example, actions that usurp or interfere with intrinsically governmental functions or actions of a certain degree infringing on a state’s territorial sovereignty.[33] The French approach, which envisions that “any unauthorised penetration”[34] or “production of effects on French territory”[35] violates sovereignty, demonstrates the variety of opinion regarding what constitutes a violation of sovereignty in cyberspace.

The Tallinn Manual 2.0, as a scholarly writing, does not create law per se, and further does not represent official views of organisations such as NATO.[36] This does not, however, limit its usefulness as it was written by a group of international experts and required unanimity when identifying rules.[37] Moreover, Schmitt underlines that as an expert teaching, the Tallinn Manual 2.0 qualifies under Article 38(1)(d) of the Statute of the International Court of Justice as an auxiliary way to determine international law.[38] Further evidence of expert belief that sovereignty as a rule extends to cyberspace is evident in UN reports, specifically, the 2015 UN GGE Report. This was confirmed by Resolution 70/237 to guide states on use of ICT’s,[39] and noted; “State sovereignty and international norms and principles that flow from sovereignty apply to state conduct of ICT-related activities”.[40] This wording suggests sovereignty is separate from other principles, pointing to its existence as a separate rule, and further, where resolutions are adopted by consensus, they may signify opinio juris.[41]

The current state of the law suggests sovereignty is a primary rule, applying to cyberspace, yet future crystallization of customary international law will provide greater clarity. Based on the strength of customary international law pointing to sovereignty existing as a separate rule in the non-cyber context and on the strength of the Tallinn Manual 2.0 and UN reports as subsidiary means for the determination of law, it may be concluded that the UK’s position does not accurately reflect current international law. The advantages and disadvantages that follow from the UK’s position now warrant discussion.

Keep an eye out for Part 2 of this article which will be published next week

[1] Jeremy Wright, Attorney General, ‘Cyber and International Law in the 21st Century’ (Speech at Chatham House, London, 23 May 2018)  <> accessed 15 July 2020.

[2] Gary P Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ [2017] AJIL Unbound 207, 208.

[3] Wright (n 1).

[4] ibid.

[5] Alina Kaczorowska-Ireland, Public International Law (5th edn, Taylor & Francis Group 2015) 22.

[6] Island of Palmas Case (The Netherlands v USA) (1928) 2 RIAA 829, 838.

[7] Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 1 UNTS 16, Art 2(1).

[8] UNGA Res 55/25 annex UN Convention Against Transnational Organized Crime, Art 4.

[9] Michael N Schmitt, ‘“Virtual” Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law’ (2018) 19 CJIL 30, 43-45.

[10] Benkharbouche v Secretary of State for Foreign and Commonwealth Affairs [2017] UKSC 2 [31].

[11] ‘Iran Frees Captured US Marines’ FARS News Agency (Tehran, 13 January 2016) <> accessed 17 July 2020.

[12] Omer Farooq Khan, ‘Russia Backs Pakistan Fury on US Drones’ (Times of India, 12 October 2012) <> accessed 17 July 2020 cited in Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 TLR 1639,1658.

[13] Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 TLR 1639, 1661.

[14] Nikita S Khrushchev, ‘On Peaceful Coexistence’ (1959) 38 Foreign Affairs 1, 3 <> accessed 17 July 2020.

[15] Barack Obama, ‘Remarks by the President at the National Defense University’ (National Defense University, Washington DC, 23 May 2013) <> accessed 17 July 2020.

[16] North Sea Continental Shelf Cases (Federal Republic of Germany/Denmark; Federal Republic of Germany/Netherlands) (Merits) [1969] ICJ Rep 3, 77.

[17] Corfu Channel Case (UK v Albania) (Merits) [1949] ICJ Rep 4, 35.

[18] Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) (Merits) [1986] ICJ Rep 14, 251.

[19] Schmitt and Vihul (n 13) 1654.

[20] ibid.

[21] Kaczorowska-Ireland (n 5) 24.

[22] ibid.

[23] Corn and Taylor (n 2)  208-210.

[24] Richard Kadlčák, ‘Czech Republic Statement’ (2nd Substantive Session of the OEWG, New York, 11 February 2020) <> accessed 19 July 2020. 

[25] Przemysław Roguski, ‘The Importance of New Statements on Sovereignty in Cyberspace by Austria, the Czech Republic and United States’ (Just Security, 10 May 2020) <> accessed 19 July 2020.

[26] Paul Ney, ‘DOD General Counsel Remarks’ (speech at U.S. Cyber Command Legal Conference, Virginia, 2 March 2020) <>  accessed 19 July 2020.

[27]  Schmitt andVihul (n 13) 1644.

[28] UNGA Res 2222/XXI annex (19 December 1966) Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies.

[29] Nola Taylor Redd, ‘Yuri Gagarin: First Man in Space’ (, 12 October 2012) <> accessed 2 August 2020.

[30] Michael N Schmitt eds, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017) 17.

[31] ibid.

[32] Eric Talbot Jensen, ‘The Tallinn Manual 2.0: Highlights and Insights’ (2017) 48 GJIL 735, 741.

[33] Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (n 30) 20.

[34] Ministere des Armees, Republique Francaise, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6 <> accessed 19 July 2020.

[35] ibid.

[36] Liis Vihul, ‘The Tallinn Manual on the International Law applicable to Cyber Warfare’ (EJIL:Talk!, 15 April 2015) <> accessed 18 July 2020.

[37] ibid.

[38] Schmitt and Vihul (n 13) 1650.

[39] UNGA Res 70/237 (30 December 2015) UN Doc A/RES/70/237.

[40] UNGA ‘Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015) UN Doc A/70/174 para 27.

[41] Tulio Treves, ‘Customary International Law’, Max Planck Encyclopedia of Public International Law (2006) 44 <> accessed 2 August 2020.

9 recommended
comments icon 0 comments
0 notes
bookmark icon

Write a comment...

Your email address will not be published. Required fields are marked *