International Law and Sovereignty in Cyberspace: The UK position explored (Part 2)


This article follows on from our article of the same name, published last week.


It may be presumed that states conduct foreign cyber operations to advance their interests. Assuming the UK is no exception and importantly if the UK were to adopt a “defend forward”[1] strategy by proactively conducting cyber operations into other states (below prohibited intervention) to defend against future possible interferences,[2] constraints on flexibility warrant discussion. Flexibility will be defined as the ability to act asymmetrically without time constraints.

The UK may currently conduct a broad range of cyber operations before undeniably violating international law, due to the high threshold of prohibited intervention. The principle of non-intervention prohibits interference by one state in the affairs of another that is carried out coercively (the essence of prohibited intervention per Nicaragua)[3] or by “forcible or dictatorial means”.[4] Historically, the prohibition of intervention developed to forbid “indirect interference through economic, political and diplomatic means”,[5] rather than solely military intervention.[6] Although this signifies a lowering of the threshold, the burden on states to convincingly assert that a prohibited intervention has occurred is nevertheless higher than for a violation of sovereignty to be claimed. Evidencing the high threshold, Russian interference in US elections via influencing public opinion did not satisfy the coercion element, as electoral infrastructure was not directly interfered with.[7]

By not recognising that sovereignty prohibits actions falling below the prohibited intervention threshold, the UK can act with fewer political and bureaucratic entanglements that, if required, could undermine the purpose and effectiveness of such operations. Equally, publicly expressing this view gives the UK a basis to contest a possible claim of violation.

Cyber operations require flexibility.[8] A detriment of recognising sovereignty as a rule is that it would require the UK to seek consent (SS Lotus) prior to conducting cyber operations,[9] potentially undermining their purpose. Schmitt and Vihul counter-argue that a state’s flexibility would not be inhibited, owing to the availability of responses such as the plea of necessity or countermeasures, and to the notion that not all cyber operations conducted into another state’s infrastructure violate sovereignty.[10]

However, the applicability of the de minimis approach alluded to by Schmitt and Vihul is arguably unsettled. The spectrum of publicly declared positions can be bracketed by France as the most strict and the UK as the most permissive, with varying views in the middle.[11] Whereas physical territory and airspace are rigorously defended,[12] with scant exception for de minimis type violations, the technical aspects of cyberspace (and the added issues that VPNs or blockchain may pose, for example) enable the imprecise definition of what constitutes a violation of sovereignty. Avoiding uncertainty surrounding permissible operations may advantage the UK, given that timeliness and authorisation processes for conducting cyber operations would not necessarily suffer by virtue of an imprecise framework of if and when consent is needed. Undoubtedly, the UK nevertheless risks condemnation; however, maintaining its current position, coupled with the uncertainty surrounding this new area, gives the UK a feasible basis to assert that no violations occurred.

Secondly, Schmitt and Vihul’s argument that responses such as countermeasures are available,[13] only addresses one aspect of the limitation that sovereignty as a rule poses on flexibility. Countermeasures would merely guard the UK from condemnations for violation when responding to initial violations by other states.[14] Crucially, however, the UK would remain significantly limited if it desired to proactively conduct cyber operations into other states.

A consequence of retaining flexibility is the risk of escalation,[15] where an ‘injured’ state maintains the UK violated international law, unrecognised by the UK as valid, leaving the injured state only retaliation as a response. Ultimately, the debate concerns the reward of flexibility versus the risk of escalation. Although the risk of escalation seems a lesser burden, to fully assess the impact of losing flexibility, an analysis of confidential cyber operations the UK conducts into foreign states would be necessary to gauge the true cost of recognising sovereignty as a rule.

In conclusion, recognition of sovereignty as a principle allows the UK to maintain flexibility as to the timing and targets of cyber operations, while allowing a defensible basis for such operations. Presuming the UK currently has good offensive and defensive cyber abilities, it can be assumed that flexibility provided by the UK’s position is more advantageous than risking escalation.

Available Responses

Were the UK to recognise that sovereignty exists as a rule and therefore prohibits cyber operations falling below the threshold of prohibited intervention, the spectrum of possible legal responses to combat cyber operations conducted into the UK would increase. Two such notable responses are countermeasures and due diligence. Increasing the availability of measures available to the UK to counter cyber operations immediately seems an advantage. However, certain nuances in both countermeasures and due diligence limit the true benefits they bring.

The apparent response to hostile cyber operations would seem to be self-defence. However, self-defence is available only if cyber operations amount to an armed attack,[16] making the threshold for its usage extremely high. The Tallinn Manual 2.0 states that a cyber operation significantly injuring or killing people, or significantly damaging or destroying property, would constitute an armed attack.[17] This highlights the level of gravity needed for self-defence to be a viable response. The vast majority of cyber operations conducted into UK infrastructure, however, would never exceed this level;[18] countermeasures, on the other hand, are available more readily. They are State actions which, prima facie, violate international law but are legally available when conducted into another State to halt unlawful actions conducted into that state by the former.[19]

Recognising sovereignty as a rule would enable the UK to lawfully employ countermeasures against states conducting cyber operations (violating sovereignty) into the UK. Whereas the UK’s current position may arguably provide the UK with a somewhat defendable basis to ‘hack back’, recognising that sovereignty prohibits interference below the prohibited intervention threshold, and therefore gaining countermeasures as a legally valid response, would ground such reactions by the UK in internationally recognised law and minimize possible escalation. Perhaps the more significant benefit attached to countermeasures is that they may equally be non-cyber in nature.[20] Fundamentally, this would provide the UK with a large scope of non-cyber options that would otherwise be unavailable and would serve as a legitimate safeguard against allegations of international law violations in areas where the law is clearly set in stone, either by solid custom or treaty.

It is arguable, however, that multiple restrictions placed on their use ultimately limit their true benefit. Countermeasures are guarded by the principle of proportionality and available only if a recognised illegal act has been committed by the opposing state, pursuant to the law of state responsibility (i.e. not by non-state actors).[21] Given that the identities of the cyber perpetrators may often be unclear or deniable, attributing blame to a specific state presents at times an insurmountable problem, potentially largely limiting the realistic availability of such countermeasures. It could therefore be argued that the mere prospect of employing countermeasures is a rather tenuous reason upon which to accept sovereignty as a rule.

Due diligence potentially remedies this issue, as it is “an obligation of conduct”[22] of a State to prevent their territories from being used (by state and non-state actors) in detrimental or harmful actions against other states.[23] Requesting a foreign state to intervene or halt, based on the concept of due diligence, may advantage the UK. However, the usage of this may equally be limited. Indeed, as Schmitt highlights, to invoke due diligence, the harm must reach a threshold that becomes a “legitimate concern”[24] in inter-state relations, i.e. not merely a nuisance.[25] Furthermore, it is important to note that, as due diligence merely requires a State to take action,[26] it does not guarantee results. Equally, recognition of sovereignty as a rule, and therefore the possibility of due diligence obligations arising, would impose the identical duty upon the UK, potentially causing a burden.

Credibility and the RBIO

Kaczorowska identifies public opinion as a significant factor that states consider pertaining to international law.[27] Indeed, leading by example is useful in the decentralised international context when condemnation is a frequently used tool. A state which lacks credibility in a given domain will see its criticisms or complaints of other states having a reduced impact. The UK’s position, specifically not recognising cyber operations (below prohibited interventions) as a violation of state sovereignty will necessarily make criticism of other states engaged in such activity less potent, but it could be questioned to what degree this is seen.

This warrants discussion as the UK issues condemnations of other states. Examples include condemnation of Russian cyber activities on infrastructure in Ukraine,[28] Russia’s military intelligence service (hereinafter ‘GRU’) cyber attacks against Georgia,[29] and recently GRU cyber attacks aimed at UK research facilities targeting COVID-19 vaccine research.[30]

In a 2018 news release, the UK labelled GRU cyber activities unfolding on Ukraine infrastructure as a “flagrant violation of international law”.[31] Biller and Schmitt assessed the legality of the cyber operations, concluding they would not cross the high threshold of prohibited intervention as they were not “coercive or intruding upon the domaine réservé”.[32] They concluded that the “most likely”[33] violation of law was of Ukraine’s sovereignty.[34] The juxtaposition of the UK’s claims when condemning other states for their actions, while maintaining that sovereignty does not exist as a rule, undermines these condemnations. In an interview, Dominic Raab, the Secretary of State for Foreign Affairs, deemed the GRU cyber attacks on vaccine research “contrary to international law”.[35] The question of which rule of international law was violated must be asked; targeting such vaccine research would be unlikely to cross the level of prohibited intervention. However, the operations resemble espionage, which is widely accepted in the realm of international law,[36] and thus the legal basis for protesting the perceived violation is likely a violation of state sovereignty. As the precise wording of “contrary to international law”[37] was not utilised in the official press release, the first example better displays how recognising sovereignty as a rule could increase the legitimacy and provide a more “defensible basis”[38] for such condemnations, whereas the latter example evidences that such condemnations are not in the past.

On the other hand, it may be argued that an underlying legal rule is not required for a condemnation to be effective because such condemnations frequently aim to produce political pressure. The public nature of their deliverance buttresses this view. From a wider perspective, however, the importance of public opinion to the UK equally must not be underestimated. Legitimacy was identified in Chatham House as a major challenge to the Rules-Based International Order (hereinafter ‘RBIO’).[39] It was highlighted that for the system to be effective, rules must be equally observed by their advocates.[40] Given the uncertainty surrounding Brexit and the UK’s interest in championing Global Britain and commitment to the RBIO,[41] the disconnect between the UK’s position (as articulated by Jeremy Wright) and the UK’s condemnation of other states for what are seemingly such violations of sovereignty likely perpetuates the lack of legitimacy and selectiveness among states, thereby hindering the persuasiveness of the UK’s commitment to the RBIO. This could possibly diminish the UK’s influence in the post-Brexit period.

In conclusion, recognition of sovereignty as a principle will not disallow public condemnation of other states, as the effect on public opinion may nevertheless produce (albeit potentially limited) results. However, recognising sovereignty as a rule would add a “defensible”[42] and credible basis for the UK government’s statements and would further reflect on the UK as a responsible actor within the RBIO, which bears importance given the interest in championing ‘Global Britain’.


Based on a survey of customary international law and treaties, it can be said that sovereignty is a well established and endorsed rule in international law. When violated, an illegal act is recognised as having occurred with consequences following thereof. As an established rule and on the strength of well respected academic writings, such as the Tallinn Manual 2.0, it may justly be assumed to extend to cyberspace. Factually, many states who have publicly declared their position on this topic concur with this interpretation,[43] leaving the UK in the minority at this time. However, given the nature of international law, requiring treaties or opinio juris and state practice to become settled customary international law,[44] and further, due to the diffuse nature of cyberspace, rapidly evolving technology and the possible resulting difficulty of attributing culpability in a timely manner, there exists a rational basis to assert that international law remains unsettled on this point, justifiably allowing the UK to take the position asserted by Mr. Wright.

Potential detriments to the UK’s position include loss of credibility among the international community and advocates of the RBIO, if the UK condemns other states for cyber operations falling below the threshold of prohibited intervention or cites a lack of due diligence should other states fail to control hostile cyber operations emanating from their territory. Significantly, the legal use of countermeasures in regard to cyber operations falling below the threshold of prohibited intervention will be forfeited, including the possibility to use non-cyber countermeasures in the event of a cyber operation against the UK.[45]

The UK’s position, however, provides significant benefits in the areas of flexibility, in terms of timing and targets, allowing the UK to defend forward or undertake operations against state and non-state actors without the express consent of the ‘host’ state. A further benefit would be the deniability that an illegal act was committed, should the UK be condemned. Further, the controversial nature of the UK’s position may encourage debate and provide incentive for other states to formulate and clearly state their views, overall helping to settle applicable law in this area.

Operating on the assumption that the UK is currently confident in their cyber abilities and assuming this remains so in the future, the benefits accruing to the UK via recognizing sovereignty as a rule (extending to cyberspace) are likely outweighed by the benefits associated with the freedom to act with a high degree of flexibility in the cyber realm. This is of course circumstantially dependent. The relative cyber capabilities of the UK must nevertheless be consistently analysed and should they diminish, or should new threats emerge, the current position may require re-evaluation.

[1] Paul Ney, ‘DOD General Counsel Remarks’ (speech at U.S. Cyber Command Legal Conference, Virginia, 2 March 2020) <> accessed 19 July 2020.

[2] ibid.

[3] Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America) Merits, Judgment [1986] ICJ Rep 14, 205.

[4] Philip Kunig, ‘Prohibition of Intervention’, Max Planck Encyclopedia of Public International Law (2008) para 5 <> accessed 22 July 2020.

[5] ibid.

[6] ibid.

[7] Nicholas Tsagourias, ‘Electoral Cyber Interference, Self-Determination and the Principle of Non-Intervention in Cyberspace’ (EJIL:Talk!, 26 August 2019) <> accessed 1 August 2020.

[8] Corn and Taylor (n 2) 211.

[9] SS Lotus (France v Turkey) (1927) PCIJ Rep Ser A No 10, 18.

[10] Schmitt and Vihul (n 13) 1669.

[11] Roguski (n 25).

[12] ‘Iran Frees Captured US Marines’ FARS News Agency (Tehran, 13 January 2016) <> accessed 17 July 2020.

[13] Schmitt and Vihul (n 13) 1669.

[14] Kaczorowska-Ireland (n 5) 453.

[15] Jeffrey Biller and Michael N. Schmitt, ‘Un-caging the Bear? A Case Study in Cyber Opinio Juris and Unintended Consequences’ (EJIL:Talk!, 24 October 2018) <> accessed 23 July 2020.

[16] Charter of the UN (n 7) Art 51.

[17] Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (n 30) 17.

[18] Michael N Schmitt, ‘“Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law’ (2014) 54 VJIL 698.

[19] Federica Paddeu, ‘Countermeasures’, Max Planck Encyclopedia of Public International Law (2008) para 1 <> accessed 22 July 2020.

[20] Schmitt (n 59) 702.

[21] ibid 707.

[22] Timo Koivurova, ‘Due Diligence’, Max Planck Encyclopedia of Public International Law (2008) para 1 <> accessed 22 July 2020.

[23] Michael N Schmitt, ‘In Defense of Due Diligence in Cyberspace’ (2015) 125 Yale LJF 68, 76.

[24] ibid.

[25] ibid.

[26] Koivurova (n 63) para 1.

[27] Kaczorowska-Ireland (n 5) 4.

[28] ‘Reckless campaign of cyber attacks by Russian military intelligence service exposed’ (National Cyber Security Centre, 3 October 2018) <> accessed 25 July 2020.

[29] Foreign and Commonwealth Office, National Cyber Security Centre, and Dominic Raab, ‘UK condemns Russia’s GRU over Georgia cyber-attacks’ (GOV.UK, 20 February 2020) <> accessed 26 July 2020.

[30] Foreign and Commonwealth Office and Dominic Raab, ‘UK condemns Russian Intelligence Services over vaccine cyber attacks’ (GOV.UK, 16 July 2020) <> accessed 26 July 2020.

[31] ‘Reckless campaign of cyber attacks by Russian military intelligence service exposed’ (National Cyber Security Centre, 3 October 2018) <> accessed 25 July 2020.

[32] Biller and Schmitt (n 56).

[33] ibid.

[34] ibid.

[35] The Telegraph UK, Interview with Dominic Raab, Secretary of State for Foreign and Commonwealth Affairs of the United Kingdom (London, United Kingdom, 16 July 2020) <> accessed 27 July 2020.

[36] Corn and Taylor (n 2) 209.

[37] The Telegraph UK, Interview with Dominic Raab, Secretary of State for Foreign and Commonwealth Affairs of the United Kingdom, (London, United Kingdom, 16 July 2020) <> accessed 27 July 2020.

[38] Biller and Schmitt (n 56).

[39] Chatham House, ‘Challenges to the Rules Based International Order’ (London Conference 2015 Background Papers, June 2015) <> accessed 5 August 2020.

[40] ibid.

[41] Foreign and Commonwealth Office and Dominic Raab, ‘Global Britain is leading the world as a force for good: article by Dominic Raab’ (GOV.UK, 23 September 2019) <> accessed 26 July 2020.

[42] Biller and Schmitt (n 56).

[43] Roguski (n 25).

[44] Treves (n 41).

[45] Schmitt (n 59) 707.
